Ethical Obligations and Pitfalls of Working Remotely During the COVID-19 Pandemic

Many attorneys are now forced to work remotely due to the COVID-19 pandemic. This unprecedented situation presents new ethical pitfalls that lawyers must recognize and take steps to mitigate. Although many States have begun to re-open their economies, the COVID-19 pandemic is far from over. As of June 11, 2020, over 7,273,958 cases have been reported worldwide, including 413,372 deaths.1 Almost half of those cases (3,485,245) have been reported in the Americas.2

First and foremost is client confidentiality. With the increased use of meetings, cloud storage, and other remote electronic devices, the risk of accidental dissemination of client’s personal information has risen drastically. ABA Model Rule 1.6 governs confidentiality of information.

Rule 1.6 Confidentiality of Information:3

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:
(1) to prevent reasonably certain death or substantial bodily harm;
(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer's services;
(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client's commission of a crime or fraud in furtherance of which the client has used the lawyer's services;
(4) to secure legal advice about the lawyer's compliance with these Rules;
(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client;
(6) to comply with other law or a court order; or
(7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.4

1 Situation Report – 143, https://www.natlawreview.com/article/3-cyberattacks-and-3-practical-measures-lawyers-can-take-to-protect-themselves, WHO (last visited June 12, 2020).
2 Id.
3 ABA Rule 1.6.

In August 2012, the American Bar Association (ABA) amended Rule 1.6, adding a new subsection (c) to the confidentiality of information rule. The rule, as adopted, reads as follows: “A lawyer shall make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”5

In addition, comment [18] now elaborates that:

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g. by making a device or important piece of software excessively difficult to use).6

Lawyers have an affirmative duty to safeguard client information against unauthorized access, including cyber-attacks. A client may also require a lawyer to implement special security measures not specified by the rule, or to forgo security measures that would be required by the rule.7

In August of 2012, the ABA also added language to comment [8] of Rule 1.1, broadening the scope of a lawyer’s requirement to maintain competence. Keeping “abreast of changes in the law and its practice” now includes weighing “the benefits and risks associated with all relevant technology.”8 This means that lawyers utilizing email, cloud computing, data storage software, blogs, or any other technology have an ethical duty to learn and understand the risks associated with such technology.

These duties extend not only to individual lawyers, but to associate lawyers, support staff, and law firms. ABA Rule 5.1 provides that law firm partners (or any lawyer who individually, or together with others, possesses comparable managerial authority in a law firm) “shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”9

Conduct Related to the Practice of Law

Since the new addition to Rule 1.6, technology has become a fixture in the legal world. Lawyers can communicate with clients, co-workers, courts and opposing counsel through email, text message, and even social media. Rule 1.6(c) requires that lawyers take reasonable steps to ensure that these communications do not disclose information related to the representation of a client.

4 Subsection (b)(7) was added with the August 2012 amendments.
5 ABA Rule 1.6(c) (as amended).
6 ABA Rule 1.6 comm. [18] (as amended).
7 See id.
8 ABA Rule 1.1 comm. [8].
9 ABA Rule 5.1(a).

The addition of Rule 1.6(c) creates a relatively new and unknown ethical duty for lawyers embracing the world of technology. Some commenters have even gone as far as to say “[t]his is a monumental change that sets a new standard suggesting that lawyers are required to implement reasonable technological safeguards to prevent even an ‘inadvertent’ disclosure of a client’s information or data.”10

In recent years, this new ethical duty has been thrust into the spotlight by an increase in cyber-attacks on both large and small law firms. When lawyers are forced to work remotely, away from any digital safeguards which might be implemented in a law firm setting, they must take extra precautions to safeguard their client’s confidential information.

The Danger of Cyber-Attacks

In 2015, Panama-based law firm Mossack Fonseca was breached by a cyber-attack which leaked more than 11.5 million firm documents.11 This attack was one of the largest and most far-reaching law-firm cyber breaches in history. The breach led to a police raid and investigation as well as widespread political fallout. Iceland Prime Minister Sigmundur Gunnlaugsson resigned after accusations of fraud, while Spanish Minister of Industry Jose Manuel Soria resigned after the leak tied him to offshore investments in the Bahamas.12

The attack was not the result of a skilled attacker breaching high-tech firm security or an insider leaking access to the firm’s network. The attacker’s point of entry was through an exploitable weakness in Revolution Slider, a common web plug-in for blogging website WordPress.13 The weakness allowed attackers to easily gain access to Mossack Fonseca’s web server, where they could access and download data. In fact, Mossack Fonseca’s web server was not even behind a firewall, and was several months out-of-date.14

These rudimentary security errors led to one of the most egregious and far-reaching cyber-attacks in legal history, but have also served to alert lawyers to the dangers of cyber-attack and weaknesses in firm security. Keeping systems up-to-date, segregating sensitive information, and ensuring that basic security measures such as firewalls are in place can minimize the risk of such a massive breach.

