Picture this:  You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect your client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center, which consists of representatives from multiple intelligence agencies that are responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sounds like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.

We’ve written before about what you can and cannot say when withdrawing from representation.  Now a Texas bar ethics opinion adds a twist:  what can you tell an insurance company that retains you to represent its insured, when the client won’t cooperate?

Lonely in the Lone Star state

A Texas lawyer had a quandary.  An insurer had assigned Lawyer to defend its insured in a state court personal injury action arising out of a car accident.  For a while, the client cooperated.  Then — radio silence.  Lawyer tried contacting the client by various means, including having an investigator track the client down to ask him to contact Lawyer.

The client’s non-cooperation made it difficult or impossible to defend the suit, and exposed Lawyer to sanctions for not answering discovery requests.  Lawyer also realized that the client’s failure to communicate might violate the cooperation provision of the insurance policy, and result in the insurer withdrawing coverage.

Lawyer’s investigator finally delivered a letter to the client, warning that Lawyer would move to withdraw if the client didn’t contact Lawyer.  Receiving no response, Lawyer prepared to withdraw, and asked for guidance on what he could disclose to the insurance company  about the reasons for withdrawing.

Silence is golden

You can’t say much, answered the state bar ethics committee.  “At a minimum,” the committee said, the client’s “failure to communicate with Lawyer is unprivileged client information.”  Under the state’s version of Model Rule 1.6, that meant that it was confidential information that Lawyer could not disclose to third parties or use to the disadvantage of the client, including in the context of withdrawing from the representation.

No exception to the general confidentiality rule applied here, noted the committee.  For instance, like the Model Rule, the Texas rule allows lawyers to disclose confidential client information in order to carry out the representation.  It’s sensible to regard that kind of disclosure as always being impliedly authorized, because otherwise, we could not negotiate with opposing counsel, for instance.  But the disclosure here would not be for the purpose of representing the client, the committee said — rather, it would be for the purpose of ending the representation.

Therefore, in withdrawing, the Lawyer was advised not to reveal the client’s failure to communicate in order to explain either to the insurance company or the court the reason for Lawyer’s withdrawal.

The committee cited the  ABA Ethics Committee’s 2016 Opinion 476, which considered what you can say to the court when withdrawing for non-payment, and which, like the Texas opinion, advises that the information is within the scope of your confidentiality duty to the client.

Take home lessons

  • Bear in mind that even the most difficult client is still your client; the Texas opinion points out that there’s no free ethics pass even when the client stops communicating with you.
  • And in the insurance defense context, the insured is a client for ethics purposes, despite the fact that the insurance company has assigned the case to you and is paying your fees.

We’ve written before about the breadth of the duty of confidentiality we owe to our clients, and how it even extends to matters that you think are safe to discuss because they are of “public record.”  (See here and here.)  Now comes the ABA’s latest on the subject of lawyer “public commentary” — Formal Opinion 480 (Mar. 6, 2018).  And it prompts us to be wary of a couple of pitfalls when it comes to what we say about clients in online articles, on Twitter, at webinars, in podcasts and through traditional print publications — all of which the opinion refers to as “public commentary.”

Duty “extends generally”

All such public commentary, the ABA reminds us, whether on-line or not, must comply with the relevant jurisdiction’s version of Model Rule 1.6.  The rule requires us to maintain the confidentiality of all information relating to the representation of a client, unless that client has given informed consent to the disclosure, the disclosure is impliedly authorized to carry out the representation, or the disclosure is permitted by a specific exception in Rule 1.6(b).

The confidentiality rule, as is frequently said, is much broader than the attorney-client privilege, and includes all information relating to the representation, whatever its source.  Even the identity of the client is usually deemed to be confidential information, the ABA ethics committee notes in this newest, footnote-heavy opinion.  And, adds the committee, it’s highly unlikely that a disclosure exception (except for consent) would apply when a lawyer engages in this sort of public commentary.

Don’t hype the hypo

That brings us to “hypotheticals.”  We all use them — from law profs in class, to lawyers seeking informal practical advice from colleagues at other firms, to gurus of various stripes who use real-life examples at legal CLE seminars.  But, says the ABA committee, beware:  “A violation of Rule 1.6(a) is not avoided by describing public commentary as a ‘hypothetical,’ if there is a reasonable likelihood that a third party may ascertain the identity or situation of the client from the facts.”

For example, in a widely-reported case mentioned in the ABA opinion, an Illinois lawyer got a 60-day suspension in her home jurisdiction for violating  Rule 1.6, when she blogged about her criminal defense clients using either their first names, a derivation of their first names, or their jail ID number.  Reciprocal discipline was imposed in Wisconsin.

In light of the ABA opinion, you’re going to want to make sure that any real-life client situations you describe in public commentary are so thoroughly disguised that no one can tell that they’re real.  If you’re using social media to educate and engage, there’s arguable benefit in discussing actual situations in a hypothetical way, while being sure to scrub the real facts out.  But as we’ve said before, if you’re just making cocktail party chit-chat, why even go there?  It’s not worth the risk of divulging confidential client information.

