FacultyFaculty/Author Profile

Technology Security, and Ethical Challenges in Arbitration and Mediation


SANDRA D. GRANNUM: All right, we're moving on to the next panel. And to bring you into this panel, I want you to ponder the following question-- How can you maintain a client's confidences in a world where everyone appears to know everything about everyone else? And so this is the "Technology, Security, and Ethical Challenges in Arbitration and Mediation" panel. And it is directed by Professor Teresa Verges. Teresa joined the University of Miami School of Law faculty in the fall of 2011.

She is the founding director of Miami Law's Investor Rights Clinic, which launched in January 2012. The Clinic represents investors who have claims against their brokers, in arbitration proceedings before FINRA, but whose claims are too small for them to be able to find legal representation. Teresa supervises the students at the Clinic and teaches them seminars on substantive law, securities arbitration, broker-dealer regulation, professional responsibility, and practical skills-- allowing the students to undertake all aspects of client representation. And her full bio is in the materials. So, Professor, you're on.

TERESA J. VERGES: Thank you. Delighted to be back at the conference. And I have a really impressive group of panelists here, to help me talk to you all, about a topic that I've never been myself totally comfortable with. And that's technology, period-- anything with the name technology in it. But it is a requirement. But first, I want to take a moment, and just introduce my esteemed panelists.

To my immediate left is Nicole Iannarone. She is Associate Clinical Professor and Director of the Investor Advocacy Clinic at Georgia State University College of Law. Before joining GSU, Nicole was a partner at Bondurant Mixon & Elmore, where she practiced for nearly 10 years, in complex commercial litigation. She's a graduate of Yale Law School, and currently serves on the NAMC-- FINRA's NAMC. And, is President of the Atlanta Bar.

To her left is Jeffrey Jury. He is a shareholder at Burn Anderson, Jury & Brenner, in Austin, Texas. He is nationally recognized in arbitration and mediation, where his experience is supported by many years of complex trial, appellate, and administrative litigation. He is an Adjunct Professor at the University of Texas, in Austin. And he's a graduate of Baylor Law.

And then to Jeff's left is Ellen Slipp. She's a Managing Director and Head of Litigation, for Citi Private Bank. She manages litigation globally-- extensive experience in a number of areas, including securities arbitration litigation. Prior to that, she spent 11 years trying sales practice and employment cases in arbitration, for Citi. We had the pleasure of serving with Ellen on the NAMC. And she graduated from Suffolk University. Additional and fuller bios are in the materials, for you all.

So the topic today, I said, is technology, and the ethical implications for lawyers when something is speeding along at a lot faster rate than our ethical rules, or the guidance for us on those rules. And so we're going to try to touch on some of the key areas, that I think are implicated in our practice on a day-to-day basis. First of all, things like the new technologies that are impacting practice, such as cloud computing and file sharing. As well as things we've been dealing with for quite some time, including email use, and increasingly, texting, as we're settling cases.

And then, of course, we'll dive into a little social media. And end with our ethical duty, to maintain technological competence, to assist us in our practice.

So first, I want to touch a little bit about law firms and lawyers being generally considered soft targets. Never want to be considered soft on anything. But it's well rumored and well known, by hackers, that we are soft targets. And there's several reasons for that. First of all, clearly we, as lawyers and law firms, maintain very sensitive client information. And it's also in a much more compact area.

For example, if a firm is working on a merger, or acquisition, or a particular deal, we're going to have a subset of the information-- making it much easier for a cyber hacker to get to, as opposed to going to the potential business or issuer that they would be interested in. But another fundamental reason why we're soft targets is because we are notoriously technologically behind the eight ball. We don't usually have the strongest IT systems in place, and we don't also keep up with training. So we're considered pretty easy to hack. Ellen, you wanted to talk a little bit about this concern, particularly when hiring outside counsel.

ELLEN SLIPP: Yeah, I work predominantly for the Citigroup Private Bank. And so Terry had asked me, and Sandra had asked me, to give a little bit of the in-house perspective on some of these issues regarding technology. And I'm sure there are people in the audience who know me well, who know this is definitely not my strong suit. And I am especially hampered this fall, given the departure of my two identical twin sons-- who I call the tech department-- at my house. So I am really kind of boxing with one arm behind my back here.

But I'll give you a little bit of in-house perspective on this. I support the Citi Private Bank. One of our main lines of business is the law firm group business. We support over 111 law firms throughout the country, and several in the UK. And we give them support, by way of their operating accounts, their pensions, their investments. But we also supply them with credit products, deposit products, mortgage products. Where they would otherwise not be able to be private bank clients, because they don't have the $10 million to walk in the door, we supply them with access to some of our products.

What happens a lot is that, as Terry pointed out, we are soft targets, in that particular line of business. Because the transactions are enormous. So if you have a regular client internally at Citi, they may do two or three wires per year. But if you're supporting the operating account, the pension, the payroll, the real estate, the rent-- all of it-- for a law firm, there is a lot of products and wire transactions, that come into play on a daily basis.

So we've had some issues. Not a lot-- touch wood. But we've had some issues. And it's always when you get one of these malware fraud cyber attack issues. There is an investigation that needs to go on, that says, was it human error, or was it a systemic flaw in the operating products? And of course, by the time that you actually filed the complaint with the Citi Investigative Services, or the FBI, or there's an affidavit or fraud that's being submitted with law enforcement, the money could be in Kazakhstan. And the Fed recall wire system is not going to get you that money back.

