If you’re admitted to handle a case PHV, mind your P’s and Q’s.

Translation:  Pro hac vice admission to practice before a court outside the state where you’re licensed requires attention to a range of ethics duties, and running afoul of them can have bad consequences.  Two recent cases spotlight some of the issues.

We’re looking at you….

A Louisiana lawyer was admitted pro hac vice to represent a client in the Western District of North Carolina.  On the application, he certified that he had never been subject to a formal suspension or public discipline in Louisiana.  Whoops.  In 2014, the lawyer had been suspended in the Bayou State for neglecting a client matter and mishandling a client trust account, but the suspension was deferred pending successful completion of a two-year probation.

The lawyer argued that his certification on the PHV application was not a material misrepresentation.  Maybe not technically — but the district court in North Carolina was not buying it.  The lawyer’s missteps in his home state didn’t automatically disqualify from appearing in North Carolina, said the court.  But he was required to explain his disciplinary history.  The lawyer’s argument that he had to disclose only an actual interruption in his ability to practice was “manifestly not credible,” the court found.  Even making the argument demonstrated his lack of candor, the court noted.

The outcome:  revocation of the lawyer’s permission to represent his client in the case.

Lesson:  Your state has a version of Model Rule 3.3 (Candor toward the Tribunal), Model Rule 5.5 (Multi-jurisdictional Practice) and Model Rule 8.4(c) (dishonesty, misrepresentation).  Don’t try to shave the corner of the plate when you’re applying for PHV admission.  Explain anything that even arguably needs explaining.  Don’t try to justify a failure to disclose with an over-technical reading of the  requirements.  A court might not look kindly on that strategy.

Hand-flapping and harassment

An Ohio lawyer admitted pro hac vice before the Delaware Chancery Court was representing the defendants.  Things went awry when the lawyer deposed one of the plaintiff’s witnesses, and based on misconduct at the deposition, the court granted the lawyer’s own motion to withdraw his PHV admission.

From its review of the deposition transcript and video, the court noted that the lawyer

  • raised his hand and made yapping gestures toward plaintiff’s counsel while plaintiff’s counsel was speaking;
  • repeatedly interrupted plaintiff’s counsel and referred to him as “Egregious Steve,” and the “sovereign of Delaware”;
  • harassed the deponent with personal questions; and
  • called the deponent and plaintiff’s counsel “idiots.

For this conduct, which it called “not only rude, but tactically so,” the court granted the motion to withdraw, and also referred the matter to Delaware disciplinary counsel, along with imposing attorneys’ fees on the lawyer and his firm.

Lesson:  Be professional and dignified at all times, but especially when you are in someone else’s bailiwick.  As the court said, the lawyer was appearing in Delaware “as a courtesy extended to him to practice pro hac vice.”  Delaware, like many other jurisdictions, has a professionalism code, in addition to its Rules of Professional  Conduct.  The Delaware code stresses “civility,” respectfulness, “emotional self-control,” and refraining from “scorn and superiority in words or demeanor,” and is binding on those appearing pro hac vice, the court said.

The take-home from these two cases is obvious.  When you’re specially admitted before a court, any professional or ethical misconduct carries with it the added potential risk of being tossed from the case, with clear downsides for your client, as well as for you.  Mind those P’s and Q’s, and stay out of PHV trouble.

Everyone knows that we have an ethical duty of competence, and in most jurisdictions this includes a duty to be aware of the “benefits and risks” of relevant technology.  Examples of possible technology issues affecting our practices:  encryption (and cyber-security in general), cloud storage, e-mail handling, the internet of things — there are many more.  And snafus from failing to understand technology or handle it properly can have fallout for lawyers and clients.

Here’s a possible example, and it’s a scary one:  not using redaction technology properly, resulting in disclosure of information that shouldn’t be revealed.

Redaction pitfalls

Mistakes in redacting sensitive information can lead to high-profile problems.  Just this week, it was reported that lawyers for President Trump’s former campaign chairman, Paul Manafort, apparently failed to redact a federal court document properly, permitting the blacked-out text to be viewed “with a few keystrokes.”

