Ethics And Technology: Recent Developments And Potential Risks That No Lawyer Should Ignore
Prepared in connection with a Continuing Legal Education course presented at New York County Lawyers’ Association, 14 Vesey Street, New York, NY scheduled for October 28, 2015
Program Co-sponsors: NYCLA’s Ethics Committee and NYCLA’s Cyberlaw Committee
Faculty: Joseph Bambara, UCNY, Co-Chair, NYCLA’s Cyber Space Law Committee; Carol Buckler, New York Law School; James B. Kobak, Jr., General Counsel, Hughes Hubbard & Reed LLP; Pery Krinsky, Krinsky, PLLC; Peter Micek, Access Now; Jonathan Stribling-Uss, Constitutional Communications
This course has been approved in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 3Transitional and Non-Transitional credit hours: 3 Ethics.
This program has been approved by the Board of Continuing Legal education of the Supreme Court of New Jersey for 3 hours of total CLE credits. Of these, 3 qualify as hours of credit for ethics/professionalism, and 0 qualify as hours of credit toward certification in civil trial law, criminal law, workers compensation law and/or matrimonial law.
ACCREDITED PROVIDER STATUS: NYCLA’s CLE Institute is currently certified as an Accredited Provider of continuing legal education in the States of New York and New Jersey.
Information Regarding CLE Credits and Certification
Ethics and Technology: Recent Developments and Potential Risks that NO Lawyer Should Ignore
October 28, 2015; 6:00 PM to 9:00 PM
The New York State CLE Board Regulations require all accredited CLE providers to provide documentation that CLE course attendees are, in fact, present during the course. Please review the following NYCLA rules for MCLE credit allocation and certificate distribution.
i. You must sign-in and note the time of arrival to receive your course materials and receive MCLE credit. The time will be verified by the Program Assistant.
ii. You will receive your MCLE certificate as you exit the room at the end of the course. The certificates will bear your name and will be arranged in alphabetical order on the tables directly outside the auditorium.
iii. If you arrive after the course has begun, you must sign-in and note the time of your arrival. The time will be verified by the Program Assistant. If it has been determined that you will still receive educational value by attending a portion of the program, you will receive a pro-rated CLE certificate.
iv. Please note: We can only certify MCLE credit for the actual time you are in attendance. If you leave before the end of the course, you must sign-out and enter the time you are leaving. The time will be verified by the Program Assistant. Again, if it has been determined that you received educational value from attending a portion of the program, your CLE credits will be pro-rated and the certificate will be mailed to you within one week.
v. If you leave early and do not sign out, we will assume that you left at the midpoint of the course. If it has been determined that you received educational value from the portion of the program you attended, we will pro-rate the credits accordingly, unless you can provide verification of course completion. Your certificate will be mailed to you within one week.
Thank you for choosing NYCLA as your CLE provider!
New York County Lawyers’ Association Continuing Legal Education Institute
14 Vesey Street, New York, N.Y. 10007 • (212) 267-6646
Ethics and Technology: Recent Developments and Potential Risks that NO Lawyer Should Ignore
Wednesday, October 28, 2015 6:00 PM to 9:00 PM
Program Co-sponsors: NYCLA’s Ethics Committee and NYCLA’s Cyberlaw Committee
Faculty: Joseph Bambara, UCNY, Co-Chair, NYCLA’s Cyber Space Law Committee; Carol Buckler, New York Law School; James B. Kobak, Jr., General Counsel, Hughes Hubbard & Reed LLP; Pery Krinsky, Krinsky, PLLC; Peter Micek, Access Now; Jonathan Stribling-Uss, Constitutional Communications
Ethics and Technology
Ethics and Technology
Presentations on technology and risks for lawyers and clients including:
− ABA Ethics Rules Overview
− Email/SMS: Ethical and security issues
− Cloud: Keeping client data safe and confidential
− Social Media: Lawyers Ethical Do’s and Don’ts
− Where can lawyers get affordable service and help
Ethics and Technology
Competence in the digital age requires something new: An understanding by lawyers of developments in technology that affect both lawyers’ cases and the manner in which lawyers practice.
Developments in technology
Ethics and Technology: Data
Ethics and Technology : Client Data
Sources of the new data
NYCLA Ethics and Cyber Space Law
Ethics and Technology: Client Data
How did this emerge so quickly: Server Farms (Amazon, Google) and Open Source Software and Database Management and new technology HTML5, JAVA and inexpensive outsourced developers
Ethics and Technology: Client Data
Inexpensive Cloud Computing, Open Source Software and Database Management have spawned Big Data
90 percent of the data in the world today has been created in the past two years.
Ethics and Technology: Client Data on Mobile Devices
A mobile device is a hand sized computing device with a display screen with touch input or a miniature keyboard. iPhone, Android, iPad and Blackberry are common mobile devices.
Mobile phone offer advanced capabilities beyond average cell phone, often with PC-like functionality. A mobile device (phone, pad) runs a complete operating system software providing a standardized interface and platform for application developers with an array of input and output options including keyboard, touch screen, voice recognition, camera/scanner
These devices with their array of capabilities and ease of transporting are in some ways more capable than a laptop/desktop computer
Ethics and Technology ABA Ethics Rules Overview
TECHNOLOGY AMENDMENTS TO THE MODEL RULES: COMPETENCE, CONFIDENTIALITY, AND OUTSOURCING
A lawyer’s duty to provide competent representation. Model Rule 1.1 states: “A lawyer shall provide competent representation to a client.
Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
A Comment (#8) to Rule 1.1 addressing competence now includes the following highlighted clause: “ To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
This provision requires lawyers to better understand any advances in technology that genuinely relate to competent performance of the lawyer’s duties to a client.
Email/SMS: Ethical and security Issues
The duty of confidentiality owed by lawyers to their clients is one of the foundations of the attorney-client relationship.
Generally, this duty is memorialized in ABA Model Rule of Professional Conduct 1.6., which states in part that a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, or the disclosure is impliedly authorized in order to carry out the representation, with certain exceptions listed in Rule 1.6(b).
Lawyers should instruct clients to avoid using workplace devices or systems for sensitive or substantive communications between lawyer and client.
According to the opinion, the duty of a lawyer to so advise the client arises as soon as the lawyer knows or reasonably should know that the client is likely to send or receive substantive lawyer-client communications via electronic means “where there is significant risk” that the communications will be read by a third party.
Email/SMS: Ethical and security Issues
There are two alternatives for securing your digital communications: secure portals and encryption.
A secure portal is a website you can only connect to via HTTPS that holds any messages (and often, files) you want to give someone else access to. For example, you would log in, type a message to your client, and hit send. Your client would get an email letting them know they have a message, which they would have to log in to get. A secure portal is cumbersome, but it is an effective extra layer of security. (It is also a good idea if you are representing employees and worry about them reading emails from you at work.)
Some secure portals include Clio and My Case, which send notifications by email, but do not include the substance of the message.
Another, higher-security option is encrypting your emails. This works, but it is even more cumbersome than a secure portal, and you will have to train your clients to do it properly. Still, if you want to secure your communications, email encryption works.
Ethics and Technology
Email/SMS: Ethical and security Issues
Another, higher-security option is encrypting your emails.
FIREFOX ThunderBird w Enigmail and PGP
Ethics and Technology
Email/SMS: Ethical and security Issues
Encrypted Email and Document Exchange services offer secure messaging and document exchange, for when you need to ensure that communications with your clients or others are encrypted and safe from prying eyes.
Dialawg (www.dialawg.com) provides encrypted communications specifically for attorneys. Files and messages are sent over an encrypted SSL channel. All data is encrypted and stored in Dialawg’s private network, and recipients can view the files or messages securely via the web, Outlook, an iPhone or other device. The basic service is free, with messages costing $.20 per recipient. Bronze, Silver and Gold levels range from $3 to $48 per month.
