Everyone knows that we have an ethical duty of competence, and in most jurisdictions this includes a duty to be aware of the “benefits and risks” of relevant technology. Examples of possible technology issues affecting our practices: encryption (and cyber-security in general), cloud storage, e-mail handling, the internet of things — there are many more. And snafus from failing to understand technology or handle it properly can have fallout for lawyers and clients.
Here’s a possible example, and it’s a scary one: not using redaction technology properly, resulting in disclosure of information that shouldn’t be revealed.
Redaction pitfalls
Mistakes in redacting sensitive information can lead to high-profile problems. Just this week, it was reported that lawyers for President Trump’s former campaign chairman, Paul Manafort, apparently failed to redact a federal court document properly, permitting the blacked-out text to be viewed “with a few keystrokes.”
Similarly, in the Parkland, Florida high school shootings case, the school district apparently didn’t properly redact a document regarding the alleged shooter, which contained confidential information about him. A Florida newspaper reported that the method used “made it possible for anyone to read the blacked-out portions by copying and pasting them into another file,” which the newspaper did — drawing a contempt threat from the judge presiding over the criminal case.
Not redacting documents properly has also led to disciplinary action. In 2013, a Chicago lawyer was reprimanded when he failed to ensure that personal information was redacted in federal student loan collection actions he filed on behalf of the U.S. government. And in 2014, a Kentucky lawyer received a public reprimand for, among other misconduct, failing to redact his client’s social security number in bankruptcy filings he made on her behalf.
A law.com reporter for Corporate Counsel recently wrote that he was able to download from PACER a 100-page affidavit in pdf format with multiple redacted pages — but the black boxes disappeared when the document was copied into another application, “revealing all the private financial information that was supposed to be hidden.”
The reporter quoted a security expert who cautioned that people don’t know how to use redaction technology properly, and cited a 2005 National Security Agency report advising that redaction should not just visually hide sensitive information but actually remove it from the document. (An updated NSA report is here.)
Think you can sidestep complicated technology by just taking out your black marker and obscuring the confidential text? Even that may not be enough; as noted here, some scanners can pick up the covered words.
What to do?
In addition to the duty of technological competence set out in comment [8] of Model Rule 1.1, we of course must preserve our clients’ confidential information under Rule 1.6, and safe-keep their property under Rule 1.15 (which can include their information).
Does all this mean that every lawyer must become a tech guru with a detailed understanding of the highly complex systems we are required to use and rely on every day? No. (I, for one, can barely add and subtract, and I went to law school so I wouldn’t have to — at least not very much.) But at minimum, we have to recognize what we don’t know — in the words of comment [8], that means “keeping abreast” of technology developments. And most important, we have to get the expert help we need to navigate these shark-filled waters, whether it’s turning to high-end tech advisors, getting assistance from the bar association or educating ourselves.
What we can’t do is put our techno-phobic heads in the sand.