Similarly, in the Parkland, Florida high school shootings case, the school district apparently didn’t properly redact a document regarding the alleged shooter, which contained confidential information about him.  A Florida newspaper reported that the method used “made it possible for anyone to read the blacked-out portions by copying and pasting them into another file,” which the newspaper did — drawing a contempt threat from the judge presiding over the criminal case.

Not redacting documents properly has also led to disciplinary action.  In 2013, a Chicago lawyer was reprimanded when he failed to ensure that personal information was redacted in federal student loan collection actions he filed on behalf of the U.S. government.  And in 2014, a Kentucky lawyer received a public reprimand for, among other misconduct, failing to redact his client’s social security number in bankruptcy filings he made on her behalf.

A law.com reporter for Corporate Counsel recently wrote that he was able to download from PACER a 100-page affidavit in pdf format with multiple redacted pages — but the black boxes disappeared when the document was copied into another application, “revealing all the private financial information that was supposed to be hidden.”

The reporter quoted a security expert who cautioned that people don’t know how to use redaction technology properly, and cited a 2005 National Security Agency report advising that redaction should not just visually hide sensitive information but actually remove it from the document.  (An updated NSA report is here.)

Think you can sidestep complicated technology by just taking out your black marker and obscuring the confidential text?  Even that may not be enough; as noted here, some scanners can pick up the covered words.

What to do?

In addition to the duty of technological competence set out in comment [8] of Model Rule 1.1, we of course must preserve our clients’ confidential information under Rule 1.6, and safe-keep their property under Rule 1.15 (which can include their information).

Does all this mean that every lawyer must become a tech guru with a detailed understanding of the highly complex systems we are required to use and rely on every day?  No.  (I, for one, can barely add and subtract, and I went to law school so I wouldn’t have to — at least not very much.)  But at minimum, we have to recognize what we don’t know — in the words of comment [8], that means “keeping abreast” of technology developments.  And most important, we have to get the expert help we need to navigate these shark-filled waters, whether it’s turning to high-end tech advisors, getting assistance from the bar association or educating ourselves.

What we can’t do is put our techno-phobic heads in the sand.

If you’re corporate counsel to an organization, you know how hard it can be to navigate privilege issues.  In a single day, you can be involved in talking to business managers, communicating with your CEO and dealing with the board.  When are your communications privileged, and how can you protect them?  A recent Colorado district court opinion has some pointers, based on a finding that a memo partly authored by in-house counsel was not privileged.

Legal advice, or just business?

In class action litigation, the plaintiffs asked the court to compel defendant Marriott to turn over an unredacted version of a nine-page financial and business growth strategy memo that corporate officers addressed to the organization’s Corporate Growth Committee.  Various lawyers in the law department had significant responsibility for preparing the memo, and the court found that some sections of the final memo had been written by in-house lawyers.

But the fact that a lawyer prepares a document is not sufficient to make the communication privileged.  Rather, the privilege’s proponent must “clearly demonstrate that the communication … was made for the express purpose of securing legal, not business advice.”

Further, the court said, the “primary purpose” of the communication must be getting or giving legal assistance, rather than business advice.

Mixed messages

So what to do with a document that contains a mixture of business advice and legal advice, which the court found were “intertwined” in the memo?  Citing the lack of Colorado precedent, and applying a case from the District of Columbia, the court held that the legal advice must “predominate for the communication to be protected.”  It did not predominate here, said the court.  Instead, while the strategy memo involved some legal advice, most of it was “ordinary and customary business strategy advice.”

Tips to protect the privilege

This case has some take-home lessons for in-house counsel on how to protect the privilege over legal advice.