RPost (www.rpost.com) provides a registered email service with encrypted delivery of email and compliance with HIPAA, FSA and other privacy regulations. Services include registered email, electronic signatures and email encryption with document archiving. Pricing ranges from $79 per month for 100 units per month to $9,750 per month for 25,000 units per month.
ZixCorp (www.zixcorp.com) will send an encrypted email directly into a recipient’s inbox as an HTML attachment within a plain-text email. Users click on the email attachment and enter a password, after which the message is decrypted in an Internet browser. Stored messages are encrypted. Call for pricing information.
Cloud: Keeping client data safe and confidential
Keeping client data secure should be a primary focus for every attorney. As long as any type of data is connected to the Internet, whether it sits on a server in the law firm’s office or resides in the cloud, it is still vulnerable to hackers. Cloud-based services often have better security than all but the largest law firms can support.
A dedicated cloud provider can offer the most up-to-date operating systems, enterprise-grade firewalls and frequently updated patches and anti-virus software to thwart the constantly changing approaches that sophisticated hackers develop. Along with virtual precautions, attorneys should look for partners that offer different levels of physical security at their sites, such as requiring badges, keys and codes for those on the premises. They should also specifically ask about data encryption.
Through a cloud-based approach, law firms can also improve disaster recovery with extra layers of redundancy and protection. When data is stored in the cloud, supported across multiple locations, firms can insulate themselves against the loss of important information if one site is compromised.
With the rise of laptops, tablets and smart phones, many attorneys and office staff take advantage of access and flexibility to work away from the office.
Cloud: Keeping client data safe and confidential
The ABA Rules of Conduct, as well as most state ethics rules, have concluded that using cloud computing applications to store client data aligns with professional obligations as long as attorneys practice some due diligence.
Several ABA Model Rules are relevant to attorney duties and obligations around cloud storage. They include:
Model Rule 1.1
Under this rule, lawyers must provide “competent” representation to their clients. That means lawyers must have enough knowledge about cloud computing and their specific providers to adequately safeguard their clients’ data.
Model Rule 1.6
Lawyers also must protect the confidentiality of their client information. With recent data breaches, attorneys should be particularly thoughtful about the cloud services they utilize to store any type of client information.
Cloud: Keeping client data safe and confidential
Cloud Storage allows you to access files and documents from any computer with an Internet connection, as well as share them
DropBox (www.dropbox.com) installs a simple folder on all of your computers; then just move your files into that folder, and they are nearly instantly synched to a cloud location Dropbox for storage of confidential documents, due to encryption issues. But it is the best online document manager for nonconfidential records.
Box.net (www.box.net), like Dropbox, provides tools to manage users, security and permissions, for rolling documents out to a larger group of employees.
NetDocuments (www.netdocuments.com) allows you to create your entire folder structure in the cloud. All your files are completely searchable online, and you can easily import email from Outlook into your account. NetDocuments also provides a records management function to automate the retention periods of certain types of documents.
Worldox (www.worldox.com), best known for its standalone software product, now offers Complete Cloud, which provides the same Worldox document management service, but with no software to install or upgrade, or servers to purchase, call for pricing information.
Social Media: Lawyers Ethical Do’s and Don’ts’s
These rules include:
ABA Model Rule 7.3 Solicitation of Clients. Attorneys need to be aware of what is considered a unauthorized solicitation of a client using social media. For example, a solicitation would include a LinkedIn “invitation”, from an attorney to a non-lawyer with no pre-existing relationship, to provide legal services.
ABA Formal Opinion 462. Attorneys should not make the assumption that
friending a judge on social media complies with the jurisdiction’s code of ethics.
ABA Duties to a Prospective Client 1.18. Communication with a non-lawyer may give rise to an attorney-client relationship. Attorneys must be aware that they could inadvertently create this relationship.
ABA Model Rule 5.5 Unauthorized Practice of Law and ABA Model Rule 8.5 Disciplinary Authority. A lawyer must be cautious when posting on social media because it can be accessed by any person in any geographical location. These types of communications may not be allowed under the ethical guidelines of the jurisdiction in which the non-lawyer resides.
Social Media: Lawyers Ethical Do’s and Don’ts’s
Based on the case law that is emerging concerning social media, there are several key “do’s” and “don’ts” that every attorney should know:
instruct your clients to preserve discoverable social media information
instruct your clients to refrain from discussing ongoing litigation on social media
conduct inspections of the social media profiles of opposing counsel and parties
do not serve the providers of social media platforms with civil discovery
do not “fake friend” opposing parties or witnesses
research the social media footprint of potential and actual jurors
do not fail to properly authenticate social media information for use at trial
follow the ethical code regarding social media responsibility in your state’s ethics rules
NOW For a Deeper Dive into need to understand the Recent Developments and Potential Risks That NO Lawyer Can Ignore
Addressing the data insecurity crisis with Attorneys
Attorneys, and the private sector as a whole, are facing a crisis of data insecurity. The 2014 Ponemon Data Breach Study interviewed 1166 Information Technology (IT) professionals and 1110 end user employees in a representative cross section of public and private entities in the US and Europe. They concluded that 67 percent of IT Professionals self-reported their organization experienced the loss or theft of company data over the past two years and only 22 percent of employees reported that their organization was able to tell them what happened to lost, data, files, or emails.
There are a number of steps that attorneys must take to address concerns about data security of their organizations or clients. Unified security planning and encryption are the most important first steps. This article addresses the current legal and ethical requirements for Attorneys to engage with digital technology, with a focus on the default encryption of client data.
Both Nevada and Massachusetts have legally mandated encryption as part of their consumer protection regulations. The Massachusetts Attorney General has been very active in enforcing consumer data protection. In July 2014, the Attorney General, enforced a civil penalty of $150,000 against the Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it lost unencrypted data. This legal action demonstrates that the Massachusetts Attorney General is aggressively engaged enforcing both Federal and Massachusetts information security law against out of state entities who insecurely store the personal data of Massachusetts residents. Massachusetts information security law, M.G.L. c. 93H, applies to “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”. The law applies to all private businesses including lawyers and law firms and requires a written organization wide security plan that includes “to the extent technically feasible, . . . encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.” The organizational program also must include “[e]ncryption of all personal information stored on laptops or other portable devices.” Covered “personal information” includes Social Security numbers, driver’s license numbers, state- issued identification card numbers, financial account numbers and credit card numbers. This law has been enforced against out-of-state businesses having sufficient minimum contacts with the Commonwealth of Massachusetts.
Nevada also has a robust data protection law with two principal sets of provisions. First, Nevada gives the Payment Card Industry Data Security Standard (“PCIDSS”), an industry standard developed by a private rulemaking body, the force of law in the state. The PCIDSS aspect of the law requires all data collectors doing business in the state that accept a payment card in connection with a sale of goods or services maintain the personal data securely. The second set of provisions requires encryption of personal information during electronic transmission or while in storage on data storage devices. The transmission provisions of the law require that a “data collector doing business in this State to whom subsection 1 does not apply [i.e., that is not required to comply with the PCIDSS] shall not . . . [t]ransfer any personal information through an electronic, non voice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission.”
In addition to state mandated legal schema, Attorneys have a clear ethical responsibility to protect client information. Rule 1.6 of the Model Rules of Professional Responsibility states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” As the comments to the section reads, the “fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.” In 2012 the ABA modified the language of the applicable rule to impose an explicit obligation on attorneys to take positive steps to protect the confidentiality of information concerning their clients and cases. Each state bar has its own interpretation of how to define “reasonable effort.” Pennsylvania’s state bar, for example, has defined reasonable effort in a way that specifically encourages attorneys to regularly use encryption to protect their clients.