Trial publicity statements

The ABA opinion also briefly notes the constraints that Model Rule 3.5 puts on using public commentary to influence the court of public opinion.  The rule prohibits a lawyer from seeking to influence a judge, juror, prospective juror, or other official by means prohibited by law, and the opinion cites the case of a Louisiana lawyer disbarred for, among other things, using an internet petition campaign to contest the rulings of a judge presiding over a custody dispute involving her client.  That kind of conduct can also obviously lead to trouble.

All in all, the new opinion is a straightforward application of Rule 1.6 to this age of public commentary; but it is a good wake-up call for those who need one.

You’ve probably read about the New York Times reporter who says that he overheard lawyers for President Donald Trump discuss the ongoing Russia investigation at a Washington, D.C. restaurant, and then reported on the talk — which revealed details of a strategy debate, the alleged existence of documents “locked in a safe,” and other purported insight on the internal workings of the President’s legal team.

(If you somehow missed the story — maybe you just stopped paying attention — check out the Times reporting, the backstory on how the reporter overheard the conversation, and the ABA Journal’s report.)

Every reporter’s dream

The NYT reporter, Kenneth P. Vogel, wrote that he overheard the conversation when he happened to be seated at a steakhouse at the next table over from Ty Cobb and John Dowd.  Cobb was brought over from Hogan Lovells in July to run point on the Russia investigation; Dowd, another member of the White House legal team, retired from Akin Gump Strauss Hauer & Feld in 2015.

Vogel later wrote, “I have always thought of overhearing conversations as an underappreciated journalistic tool.”  The Washington Post commented, “It is every Washington reporter’s dream to sit down at a restaurant, overhear secret stuff, and get a scoop.”

Don’t let this happen to you!

Our take on this cautionary tale, of course, centers on Model Rule 1.6 — client confidentiality.  We often have occasion to warn you to consider particular wrinkles in the rules that affect your particular jurisdiction.  But not this time.  In every U.S. jurisdiction, lawyers have an obligation not to disclose confidential information relating to the representation of a client without the client’s consent.

That duty covers a wide swath of information learned through the representation.  It’s much broader than information that is protected by the evidentiary attorney-client privilege.

And so many ordinary things you might do without thinking twice can jeopardize your client’s confidential information — as Cobb and Dowd have perhaps discovered.  (Some have suggested that the incident was so blatant that it must have been intentional.  But intentional or not, disclosure still requires client consent.  The Times reported that, according to its sources, the disclosure prompted White House counsel Donald F. McGahn II to “sharply reprimand[] Mr. Cobb for his indiscretion.”)

The list could go on ad infinitum, but here are just a few examples of every-day things that can breach your duty of confidentiality:

  • schmoozing about work while standing in line at Starbucks;
  • doing client pitches;
  • sharing war stories with friends over cocktails;
  • talking on a cell phone in a public place;
  • reading client documents on a laptop while sitting next to someone on a train or plane;
  • forgetting documents on a restaurant table or in a cab;
  • forwarding client-related emails to people outside your firm;
  • sharing documents or forms created for a client with friends or other clients.

You must remember this…

Remember, confidential information also includes “disclosures by a lawyer that do not in themselves reveal protected information but could reasonably lead to the discovery of such information by a third person.”  (Model Rule 1.6 cmt. 4.)  In other words, just leaving out names doesn’t help, if someone can figure out who you are talking about.

And, as the President’s lawyers perhaps learned, when your client realizes that you have disclosed confidential information, “oops” may not be a complete excuse.

Bottom line:  You might never work at the White House, but make it your default mode not to discuss client business outside of your office, and you won’t go wrong.

Travelling abroad for work?  What should you do if a Customs and Border Patrol agent, claiming lawful authority, demands that you unlock your computer or thumb drive or cell phone — full of client confidential information — and hand it over to be searched as you cross the U.S. border?

A New York City bar association ethics opinion issued on July 25 offers some practical tips, and spotlights the ethical duties of confidentiality and client communication involved in this increasingly common scenario.

Cause for concern

The confidentiality concern is more than hypothetical.  According to the Department of Homeland Security, in February 2017 alone, CBP agents searched more than 5,000 cell phones, laptops and other devices.  That’s as many searches as in all of 2015.  CBP policy apparently permits U.S. customs agents to review any information that physically resides on travelers’ electronic devices, with or without any reason for suspicion, and to seize the devices pending inspection.

The ABA voiced concern in May, requesting that the Department of Homeland Security revise CBP’s procedures in order to better protect client confidential information from search or seizure at border crossings.

Evasive tactics necessary?

Under every state version of Model Rule 1.6, you have an ethical duty to safeguard the confidentiality of client information in your possession, and “few principles are more important to our legal system,” the opinion notes.

The thoroughly-reasoned and detailed New York opinion concludes that Rule 1.6, coupled with Rule 1.1 (Competence), raises obligations before a lawyer approaches the U.S. border; at the border when an agent seeks access to a device; and after an agent has reviewed clients’ confidential information.