  • It’s on you:  “The legal duty to protect the privilege falls on the legal department,” said the court, noting that Marriott’s team was “large and experienced.”  But even if you’re a one-person shop, you are the point-person for privilege issues.
  • Educate the stakeholders:  Those tasked with advising on and writing parts of the Marriott memo had “a duty to inform the Corporation of the privilege and to take steps to protect their advice,” said the court.  Schooling your company’s managers on the privilege is key to helping protect it.  For instance, do they know that cc-ing you does not necessarily make a document privileged?
  • Don’t intermix business and legal advice:  If the legal advice in the strategy memo had been in “separate paragraphs or pages,” or in a “confidential addendum or even a separate memorandum,” the court hinted that it might have protected those parts as privileged and only ordered disclosure of part of the memo.  Instead, the information was so intertwined that redaction “would be impractical.”

And some related pointers:

  •   Label!  If you are giving legal advice, start your communication with “You’ve asked me for my legal opinion on …” or “my legal advice regarding…. .”  Head those documents “Attorney Client Privilege.”  But don’t over-use the header.  If everything that comes out of your office is marked “Privileged,” that might be deemed to cancel out the effect.
  • Don’t overshare:  Remember, e-mail has a way of getting out of control.  Long threads where you are an early addressee may be deemed not privileged after going to people within or outside the company who shouldn’t receive the information.

Different outcome?

The court in this case adopted the “primary purpose” standard, but there are others — for instance, whether legal advice is “one of the significant purposes” of the communication.  We’ve discussed that test, which the  D.C. Circuit adopted in 2014, here and here.  Over at Presnell on Privileges, Todd Presnell wonders whether the result in the Marriott case would have been different under that standard, and it’s a good question.  Privilege disputes can be very fact-specific, and the test the court applies can certainly dictate the outcome.

Do we need another reminder about the perils of posting internet comments on cases and matters we are connected with?  Apparently we do, and here’s a strong one.  Earlier this month, an assistant U.S. attorney for the Eastern District of Louisiana was disbarred based on hundreds of comments he posted pseudonymously on the website of the New Orleans Times-Picayune.  The posts included many related to high-profile cases he or his colleagues in the U.S. Attorney’s office were prosecuting, including government bribery scandals and the killing of two unarmed residents by the police following Hurricane Katrina.

In its opinion, the Louisiana Supreme Court wrote that the lawyer’s “extrajudicial comments about pending cases” struck at “the foundation of our system.”  The court felt compelled to “send a strong message … that a lawyer’s ethical obligations are not diminished by the mask of anonymity provided by the internet.”

The hearing panel had recommended a two-year suspension, with one year deferred. The court, however, adopted the disciplinary board’s disbarment recommendation, which in the Bayou State entitles a lawyer to petition for reinstatement after five years.

“GUILTY as charged!”

The lawyer was a prolific poster on the newspaper’s internet site, using a number of pseudonyms to comment about pending cases he or his office was involved in.  For instance, during a bribery trial he prosecuted, the lawyer posted that the defendant’s lawyer “has screwed his client!!!!,” continuing that “You’re just as arrogant as [the allegedly bribed official] … and the jury knows it.”

During the federal trial of six police officers for the shooting of unarmed residents on the Danziger Bridge, and the ensuing cover-up, the lawyer posted, “Perhaps we would be safer if the NOPD would leave next hurricane and let the National Guard assume all law enforcement duties.  GUILTY AS CHARGED.”

The lawyer’s posts connected to the Danziger Bridge trial came to light after the six officers were found guilty and received lengthy sentences.  Following an investigation, the lawyer’s conduct was cited as one aspect of a pattern of prosecutorial misconduct that prompted the grant of the officers’ motion for new trial and eventually a plea bargain for much lighter sentences.

Not the way to relieve stress

The lawyer stipulated that his conduct violated Louisiana’s versions of Model Rules 3.6 (trial publicity); 3.8(f) (prosecutors’ extra-judicial comments); 8.4(a) (violating rules of professional conduct) and 8.4(d) (conduct prejudicial to the administration of justice).

But at the disciplinary hearing, although acknowledging his misconduct, the lawyer testified that he thought his posts would help him deal with the stress of his work.  His treating psychologist opined that the lawyer suffered from post-traumatic stress disorder resulting from his past work as a police officer and FBI agent, during which he had witnessed gruesome scenes and personally had come under gunfire.