So the whole game here is to try to get ahead of it. Everyone likes to use these terms-- lessons learned, deep dive, all of that nomenclature. But in this sphere, it's particularly important, because you're setting yourselves up for repeated problems, if you don't solve the problem that presents itself at that particular moment.

The other issue is also the cyber fraudsters understand that a lot of this is cyclical. At the bank, people have to take their mandatory two-week compliance leave. Usually, that happens in August, and around the holidays. So we are a little bit resource constraint around those times. They've figured that out. And so we really have to be on your toes, racket back, during certain particular times of the year, to make sure that we're confronting that in the best possible way.

TERESA J. VERGES: And you raise an interesting question. And these are two very important pockets. Sometimes it's the vulnerability that's created by our own systems. And was there was there a chink in the armor, as it were? Versus, the armor is great, but it was user error, through clicking on an email in a fishing expedition, as it were.

So I thought it might make sense to just talk a little bit about some of the threats out there, that have impacted law firms. Nicole, you want to talk a little bit about that?

NICOLE IANNARONE: Sure. I, likewise, don't know an incredible amount of technology. But I know enough of it to scare myself, and maybe scare everybody else here too, as we talk about the threats that law firms face. Terry asked me to talk a little bit about why and how law firms are targeted. And I think I'll start going back a little bit. In an ethics presentation, I can't help but tell you what an ethics rule is, that applies to a situation.

And we have an ethics rule from the ABA, that most states say now. They've either enacted their own version, or they say, now we've already got this covered. Which is, we have an ethical duty to keep up with changes and technology, and protect our clients' confidential information. Both in the competence rule and in the confidentiality rule, technology is now implicated, at the ABA level, and by most states.

So why are law firms being targeted? Because we have all sorts of information, that folks can use for a lot of different things. Think of divorce firms, who want to know which hot celebs are getting divorced. People get into that information, because you can make a lot of money-- TMZ-- or break some great news, if someone gets that. But more maliciously, there are state secrets at a lot of law firms. What kind of trade deals and work are law firms working on? And for our clients, financial accounts-- the types of things that Ellen has already talked about.

Law firms are usually targeted with two different types of attacks. One is a ransomware attack, that quite often starts from one employee accidentally clicking on a link in an email. And if your systems in a national law firm, or international law firm, are linked together, one employee can shut down pretty much everything. That's what happened to DLA Piper, a few months ago-- when one employee somewhere in Europe got wrapped into a ransomware attack.

Where a hacker obtained control of the systems, and says, give us some money, or we're going to destroy all of your files, that can really shut you down-- in a law firm, in a hospital, in any type of business. And it comes a lot from human error, and lack of training with some of the employees who are responding to emails. Phishing attacks, I know we're going to talk about, are really, really hard to detect. They're not as simplistic as they used to be. They don't always have the misspellings. You really have to think before you check a link.

There's also wiperware attacks. And those are attacks where the malware just destroys the information. The other side comes in and says, we want you to not have access to any of your files. You've clicked the wrong link. Poof, they're gone. We won't give them back. We don't care how much money you pay us. Those are both really big risks. Perhaps the biggest ones are the ones that you don't know about. Someone's come into your system, taken some information, and you aren't aware that it's ever been missed.

JEFFREY JURY: Before we go to the next topic, I want to add one thing about that. We hear these presentations all the time. And we know to be scared. And we walk away, and we have heartburn moments. The first time I mediated a data breach attack case, I will tell you that the level of fear that I walked away from after a day of mediating that case, and learning about what happened, it's not eye opening. And it's not jaw dropping. It's, how in the world does this stuff really go on? And you cannot imagine. And of course, I can't tell you. But it made me want to go home and construct an aluminum foil hat.

This is organized, sophisticated criminal activity, that rivals anything that you will see in a movie. So I am more than moderately paranoid about the kinds of threats that are posed, and how we have to take this seriously. Because it is-- I think the popular term is to say it's an existential threat. But it is of mind-blowing proportions. And experience is something you don't get until right after you needed it. And I've spent a lot of time spent a lot of time working, and helping people solve problems created by that. I have represented entities, who've come to consult with me about compliance with the data breach statute that we have in Texas, which is very robust. And it applies to anybody who does business in Texas. It doesn't apply to financial institutions under 15 USC 6809.

But this is something to which we have to pay very great attention. Because I guess this is the part of the program where somebody really sounds the threat, in a way that I hope will scare you like you've never been scared before.

TERESA J. VERGES: Well, that's exactly right. Let me ask, you said you've mediated your first data breach case. How many of those have you actually handled now? And have any of them involved lawyers, or law firms?

JEFFREY JURY: I don't think I can answer that. Other than to say, I've mediated a small handful of them, because they are uncommon. But they don't get any better. The second one is not better than the first. I can tell you that none have involved a law firm yet. But it has involved businesses that you would think there would be protection. Or they're businesses that have sophisticated IT people.

NICOLE IANNARONE: In a prior life, I have worked with law firms who have found themselves in this precarious situation. And it's not fun to talk to a law firm and say, hey, so we need to figure out what exactly was taken. And for each of those clients who were impacted, we need to call them, and tell them. And discuss with them, what of their confidential information was disclosed to others, to the best of our knowledge. And we have to do it extremely quickly. Those are extremely unpleasant phone calls to make. Hopefully, you've talked with your clients ahead of time about information security. A lot of clients, particularly financial clients, will do audits of their external counsel, to make sure that they have controls in place.

What I will say, from working from law firms, is while there is certainly an enormous threat from bad actors and hackers, there is also a threat from your own employees. If someone is being perhaps laid off, or is having personal issues of some type, those are just as harmful and potentially risky as an external party coming in. And they can be even harder to deal with.

