TECHNOLOGY & ETHICS Association of Corporate Counsel © 2014 AGENDA Technology & Competence (ABA Model Rule 1.1) Technology & the Duty of Confidentiality (ABA.


TECHNOLOGY & ETHICS
Association of Corporate Counsel
© 2014
AGENDA
Technology & Competence (ABA Model Rule 1.1)
Technology & the Duty of Confidentiality (ABA Model Rule 1.6)
Receiving Counterparty’s Metadata (ABA Model Rule 4.4)
Outsourcing & Cloud Computing (ABA Model Rule 5.3)
Social Media (still being chartered…)
WHAT’S NEW?
• August 2012 – ABA modernizes model rules of professional
conduct
• Six new technology-related changes, including modifying
definition of writing to include “electronic communications”
• Topics addressed include: competence, confidentiality, and
outsourcing
• California – has addressed each of these issues through formal
opinions; although has not adopted ABA Model Rules, California
Bar is trendsetter in this space
Not in scope: Technology and Client Development
“An attorney’s obligations under the
ethical duty of competence
evolve as new technologies develop and then
become integrated with the practice of law.”
California State Bar Formal Opinion Interim No. 11-0004 (Feb. 28, 2014)
(related to ESI and discovery request)
For IHC, where is tech competence relevant?
• Responding to discovery
• Choosing to store client information in a cloud
• Advising on compliance with data privacy regulation
• Managing cyber and warrantless surveillance risks
• Managing corporate information flows
• Advising on document retention policies
• Sending & receiving documents with metadata
• Leveraging technology to lower department costs
• Advising on social media for investigations, hiring, etc.
Proficiency needed may vary.
TECHNOLOGY & COMPETENCE
ABA Model Rule 1.1:
“Competent representation requires
the legal knowledge, skill, * * *
reasonably necessary for the
representation.”
Comment [8] (new):
“To maintain the requisite
knowledge and skill, a lawyer
should keep abreast of changes
in the law and its practice,
including the benefits and risks
associated with relevant
technology…”
Takeaways on competence
• Not a new obligation
• IHC should understand how
technology works
• We can still rely on
consultants and IT experts
However–
• Remember, we have the big
picture
• Legal analysis of technology-related decisions is key
TECHNOLOGY & CONFIDENTIALITY
ABA Model Rule 1.6(c) (new):
“A lawyer shall make reasonable
efforts to prevent the inadvertent
disclosure of, or unauthorized
access to, information relating to
the representation of a client.”
Earlier focus was simply:
“A lawyer shall not reveal
information relating to the
representation of a client * * *.”
ABA Model Rule 1.6(a).
ABA Model Rule 1.6(c)
Why?
• Guidance on duty to safeguard
• Confi concerns with ESI
Possible situations
1. Email sent to wrong person
2. Legal dept. or lawyer’s account is hacked
3. Employee releases info without authorization
California State Bar, Formal Opinion No. 2010-179 (recognizing duty to prevent)
ABA Formal Opinion 11-459 (2011) (duty to protect confidentiality of email communications)
Reasonableness from two angles
Does IHC have a legal duty to safeguard?
• Confi agreement?
• Other applicable law?
As part of ethical duty, are efforts to safeguard reasonable?
• Sensitivity of information
• Likelihood of disclosure
• Cost
• Difficulty of implementation
• Adverse impact on representation? (e.g., too difficult to use software or equipment)
• Client consent?
Spotlight: Warrantless surveillance?
• Resulting ethical questions:
– Privacy expectation: Can IHC no longer reasonably expect
certain communications to be private?
– Confidentiality: Must we protect against warrantless surveillance
as part of the reasonable efforts to prevent inadvertent disclosures?
– Privilege: Must we protect against warrantless surveillance to
intend that a communication be made in confidence?
• It depends:
– Type of information at issue, the client’s business, significance of
risk, and other factors…
HYPO 1 – Inbox always full!
• Situation: In-house counsel’s work is never done at the end of the day. In-house counsel just received information from the compliance team that an employee may be offering bribes to public officials to secure company contracts.
• Action: The employee forwards the relevant documents and emails, including the name and other data on the suspected employee, to a personal email account so that he can spend the rest of the night working on the issue. This is much easier than trying to log back in through VPN. And the home network is password protected.
• Issue: Is the in-house counsel meeting the ethical obligation to make reasonable efforts to prevent inadvertent disclosure?