In imposing a sanction, the court rejected PTSD as a mitigating factor.  Although the psychologist testified that the online posts were the result of the lawyer’s PTSD, the court found no clear and convincing support for the conclusion that there was a causal link between the posts and the lawyer’s mental condition.

Key to that determination, said the court, was the lawyer’s own admission that he knew he should not be posting his comments online, and that it was his anger over public corruption that led him to vent his pseudonymous criticism.

Think before you click submit

We all feel the stress of our chosen profession.  But is the relief valve of venting it in public (even anonymously) worth the risk of professional discipline?  Keeping a private journal (locked in your drawer) may not be as satisfying as seeing your words up in pixels, but it’s surely safer from a licensing standpoint.

A federal district court refused last week to disqualify a Connecticut lawyer in a suit against Yale University, even though finding a violation of the state’s version of Model Rule 4.2, the “no contact rule.”  Although ruling that disqualification was too extreme a sanction, the court ordered the turnover of interview notes from the lawyer’s interview of the improperly-contacted witness.

The case underscores the need to tread carefully when contacting anyone associated with the opposing party.

Coin curator’s claim

Yale University has an acclaimed art museum, and the museum’s former Curator of Coins and Medals sued the university for age discrimination after it terminated his employment.

In addition to being the museum’s coin curator, the plaintiff was an adjunct professor in the classics department.  The plaintiff’s lawyer phoned another professor in the department and interviewed him for 34 minutes as a potential witness, according to the opinion.  The other professor had never been involved in a law suit, and later said that it did not occur to him during the interview that he needed to consult with Yale’s lawyers before answering questions from the opposing side.

Yale’s counsel only learned about the interview six weeks later, and promptly moved to disqualify the plaintiff’s counsel for violating the no-contact rule, asserting that the professor interviewed was a represented “party” who was off-limits under the rule, absent consent from Yale’s lawyers.

Conceded “technical” violation

Connecticut’s Rule 4.2 differs from the Model Rule by barring communication about the subject of the representation “with a party the lawyer knows to represented by another lawyer in the matter,” without the other lawyer’s consent.  (The Model Rule uses the word “person,” not “party.”)  This raises the question “Who is included as a party?” for purposes of the no-contact rule, especially when an organization is a party.

Under the Connecticut rule comments, a “party” includes an organization’s employees with managerial responsibility; employees whose act or omission in connection with the matter may be imputed to the organization; and employees whose statements may constitute an admission of the organization.  While not express in the opinion, the profession presumably fell into one of these categories — perhaps the third one.

The plaintiff’s lawyer conceded that his interview raised a “technical violation” of Rule 4.2, but that it had been inadvertent, because the professor and the plaintiff were close colleagues and the lawyer regarded the professor as a witness on behalf of the plaintiff.  The lawyer argued that he had no intent to gain an unfair advantage, and that Yale was not prejudiced.

Trial taint needed for DQ

The district court agreed that the circumstances did not merit disqualification, notwithstanding the conceded rule violation.

As in many other jurisdictions, there is authority in the Second Circuit that disqualification motions require balancing the need to uphold ethical standards with a party’s right to freely-chosen counsel.  Therefore, an ethical violation, standing alone, might not be sufficient to mandate disqualification.  Many opinions in the Second Circuit and elsewhere hold that the remedy of disqualification is justified only when a violation poses a significant risk of trial taint.

The court agreed that disqualification was not necessary here.

Here, the district court explained, the taint concern was that the plaintiff’s lawyer had obtained confidential information about Yale’s litigation strategy from the professor, who had previously discussed the case with Yale’s lawyers.  The plaintiff’s lawyer had proposed to provide the court with the notes from the interview for in camera review; but the best remedy, said the court, was to order the lawyer to turn the notes over to Yale’s counsel.