ELLEN SLIPP: I agree with that 100%. Which is why, at certain large financial institutions, I'm sure many businesses across the spectrum of industries have limitations on when temporary employees can be employed. Because the risk with a temp is that they actually know all the systems. They know where the bones are buried, so to speak, and they don't have loyalty to the firm. So to your point, that's often where a lot of the harm will come to visit, because of these temporary employees.

TERESA J. VERGES: And I would imagine, in financial institutions and quite a broad spectrum of industries, the days of when employees got two-weeks notice, those days are essentially gone-- if they're employees, which are most employees, actually have access to systems. I'm far more familiar with, we'll pay you the two weeks or the month, but you get brought in, while someone is literally closing off your access-- for those very reasons. It happens very, very quickly. Because of exactly the point, that you don't want to have the email that gets fired off with sensitive information-- either within the organization, or, God forbid, outside of the organization.

JEFFREY JURY: One potential takeaway is that if you don't know if your state has a notification and a civil penalty system for not notifying people, be sure you know that. Because in Texas our statute has significant civil penalties for not promptly notifying-- $2,000 to $50,000 per event.

TERESA J. VERGES: Well, there is an article that provides a lot of information with the materials. And the there are 49 jurisdictions, at one level or another. So most of us then are required to notify to some authority any breaching or hacking authorities. Like, the Panama Papers, obviously the issue was that they obtained nonpublic information. Didn't hold it as ransom, but disclosed it to the world-- a lot of sensitive client information. So, clearly, that's embarrassing reputationally. But there are now obligations to report that. And then, of course, we may have an ethical obligation to tell our clients. Wouldn't you agree, Nicole?

NICOLE IANNARONE: Absolutely. Confidentiality is one of the biggest applications and duties that we owe to our clients. And I think when you talk to lawyers a lot about confidentiality, there's many lawyers who conflate that with attorney-client privilege. But confidentiality is exceptionally broad. It relates to any information that the lawyer obtains related to the representation. So if you think about it, that could be, did someone come and see me today? What is the name of my client? How many cases have I worked on for a client? Confidential information really includes almost anything that you have related to a case, at all. So yeah, that's an ethical duty, that absolutely comes up.

Technology plays into it, in that we have to take steps to protect the information. So a lot of lawyers are beginning to look into, what do I need to do to make sure that I don't accidentally release some information? For us, and many outside firms, try not to use thumb drives. They are so easy to lose. They will fall out of your pocket. You can leave them in a computer somewhere. And particularly if you are not encrypting the information on the thumb drive and putting a password on it, they are an easy way for confidential information to get lost-- sometimes without anyone ever knowing about it.

I've had conversations with lawyers about whether they have a lock on their screen for their laptop. Does your laptop just automatically lock after a couple of minutes of inactivity? Those little questions about protecting confidentiality are so important. And I put those out there as reasonable efforts. I think those are things that all of us can do. I hope we know how to encrypt files. It's really not that hard. Google it. We're happy to talk to you about those.

TERESA J. VERGES: I've never done that. I never have.

NICOLE IANNARONE: It's a pretty straightforward to do it, to encrypt it. I teach this in the Clinic, with my law students. If we're ever sending files related to a case, we put them in a PDF. We take out all the metadata, to the extent it's not discovery materials. And if it has ultra-sensitive information in it, we make sure to encrypt it with a password. And when you send the material-- students have a hard time with this every once in a while. When you send the materials to whomever you're sending them to over email, don't include the password in the email. Send it separately. You would be very surprised by that one.

If we're going to use a zip drive or a thumb drive-- I prefer not to use them at all. But if for whatever reason we have to use one of those, we're going to make sure that the data is encrypted, and that there is a password on the zip drive. And we are going to send it in an ultra-secure method, that has some level of confirmation of receipt.

TERESA J. VERGES: And the slide that we're showing right now is one of the new additions. In 2012, Ethics 2020 committee looked at technology, with a view towards what, if anything, should be added to the rules? And there was really only a couple of things, that Nicole mentioned earlier. The new subsection, 1C, recognizes that you can't possibly protect-- a lot of experts in this area will say it's not a matter of if, it's a matter of when an attorney's firm gets breached. But the question for us, in terms of professional responsibility, disciplinary proceedings, and those kinds of things is, did we take all those reasonable steps?

So, Jeff, let me let me turn to you, with respect to what constitutes reasonable. You've got a firm-- you said it was a smaller firm. Obviously, those challenges are bigger. So, what constitutes reasonable? And I actually have a hypo, for you to sort of attack.

JEFFREY JURY: Yes. Well, I live this, because we have 22 lawyers in our firm. We have an IT person. Anybody who has ever worked at a place that sets up a computer network or systems, we all know that the following thing happens. You get a vendor, you get it setup. And then jumping ahead to what happens three years later. What is the thing that the second vendor always says, 10 times out of 10? Who set this up in the first place? That person didn't know what they were doing. How are we supposed to figure that out? Do the ethical rules require us to figure it out?

Well, I know how to turn the computer on. And I'm probably an advanced beginner. So we've got to find somebody who knows what they're doing. And the short answer is, you're probably OK, if you hire somebody who appears to be a knowledgeable vendor. You can rely on that. At least in the approach that Texas has taken, if you have hired a firm or person who is smart about these things, to handle it, you're probably going to be OK. But you've got to be sure that that person is the right person.

Well, how do you do that? The one thing that I would suggest that you do-- which you probably do already, if you have any kind of input or control over this. I was helping an organization that was looking at, do we choose vendor A, or vendor B? Both of which contain descriptions of what the security protocol that isolates the calibrator from the veeblefetzer, and all that other stuff-- which meant nothing to me, and meant nothing to the client.