  • Before crossing the border, Rule 1.6(c) and its comments, which require “reasonable efforts to prevent … unauthorized access to” client confidential information, mean that you must take reasonable precautions in advance to avoid disclosing such information unless authorized by the client (which is unlikely).  Depending on the circumstances, including the sensitivity of the information, these efforts may include not carrying any client confidential information across the border.  If so, the opinion suggests:  securely backing up client information and then crossing the border with a blank “burner” phone or laptop; turning off syncing of cloud services; signing out of web-based services; and/or uninstalling applications providing local or remote access to confidential information.
  • At the border, Rule 1.6(b)(6) and its comments come into play.  It permits lawyers to disclose confidential information to the extent reasonably believed to be necessary when required “to comply with other law or court order,” including “a governmental entity claiming authority pursuant to … law.”  But, the opinion cautions, disclosure is not “reasonably necessary” to comply with law if there are reasonable lawful alternatives to disclosure.  The opinion concludes that “it would be an unreasonable burden” to require a lawyer to forgo entering the U.S. or to allow herself to be taken into custody or litigate the lawfulness of a border search. But the opinion also says that lawyers have a duty not to comply “unless and until” the lawyer “undertakes reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”  To facilitate that challenge, you should carry ID confirming that you are a lawyer, notify agents that your device has client confidential information on it, request that the agents limit their review, and ask to speak to a superior officer, says the opinion.
  • After a search or seizure of client confidential information, Rule 1.4 (Communication) requires that you notify affected clients about what occurred and the extent to which their confidential information may have been reviewed or seized.  That communication will let the client decide on possible responses, including a potential legal challenge.

Globe-trotting implications

Tennessee ethics lawyer Brian Faughnan shared his comments on this opinion under the headline “Practicing law like it’s espionage.”  The ways to carry out the potential duty to avoid taking confidential information across U.S. borders, as well as the other recommendations in the New York opinion, indeed make me think of spy craft, and wonder if we are entering the world of novelist John le Carré.  That’s an uncomfortable thought — but under the reasoning of this opinion, such considerations are necessary as a matter of ethics.

A whistle-blowing general counsel won an $8 million federal jury verdict earlier this month, in a case that might encourage other GC’s to call out corporate wrongdoing.

Compensatory and punitive damages

After deliberating only three hours, the jury in Wadler v. Bio-Rad found that the GC had a reasonable basis for reporting his suspicions about the company’s Chinese sales operations to the organization’s audit team.

The GC’s allegations prompted an internal investigation by outside counsel, which concluded that the sales team had not violated the Foreign Corrupt Practices Act.

But the jury found that the company had retaliated against the GC by firing him after the report, in violation of the Sarbanes-Oxley Act, and that absent the report, he would not have been terminated for legitimate reasons.

The award to the GC included $5 million in punitive damages.  Speaking to Law360 (subs. req.), the GC’s lawyer attributed the punitive damages to the company  CEO’s creation of a back-dated negative performance review; computer metadata proved that the review hadn’t been created until after the GC had been fired.

Does SOX protection trump company’s privilege?

Judgment on the jury verdict was entered on February 10.  It will almost certainly be the subject of post-trial motions and possibly an appeal.

But the verdict stands out as a rare trial win for a GC in a whistle-blower case based on retaliatory firing.  Such suits have often been foreclosed before trial because of restrictions on a company lawyer’s ability to use confidential information of the employer in proving the GC’s case.

For example, in 2013, the Second Circuit affirmed dismissal of a GC’s whistle-blower suit brought under the federal False Claims Act, holding that the allegations relied on privileged information that could not be disclosed, and that the FCA did not preempt New York state ethics rules on confidentiality.

In the Bio-Rad case, however, the federal magistrate judge found at the end of 2016 that the whistle-blower protections of SOX trumped the company’s attorney-client privilege, and turned back the company’s motion to preclude use of privileged information at trial.

The GC’s ability to use this information as evidence arguably spelled the difference here.

Key factors in the magistrate judge’s ruling:

  • as a federal claim asserted under SOX,  the federal common law of privilege applied; that took the case outside the scope of the California Supreme Court’s 1994 ruling in General Dynamics Corp. v. Superior Court, which had limited retaliatory discharge claims to those that could be established without breaching the attorney-client privilege;
  • the text and structure of SOX don’t indicate that in-house lawyers aren’t protected from retaliation, and SOX § 1514(A)(b) and particularly the SEC’s final rule (17 C.F.R. § 205) preempt the California state ethics rule on client confidentiality;
  • Model Rule 1.6 is the guiding standard, which — unlike the California state rule — permits a lawyer to reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary to establish the lawyer’s claim in a controversy between the lawyer and the client; and
  • Bio-Rad made so many disclosures to the SEC, the DOJ and the DOL during the course of previous investigations and administrative proceedings, and to the court in the pre-trial phase of the case, that the company waived the privilege as to many communications.

The SEC had filed an amicus brief during the briefing on the company’s motion to exclude, supporting the position that the magistrate judge took — that SOX trumps state legal ethics rules regarding client confidentiality.

Trend or outlier?

Whether the Bio-Rad case will be upheld, and whether it is a trend or an outlier, remain to be seen.  But in the short run, it may encourage other GC’s to blow the whistle.