Should legal ethics rules be changed to allow non-lawyer ownership of legal services providers? So controversial is the question that it was major news in July when the State Bar of California voted to appoint a task force to study and make recommendations on the issue. What spurred the bar to take this action was the Legal Market Landscape Report it commissioned from William D. Henderson, professor at Indiana University Maurer School of Law. Henderson is my guest on today’s episode to discuss his findings and recommendations.

Henderson’s report makes the case that the legal profession is failing in its core mission of serving those who need legal services. The situation has brought the profession to an inflection point that requires action by regulators, Henderson says. The most effective regulatory action would be to ease rules on non-lawyer investment in order to allow lawyers to more closely collaborate with professionals from other disciplines, such as technology, process design, data analytics, accounting, marketing and finance.

“By modifying the ethics rules to facilitate this close collaboration,” Henderson writes in his report, “the legal profession will accelerate the development of one-to-many productized legal solutions that will drive down overall costs; improve access for the poor, working and middle class; improve the predictability and transparency of legal services; aid the growth of new businesses; and elevate the stature and reputation of the legal profession as one serving the broader needs of society.”

At Maurer, Henderson holds the Stephen F. Burns Chair on the Legal Profession. In 2017, he founded Legal Evolution, an online publication that chronicles successful innovation within the legal industry. A prolific author and speaker, he focuses primarily on the empirical analysis of the legal profession. Among his honors, he was named by the ABA Journal as a Legal Rebel, included on the National Law Journal’s list of The 100 Most Influential Lawyers in America, and in both 2015 and 2016 named the Most Influential Person in Legal Education by The National Jurist magazine.

Listen above, on Apple Podcasts, or via your favorite podcast player. To never miss an episode, subscribe on Apple Podcasts or via RSS, or like us on Facebook. And if you like what you hear, say something nice in Apple Podcasts. Your ratings help us reach more listeners.

New: Record a voice comment. Want to comment on a LawNext episode and have it played on the show? Record your comment as a voice memo on your device and email it to info@lawnext.com. Each week, we’ll play selected comments on the show.

Since 2015, I have been tracking the states that have adopted the duty of technology competence for lawyers. I have been doing that by updating a now three-year-old blog post. The post has become messy and unwieldy.

To clean it up, I’ve created a new page where I will continue to track adoption. The new page can be found here:

From now on, all updates will be listed at this new page. I will no longer update the old page. Please update any bookmarks or links you may have.

The new page features:

  • The full list of states that have adopted ABA Model Rule 1.1, Comment 8.
  • A clickable map that takes you to more information for each state that has adopted the rule.
  • Other resources for further reading on the duty of technology competence.

Let me know if you have any other suggestions for this page.

 

In 2016, Florida became the first state to mandate technology training for lawyers, when it adopted a rule requiring lawyers to complete three hours of CLE every three years “in approved technology programs.”

So far, no other state has followed suit. But now one has moved a giant step closer to following in Florida’s footsteps. The North Carolina State Bar Council has approved a proposed amendment to lawyers’ annual CLE requirements that would mandate that one hour of the required 12 hours of CLE training annually be devoted to technology training.

The council adopted the proposed amendment on April 20. The proposed amendment now goes to the North Carolina Supreme Court for approval.

The proposed amendment would also add a definition of technology training:

“Technology training” shall mean a program, or a segment of a program, devoted to education on information technology (IT) or cybersecurity (see N.C. Gen. Stat. §143B-1320(a)(11), or successor statutory provision, for a definition of “information technology”), including education on an information technology product, device, platform, application, or other tool, process, or methodology. To be eligible for CLE accreditation as a technology training program, the program must satisfy the accreditation standards in Rule .1519 of this subchapter: specifically, the primary objective of the program must be to increase the participant’s professional competence and proficiency as a lawyer. Such programs include, but are not limited to, education on the following: a) an IT tool, process, or methodology designed to perform tasks that are specific or uniquely suited to the practice of law; b) using a generic IT tool process or methodology to increase the efficiency of performing tasks necessary to the practice of law; c) the investigation, collection, and introduction of social media evidence; d) e-discovery; e) electronic filing of legal documents; f) digital forensics for legal investigation or litigation; and g) practice management software. See Rule .1602 of this subchapter for additional information on accreditation of technology training programs.