So what I did was I went to our IT person. I said, you're smart about these things. Just look at these two proposals. I'm not telling you what they're about. Just look at them. Which vendor would you hire? It was very easy for him. Because he looked at the one description, that looked OK to me. He said, I wouldn't give this person a second look. It goes in the no pile. Because the way that they have described their proposal tells me that they don't take it seriously. I said, oh, OK. But this one, on the other hand, I could ask follow-up questions more easily.

So the short answer is, find somebody. Call a friend. Get somebody who knows what they're doing, and ask them to just look at the proposal. I was really surprised by that experience, by taking two proposals. One looked better than the other, but the other looked OK. But how are we to decide?

So find somebody who knows what they're doing. You're probably going to be OK. And for those of you who have to manage this on a micro level, make sure you get a vendor who will train the people who will be using the stuff. Who will do that, and who will update the stuff. I call it the stuff. There's another word for it. But make sure that they will have technical support, and all of those kinds of things, so you don't have to do any explaining later on.

ELLEN SLIPP: I guess I'm sort of fortunate, or unfortunate-- pick your day-- to work for a large organization that has all kinds of machinery around exactly what you're describing. So not only do our outside counsel, many of whom are in this room-- who have passed all these tests, as far as management of risk, information security, and privileged, and privacy, and all the rest of it.

We actually also make sure that all of the vendors that those outside counsel hire have to jump through all of those same hoops. And I see some nodding out in the audience. So for better or for worse, apologies to those if you have to go through that pain. But in the grand scheme of things, I think it is helpful for everybody to have those push points. To be able to say, OK, if we're hiring x,y, and z external vendor to do an email review. We know that they have all the protocols that my firm would want to have in place, being supervised by an esteemed outside counsel firm.

TERESA J. VERGES: And I too am fortunate, working for a large university. Again, this is all sort of the things that are taken care of. And as we have moved technologically, first it starts out to be an annoyance. oh, there's another training that we have to do. Or, now we have two-factor authentication. I know what it is. I don't know the technical name for it. But yes, where now we want to sign into their system, I have to have another way to authenticate it. And it's like, what a pain in the butt, I just want to get to the work. But these things are absolutely important and critical. I realize, they're helping keep me safe, and at least keep me ethically in line.

Another thing that has always been annoying is every three or four months it's like new password, new password. And you're like, I just got the last one.

ELLEN SLIPP: And hopefully you're not keeping them on a Post-it note on your computer screen.

TERESA J. VERGES: No, no, no. But I discovered an app. And in this app, I only have to know one password. And I just never have to forget that, because all of the passwords for everything is on it. And I just change that. I couldn't imagine living in today's world, getting access to everything from my workstation to my bank, without having that little app.

JEFFREY JURY: And how do you know to trust the app?

TERESA J. VERGES: [LAUGHS] Good question. I just have blind faith.

JEFFREY JURY: What are you going to do?

TERESA J. VERGES: Good ratings. Exactly. You do the best you can. And I think that what the [INAUDIBLE] set out and also what the rule talks about, with respect to reasonableness, is it's within our resources and measureds, you don't have to have an IT person on hand, as long as you contract out and do those things.

So, what about the annoying updating software?

NICOLE IANNARONE: You have to do it. I hate it when they change software. I have learned all the shortcuts in software. I like the way the software looks. I know where everything is. And inevitably, every month, two months, six months, someone comes up with a new update. You need to do it. You need to do it immediately. Sometimes they just throw out updates to make things pretty, and annoy people like me who don't like change. But most of the time, when an update is being pushed out, it is to fix a security issue, or some other vulnerability within the software. Bugs are found all the time. Make sure you are not exploited through one of those bugs, by just clicking and updating the software that you have. It's not that bad. It's worse if you get breached.

TERESA J. VERGES: It sometimes just feels like it's every day.

NICOLE IANNARONE: It is, yeah. That's one you have to do. Another is passwords. Don't be on the list of the dirty dozen passwords. They're really funny. The top passwords that we see are things like QWERTY, 1-2-3-4, 1-2-3-4-5, 1-2-3-4-5-6. And Log In, things like that. They're just too easy. Don't use those.

ELLEN SLIPP: Birthdays, social security numbers, children's birthdays.

TERESA J. VERGES: My favorite pet.

JEFFREY JURY: Don't use something that somebody can look up publicly. Don't use your street name, or your street address. If somebody can look it up publicly, come up with something that nobody's going to think about you. We all have things--

ELLEN SLIPP: A cautionary tale-- I've also heard some of those Facebook inquiries-- what's your favorite color, what was your childhood dog's name? All that, you know? It's kind of fun and interesting to share with your kind of friends on Facebook, but the hackers understand that that's a way in to your computer systems and your security. So cautionary tale-- just pick up the phone and talk about your dog's name, or whatever with your friends, don't do it on Facebook.

JEFFREY JURY: Sometimes I'll answer those and give false answers.


JEFFREY JURY: So I can put out chaff and distract them.

ELLEN SLIPP: I think you had a question.

AUDIENCE: There have been some studies lately that just having shorter passwords, that have one capital letter, one lower case, and then a symbol, really that's not enough. It's better to have longer passwords, that might be a whole sentence or a phrase than to have a bunch of changing capitals and symbols That it's easier to hack when you have an eight-letter password that might have, for example, what you have on the [INAUDIBLE] up there. If it's only eight-letters long, that's a lot easier to hack than if you have 25 letters, that might create a sentence that's familiar to you.