Business people are already transitioning to encryption en masse. A global survey of nearly five thousand businesses found encryption use has increased six percent in the past year to the point where 35 percent of organizations now have an encryption strategy applied consistently across the entire enterprise. In the United States, encrypted traffic has jumped from 2.29 percent of all peak hour traffic before 2013 to 3.8 percent in 2014, and in Latin America it has gone from 1.8 percent to 10.37 percent. More than ten global publications have embraced encrypted “dropboxes” for first contact with new sources, including The New York Times, The New Yorker, The Washington Post, and The Guardian.
However law firms and attorney associations have been slow to secure their systems, and are leaving themselves open to adverse legal action and significant fees as a result. State laws mandating encryption and uniform organizational security planning for attorney client information are an important first step to real security and ethical responsibility in the information age.
Jonathan Stribling-Uss, Esq. Emerging Issues in Cybersecurity, Legal Ethics and Tech.
Constitutional Communications Project, March, 2015
Security is a process, not an event.
What threats from which adversaries pose the highest risk to your assets?
Threat= what you are protecting against
Adversary = who is posing this threat
Asset = what you are protecting
Risk = likelihood of that threat occurring
Capacities= a tactic you can develop to lower your risks
Thinking through Threats
What are some threats you can think of for you and your work?
Jonathan Stribling-Uss, Esq. Emerging Issues in Cybersecurity, Legal Ethics and Tech.
Constitutional Communications Project, March, 2015
Be aware about what information you share over electronic mediums
Don’t speculate or joke about the origin of crimes or violent or questionable activities over electronic mediums
Don’t talk about harmless criminal activity over electronic medium (i.e. don’t email people asking to buy a prescription pill for tooth ache.)
Respect clients/lawyers needs for privacy over electronics
Best practice is not to bring phones to a first client meeting with an unknown person.
By Peter Micek and Jonathan Stribling
1. Digital security doesn’t have to be about protecting yourself or hiding anything. It’s about respecting others, building trust, and being able to act with confidence online.
2. No silver bullets; but human rights risks necessitate that we pursue ways to mitigate specific adversaries and threats.
3. Encryption is ubiquitous. Many of the open source tools are usable and scalable, and improving constantly. I use them daily at work and socially.
a. Diverse types of encryption
b. What is PGP?
i. Definition; history of development
ii. Public key innovation
iii. What PGP does and doesn’t do
1. Does protect communications, or simply data at rest
2. Does ensure: Confidentiality (encryption), Integrity (signature), Authentication (signature showing key associated with email address, not person)
3. Doesn’t do Anonymity: PGP encrypts content, not metadata
a. envelope analogy
. browse the internet anonymously; naval origin story
i. free software and a network
ii. Good for research; Replace traditional VPNs, which reveal the exact amount and timing of communication. VPNs are vulnerable to snooping by admins; not Tor.
iii. how to use: download browser bundle
1. Can still log in; Facebook onion site example
d. OpenWhisper Systems: TextSecure/Signal/RedPhone
. Easy, secure.
1. go to App Store
i. OTR and Forward Secrecy.
2. Policies at my organization Access Now
. Set up GPG
. Platforms and applications: Thunderbird, enigmail
i. How to guides for Mac and PC
a. Use policies
. Always use for sensitive data; sign for links; respond with PGP unless impossible; not on mobile devices; fingerprint in signature
i. Never store your private PGP key on your mobile phone. In other words, do not encrypt/decrypt work emails on your smartphone. Rationale: Mobile phones are inherently insecure because the baseband processor on your phone always has potential access to your data Engine Room policy
b. How I use PGP
. Give examples of professional contacts and situations
3. Encryption and human rights
. Human rights law
. A19, A17/12
i. Special Rapporteurs David Kaye’s and Frank La Rue’s reports
ii. UNESCO Connecting the Dots: Recognise the role that anonymity and encryption can play as enablers of privacy protection and freedom of expression, and facilitate dialogue on these issues.
a. Practical reasons
i. Protect journalists, human rights defenders, etc etc
ii. Access Now Digital Security Helpline work
4. Access Now advocacy for encryption and digital security
i. Bills in India, France, UK
a. Corporate: Encrypt all the things, HTTPS Everywhere, Soghoian
b. US: SaveCrypto.org
Why Professionals Must Encrypt:
Attorneys, Journalists and Professionals Must Learn Secure Communications
1. The dark glass rubik’s cube at the center of the Internet
Just twenty miles southwest of Baltimore, off the “NSA employees only” exit of Maryland’s route 295 South, there is a “dark glass rubik’s cube” of office buildings in which sits what, until 2013, was the world’s most unknown agency. Until last year, The National Security Agency (NSA), was jokingly referred to as “No Such Agency.” But a year’s worth of shocking news stories have earned the world’s largest secret agency – which has a classified budget of more then 20 billion dollars and over 30,000 employees – a new acronym, “Not Secret Anymore.”
This article aims to show that professionals of all types must change their behavior and expectations when using electronics in light of the secrets that have been revealed about the NSA. The NSA’s current practices of mass electronic surveillance destroy the professional integrity, independence and self-regulating structures of professional associations in the United States and around the world. This includes but is not limited to organizations like the American Bar Association (ABA) and the Society of Professional Journalists. Professionals who have a duty to protect the information of their clients and sources must take immediate steps, including regular use of encryption for client communication. Only this will maintain the independence of our professions, and ensure we do not lose client trust to NSA overreach.
As the UN’s Special Rapporteur, the highest official for counter-terrorism and human rights, concluded in his recent report on the Snowden revelations, “The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether.” Even if we leave the NSA’s Surveillance aside, we have reached a critical tipping point on the issue of secure communications, internet privacy and information control. After countless major data breaches at big banks and retail chains, like Chase, Target and Home Depot, it is clear that personal data is not adequately protected. As Snowden has repeatedly stated, “unencrypted communications on the internet are no longer safe” and that “all professionals must encrypt” their communication by default.6 The overreach of the NSA, the increasing accessibility of encryption technology, and the popular awareness of the insecurity of current information systems make it clear that the time has come for professionals, from attorneys to reporters, to develop competency in secure communications and encryption.
2. Collect it all
The Snowden documents reveal that the NSA works with the intelligence agencies of the United Kingdom, Canada, New Zealand, and Australia. These five nations – self-titled as the “five Eyes” – have a shared agreement through which they act as a secret coalition of intelligence agencies to conduct global mass electronic surveillance. In 2011, they held an annual conference at which they agreed upon a “new collection posture.” A key element of that posture is to “collect it all.” “Collect it all” means that the security services of the five governments with the most advanced electronic capabilities have decided that it is their role to collect and hold all electronic information globally.5
This “collect it all” posture is not a wild dream or an empty threat. In secret, the Five Eyes have constructed the largest data holding facility ever created in Bluffsdale, Utah. In 2013 the facility official opened with the capacity to hold a “yottabyte” of data.6 A yottabyte (named after Yoda from Starwars) is one thousand times the amount of data that will be stored on the entire Internet in 2015. They are filling this facility with information by tapping the undersea cables that transmit the information of the Internet. They are taking pictures of all internet activity while it passes though the fiber optic lines. The NSA then holds all of this information for at least five years.7 This holding time allows the NSA to sift through the data for useful patterns and insights.
The NSA’s formal mandate is to collect foreign information. They are not supposed to collect the data or communications of U.S. citizens who are on U.S. soil. But internet traffic does not respect national boundaries. The Internet is structured so information is transferred in the most efficient and cheapest way. This means that, instead of traveling the most geographically direct route, messages from one person in the US to another person in the US may travel outside of the country to reach their destination. The NSA exploits the supranational structure of the Internet to allow it to collect data from and communication between US citizens who are communicating within the territorial United States.8 The NSA also has information sharing agreements with the Five Eyes governments. These other governments collect information on U.S. citizens, which they then share with the NSA or the other partners. So even if the NSA does not directly collect the communications of U.S. citizens, they can access that data through the United Kingdom or other members of the Five Eyes.