Take-home lessons

If you’re involved in representing a client in any matter (not just litigation), you need to take heed of the no-contact rule.  As this case highlights, the rule comes in different flavors depending on jurisdiction.  While the case here involved disqualification, there is also always the possibility of disciplinary action from violating an ethics rule.  Last, the court’s order to turn over the interview notes — clear attorney work product — to the opposing party is a surprising remedy.  But obviously, such an order can’t be ruled out in circumstances that would appear to call for it.

You probably know about the ethics rule that prohibits lawyers from trying to prospectively limit their liability to clients (or at least I hope you do!).  You can find it in your state’s version of Model Rule 1.8(h).

In an interesting twist, the Utah Ethics Advisory Committee recently opined that it’s permissible to include a provision in a retainer agreement requiring the client to indemnify the lawyer against third party claims against the lawyer arising from the client’s own “behavior or negligence.”

Narrow reading — but not alone

The Utah committee said that an indemnification provision against liability, loss and expense to the lawyer caused by third-party claims arising from client’s conduct “is not specifically prohibited by the rules.”

While Utah’s Rule 1.8(h) (identical to the Model Rule) bars prospective limitation of liability to a client for malpractice, the committee said, “it does not address the specific question of whether an attorney may include an indemnification provision for claims brought by third parties.”  Therefore, such a provision “is not prohibited on its face.”

Third-party indemnification provisions might be helpful in representations involving opinion letters — for example, providing a legal opinion on behalf of a lessor, which is to be given to and relied on by the lessee.  The lawyer would be benefitted by being able to seek indemnification from the lessor client against later claims by the lessee.

Few state ethics committees seem to have addressed the issue of third-party indemnification.  But the New York State Bar Association, in a 2013 opinion, has approved the concept in the context of opinion letters.  And a 2005 Oregon opinion advised that a lawyer asked to investigate a client’s employee could seek indemnity from the client against subsequent claims by the employee against the lawyer.

Insurance deductible?  Not so fast

What about using such an indemnification provision to hold a client responsible for the lawyer’s malpractice insurance deductible if the client unsuccessfully sues the lawyer for malpractice?

The Utah committee also considered that question, and concluded that Rule 1.8(h) doesn’t expressly bar that scenario, because “requiring payment for an unsuccessful malpractice claim, on its face, does not limit liability for malpractice.”  But trying to use indemnification to extract payment from the client for your malpractice insurance deductible may be misconduct under other rules, said the committee.  Rule 8.4(d) bars engaging in conduct that is “prejudicial to the administration of justice.”  An agreement that would make a client (or, by then, presumably a former client) responsible for paying your deductible after the client loses a malpractice case against you, could “have a chilling effect on a client’s pursuit of a malpractice claim and would thus be prejudicial to the administration of justice,” the committee advised.

Client communication

In any event, client communication is key.  To say the least, “the average client may not understand what indemnification is or in what specific circumstances it could be applied.”  Sophisticated clients might, but your best bet is clear explanation and understanding.  Model Rule 1.4(b) (“Communication”) requires you to “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”

That would seem to apply to the client’s decision to agree to indemnify you for anything.

*****

Note:  My co-editors and I are thrilled that the ABA Journal has again honored The Law for Lawyers Today as one of its “Web 100,” putting us among the 35 best legal blogs in the U.S.  Read the magazine’s announcement here.  We’re very proud, and we promise to keep bringing you fresh and lively news and comment from “Legal Ethics World.”  Thanks for reading!

Advising a “client” on how to move “grey money” into the U.S. has resulted in an agreed public censure in September for a New York attorney.  The lawyer (along with a number of others) was caught on video by Global Witness, a British-based public advocacy group.  But the sanction raises some questions regarding the imposition of discipline for conduct based on a pretextual situation.

The “client” was actually an undercover investigator who posed as a German lawyer and succeeded in getting appointments with 13 firms (out of 50 he tried) to supposedly get advice on behalf of an undisclosed African government official.  The question from the fake lawyer’s fake client:  how to launder funds described as “gray money” or “black money,” including by buying a New York brownstone, a jet and a yacht.

