A Federal Court judge recently told me that when he asked the lawyer about the ESI (Electronically Stored Information) in his matter, the lawyer replied there wasn’t any. When the judge asked if there were going to be any e-mails that he’d be producing, the lawyer said, “yes, but that’s not ESI.”
Given the readily available technology that greatly increases security of client data, eDiscovery review technology that substantially reduces overall review time and costs by surfacing more relevant data faster, and the general availability of free eDiscovery education and resources, the question becomes whether a lawyer may be brought up on ethics violations or potentially face malpractice charges for intentionally or negligently (by virtue of her ignorance) failing to employ the appropriate technology.
I had the opportunity to sit down over a cup of coffee with Dennis Rendleman, Ethics Counsel at the American Bar Association, Center for Professional Responsibility, in Chicago one cold afternoon this past winter. Besides having a wonderful conversation with Dennis on a broad range of issues, I tested my hypothesis out on Dennis. Ultimately, he said that if I add “maybe” and “could be” to my hypothesis, rather than “shall” or “will,” the answer “might be,” “potentially,” and “possibly,” under the right set of facts – yes!
Of course, this answer reminds me of a quote by Jeremy Bentham, the famed English philosopher, who once said: “Lawyers are the only persons in whom ignorance of the law is not punished.” And yet, if we hold litigants to the maxim of ignorantia juris non excusat, shouldn’t we, as lawyers, apply it to ourselves as well when it comes to cybersecurity and eDiscovery technology?
To answer this question, I always like to start with Rule 1.1 of the ABA Model Rules of Professional Responsibility. It states:
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
But then the question becomes how do you define competence as it relates to relevant technology? To answer this, Comment 8 is our guiding light. It states:
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject” (emphasis added).
In other words, irrespective of the expertise that may be required in a matter, if the lawyer is not keeping up with the “benefits and risks” associated with “relevant technology” in eDiscovery, then she may not be considered competent in that particular matter. These highly probative phrases were added in 2012. Interestingly enough, since 2012, 36 states in the country have modified their own ethics rules to include the same or substantially the same verbiage.
Still, when does an attorney become subject to a potential ethics violation for not understanding the “benefits and risks associated with relevant technology”? If we dig deeper, would any of the following examples potentially subject a lawyer to an ethics violation?
- What if an attorney chooses to work out of an overpriced coffee shop with free WIFI? Could we say that her failure to use a VPN and a privacy screen on her laptop potentially exposed her client’s data because she didn’t understand the risks of using free WIFI and the equal risks of “shoulder surfers” in the cafe? There’s a fascinating discussion on this topic in Ethics Opinion 2010-179, written by California’s State Ethics Board.
- What about the lawyer who said he uses the same Dropbox account to store his family photos and personal documents as his Motion for Summary Judgment and client data? The lawyer didn’t see any information governance or security issues, or even understand why attorney-client privilege may have been potentially pierced if his personal Dropbox account were to be hacked. (There’s a wonderful conversation to be had here that starts with a deeper understanding of Rule 1.6(c).[i])
- Could a reasonable person not argue that a lawyer negligently or intentionally overbilled her client by failing to understand (and therefore leverage) newer eDiscovery technology that may reduce the overall review time and substantially cut costs by finding the most relevant documents faster?
- What about an attorney who says they specifically chose not to digitize old asbestos documents because by doing so, it would make the data more easily accessible and text searchable to the other side?
Given the advancements in technology as a result of the sheer volume of data that is being created today, it is imperative that every lawyer either understand the basics of cybersecurity and eDiscovery technology or work with another lawyer to ensure compliance with the Federal Rules of Civil Procedure (FRCP) and the Federal Rules of Evidence (FRE) (or her particular state’s analogous laws). Additionally, she can become knowledgeable by seeking the input and advice of her Litigation Support staff, CISO or IT Director, eDiscovery paralegal, and/or trusted service providers, and make the appropriate decisions from there.
Deliberately choosing to put one’s head in the sand is not a tactic that pays off in the long run. Courts have been increasingly chastising lawyers for not paying attention to “relevant technology.” In fact, a whole post could be written on every judge throughout the country who has lambasted (and sanctioned) lawyers in case law for not understanding eDiscovery. Why chance it? Take advantage of free education through ACEDS, attend free webinars, and partner with your litigation support team and your trusted service provider to ensure that ignorantia juris non excusat doesn’t translate into a potential ethics violation – or possibly worse.
[i] See Rule 1.6(c), which requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 17 says that a “lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Comment 18 says lawyers must take “reasonable precautions to prevent the information from coming into the hands of unintended recipients.” Comment 19 really sums it all up: a “lawyer must make reasonable measures to ensure the inadvertent disclosure.” Jill Rhodes, the chief information security officer for Trustmark Companies, once said that the “biggest factor that makes law firms of all sizes vulnerable to a cyber-attack is insider ignorance.” All it takes is to step away from your computer without locking it or working on sensitive client information while using the free WIFI at your local coffee shop where the system is “very exposed and makes law firm data vulnerable.” https://www.law360.com/articles/464016/big-law-firms-are-most-vulnerable-to-hackers-aba-panel