Recent cyber-attacks have also breached several major firms in the United States. In 2016, Cravath, Swaine & Moore, one of the largest law firms in the United States, was breached by a cyber-attack. The hackers reportedly used the information gathered in the breach to make more than $4 million through illegal insider trading.15 Also reported as part of the 2016 breach was mega-firm Weil, Gotshal & Manges.16

10 Will Harrelson, Mobile Device Security for lawyers: How Solos and Small Firms Can Ethically Allow Bring Your Own Device, Curo Legal (Jul. 3, 2018 10:03 AM), https://www.curolegal.com/mobile-device-security-lawyers-solos-small-firms-can-ethically-allow-bring-your-own-device/.
11 See Julie Sobowale, 6 major law firm hacks in recent history, ABA Journal (July 3, 2018 10:46 AM), http://www.abajournal.com/magazine/article/law_firm_hacking_history?icn=most_read.
12 See id.
13 See Jason Bloomberg, Cybersecurity Lessons Learned From ‘Panama Papers’ Breach, Forbes (July 3, 2018 10:58 AM), https://www.forbes.com/sites/jasonbloomberg/2016/04/21/cybersecurity-lessons-learned-from-panama-papers-breach/#17a7442d2003.
14 See id.

In 2017, global firm DLA Piper was shut down for several days by a ransomware attack, which reportedly locked firm computers, encrypted files, and demanded payment for a key-code to regain access.17 DLA Piper employees were left without phones and email for three full days as a result of the attack, although it is not reported that any data was stolen.18

Although the headlines are filled with attacks on large firms, small firms and even boutique firms can be targets for cyber-attacks. As many as two-hundred cyber-attacks on U.S. law firms took place between 2016 and 2017, with 40% of the firms being unaware they had been breached.19 Many law firms are ripe targets for attack due to a lack of high-tech security and concentration of potentially sensitive data.

The fact that such large law firms, with devoted IT personnel, can become victims of cyber attacks should highlight the dangers facing solo practitioners and small firms. The ABA has reported that internet scams and phishing attacks have multiplied dramatically during the COVID-19 pandemic.20 These attacks come in many different forms: an e-mail from a “partner” at your law firm requesting help with a task, which turns out to be the purchase and transfer of a pre-paid VISA card; phishing scams involving new (fake) potential clients; or even something as simple as ransomware disguised as an important legal document. Indeed, even the federal stimulus package, which calls for emergency aid being given to both individuals and businesses, has opened scamming opportunities.21

The most common cyberthreats are phishing email scams and ransomware.22 Phishing email scams typically involve emails that impersonate a legitimate sender and fool the recipient into giving up information. Often, the email re-directs a user to a page where they must provide login credentials. In 2018, nearly 80% of law firms experienced phishing attacks.23 Recently, scammers claiming to be part of the World Health Organization sent phishing emails which asked the victim to open an attachment containing official information regarding COVID-19 precautions.24 In fact, by clicking the link, victims were installing key-logging software which could record credentials and other critical information. A similar e-mail scam claims to be from Amazon, asking you to sign in for a free bottle of hand sanitizer with your next purchase.25

15 See Sobowale, 6 major law firm hacks in recent history.
16 See id.
17 Debra Cassens Weiss, DLA Piper is hit by ‘major cyber attack’ amid larger hack spreading to US, ABA Journal (July 3, 2018 11:18 AM), http://www.abajournal.com/news/article/dla_piper_is_hit_by_major_cyber_attack_amid_larger_hack_spreading_to_us/.
18 Jnana Settle, 10 Law Firm Cyber-Attacks of 2017, Disruptor Daily (July 3, 2018 11:20 AM), https://www.disruptordaily.com/top-10-law-firm-cyber-attacks/.
19 Ian Lopez, DLA Piper Isn’t Alone – 40% of Law Firms Unaware of Breaches, ALM (July 3, 2018 2:17 PM), http://www.lawjournalnewsletters.com/sites/lawjournalnewsletters/2017/08/01/dla-piper-isnt-alone-40-of-law-firms-unaware-of-breaches/?slreturn=20180603141413.
20 Stephanie Francis Ward, How scams multiply during the COVID-19 crisis and why lawyers are not immune, https://www.abajournal.com/web/article/scams-multiply-during-covid-19-crisis-lawyers-are-not-immune, ABA Journal (last visited June 12, 2020).
21 Id.
22 3 Cyberattacks and 3 Practical Measures Lawyers Can Take to Protect Themselves, https://www.natlawreview.com/article/3-cyberattacks-and-3-practical-measures-lawyers-can-take-to-protect-themselves, The National Law Review (last visited June 12, 2020).
23 Id.