60 Minutes exposé

The video later aired on 60 Minutes.  (The section on the censured lawyer is here.)  We previously wrote about Global Watch’s sting operation, noting that the bad news was that some of the firms appeared to be on ethical thin ice in their interaction with the investigator (assuming the secret tapes accurately reflected their conduct).  The good news was that 37 firms didn’t schedule meetings with the fake prospect.  (And one lawyer who agreed to a meeting firmly rejected the bait, saying that “it ain’t for me,” and pointing out the Foreign Corrupt Practices Act.)

The American Bar Association’s response to the 60 Minutes segment is here.

Agreed censure for “counseling a client”?

Almost two years after the 60 Minutes piece, the censured New York lawyer entered into a discipline-by-consent agreement based on his meeting with the Global Witness actor.

Significantly, the main charge was counseling “a client to engage in conduct [the lawyer] knew was illegal or fraudulent,” in violation of New York’s version of Model Rule 1.2(d).

Of course, no lawyer should violate that rule.  But the brief opinion of the New York Appellate Division’s First Department reflects no acknowledgment that the person speaking to the censured lawyer was an actor, that there was no bona fide prospective “client,” and that there was never going to be any action taken in response to whatever comments the censured lawyer might have made.  Rather, the opinion speaks of the conduct occurring during “a meeting with a potential client.”

The lawyer’s misconduct was significantly mitigated, the First Department noted, by his cooperation, and the fact that it was a single “aberrational” incident in the lawyer’s 50-year career.  Those factors justified the relatively light sanction — a public censure.

Beware possible counseling traps

This case spotlights the knife-edge you sometimes walk in counseling clients — including that a disciplinary authority might view as sanctionable even conduct undertaken in response to a pretext where there is no actual client.

You can never “counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent.”  But under Rule 1.2(d) you can and should “discuss the legal consequences of any proposed course of conduct with a client.”

And, as Comment [9] explains, you are not precluded “from giving an honest opinion about the actual consequences that appear likely to result from a client’s conduct. … There is a critical distinction between presenting an analysis of legal aspects of questionable conduct and recommending the means by which a crime or fraud might be committed with impunity.”

The stakes now appear higher than ever in getting that distinction right.

Some answers are so obvious that you are left wondering why the question needed to be asked in the first place. Like “should a client pay a fee it agreed to in advance?”  Or, “should an attorney try his or her best to prevail?”

And now this:  the ABA’s Standing Committee on Ethics and Professional Responsibility issued an advisory opinion earlier this month instructing lawyers who suffer a data breach that exposes “material client information” to notify clients of the breach and take additional measures to protect the confidentiality of the compromised information.  Obvious?  We think so.

When we advise clients about their data protection obligations, we often suggest that compliance is strengthened when data security strategies align with an organization’s culture. For law firms, this should be relatively easy:  lawyers learn (we hope in law school) that they have an ethical obligation under Model Rule 1.6 to preserve the confidentiality of their clients’ information.  In today’s world, that surely means that the lawyer and her firm should take appropriate measures to protect the information from cyber thieves and other threats to the security and confidentiality of a client’s confidential information.

Likewise, our duty of communication (Model Rule 1.4), coupled with our confidentiality obligations, should make it a no-brainer that when a breach occurs, the affected clients should be told.

Nevertheless, in its Formal Opinion 483 the Committee devotes 16 pages to state and support this conclusion. (Interestingly, the Committee primarily relies on rules dealing with competent representation and technological aptitude, and only secondarily refers to the duty of confidentiality.)  The opinion does contain instruction that, while hardly novel or visionary, provides sound advice:

  • A firm should implement technological and other measures to detect intrusions into its data systems;
  • A firm should develop, implement and test a data incident response plan. As we’re fond of saying, the time for a pilot to learn how to deal with catastrophic engine failure is not when the plane is hurtling to the ground from 30,000 feet.
  • The firm should promptly take measures to restore the affected systems and close the breach. (Don’t just stand by and do nothing!)
  • The firm should, alone or in concert with skilled cyber forensics professionals, determine how and why the breach occurred. (Again, don’t just scratch your head.)
  • The firm should notify current clients whose data are compromised. Oddly, the Committee stated that it is “unwilling” to impose that obligation with regard to former clients.
  • The opinion provides guidance on what the client notification should contain. Importantly, the opinion reminds lawyers that they may have additional notification obligations under federal and state data breach notification laws that apply, yes, even to lawyers.