Takeaways on confidentiality
• Assess risks of handling
information – systemically &
matter specific
• “Reasonable efforts” for
ethical duty; business need
may require more
• Analyze separately from
other legal obligations
• And yet, consider third party
best practices (e.g. NIST
Cybersecurity Framework)
Either way, add value!
RECEIVING COUNTERPARTY’S METADATA
ABA Model Rule 4.4(b):
“A lawyer who receives a
document or electronically
stored information relating to
the representation of the
lawyer’s client and knows or
reasonably should know that
the document or electronically
stored information was
inadvertently sent shall
promptly notify the sender.”
ABA Model Rule 4.4(b)
Triggers
• Must know or should know ESI sent inadvertently
• Relates to representation
• “Inadvertently sent”
– ESI itself
– Info that includes ESI
Obligations
• Notify sender
• No need to send back
• You can read metadata
But avoid using special forensic software to access it
HOWEVER: in California, no duty to notify. Sender must exercise reasonable care
Oregon State Bar Formal Opinion 2011-187
HYPO 2 – Seal the deal!
• Situation: In-house counsel is negotiating a joint venture agreement with a real estate company. The deal would include the acquisition of critical IP assets that are difficult to value.
• Action: The counter-party sends the in-house counsel an iteration of the acquisition agreement that includes metadata showing an internal back and forth on pricing and other potentially privileged commentary.
• Issue? Can in-house counsel use the information to get the best deal for the client without notifying the counterparty?
OUTSOURCING & CLOUD COMPUTING
ABA Model Rule 5.3
“With respect to a nonlawyer employed
or retained by or associated with a
lawyer: * * *
(b) A lawyer having direct supervisory
authority over the nonlawyer shall make
reasonable efforts to ensure that the
person’s conduct is compatible with the
professional obligations of the lawyer;
* * *.”
ABA Model Rule 5.3
What’s new
• Comment clarifies that rule applies to nonlawyers outside dept.
– Investigators
– Paraprofessionals
– Document management
– Printing or scanning co.
– Internet-based svcs
• Comment includes monitoring responsibility
When are efforts reasonable?
Depends on–
• Nonlawyer’s education,
experience and reputation
• Nature of services
• How client information is
protected
• Legal & ethical environments
of jurisdictions
New Hampshire Bar
Opinion 2011-12/5 (2011)
Cloud Computing
• Ethics rules allow it
• It’s a form of outsourcing
• Exercise reasonable care to
protect confidentiality of
client information
• States largely agree that
reasonable care required
WSBA Advisory Opinion 2215 (2012)
HYPO 3 – We need cutting edge!
• Situation: GC determines that the widely dispersed legal team needs a more efficient way to communicate real time to serve the client. Additionally, legal documents – including contracts, advice memos, and board documents – need to be stored and properly catalogued in a central repository with tiered access rights.
• Action: GC is poised to hire an innovative start-up that would provide a custom solution at a competitive cost.
• Issue: Is there anything the GC needs to consider before signing the deal?
States may require a mix of precautions…
• Stay abreast of best practices
• Depending on sensitivity of data, get client consent
• Heed client instructions
• Understand provider’s security controls
• Periodically review security measures
• Have enforceable confi agreement
• Get notice of breach
• Ensure access to client data
• Delete data & return to client when not needed
• Ensure back-up strategy
• Consult expert as needed
E.g. New Hampshire State Bar Opinion 2012-13/4 (Cloud Computing)
Takeaways on outsourcing
• Give appropriate instructions to nonlawyers.
• If directing outside counsel to use certain vendors,
agree on who is monitoring the vendors.
• Ensure nonlawyers in non-US jurisdictions
understand your professional obligations.
• Remember, cloud computing is a form of outsourcing
– so the same standards of diligence apply.
SOCIAL MEDIA
A few rules of thumb–
• Check it for public info
• Preserve it as evidence
• Avoid using it to deceive
• Don’t share confi info on it
Oregon State Bar Formal Opinion 2013-189
New Hampshire Bar
Opinion 2012-13/05 (2013)
New York City Bar
Opinion 2010-2 (2010)
Philadelphia Bar
Opinion 2009-02 (2009)
PRACTICE TIPS FOR IN-HOUSE COUNSEL
1. Understand benefits & risks of relevant technology.
2. Take reasonable steps to protect client information from inadvertent disclosure.
3. Know that discovering metadata in your documents may trigger notification requirements.
4. Understand and plan for risks with cloud computing.
5. Know who is monitoring nonlawyer assistance and communicate your professional obligations.
6. Exercise care and diligence with social media.
THANK YOU!
Association of Corporate Counsel
Large Law Department