This dragnet collection is the basis of the term “mass electronic surveillance.” The UN defines “mass surveillance” as a situation in which “states with high levels of Internet penetration can…gain access to the telephone and e-mail content of an effectively unlimited number of users and maintain an overview of Internet activity associated with particular websites.” The UN report states that in a system of “mass surveillance, all of this is possible without any prior suspicion related to a specific individual or organization.”
3. The destruction of client and source trust means the end of professional integrity
The United States Privacy and Civil Liberties Oversight Board concluded that, “Permitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens.”9 The UN Rapporteur mirrored that conclusion, finding that without drastic change we allow “a risk that systematic interference with the security of digital communications will continue to proliferate without any serious consideration being given to the implications of the wholesale abandonment of the right to online privacy.”10
All professionals are impacted, but attorneys have clear ethical responsibility to protect client data. Rule 1.6 of the Model Rules of Professional Responsibility states that, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”11 Each state bar has its own interpretation of how to define reasonable effort, and – even before the Snowden revelations – some state bars encouraged attorneys to use encryption to protect their clients.
If professionals do not begin to publicly offer encrypted methods for communication, they will cut themselves off from clients and sources who need to protect their information. Edward Snowden’s story provides a good example of this challenge. Snowden tried to establish contact with Glenn Greenwald, the reporter and attorney who later helped to break Snowden’s story. Greenwald was unable to get Snowden’s messages for more then six months, because he was not competent in the use of encryption. If lawyers do not use encryption, many clients who are threatened by the government will not trust attorneys enough to approach them. Clients who want to engage in trade negotiations will not approach a firm, unless they are sure they can trust the attorneys to protect their data by keeping sensitive information off of electronic medium.15 Journalists will only be able to report stories that valorize the government, because sources won’t trust them with information that could anger the government agencies. These losses will be invisible, because we will never hear from the people who did not trust our communications technologies enough to establish contact.
4. “What’s the threat?”
Last December a federal judge concluded that the US government could not “cite a single case in which analysis of the NSA’s bulk metadata collection actually stopped an imminent terrorist attack.”16 President Obama’s own Review Group on Intelligence and Communications Technologies concluded that mass surveillance “was not essential to preventing attacks” and that information to detect terrorist plots could “readily have been obtained in a timely manner using conventional [court] orders.”17
If invasive mass electronic surveillance technologies are not particularly effective against terrorism, then why have the intelligence agencies decided to put so much energy and time into building mass surveillance? “The Role of National Interest, Money and Egos” – a presentation which was developed for a handful of NSA officials concerning NSA planning for the Internet as a whole and which was leaked by Edward Snowden – can help us to assess the NSA’s real intentions. It states, “What country doesn’t want to make the world a better place…for itself?” Next it addresses US domination over the Internet stating, “What’s the threat? Lets be blunt. The western world (especially the US) gained influence and made a lot of money via the drafting of earlier standards.”18
The reasons for the “collect it all” posture are primarily global control, not security. One of the key NSA strategic planning documents leaked by Snowden is the 2009 “Quadrennial Intelligence Community Review Final Report.” The Quadrennial report is the 25 year strategic planning for the NSA and the US intelligence community. The report lays out the top six strategic priorities for the coming decades. One of the six key priorities, that top NSA officials identify as their strategic “hedge” is “technology acquisition by all means.” They go on to specify that the NSA should ensure US technical domination of emerging technologies “by all means.” The planning document uses an “illustrative example” of how this process works with a hypothetical about infiltrating an Indian and Russian technological agreement on a possible new form of superconductors. In the hypothetical they state that the NSA would make “separate clandestine approaches to India and Russia to break up the partnership. [The NSA] conducts cyber operations against research facilities in the two countries, as well as the intellectual “supply chain” supporting these facilities. Finally, it assesses whether and how its findings would be useful to U.S. industry.” It is clear that they have already begun to implement aspects of this strategy. The Snowden documents show that the NSA is spying on financial targets such as the Brazilian oil giant Petrobras; economic summits; international credit card and banking systems; the EU antitrust commissioner investigating Google, Microsoft, and Intel; and the International Monetary Fund and World Bank in order to commit economic and technical espionage.19 This is an expansion of an NSA strategy for control of intellectual property that goes back to at least 1994. In one instance, this has played out publicly in a series of patient lawsuits between US and German wind turbine manufactures resulting in increased control of intellectual property for US based corporations.20 This is the guiding strategy of the current NSA posture.21 It has remarkable similarities to other historical variants like imperialism or colonialism, but they have been updated to what Prabir Purkayastha has called the “digital colonialism” of the current era. 22
5. Icreach, Metadata and “Parallel construction”
Attorney’s relationships with clients are being collected and logged by the NSA in many ways. One of the most significant methods of collection is the federal multi-agency collaboration surrounding the “Icreach” database.23 Icreach is a database of “five eyes” metadata intercepts used by a dozen federal agencies for domestic criminal prosecutions. The NSA legally justifies the domestic use of the Icreach database by using Executive Order 12333, a broad interpretation of a 1982 Reagan era executive signing statement,24 although Executive Order 12333 was adopted by President Reagan as a signing statement and was never subject to any judicial or legislative input or oversight.25 The DEA runs this multi-agency collaboration under the unit title “Special Operations Division”(SOD). The SOD is a $125 million unit with hundreds of employees from a dozen federal agencies including the FBI, CIA, NSA, IRS and DHS.
The Icreach database intercepts “metadata,” a kind of data that shows the relationships between people. Metadata is the “who” and “when” about communication on the phone and online. It is the “outside of the envelope” for normal phone calls. It tells the time someone placed a call, to whom the call was made and how long the call was. Similar data exists for all types of communication: instant messages, emails, text, and the geo-location of computers and cell phones. For cell phones, metadata can include all the physical locations of the cell phone over time. Metadata is the “digital fingerprint,” and it provides information to map social networks through the connections established through electronic communication. This metadata is turned into contact chains and linked in the Icreach database to allow for easy warrantless “google type” searches of the communication and location tracking of US citizens and others. While the actual application of Icreach data in criminal cases is still mostly kept secret, hypothetically this mapping can be used to cast suspicion on anyone who has had electronic communication with someone who the government suspects of criminal activity. While we don’t know their extent, we do know that prosecutions have been initiated based on Icreach relationship-mapping.
Icreach based prosecutions use a procedure called “parallel construction” to hide the NSA intercept information from court filings. In practice, this often means that law enforcement agents, including local police, systemically lie to prosecutors about the existence of the Icreach database and its use as the original source for a tip that begins an investigation. For example, a current federal prosecutor in Florida confirmed to Reuters that, “in a drug case he was handling, a DEA agent told him the investigation of a U.S. citizen began with a tip from an informant. When the prosecutor pressed for more information, a DEA supervisor intervened and revealed that the tip had actually come through the SOD and from an NSA intercept”.26
The warrentless use of such a database and the fact that the individual agents use “parallel construction” to hide the use of the data base from the judiciary destroys the sixth amendment right for a defendant to see the evidence against them in an open court. The current vice chairman of the criminal justice section of the American Bar Association, James Felman, calls this domestic use of NSA intercepts “outrageous” and “indefensible.” Nancy Gertner, a Harvard Law School professor and former federal judge, said that, “It is one thing to create special rules for national security, ordinary crime is entirely different. It sounds like they are phonying up investigations.”27 It is unclear how many thousands of cases may be based on this type of illegal evidence, but, as of October 2014, the use of “parallel construction” is being investigated by the Justice Department.