 

Opinion 483 provides useful, if obvious, direction on our duties in response to a data breach. It hardly lays out a truly comprehensive set of best practices for safeguarding client information, but it does point in the right direction.

Picture this:   You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect you client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center which consists of representatives from multiple intelligence agencies that are  responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sounds like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.

In the aftermath of Hurricane Florence, which last month dumped up to 35 inches of rain on parts of the Carolinas, Virginia and Maryland, caused 48 deaths, and up to $22 billion in property damage, comes a timely new ABA opinion about our ethical obligations related to disasters.

The hurricane did not spare lawyers and law firms.  Ahead of the 1,000-year storm, Law360.com reported that firms in Florence’s projected path shuttered offices, activated contingency plans, and were glad if their firm systems and client data were stored in the cloud.  (Subscribers can access the story here.)  (And doing the profession proud, volunteer lawyers manned hot-lines to help storm victims get needed legal services.)

But what are our actual disaster-related ethics duties?

Communication, withdrawal, files and more

Disasters happen; that’s a fact of life.  The entire 13-page Opinion 482 (Sept. 19. 2018) repays reading.  Some highlights and nitty-gritty advice from the opinion:

  • Model Rule 1.4 requires us to communicate with our clients.  To be able to reach clients following a disaster, the opinion says, you should maintain or be able to quickly recreate, lists of current clients and their contact information.
  • You “must evaluate in advance storing files electronically” so that you can have access to those files via Internet or smart device, if such are available after a disaster.
  • If you can continue to provide services in the disaster area, you continue to have the same ethics duties as before; but in an emergency, you may be able to provide advice outside your area of expertise, as allowed by comment [3] to Rule 1.1 (“Competence”).  (We’ve previously written here about “emergency lawyering.”)
  • If you’re a litigator, check with courts and bar associations to see if deadlines have been extended across the board.
  • You “must take reasonable steps in the event of a disaster to ensure access to funds” you are holding in trust, the opinion advises.  Of course, your obligations will vary depending on the circumstances.  If you know of an impending disaster, you should determine if you should reasonably transfer client funds to an account that will be accessible; or even attempt to complete imminent transactions before the disaster hits, “if practicable.”
  • You may need to withdraw after a disaster, under Rule 1.16 (“Withdrawal”) and Rule 1.3 (“Diligence”), if a client needs immediate legal services that you will be unable to timely provide.
  • If client files are destroyed, your duty of communication will require you to notify current and former clients about the loss of client property with “intrinsic value.”  But there is no duty, the opinion concludes, to notify either current or former clients about the loss of documents that have no intrinsic value, for which there are electronic copies, or that serve no current useful purpose.
  • To prevent the loss of important records, “lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.”

Disaster Prep 101:

The ABA has a committee devoted solely to the topic of disaster preparedness, and its website has helpful resources and tips on everything from getting insurance, to types and methods of information retention, and how you can assess damage and rebuild after a disaster strikes your practice.  The committee’s 44-page Surviving a Disaster — A Lawyer’s Guide (Aug. 2011) is also helpful.

And remember, calamitous disasters aren’t confined to weather, war, and the like.  A disastrous health event can leave your practice reeling, especially if you are a solo or in a small firm.  As we’ve pointed out before, one’s own death and disability are not pleasant to think about, but choosing a profession in which we owe fiduciary duties to others requires us to make contingency plans, like those laid out in my home bar association’s “What-If Preparedness” program.

In all events, thinking about the unthinkable is part of what we do.