JEFFREY JURY: I've been told different things about that. I've been told, include a capital letter and an unusual character, and you'll be fine. I don't know if that's true, or not. I mean, somebody is constantly working to outsmart all of it.

ELLEN SLIPP: Well that's where the malware problem comes in. Because they have these people who can see you typing in your password, and hijack it. So not to be doom and gloom like my new friend here, but this is a cautionary tale-- and not like a rosy way to end the afternoon.

JEFFREY JURY: Right. Sorry.

TERESA J. VERGES: And then of course, even if you have all the appropriate systems, and automatic updating the software, and changing passwords, and all that in place, again, user errors actually led to some of the significant breaches at law firms. Like the foreign nationals who were able to hack into a firm and obtain a ton of information, that they used to make millions of dollars on the market, trading on inside information. And that was the result of a phishing hack. Would you like to talk about what exactly that is? We've thrown that term around a couple of times. Do you feel comfortable?

ELLEN SLIPP: Yeah, sure, and quickly. So phishing, we all get inundated with emails every single day. You know, the cautionary tale here is just make sure that when you're clicking on a link-- obviously, this is 101-- you know who the email is from. You're expecting that email. You just won the lottery, Ellen Slipp. I doubt it, so I'm not going to click on that link and open up something. I'm fortunate at my firm, that we have an email box. So I can forward something that looks suspicious, or fishy-- F-I, not the other spelling-- to send to them. And they all will systemically look at it, and send out a blast email to everybody, who probably has received the exact same incoming email from people.

I was speaking earlier about our law firm group business. And I'm not soliciting new law firms to come to the Citi Private Bank. But we're fortunate enough that out of the 110 or so law firms, every fall we have a seminar, where the managing partners and their payroll admin are invited to come to a two-day seminar, sponsored by the FBI-- to exactly spearhead these kinds of efforts. And it's a wonderful seminar. I've attended it. And people are really stunned and shocked as to the scams that can come to visit. Unfortunately, there was one that happened, and one of our major law firm group clients was not able to get the managing partner and the payroll operator in. The next day, there was a $20 million phishing scam, that came to visit. So that was unfortunate timing on their part.

But you know, it's obvious stuff. Like back in the day of snail mail, if you're having family friends visiting from out of town and you needed to tell them where the key was hidden-- under the doormat, in the litter box, or under the dog dish in the courtyard, whatever-- you wouldn't put that in a postcard. You would put it in a sealed envelope, that you could actually lick and stamp. You wouldn't put it in a postcard.

Because do you really want your mailman reading your mail? Decidedly not. And that's just really kind of the 101 with all this. We've had a couple of more bells and whistles recently put on our Citi mail servers. Where you actually are given a note, if you're going to send any email external to Citi. Are you aware this is external mail? Are you still OK with sending it? So it's two clicks, before you even get anything out the door. Which is another safeguard.

Because sometimes in the throes of business and your zeal to get things done-- whether you're on the train, subway, whatever-- you might be a little careless. Not intentionally, but quickly sending off an email. So now, you have to click twice before you send something outside of Citi. And I'm sure we don't have a monopoly on this. It's not complicated business. But we have a couple of those bells and whistles now, to try to keep us a little safer.

TERESA J. VERGES: Anything that doesn't legit-- and more and more-- I mean, in the last probably six months I have forwarded at least three or four emails. It's like, I'm not going to click on that. I'm going to forward it to our IT guys. Saying, guys, is this the real deal? No, it's absolutely not. So every single time I've guessed correctly. I've always erred on the side of-- it will come back to me. And say, that's fine, you can open it. It's only going to take. But if it's at all fishy, don't click on it.

And in fact, they're getting really smart. Because they use the names of people that are in your contact group. So that those emails come to you, and it's, oh, it's from Joe Smith, who I know, who is in the other department. It's better to just check first.

One of the newest technologies that-- I don't know how new it is anymore, but I know that we just did it last year-- is a way to sort of take the onus. I think this is something very promising, for smaller practitioners in particular. Instead of having to sort of fortify your system against every potential threat, is to sort of discharge this duty through a cloud-computing service. It's known as a SAS provider. That stands for Software As Service.

And so, essentially, it is cloud computing. It's moving all of your files. So we did that at the University, at the law school, university wide. So all of our client files are now accessible on the cloud. We use Box. And so we can access anything from anywhere, on any device. That's both exciting and incredibly scary. I'm interested-- Ellen, have you guys use that kind of technology at all?

ELLEN SLIPP: Honestly, there is this perception, because I work for a large bank, that we have all kinds of money to throw at technology problems. I think that's a little not accurate. But we're starting to move that way, not least because now we're moving towards an open floor plan stuff. So we're going to have to start doing that. Obviously, we use SharePoint sites, when we have to upload a lot of documents, for visibility from outside counsel, and people in disparate locations.

I've done it a lot. Not least when I have an investigation, or a matter that crosses jurisdictional lines. So that, for example, if you have a banker who's involved in the North America region, and you also have somebody tangentially involved in India or Asia-Pacific, you don't have to wait for the sun to rise in Hong Kong to be able to be doing your work, and be able to share your work. So that's my limited exposure to it, which is obviously helpful. It kind of creeps me out a little bit. For example, like my iPhone-- I don't have that Find Phone thing, because I just don't want the martians in the sky knowing where I am at all hours of the day. So I just I'm not probably the best person to answer that particular question, Terry.

TERESA J. VERGES: What about what about you all? Have you had any experience?