6. What is NSA Targeting and how targeting happens
“Targeting” is a term the NSA uses to describe more extensive infiltration of particular electronic and computer systems. This is an internally defined process with little judicial oversight or outside review mechanisms. It is difficult to tell what criterion the NSA is using to determine who it will target more intensively. Individual agents are given a huge degree of leeway and discretion, and there are few consequences for targeting the wrong person accidentally. As Snowden has stated, “At my desk, I could be wiretapping anyone in America, from a federal judge to the President of the United States.”28 This statement is verified by the fact that, even as early as 2009, the New York Times reported that an NSA agent had targeted and read President Clinton’s personal email.29 Snowden documents show that, according to the NSA’s own policy from their Office of General Counsel, discovering that an American has accidentally been selected for intensive surveillance is “nothing to worry about.” It must only be logged in an internal quarterly report.30
From the NSA’s internal records, it has become clear that the NSA has developed strategic priorities for targeting certain groups. These groups are Muslims leaders of all types,31 “radicalizers” generally,32 Palestinian leaders, the “human network” associated with Wikileaks, anyone searching for privacy tools on the internet, computer network system operators, drug dealers, terrorists, presidents, the UN, people who make cryptography, and others33
NSA documents show that people that the NSA views as “radicalizers” have been targeted for “reputational” attacks for their behavior on the internet, like watching porn, online promiscuity, or even simply “not checking facts in their articles.” Internal memos from NSA executives make it clear that the NSA views these targeted people, some of whom are US citizens, as “radicalizers” specifically because of their political speech; for visibly and influentially making arguments like “the US brought the 9/11 attacks on itself”.34
There are many attorneys that have been or currently are subject to intensive NSA surveillance. We know that Muslim-American attorneys have been subject to intensive Foreign Intelligence Surveillance Act (FISA) court surveillance, and we also know that attorneys who have worked for Wikileaks and attorneys employed in global firms working on trade negotiations have also been targeted.35 When the Washington Post analyzed the final information used in twenty two thousand leaked NSA surveillance reports, 89% of the information was from those who are associates of the targeted individuals, while only 11% was from the individuals who are designated NSA targets.36 These facts make it virtually certain that privileged conversations are caught in the surveillance web. Because of this mass collection structure, legally privileged information will likely be compromised in the normal course of non-secure attorney client communication. The NSA has no filtering procedure for privileged attorney-client information.
7. Targeting the technology professionals rely on
The NSA put “back doors” (a term for a flaw in the software construction that allows surveillance programs to access supposedly secured information) in some proprietary encryption.37 The NSA did this by paying $10 million to an encryption manufacturer, named RSA to weaken the math that secured its encryption. They also created a section of the National Standardization Board for Encryption within the US National Institute of Standards and Technology (NIST) that would take encryption programs and insert a backdoor (random number generator) into the product, which would allow the NSA to guess the outcome of otherwise random code construction.38 In Germany and China, the NSA also directly inserted human agents into the encryption industry to undermine encryption technologies that these nations are developing.39
Over 80 software and hardware companies have close “partnership” relationships with the NSA, but their level of cooperation is not fully known.40 Microsoft partners with the NSA by giving them knowledge of software bugs before releasing them to the public or the anti-virus companies.41 This means that, at regular intervals, the NSA is able to get access to all computers running Microsoft for a period of time before the holes in the code are patched. This sort of access has allowed the NSA to put Computer Network Extracting (CNE) keyloggers on between 50,000- 100,000 computers.42 A computer infected with a keylogger or screen logger allows the NSA to read a record of every key typed or every screen viewed, often in real time.
8. Why open source is a solution
Proprietary standards, like Microsoft and Apple Operating Systems, all provide legal and technical prohibitions on users and engineers that keep them from viewing the actual functioning of the codes that make the computer programs run.43 Open source software, like Linux or Debian, allows for software engineers and users to fully control all aspects of a computer system. This doesn’t mean that open source programs are flawless or bug free. The idea is that the public and code developers should know about their bugs at the same time the NSA does. This allows engineers and users to quickly know if their computer may have been compromised.44 Open source standards allow for a more scientific process of transparent and verifiable software improvements that are not dependent on a closed group that could be directly cooperating with the NSA. Many countries, including the governments of Uruguay, Ecuador, and Brasil, are now running most of their information technology on open source platforms.45
9. Why encryption is a solution
Encryption is – simply – writing in code.46 Current encryption programs apply very rigorous math, logic and technology to the basic process that all people engage in when creating dialects or languages. In a strange twist of technological progress, the current application of this science allows for anyone with a home computer to create encryption advanced enough that it, when properly implemented, cannot be broken by all the computer power in the world.47 As Snowden has stated “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”48 This means that an everyday computer user with medium competency can currently download a free open source encryption program from the Internet that, when properly implemented and verified, allows them to encode information in a way that is impossible for even the NSA to break.49
10. The great encrypting starts with you
Professionals and everyday people are already transitioning to encryption en masse. A global survey of nearly five thousand businesses found encryption use has increased six percent in the past year to the point where 35% of organizations now have an encryption strategy applied consistently across the entire enterprise.50 In the United States, encrypted traffic has jumped from 2.29 percent of all peak hour traffic before Snowden to 3.8 percent after Snowden, and in.Latin America it has gone from 1.8 percent to 10.37 percent.51 More then ten major global newspapers – including The New York Times, The New Yorker, The Washington Post, The Guardian and The Intercept – have embraced encrypted “dropboxes” for first contact with new sources.52 Hundreds of journalists are using encrypted emails for source protection.
However, without a massive increase in the level of encryption in society and politics, we consign ourselves to professional associations that will be unable to retain integrity and public trust.53 This can be avoided if we each seek to encrypt our information and push our professional organizations to do the same. Once the use of encryption increases to around fifteen percent of all Internet traffic in the United States it will significantly impede governments’ use of mass electronic surveillance technology against the Internet as a whole. At that point, we would be able to secure communication generally and thus restore privacy, ensuring professional integrity and First, Fourth and Sixth Amendment rights in the information age.54
New York State
 To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable continuing legal education requirements under 22 N.Y.C.R.R. part 1500.
New York State
Comments 16 & 17
 Paragraph (c) requires a lawyer to exercise reasonable care to prevent disclosure of information related to the representation by employees, associates and others whose services are utilized in connection with the representation. See also Rules 1.1, 5.1 and 5.3. However, a lawyer may reveal the information permitted to be disclosed by this Rule through an employee.
 When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to use a means of communication or security measures not required by this Rule, or may give informed consent (as in an engagement letter or similar document) to the use of means or measures that would otherwise be prohibited by this Rule.
New York State
 A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include (i) retaining or contracting with an investigative or paraprofessional service, (ii) hiring a document management company to create and maintain a database for complex litigation, (iii) sending client documents to a third party for printing or scanning, and (iv) using an Internet-based service to store client information. When using such services outside the firm, a lawyer or law firm must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer and law firm. The extent of the reasonable efforts required under this Rule will depend upon the circumstances, including: (a) the education, experience and reputation of the nonlawyer; (b) the nature of the services involved; (c) the terms of any arrangements concerning the protection of client information; (d) the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality, (e) the sensitivity of the particular kind of confidential information at issue; (t) whether the client will be supervising all or part of the nonlawyer’ s work. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4 (professional independence of the lawyer) and 5.5 (unauthorized practice of law). When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct in compatible with the professional obligations of the lawyer.
New York County Lawyers Association Professional Ethics Committee Formal Opinion 748
March 10, 2015
TOPIC: The ethical implications of attorney profiles on LinkedIn
DIGEST: Attorneys may maintain profiles on LinkedIn, containing information such as education, work history, areas of practice, skills, and recommendations written by other LinkedIn users. A LinkedIn profile that contains only one’s education and current and past employment does not constitute Attorney Advertising. If an attorney includes additional information in his or her profile, such as a description of areas of practice or certain skills or endorsements, the profile may be considered Attorney Advertising, and should contain the disclaimers set forth in Rule 7.1. Categorizing certain information under the heading “Skills” or “Endorsements” does not, however, constitute a claim to be a “Specialist” under Rule 7.4, and is accordingly not barred, provided that the information is truthful and accurate.