Now the question is, Which state will be next?

My post yesterday about Kentucky having adopted the duty of technology competence brought an email alerting me that Indiana had also adopted the duty, bringing the total to 31. The complete list of states that have adopted this duty can be found here.

A hat tip to William C. Wagner, partner at Taft Stettinius & Hollister LLP in Indianapolis, for pointing me to the Indiana Supreme Court’s order on July 31, 2017, adopting Comment 6 to Rule 1.1 on competence. The revised rule took effect on Jan. 1, 2018.

Indiana’s Comment 6 is now identical to ABA Model Rule 1.1, Comment 6, and reads:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

If you know of any others that I have missed, please let me know.

Just a week ago, I reported on the 29th state to have adopted the duty of technology competence, as part of my ongoing tally of states, and now there is the 30th to add: Kentucky.

The duty took effect on Jan. 1, 2018, having been adopted by the Supreme Court of Kentucky on Nov. 15, 2017 (Order 2017-18). Among a number of rules amendments, the order amended SCR 3.130(1.1), Kentucky’s corollary to ABA Model Rule 1.1 on competence, to add the same Comment 6 as the model rule:

Maintaining Competence

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.

The phrase I’ve italicized is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology.

Here is the full list of states that have adopted the duty of technology competence.

As I continue my effort to keep a tally of the states that have adopted the duty of technology competence. I’ve just learned, belatedly, of another.

On Sept. 26, 2017, the Supreme Court of Missouri adopted the amendment.  It amends Rule 4-1.1 of Missouri’s Rules of Professional Conduct by revising Comment 6, Maintaining Competence, to be in accord with ABA Model Rule 1.1. The Missouri rule now reads:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.

The phrase I’ve italicized is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology.

Here is the full list of states that have adopted the duty of technology competence.

(A big tip of the hat to Carole Levitt of Internet for Lawyers for alerting me to this change.)

I’ve written any number of posts about the duty of technology competence under ABA Model Rule 1.1, Comment 8, and I’ve been tracking its adoption by the states. But one aspect of this duty that does not get as much attention is how lawyers can get and remain technologically competent.

There have been several developments on this front, including news over the past week of two more initiatives that should further promote technology competence among legal professionals. One is online training for lawyers in legal innovation and technology, the other an index tracking how well law schools are preparing students to deliver legal services in the 21st Century.

This is the topic of my column this week at Above the Law: OK, We Get Technology Competence, But How Do We Get Technologically Competent?

In my continuing effort to keep a tally of the states that have adopted the duty of technology competence, I’ve discovered another, Nebraska, which brings the total to 28 states.

The Nebraska Supreme Court adopted the amendment on June 28, 2017.  It amends comment 6 to Nebraska Rule of Professional Conduct § 3-501.1 — the corollary to ABA Model Rule 1.1 on competence — to read as follows:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

The italicized phrase is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology.

Here is the full list of states that have adopted the duty of technology competence.

During the past week, I’ve had the great honor and pleasure of presenting a four-hour program on legal ethics and technology to members of the Solo & Small Firm Section of the Florida Bar. What made this program particularly special was that it took place during a 10-day cruise along the Danube River, from Vilshofen, Germany, to Budapest, Hungary.

In case anyone is interested in seeing the slides from my presentation, they are below. Two notes about the presentation. One, it is long. Two, it is oriented to Florida and so discusses many Florida ethics rules and opinions. Even so, much of it applies to lawyers in any state.

 

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility has issued a major new opinion providing guidance on the steps lawyers should take to protect client confidentiality in electronic communications.

The new opinion, Formal Opinion 477 (embedded copy below), updates Formal Opinion 99-413, issued in 1999, to reflect changes in the digital landscape as well as 2012 changes to the ABA’s Model Rules of Professional Conduct, particularly the addition of the duty of technology competence in Model Rule 1.1 and changes to Rule 1.6 regarding client confidences.