NICOLE IANNARONE: Yeah. We use a cloud-based client management system, for the files that we have within our clinical law firm. And it's really important, as you do that, to look at some of the guidance that's out there, to understand what you're getting into. Our friends at the American Bar Association have an entire web page devoted to cloud computing, and the questions that you want to ask if you go into that cloud computing realm. They do a great job keeping the information up to date.

And a lot of states actually have ethics opinions dealing with how to use the cloud. My state is not one of them. But most of the disciplinary folks at your state bars are very nice. And if you have a question and call their help line, they want to help you. They don't want to disbar you. So calling ahead of time, I found, is always really helpful with a question.

So we use the ABA resources. We go through the questions that are listed there, to make sure that we're complying with them. I'm still-- because I know enough people who have been locked out of their sites. I still maintain a paper copy, of everything that we have in our client files. Cloud-based servers sometimes go down. There are times when there are massive denial of service attacks across the country. Where, basically, someone is pushing a lot of information at a bunch of websites, to slow down web traffic, and potentially shut them down to people who are legitimately trying to get information from that website.

And that happened to one of the cloud-computing services that was out there. And frankly, most of the eastern United States-- maybe last year, or the year before. So when my students came in and said, oh, I hate you for making us put everything in writing in a hard copy file, just in case. But I'm really happy that you made us do that today, because it didn't slow down our services at all.

So we're not entirely paperless. Because we want to make sure that if something happens to the files that we are able to keep going. If we were subject to a ransomware attack, it would be bad. I hope it would never happen. But we could say, all right, fine. We have a backup. We have the materials we need. It's going to be a pain to type all that stuff back in, but we've got it, and we will survive.

And I'd also worry, with cloud computing, a number of the firm management and cloud-computing sites have a model where they have one platform. But they have a number of add-ins or apps that you can use. Read the terms of service for the apps. Understand how they're using your information.

And make sure that it lives up to the client confidentiality and protection things. So for example, we've seen stories now about Siri potentially being used as your very own wiretap witness against you, in criminal cases-- as she's recording in the background all the time. If you have Siri and you are a law firm, you really want to think about whether you are protecting any of your clients confidences, or preserving the attorney-client privilege.

Siri seems like an obvious one. One that's less obvious is smart televisions, that also record in the background. Do you have a TV that will respond to voice commands? Because it likewise is probably recording in the background. And it may be using that information. And you might have agreed to let it use that information. So I'd take a look at those.

TERESA J. VERGES: Yeah. The first time I heard that I got a little bit scared. I just bought a smart TV, but it's not the kind that you talk to. It's the kind that you can just click through, so I feel a little more comfortable about that. But that's right, it's all potentially someone is listening. So you have to be very careful about what you talk about those things.

JEFFREY JURY: Cell phones. I do know more than one lawyer who will not have a sensitive discussion with a client with a cell phone in the room. Is that because of the recording? Yes. Even if they're turned on, I know more than one lawyer-- some of whom are quite tech savvy-- who will not have a sensitive discussion if a cell phone is present. You can go put it in another room.

TERESA J. VERGES: Wow. Because we all have those things on.


TERESA J. VERGES: Yes, we do.

ELLEN SLIPP: I have one right here, in my purse-- right by my side.

TERESA J. VERGES: But anyway, this graph illustrates, again, the ABA is keeping track of the cloud computing technology stuff for us-- which states have actually issued opinion. And out of all 20 states that have provided some guidance on cloud computing, they say, it is fine. But what's interesting-- and the ABAs done this for us-- is put a nice little chart of each state, and a little summary of sort of the guidance that they are providing attorneys. And it's a lot of the common sense stuff. You know, make sure that you're using the paid service of Box, not the free service. Make sure that you've read about how they're protecting the data.

And an important one, that I think a lot of us forget about, is the ability to access your client files back. Let's assume you're going to change services. Or you become unhappy with Box, and now you want to use different service, you need to be able to get those files back, because that's your client confidential information.

NICOLE IANNARONE: Or they file for bankruptcy.

TERESA J. VERGES: Correct, exactly. Let's talk a little bit about the Wi-Fi. Is it OK to use free Wi-Fi at the airport, or at the PLI Conference, with that nice little password we got?

NICOLE IANNARONE: If it is unsecured, no. Everybody can see what you're doing. They can get your login credentials. If you're paying with something over credit card, they see your credit card number. They see all of your confidential communications, that you're having with your clients over email. I have a talk every year with my students, who love the Starbucks, and all of the coffee shops where they get their free Wi-Fi. And say, look guys, you will work on nothing related to the Clinic at any spot that has unsecured Wi-Fi. How can you fix it? Turn your phone into a hot spot. If you really have to send that email, or you really have to buy something online, or see what's going on, use your own device as a hot spot, for your computer to get into it.

I spoke on this topic about a year ago, at the PIABA Conference, with someone who knows way more about technology than I do. And he told me of a little trick he did one time, when he was sitting in a CLE session and was about to talk about information security. And he noticed that there were tons of lawyers in the room who had logged on to the unsecured hotel Wi-Fi, where the seminar was being held.

So what he decided to do is create is own free Wi-Fi hot spot, just to see how many lawyers would sign up. I think he got 50. And then he got up. And he said, hey, if you all logged into this "free" Wi-Fi that sounded like the hotel conference center name, that was actually me. And I could, if I wanted to, go back and look at everything that you just did while you were on that. And the room, jaws dropped, as he did that. And he has stopped doing it now, because he didn't want to freak out too many people, and actually get their information. But it's really easy to just say, I'm running a little low on data, let me log in to the unsecured Wi-Fi.