The next most common type of cyber-attack is ransomware. Ransomware, once installed, denies access to a computer system or other critical data.26 Typically, a victim’s device is infected with ransomware through phishing emails or another similar scam. The software prompts the victim to wire funds to the scammer in order to regain access to the compromised device.27 In many cases, even after the ransom is paid, access to the system is never restored.

Another recent development is “Zoombombing,” or, in other words, interrupting a Zoom meeting by exploiting security lapses within the program.28 The use of Zoom and other similar programs has drastically increased since the arrival of the COVID-19 pandemic. Monthly Zoom usage went from 10 million meetings in December 2019, to 200 million in March 2020, and the program remains the number one most downloaded app in the Apple and app stores.29

Finally, some COVID-19-related scams are targeting smartphones. In some cases, scammers send malicious text messages providing a link to an app which tracks the spread of COVID-19 in real time.30 Instead, when the app is downloaded, the scammers can listen through the victim’s microphone, watch through the smartphone camera, and even browse messages.31 This is all done through a customized version of a freely available smartphone app called “SpyMax.”32

Compliance with Rule 1.6(c) and Protection from Cyber-Attack

The plain language of Rule 1.6(c) does not define “reasonable efforts” or what specific measures are necessary. Comment [18] does provide several factors which courts might take into consideration in determining whether a violation of Rule 1.6(c) has occurred: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.33

Since the additions to Rule 1.6 were made in 2012, experts and commenters have discussed the appropriate security methods a lawyer must implement in order to have made “reasonable efforts” to safeguard client information.

24 Id.
25 Marc Saltzman, Coronavirus pandemic generates new fraud strains: COVID-19 scams on computers, smartphones, https://www.usatoday.com/story/tech/columnist/2020/04/04/coronavirus-scams-going-viral-attacking-computers-and-smartphones/2939240001/, USA Today (last visited 6/12/2020).
26 3 Cyberattacks and 3 Practical Measures Lawyers Can Take to Protect Themselves.
27 Id.
28 Jefferson Graham, Use Zoom? These 5 safety tips can keep the ‘Zoombombing’ hackers away, https://www.usatoday.com/story/tech/2020/04/02/how-to-keep-zoombombing-hackers-away-zoom-safety-tips/5113080002/, USA Today (last visited June 12, 2020).
29 Id.
30 Coronavirus pandemic generates new fraud strains: COVID-19 scams on computers, smartphones.
31 Id.
32 Id.
33 ABA Rule 1.6 comm. [18].

At a minimum, commenters agree that lawyers should ensure that firm employees are instructed on topics such as: 1) the need for strong passwords containing a mix of letters, numbers, and symbols; 2) encryption of information stored on hard drives, storage devices, and transmitted via email; 3) multifactor authentication that ensures data can only be accessed if a lawyer has a password and some other form of identification; 4) understanding how to avoid phishing scams; 5) the dangers of public computers and public Wi-Fi connections; 6) the risk of file-sharing sites; and 7) protecting against malware.34

Other experts suggest more extensive safeguards, including: 1) risk assessment to determine the threats to the firm’s client information; 2) appointing or naming a person or team in charge of information security; 3) employing procedures by which employees are evaluated based on compliance with policies and procedures; 4) implementing a disaster recovery and business continuity plan; 5) establishing procedures for auditing or assessing the effectiveness of firm security controls; 6) utilizing physical safeguards such as barriers, screens, and locking mechanisms for desks, offices, and filing cabinets; and 7) technical safeguards such as malware detection software, firewalls, and control of access to systems with client information through passwords or other authentication.35

Lawyers are not expected to become experts on cyber-security and every aspect of the technology utilized to aid in the practice of law. They are expected, however, to understand the risks associated with such technology, and to employ reasonable efforts to minimize the risk of inadvertent disclosure or unauthorized access to client information.

There are several simple, cost-effective ways to minimize risk of cyber-attacks. First, data encryption can make it significantly more difficult for hackers and scammers to intercept important client information. A virtual private network (“VPN”) encrypts data in a cost-effective, non-intrusive, and reliable way.36 Second, two-factor authentication can prevent unwanted access when credentials or other log-in information is intercepted by scammers. Two-factor authentication, typically in the form of a one-time password sent to the user’s device, adds a second layer of security which prevents a scammer from logging in with only the user’s credentials.37 In short, the user must physically possess the device in order to complete the two-factor authentication. Finally, investing in anti-phishing, anti-malware, and other data loss prevention tools can help minimize risk. Hackers are known to exploit old and known vulnerabilities – simply updating your software and installing up-to-date antivirus programs can help prevent unwanted intrusion.38

34 Richard B. Polony & Brendan J. McCartney, Is it Safe? Ethical Implications of Connectivity, 21 Fidelity L.J. 37, 56-58 (2015).
35 Drew Simshaw & Stephen S. Wu, Ethics and Cybersecurity: Obligations to Protect Client Data, ABA (July 3, 2018 1:28 PM), https://www.americanbar.org/content/dam/aba/events/labor_law/2015/march/tech/wu_cybersecurity.authcheckdam.pdf.
36 3 Cyberattacks and 3 Practical Measures Lawyers Can Take to Protect Themselves.
37 Id.
38 Id.