Attorneys must ensure that all information in their LinkedIn profiles is truthful and not misleading, including endorsements and recommendations written by other LinkedIn users. If an attorney believes an endorsement or recommendation is not accurate, the attorney should exclude it from his or her profile. New York lawyers should periodically monitor and review the content of their LinkedIn profiles for accuracy.
RULES OF PROFESSIONAL CONDUCT: 7.1 and 7.4
LinkedIn, the business-oriented social networking service, has grown in popularity in recent years, and is now commonly used by lawyers. The site provides a platform for users to create a profile containing background information, such as work history and education, and links to other users they may know based on their experience or connections. Lawyers may use the site in several ways, including to communicate with acquaintances, to locate someone with a particular skill or background—such as a law school classmate who practices in a certain jurisdiction for assistance on a matter—or to keep up-to-date on colleagues’ professional activities and job changes.
The site also allows users and their connections to list certain skills, interests, and accomplishments, creating a profile similar to a resume or law firm biography. Users can list their own experience, education, skills, and interests, including descriptions of their practice areas and prior matters. Other users may also “endorse” a lawyer for certain skills—such as litigation or matrimonial law—as well as write a recommendation as to the user’s professional skills.
This opinion addresses the ethical implications of LinkedIn profiles: specifically, whether a LinkedIn Profile is considered “Attorney Advertising,” when it is appropriate for an attorney to accept endorsements and recommendations, and what information attorneys should include (and exclude) from their LinkedIn profiles to ensure compliance with the New York Rules of Professional Conduct.
LinkedIn allows a user to provide objective, biographical information such as one’s “Education” and “Experience,” as well as subjective information, such as “Skills,” “Endorsements,” and “Recommendations.” LinkedIn users can control the fields they choose to populate. Some users may only list education and work experience, while other users may include more extensive information, such as skills, endorsements, and recommendations. Furthermore, the information in one’s profile visible to others may vary depending on the whether the viewer located the profile through an external search engine such as Google, whether the viewer is logged in to LinkedIn on the computer being used, or whether the viewer is “connected” on LinkedIn to the person whose profile he or she is viewing.
In light of the varied information an attorney may provide on his or her profile, and which information is visible to online users, the use of LinkedIn raises concerns about what aspects of an attorney’s profile constitute “Attorney Advertising,” which is subject to specific ethical rules, and what aspects do not. The New York Rules of Professional Conduct define attorney advertising as “communications made in any form about the lawyer or the law firm’s services, the primary purpose of which is retention of the lawyer or law firm for pecuniary gain as a result of the communication. RPC 7.1. The rules further delineate what information an attorney may include in an advertisement—such as education, past experience, fee arrangements, testimonials or endorsements (NYRPC 7.l(b), (d))—and what information an attorney may not include in an advertisement—such as undisclosed paid endorsements or certain trade names. RPC 7.l(c). Online advertisements must be labeled “Attorney Advertising” “on the first page, or on the home page in the case of a website” (Id. at 7.1(f)) and any advertisement containing statements about the lawyer’s services, testimonials, or endorsements must include the disclaimer “[p]rior results do not guarantee a similar outcome.” Id. at 7.l(e)(3).
The comments to the rules make clear that “[n]ot all communications made by lawyers about the lawyer or the law firm’s services are advertising” as the advertising rules do not encompass communications with current clients or former clients germane to the client’s earlier representation. RPC 7.1, Cmt. . Likewise, communications to “other lawyers . . . are excluded from the special rules governing lawyer advertising even if their purpose is the retention of the lawyer or law firm.” Id. Cmt. .
Applying these rules to LinkedIn profiles, it is the opinion of this Committee that a LinkedIn profile that contains only biographical information, such as a lawyer’s education and work history, does not constitute an attorney advertisement. An attorney with certain experience such as a Supreme Court clerkship or government service may attract clients simply because the experience is impressive, or knowledge gained during that position may be useful for a particular matter. As the comments to the New York Rules of Professional Conduct make clear, however, not all communications, including communications that may have the ultimate purpose of attracting clients, constitute attorney advertising. Thus, the Committee concludes that a LinkedIn profile containing only one’s education and a list of one’s current and past employment falls within this exclusion and does not constitute attorney advertising.
The additional information that LinkedIn allows users to provide beyond one’s education and work history, however, implicates more complicated ethical considerations. First, do LinkedIn fields such as “Skills” and “Endorsements” constitute a claim that the attorney is a specialist, which is ethically permissible only where the attorney has certain certifications set forth in RPC 7.4? Second, even if certain statements do not constitute a claim that the attorney is a specialist, do such statements nonetheless constitute attorney advertising, which may require the disclaimers set forth in RPC 7.1?
New York Rule of Professional Conduct 7.4 prohibits an attorney from identifying herself as a “specialist” or “specializ[ing] in a particular field of law” unless the attorney has been certified by an appropriate organization or jurisdiction. RPC 7.4(a)–(c). The New York State Bar Association (NYSBA), interpreting the New York Rules of Professional Conduct, concluded in a 2013 opinion that “a lawyer or law firm listed on a social media site may . . . identify one or more areas of law practice [but] to list those areas under a heading of ‘Specialties’ would constitute a claim that the lawyer or law firm ‘is a specialist or specializes in a particular filed of law,”‘ and would likely run afoul of Rule 7.4, unless the attorney’s certifications meet the requirements of that Rule. See NYSBA Ethics Opinion 972 (June 26, 2013).
While NYSBA has addressed the ethical implications of the heading “Specialties,” the applicability of these guidelines to LinkedIn fields such as “Skills,” “Endorsements,” and “Recommendations” has not been previously addressed in New York. Further complicating this question is the fact that LinkedIn profile headings are not chosen by users. The LinkedIn website provides certain default fields, from which users can choose to add to their profiles. NYSBA advises users who are concerned about these headings to consider avoiding them entirely, by “includ[ing] information about the lawyer’s experience elsewhere, such as under another heading or in an untitled field that permits biographical information to be included.” Social Media Ethics Guidelines of the Commercial Federal Litigation Section of the New York State Bar Association at 4 (Mar. 18, 2014) available at http://www.nysba.org/workarea/Down1oadAsset.aspx?id=47547.
With respect to skills or practice areas on lawyers’ profiles under a heading, such as “Experience” or “Skills,” this Committee is of the opinion that such information does not constitute a claim to be a specialist under Rule 7.4. The rule contemplates advertising regarding an attorney’s practice areas, noting that an attorney may “publicly identify one or more areas of law in which the lawyer or law firm practices, or may state that the practice of the lawyer or law firm is limited to one or more areas of law, provided that the lawyer or law firm shall not state that the lawyer or law firm is a specialist or specializes in a particular field of law, except as provided in Rule 7.4(c).” RPC 7.4(a). This provision contemplates the distinction between claims that an attorney has certain experience or skills and an attorney’s claim to be a “specialist” under Rule 7.4. Categorizing one’s practice areas or experience under a heading such as “Skills” or “Experience” therefore, does not run afoul of RPC 7.4, provided that the word “specialist” is not used or endorsed by the attorney, directly or indirectly. Attorneys should periodically monitor their LinkedIn pages at reasonable intervals to ensure that others are not endorsing them as specialists.
b. Endorsements and Recommendations
Endorsements and recommendations written by other LinkedIn users raise additional ethical considerations. While these endorsements and recommendations originate from other users, they nonetheless appear on the attorney’s LinkedIn profile. The ethical treatment of endorsements and recommendations depends on who is considered to “own” the endorsement and recommendation: the author of the endorsement or recommendation or the person whose profile is enhanced by it.