Most notably, the opinion says that some circumstances warrant lawyers using “particularly strong protective measures” such as encryption. In the 1999 opinion, the committee concluded that unencrypted email was acceptable because lawyers have a reasonable expectation of privacy in all forms of email communications.

In this new opinion, the committee declined to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, the committee recommended that lawyers undergo a “fact-based analysis” that includes evaluating factors such as:

  • The sensitivity of the information.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent
    clients (e.g., by making a device or important piece of software excessively difficult
    to use).

In some cases that will require encryption, the committee said, while for matters of “normal or low sensitivity,” standard security measures will suffice.

In the technological landscape of Opinion 99-413, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.

However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the [above] factors to determine what effort is reasonable.

While the opinion urged lawyers to take reasonable steps to protect client communications, it said that it was beyond its scope to specify the steps for any given set of facts. Instead, the opinion listed seven considerations that should guide lawyers:

1. Understand the Nature of the Threat.

This includes consideration of the sensitivity of a client’s information and whether the client’s matter is a higher risk for cyber intrusion. “Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.”

2. Understand How Client Confidential Information is Transmitted and Where It Is Stored.

A lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information, so that the lawyer can better manage the risk of inadvertent or unauthorized disclosure of client-related information.

3. Understand and Use Reasonable Electronic Security Measures.

Because access to client communications can occur in different forms, ranging from a direct intrusion into a law firm’s systems to theft or interception of information during the transmission process, a lawyer’s reasonable efforts include analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions. Further, a lawyer should understand and use electronic security measures such as VPNs or other secure internet portals, use unique complex passwords that are changed periodically, implement firewalls, use anti-malware/anti-spyware/anti-virus software, and apply all necessary security patches.

4. Determine How Electronic Communications About Clients Matters Should Be Protected.

The opinion urges that, at the beginning of the client-lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for client communications. For sensitive communications, a lawyer should use encryption and should consider the use of password protection for any attachments. “Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails.” The opinion further notes that a client’s lack of technological sophistication or lack of available technology “may require alternative non-electronic forms of communication altogether.” Finally, the opinion notes that extra caution is required when a client uses computers subject to the access or control of a third party (such as a work computer).

5. Label Client Confidential Information.

Lawyers should mark privileged and confidential client communications as such in order to alert anyone to whom the communication was inadvertently disclosed that the communication is intended to be privileged and confidential. “This can also consist of something as simple as appending a message or “disclaimer” to client emails, where such a disclaimer is accurate and appropriate for the communication.”

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security.

Lawyers are ethically obligated to supervise their employees and subordinates to ensure compliance with ethical rules, and that obligation extends to electronic communications, the opinion says. For this reason, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients, as well as on reasonable measures for access to and storage of those communications.

7. Conduct Due Diligence on Vendors Providing Communication Technology.

The opinion reaffirms the principle that lawyers must perform due diligence when selecting an outside vendor. Factors to consider include:

  • Reference checks and vendor credentials.
  • Vendor’s security policies and protocols.
  • Vendor’s hiring practices.
  • The use of confidentiality agreements.
  • Vendor’s conflicts check system to screen for adversity.
  • The availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.

If the lawyer lacks the competence to evaluate the vendor, the lawyer may perform the evaluation by associating with another lawyer or expert, or may educate him or herself.

The opinion also says that, when retaining a nonlawyer from outside the firm, the lawyer has further obligations to ensure that the nonlawyer’s services are provided in a manner that is compatible with the lawyer’s professional obligations.

Duty to Communicate

In addition to the seven factors summarized above, the opinion emphasizes that a lawyer has a duty to communicate with a client about the nature and method of electronic communications.

When the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved. The lawyer and client then should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.

Changes to Model Rules

The opinion relies heavily on two 2012 changes to the Model Rules. I’ve written frequently here about the duty of technology competence and I’ve been maintaining a tally of the states that have adopted the duty. This opinion expressly refers to that duty as one of the reasons for issuing an update to its 1999 opinion on email communications.

It also references the 2012 change to Rule 1.6 on confidentiality, which added a new duty in paragraph (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The committee concludes its opinion with this summary:

A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

This is an extremely important opinion that every lawyer should stop and read today.

For your convenience, the opinion is embedded below.