Now more than ever, lawyers must anticipate cyber-attacks on firms and even personal devices. Indeed, with ABA Model Rule 1.6 in mind, lawyers must make “reasonable efforts” to protect client data, whether it is stored on your firm’s server, your personal cell phone, or a box of files in the trunk of your car.

With respect to Zoom meetings, there are several simple ways to increase security and minimize risk. To safely use Zoom and other remote meeting applications, it is important to be wary of how scammers can take advantage of the programs. Invitations to Zoom meetings are almost exclusively sent out via a link to the specific meeting room. This makes it easy for scammers to utilize malicious links sent via e-mail. To avoid using these links, Zoom allows users to log in with a meeting ID and password, eliminating the need to click any links.39

The “screen sharing” settings are another way that scammers can infiltrate a Zoom meeting. The host can adjust these settings in the bottom right corner of the Zoom meeting screen so that no other users may share their screens during the meeting, helping to eliminate any unwanted intrusions.40

Finally, Zoom allows the use of “waiting rooms,” which act as a barrier to anyone attempting to join the meeting. Under a user’s account settings, “waiting room” options can be accessed. Once turned on, waiting rooms will become the default for all future meetings.41 Users who attempt to enter the meeting will be placed in the “waiting room” until entry is approved by the host, providing a simple but effective screening process to eliminate “Zoombombers.”

In many cases, simple common sense will allow users to avoid these scams. It is important to think before you click, never open attachments or emails from unknown senders, and familiarize yourself with the latest scams so that both your personal information and your client’s information are adequately protected.

Other Ethical Ramifications of Working Remotely

Since the outbreak of COVID-19, many State and local Bar Associations have issued ethics opinions regarding ethical obligations for lawyers working remotely.

One oft-cited rule is ABA Model Rule 1.1: Competence, which provides that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”42 This means that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements.”43

As a result, lawyers have a clear ethical obligation to familiarize themselves with relevant technology, such as Zoom meeting software or other remote work applications.

39 Id.
40 Id.
41 Id.
42 ABA Rule 1.1.
43 Id., Comment [8].

ABA Model Rule 5.1: Responsibilities of a Partner or Supervisory Lawyer provides that “[a] partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”44

Indeed, the fact that some or all lawyers associated with a firm may be working remotely does not eliminate the responsibility that partners or supervisory lawyers ensure conformity with the Rules of Professional Conduct. In the present situation, this rule may even be more important than ever before. Without everyday office interaction, it is much easier to lose track of what colleagues, paralegals, and other support staff are working on each day. This includes ensuring that other lawyers comply with Rule 1.6 while working from home or another remote location.

ABA Model Rule 1.4: Communications, provides that a lawyer shall:

(1) Promptly inform the client of any decision or circumstance with respect to which the client’s informed consent . . . is required;
(2) Reasonably consult with the client about the means by which the client’s objectives are to be accomplished;
(3) Keep the client reasonably informed about the status of the matter;
(4) Promptly comply with reasonable requests for information; and
(5) Consult with the client about any relevant limitation on the lawyer’s conduct when the lawyer knows that the client expects assistance not permitted by the Rules of Professional Conduct or other law.45

Additionally, “[a] lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”46 Although quarantine and remote work may provide some challenges to efficient communication with clients, it does not relieve a lawyer’s ethical duty to keep clients informed about the status of their legal matters. With many matters being adjourned, time-limitations being tolled, and other unprecedented actions taking place, it is critical that lawyers inform their clients of the status of important matters.

Conclusion

The COVID-19 pandemic has caused unprecedented disruption for millions of people, including lawyers and their clients. Even without access to their physical offices and courtrooms, lawyers are still bound by the Rules of Professional Conduct. The protection of clients’ confidential information is now more important than ever, and it is every lawyer’s responsibility to familiarize themselves with their obligations in light of COVID-19 and adapt to the new world of quarantine, face masks, and Zoom meetings.

44 ABA Rule 5.1(a).
45 ABA Rule 1.4(a).
46 Id. at (b).

It is equally important to ensure your own wellness and the wellness of your colleagues during these difficult times. This profession is already afflicted with higher rates of mental health issues, including depression and alcoholism, than the public at large. The present situation only stands to exacerbate these issues. While continuing to abide by your ethical obligations, please do not forget yourself, your family, and your colleagues who continue to be isolated.