Because LinkedIn gives users control over the entire content of their profiles, including “Endorsements” and “Recommendations” by other users (by allowing an attorney to accept or reject an endorsement or recommendation), we conclude that attorneys are responsible for periodically monitoring the content of their LinkedIn pages at reasonable intervals. To that end, endorsements and recommendations must be truthful, not misleading, and based on actual knowledge pursuant to Rule 7.1. For example, if a distant acquaintance endorses a matrimonial lawyer for international transactional law, and the attorney has no actual experience in that area, the attorney should remove the endorsement from his or her profile within a reasonable period of time, once the attorney becomes aware of the inaccurate posting. If a colleague or former client, however, endorses that attorney for matrimonial law, a field in which the attorney has actual experience, the endorsement would not be considered misleading. The Pennsylvania Bar Association, interpreting the Pennsylvania Rules of Professional Conduct, reached a similar conclusion in a 2014 opinion, emphasizing that an attorney must “monitor his or her social networking websites,  verify the accuracy of any information posted, [and] remove or correct any inaccurate endorsements. . . . This obligation exists regardless of whether the information was posted by the attorney, by a client, or by a third party.”
Pennsylvania Bar Association Formal Op. 2014-300, “Ethical Obligations for Attorneys Using Social Media,” at 12. While we do not believe that attorneys are ethically obligated to review, monitor and revise their LinkedIn sites on a daily or even a weekly basis, there is a duty to review social networking sites and confirm their accuracy periodically, at reasonable intervals.
c. LinkedIn Profiles as “Attorney Advertising” and Appropriate Disclaimers
Finally, if an attorney chooses to include information such as practice areas, skills, endorsements, or recommendations, the attorney must treat his or her LinkedIn profile as attorney advertising and include appropriate disclaimers pursuant to Rule 7.1. As discussed above, not all communications are advertising, and a LinkedIn profile containing nothing more than biographical information would not ordinarily be considered an advertisement. But a LinkedIn profile that includes subjective statements regarding an attorney’s skills, areas of practice, endorsements, or testimonials from clients or colleagues is likely to be considered advertising.
Attorneys who wish to include this information should review Rule 7.1 to determine the appropriate language to include in their profiles. While the Committee declines to provide guidelines for all potential profile content, the Committee provides the following recommendations for attorneys’ consideration and directs attorneys to review Rule 7.1 before creating or significantly amending their LinkedIn profiles.
If an attorney’s LinkedIn profile includes a detailed description of practice areas and types of work done in prior employment, the user should include the words “Attorney Advertising” on the lawyer’s LinkedIn profile. See RPC 7.1(f). If an attorney also includes (1) statements that are reasonably likely to create an expectation about results the lawyer can achieve; (2) statements that compare the lawyer’s services with the services of other lawyers; (3) testimonials or endorsements of clients; or (4) statements describing or characterizing the quality of the lawyer’s or law firm’s services, the attorney should also include the disclaimer “Prior results do not guarantee a similar outcome.” See RPC 7.l(d) and (e). Because the rules contemplate “testimonials or endorsements,” attorneys who allow “Endorsements” from other users and “Recommendations” to appear on one’s profile fall within Rule 7.l(d), and therefore must include the disclaimer set forth in Rule 7.l(e). An attorney who claims to have certain skills must also include this disclaimer because a description of one’s skills—even where those skills are chosen from fields created by LinkedIn—constitutes a statement “characterizing the quality of the lawyer’s services” under Rule 7.l(d).
Attorneys may maintain profiles on LinkedIn, containing information such as education, work history, areas of practice, skills, and recommendations written by other LinkedIn users. A LinkedIn profile that contains only one’s education and current and past employment does not constitute Attorney Advertising. If an attorney includes additional information in his or her profile, such as a description of areas of practice or certain skills or endorsements, the profile may be considered Attorney Advertising and should contain the disclaimers set forth in Rule 7.1. Categorizing certain information under the heading “Skills” or “Endorsements” does not, however, constitute a claim to be a “Specialist” under Rule 7.4, and is accordingly not barred, provided that the information is truthful and accurate.
Attorneys must ensure that all information in their LinkedIn profiles, including endorsements and recommendations written by other LinkedIn users, is truthful and not misleading. If an attorney believes an endorsement or recommendation is not accurate, the attorney should exclude it from his or her profile. New York lawyers should periodically monitor and review the content of their LinkedIn profiles for accuracy.
ETHICS OPINION 1019
New York State Bar Association
Committee on Professional Ethics
Opinion 1019 (8/6/2014)
Topic: Confidentiality; Remote Access to Firm’s Electronic Files
Digest: A law firm may give its lawyers remote access to client files, so that lawyers may work from home, as long as the firm determines that the particular technology used provides reasonable protection to client confidential information, or, in the absence of such reasonable protection, if the law firm obtains informed consent from the client, after informing the client of the risks.
Rules: 1.00), 1.5(a), 1.6, 1.6(a), 1.6(b), 1.6(c), 1.15(d).
1. May a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?
2. Our committee has often been asked about the application of New York’s ethical rules — now the Rules of Professional Conduct– to the use of modern technology. While some of our technology opinions involve the application of the advertising rules to advertising using electronic means, many involve other ethical issues. See, e.g.:
N.Y. State 680 (1996), Retaining records by electronic imaging during the period required by DR 9-102(D) [now Rule 1.15(d)].
N.Y. State 709 (1998), Operating a trademark law practice over the internet and using e-mail.
N.Y. State 782 (2004), Use of electronic documents that may contain “metadata”.
N.Y. State 820 (2008), Use of an e-mail service provider that conducts computer scans of emails to generate computer advertising.
N.Y. State 833 (2009), Whether a lawyer must respond to unsolicited emails requesting representation.
N.Y. State 842 (2010), Use of a “cloud” data storage system to store and back up client confidential information.
N.Y. State 940 (2012), Storage of confidential information on off-site backup tapes.
N.Y. State 950 (2012), Storage of emails in electronic rather than paper form.
3. Much of our advice in these opinions turns on whether the use of technology would violate the lawyer’s duty to preserve the confidential information of the client. Rule 1.6(a) sets forth a simple prohibition against disclosure of such information, i.e. “A lawyer shall not knowingly reveal confidential information, as defined in this Rule . . . unless . . . the client gives informed consent, as defined in Rule 1.00).” In addition, Rule 1.6(c) provides that a lawyer must “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client” except as provided in Rule 1.6(b).
4. Comment 17 to Rule 1.6 provides some additional guidance that reflects the advent of the information age:
5. As is clear from Comment 17, the key to whether a lawyer may use any particular technology is whether the lawyer has determined that the technology affords reasonable protection against disclosure and that the lawyer has taken reasonable precautions in the use of the technology.
6. In some of our early opinions, despite language indicating that the inquiring I awyer must make the reasonableness determination, this Committee had reached general conclusions. In N.Y. State 709, we concluded that there is a reasonable expectation that e-mails will be as private as other forms of telecommunication, such as telephone or fax machine, and that a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information, unless there is a heightened risk of interception. We also noted, however, that “when the confidential information is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer’s control, the lawyer must select a more secure means of communication than unencrypted internet e-mail.” Moreover, we said the lawyer was obligated to stay abreast of evolving technology to assess changes in the likelihood of interception, as well as the availability of improved technologies that might reduce the risks at a reasonable cost.
7. In N.Y. State 820, we approved the use of an internet service provider that scanned e-mails to assist in providing user-targeted advertising, in part based on the published privacy policies of the provider.
8. Our more recent opinions, however, put the determination of reasonableness squarely on the inquiring lawyer. See, e.g. N.Y. State 842, 940, 950. For example, in N.Y. State 842, involving the use of “cloud” data storage, we were told that the storage system was password protected and that data stored in the system was encrypted. We concluded that the lawyer could use such a system, but only if the lawyer took reasonable care to ensure that the system was secure and that client confidentiality would be maintained. We said that “reasonable care” to protect a client’s confidential information against unauthorized disclosure may include consideration of the following steps:
(1) Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
(2) Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
(3) Employing available technology to guard against reason ably foreseeable attempts to infiltrate the data that is stored; and/or
(4) Investigating the storage provider’s ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.