A $15 overage charge is far cheaper than having to call your client and say, hi, some of your confidential information related to a case was disclosed. Here's what was disclosed. Here's how it happened. I'm terribly sorry. Those conversations are not fun to have. But we have to have them, in our duty of communication with our clients. We owe them the confidentiality. If there is a breach to it, that we become aware of, we've got to talk to them about it.

TERESA J. VERGES: That's right.

JEFFREY JURY: You know, I've represented lawyers in a variety of circumstances. And like any other case, the explaining part is what I call a yes, but. Yes comma but-- which is one of my most important case evaluation tools and risk evaluators. You have to understand on all of this, are you reasonable? All right, that's a standard with which we're comfortable. But understand that if you're giving a deposition, or you're writing an explanation to the grievance committee, or you're writing an explanation to the client, that is a big yes, but. Yes, this is what happened, but here's my explanation.

And if you keep that in mind, instead of a binary standard-- was I reasonable, or was I not reasonable?-- understand that part of the process is explaining the yes, I did that, but.

TERESA J. VERGES: Now that we're talking a little bit about controls-- and Jeff, you talked about the telephone and text messages-- can you settle a case by an exchange of text messages?

JEFFREY JURY: So we have a year-old case from the State Court of Appeals in Austin, that involved the claim that a case was settled by exchange of text messages. It was decided on some other grounds, but it's an interesting question. What the court said in dicta was, well, I suppose that we're going to treat that like any other contract that doesn't have a writing. We're going to use, in this case, an estoppel analysis. Because the facts of that case were that somebody changed their position and did some things in reliance on that. So that looks like estoppel, and maybe that's where it goes. It looks like the law is right now-- at least where I think about it a lot-- is that nothing prohibits. You can settle a case by exchange of text mails, but it's a rather informal sort of approach.

So you get into issues like, is there reasonable reliance? Did something happen to confirm the agreement? Did somebody send an email, or write a paper letter, to say, this confirms what we said in our text mail exchange? And of course, that's even before we get to the issue about confidentiality.

ELLEN SLIPP: Why is that any different than a handshake and a verbal commitment to settle a matter? It's actually a little bit better, because you have some paper trail.

JEFFREY JURY: Or a silicone trail. You do have some kind of trail, at which you can look and say. Yes, I agree with you. I mean, it's just like any other non-written contract.

TERESA J. VERGES: Well, let's talk a little bit about emails then, because that's something that we all do all the time. I guess my first question is, are lawyers required to encrypt their emails? Jeff, do you have any thoughts on that?

JEFFREY JURY: It doesn't look like it. In the ethics opinion, from our ethics committee in Texas, there's a long list of things. If you think the NSA might be watching, if you think law enforcement is watching your client, if you think that the soon to be ex-spouse has the password-- if you think somebody else has the password, then maybe think about another way to communicate. So this gets back to the reasonable standard. Are you required to encrypt? I think the answer to that is, no, as long as you've taken precautions-- and you've at least asked.

For those of you who write letters to clients, or create client retention agreements, it's something that really ought to be addressed, in the client retention agreement-- about how we communicate. And if we communicate by email, here's how our system works. And if you're going to tell me where the body is buried, don't put it in the email-- if it's really sensitive.

Family lawyers tell me all the time that they have extensive rules with the client about how we communicate. And they always ask somebody else have access to this. I get emails from legal assistants and secretaries to lawyers all the time sending me arbitration discovery, sending me confidential mediation submissions. And OK, that person is a staff person, who has the same duties of confidentiality. But it still makes me a little nervous.

NICOLE IANNARONE: When we think about our clients-- you know, in the Clinic, we represent folks who are typically less tech savvy. And I think of my in-laws, who share an email account. It's really cute. It's Art and Sandy. So when I email Art and Sandy, I get both of them. Just like when I call, they each pick up a phone, and we all talk together. But the email is the same way. And we have to chat with our students. Say, before you send any emails about this potential matter, you need to inquire-- does anyone else also use this account? The number of people who actually share accounts, where it's not obvious from the name, is incredible.

And that also goes for corporate clients, as well. When I was in private practice, I had a number of executives who shared their email with their assistant, or assistants-- either the personal assistant, the work assistance, the person who managed all the homes and the properties. But you need to know who has access to it. Because if you're going to communicate in that way, you're waiving the privilege, very likely, by sharing case strategy. And you're violating the duty of confidentiality. So you've got to talk about it.

Sometimes your clients ultimately have the say, in how you communicate. But you do have to chat with them ahead of time, to work through those details.

TERESA J. VERGES: Not to mention, there are some people, clients, they want you to send them something at work. I mean, I think that they need to understand, before you go ahead and just hit the button Send, is that a lot of employers-- I mean, there's a lot of jurisdictions that have held employers-- if you're at their workstation, et cetera, they have the right to inspect those workstations. They have access to those workstations. They can take screenshots, and so on and so forth. So confidential information is sort of going to be put at risk and out there.

JEFFREY JURY: What about the financial advisor, the general manager? Or one of the very fun facts, and one of my hypotheticals in my mediation class-- somebody shows up at mediation with a spiritual advisor from California. Can that person participate? This is my spiritual advisor, who's helped me through this. I've had spiritual advisors show up at mediations in real life. I mean, that was what inspired the fact pattern and the problem. What do you do? What do you do with the people who aren't lawyers, who are showing up just to help, or just to offer a little support at your mediation?

TERESA J. VERGES: Well, we deal with a lot of elderly clients. And sometimes, also, folks that don't speak English. And they want to bring someone with them-- usually a son or daughter. And we make it very clear. We talk through the issues of privilege and confidentiality, our duty, et cetera. We have a document, that we've drawn up, that basically advises them of that. And at the end of the day, these are things that belong to the client. The client can waive that privilege.

And we have them sign it and acknowledge it, with the hope that if it ever became an issue we could try to convince a judge, or factfinder, or arbitrator that there was never an intention to waive a privilege here. This person needed someone there, because they are not comfortable with the language. Which is something that we certainly have an issue with, with a lot of Spanish speakers in Miami, and Creole speakers.

So those are things that we consider. You have to just advise them. At the end of the day, it's up to the client. Just a couple more points on email. And I wanted to leave a few minutes for social media, because that's something that we are all engaged in. But one is the oops factor-- hitting send to the wrong recipient. And that's usually because of auto correct. You start writing the name of someone-- and every time this happens it drives me crazy. Because you hit that Send. And all the sudden you see, wait, I didn't mean that person. So what are ethical obligations with respect to that? Nicole, you want to take that one?

NICOLE IANNARONE: Sure. I love the system that you guys have for sending external emails. Are you really sure you want to send it to this person? Because it probably will catch an email. This happens all the time. There was a story in the ABA journal a couple of months ago, about a lawyer who accidentally sent an email about an impending SEC investigation to a reporter at the Wall Street Journal, who had a very similar name to the person who was working on the matter at the SEC. And it was a nonpublic investigation. So yeah, that's not good. So you want to check, before you press Send, to make sure that you have the right name out there. Because that reporter was presumably not an attorney, and wrote about it.

Now, what responsibilities do lawyers have? When you receive information, that you know was inadvertently provided to you, the only duty we have, under Rule 4.4, is to notify the person who sent it. That's under the Model Rule. Different jurisdictions have different rules. So they sort of punt. And say, tell the person who sent it to you. But maybe you get to look at it. Maybe your duty of diligence and zealous representation means you need to read what's in it, if it's case strategy, and advise your client on it.

There's professionalism issues that come in, as well. Do you want to maintain a relationship with the other side, if you do that? So this has happened to me, where I've received some emails. I have, thank goodness, not sent any, that I'm aware of, to opposing parties, that relate to case strategy. When I receive them, I talk to a client about it. And say, look, somebody sent me something. I haven't read it. I think it could really damage what's going on if I do read it. And it's up to you, in our jurisdiction here in Georgia. But my advice is that we return it unread, and hope that if the same happens to us that they would treat it that way.

TERESA J. VERGES: We've already talked about metadata, so I'm going to skip that. And then, skip to this slide. But this was clarity-- all these materials are available, about certain things and suggestions, for email suggestions with your clients.

Let's talk about a couple of social media landmines-- lawyer blogs about clients. And maybe we've just got to give a couple of the stories, to get to the end. I think we're coming to the end here. How about posting a client's information, that is otherwise confidential, on a blog?

NICOLE IANNARONE: No go. It's not worth it. I think the next slide is one of my favorite stories ever. And I ask this when I teach legal ethics. Is a client's underwear confidential? Here's the story. These always come from Florida. I'm sorry, Terry. But Florida attorney decides to put out a Facebook post that says my client's family apparently thinks that-- photo of underwear-- is appropriate courtroom attire, hahaha. Believe it or not, this is confidential information. It's related to the representation. That's where I typically lose lawyers and law students. They go, come on, underwear, that's not a big deal. But it is, when you think about the relationship of trust. Do we think that this client could trust the public defender-- the lawyer who is helping him in a fight about whether he goes to jail or not? I think not, from that.

The lawyer thought she had a private Facebook account. Nothing is private. But one of her lawyer friends reported the story to the judge-- who kicked her off the case, and declared a mistrial. And she ultimately got fired for it, and disciplined by the Bar-- as she should. Because this is confidential. That's what we mean by related to the representation. It impacts the relationship of trust and confidence between the lawyer and the client. And it's a problem.

TERESA J. VERGES: And I have this one for you, Jeff. This was yours.

JEFFREY JURY: Yes. Claimant's counsels, plaintiff lawyers I know, increasingly are putting in their client retention letters, or their client agreements, that if you have a social media account that is grounds for withdrawal. Because of situations like this, where an $80,000 settlement did not get enforced. Because the settlement said, this is going to be confidential, except you can tell your financial advisors, your lawyer, and your spouse. The next day, the daughter puts out on social media to the Gulliver School, which was the defendant, that Mama and Papa Snay won their case against Gulliver. And Gulliver's paying for my vacation in Europe this summer. Suck it.

Now, the defenses by Dad were, it's not true. Because there wasn't a winning of the case. There was a settlement-- a confidential settlement.

And by the way, she didn't go on a European vacation. So this isn't true. So this doesn't mean you should not enforce the settlement.

Florida court didn't think it was funny. And said, sorry, your daughter did exactly what the confidentiality agreement said you would not do-- spouse, financial advisors, lawyers. So when this kind of stuff happens, I guess the takeaway is think about having, in your client contracts, something that talks about this. And again, the trend of the number of lawyers who are telling me that that's a ground for withdrawal, it sounds like a pretty good idea-- good way to build some armor.

TERESA J. VERGES: And on that note, we're two minutes over. I know. Thank you all.



  • twitter
  • LinkedIn
  • YouTube
  • RSS

All Contents Copyright © 1996-2018 Practising Law Institute. Continuing Legal Education since 1933.

© 2018 PLI PRACTISING LAW INSTITUTE. All rights reserved. The PLI logo is a service mark of PLI.