Moreover, in view of rapid changes in technology and the security of stored data, we suggested that the lawyer should periodically reconfirm that the provider’s security measures remained effective in light of advances in technology. We also warned that, if the lawyer learned information suggesting that the security measures used by the online data storage provider were insufficient to adequately protect the confidentiality of client information, or if the lawyer learned of any breaches of confidentiality by the provider, then the lawyer must discontinue use of the service unless the lawyer received assurances that security issues had been sufficiently remediated.
9. Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system. See, e.g. Matthew Goldstein, “Law Firms Are Pressed on Security For Data,” N.Y. Times (Mar. 22, 2014) at B1 (corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount; companies are asking law firms to stop putting files on portable thumb drives, emailing them to non-secure iPads or working on computers linked to a shared network in countries like China or Russia where hacking is prevalent); Joe Dysart, “Moving Targets: New Hacker Technology Threatens Lawyers’ Mobile Devices,” ABA Journal 25 (September 2012); Rachel M. Zahorsky, “Being Insecure: Firms are at Risk Inside and Out,” ABA Journal 32 (June 2013); Sharon D. Nelson, John W. Simek & David G. Ries, Locked Down: Information Security for Lawyers (ABA Section of Law Practice Management, 2012).
10. In light of these developments, it is even more important for a law firm to determine that the technology it will use to provide remote access (as well as the devices that firm lawyers will use to effect remote access), provides reasonable assurance that confidential client information will be protected. Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information. However, assuming that the law firm determines that its precautions are reasonable, we believe it may provide such remote access. When the law firm is able to make a determination of reasonableness, we do not believe that client consent is necessary.
11. Where a law firm cannot conclude that its precautions would provide reason able protection to client confidential information, Rule 1.6(a) allows the law firm to request the client’s informed consent. See also Comment 17 to Rule 1.6, which provides that a client may give informed consent (as in an engagement letter or similar document) to the use of means that would otherwise be prohibited by the rule. In N.Y. State 842, however, we stated that the obligation to preserve client confidential information extends beyond merely prohibiting an attorney from revealing confidential information without client consent. A lawyer must take reasonable care to affirmatively protect a client’s confidential information. Consequently, we believe that before requesting client consent to a technology system used by the law firm, the firm must disclose the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is “informed” within the meaning of Rule 1.00), i.e. that the client has information adequate to make an informed decision.
12. A law firm may use a system that allows its lawyers to access the firm’s document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained. Because of the fact-specific and evolving nature of both technology and cyber risks, this Committee cannot recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients. If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is “informed” within the meaning of Rule 1.0(i).
© 2015 New York State Bar Association
One Elk Street, Albany, NY 12207
Phone: 518-463-3200 Secure Fax: 518.463.5993
ETHICS OPINION 1020
New York State Bar Association
Committee on Professional Ethics
Opinion 1020 (9/12/2014)
Topic: Confidentiality; use of cloud storage for purposes of a transaction
Digest: Whether a lawyer to a party in a transaction may post and share documents using a “cloud” data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.
Rules: 1.1, 1.6
1. The inquirer is engaged in a real estate practice and is looking into the viability of using an electronic project management tool to help with closings. The technology would allow sellers’ attorneys, buyers’ attorneys, real estate brokers and mortgage brokers to post and view documents, such as drafts, signed contracts and building financials, all in one central place.
2. May a lawyer representing a party to a transaction use a cloud-based technology so as to post documents and share them with others involved in the transaction?
3. The materials that the inquirer seeks to post, such as drafts, contracts and building financials, may well include confidential information of the inquirer’s clients, and for purposes of this opinion we assume that they do. Thus the answer to this inquiry hinges on whether use of the contemplated technology would violate the inquirer’s ethical duty to preserve a client’s confidential information.
4. Rule 1.6(a) contains a straightforward prohibition against the knowing disclosure of confidential information, subject to certain exceptions including a client’s informed consent, and Rule 1.6(c) contains the accompanying general requirement that a lawyer “exercise reasonable care to prevent … [persons] whose services are utilized by the lawyer from disclosing or using confidential information of a client.”
5. Comment  to Rule 1.6 addresses issues raised by a lawyer’s use of technology:
6. In the recent past, our Committee has repeatedly been asked to provide guidance on the interplay of technology and confidentiality. N.Y. State 1019 (2014) catalogues the Committee’s opinions on technology. In that opinion, we considered whether a law firm could provide its lawyers with remote access to its electronic files. We concluded that a law firm could use remote access “as long as it takes reasonable steps to ensure that confidential information is maintained.” Id. ¶12
7. Similarly, in N.Y. State 842 (2010), which considered the use of cloud data storage, we concluded that a lawyer could use this technology to store client records provided that the lawyer takes reasonable care to protect the client’s confidential information. We also reached a similar conclusion in N.Y. State 939 (2012) as to the issue of lawyers from different firms sharing a computer system.
8. The concerns presented by the current inquiry were also present in N.Y. State 1019, N.Y. State 939 and N.Y. State 842, and those opinions govern the outcome here. That is, the inquirer may use the proposed technology provided that the lawyer takes reasonable steps to ensure that confidential information is not breached. The inquirer must, for example, try to ensure that only authorized parties have access to the system on which the information is shared. Because of the fact-specific and evolving nature of technology, we do not purport to specify in detail the steps that will constitute reasonable care in any given set of circumstances. See N.Y, State 1019. ¶ 10. We note, however, that use of electronically stored information may not only require reasonable care to protect that information under Rule 1.6, but may also, under Rule 1.1, require the competence to determine and follow a set of steps that will constitute such reasonable care.
9. Finally, we note that Rule 1.6 provides an exception to confidentiality rules based on a client’s informed consent. Thus, as quoted in paragraph 5 above, a client may agree to the use of a technology that would otherwise be prohibited by the Rule. But as we have previously pointed out, “before requesting client consent to a technology system used by the law firm, the firm must disclose the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is ‘informed’ within the meaning of Rule 1.00), i.e. that the client has information adequate to make an informed decision.” N.Y. State 1019 ¶ 11.
10. Whether a lawyer for a party in a transaction may post and share documents using a “cloud” data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.
COPRAC Proposed Formal Opinion 11-0004 (2014).
© 2015 New York State Bar Association
One Elk Street, Albany, NY 12207
Phone: 518-463-3200 Secure Fax: 518.463.5993
NYCLA ETHICS OPINION 745
ADVISING A CLIENT REGARDING POSTS ON SOCIAL MEDIA SITES
TOPIC: What advice is appropriate to give a client with respect to existing or proposed postings on social media sites.
DIGEST: It is the Committee’s opinion that New York attorneys may advise clients as to (1) what they should/should not post on social media, (2) what existing postings they may or may not remove, and (3) the particular implications of social media posts, subject to the same rules, concerns, and principles that apply to giving a client legal advice in other areas including RPC 3.1, 3.3 and 3.4.
RPC: 4.1, 4.2, 3.1, 3.3, 3.4, 8.4.
This opinion provides guidance about how attorneys may advise clients concerning what may be posted or removed from social media websites. It has been estimated that Americans spend 20 percent of their free time on social media (Facebook, Twitter, Friendster, Flickr, LinkedIn, and the like). It is commonplace to post travel logs, photographs, streams of consciousness, rants, and all manner of things on websites so that family, friends, or even the public-at-large can peer into one’s life. Social media enable users to publish information regionally, nationally, and even globally.
The personal nature of social media posts implicates considerable privacy concerns. Although all of the major social media outlets have password protections and various levels of privacy settings, many users are oblivious or indifferent to them, providing an opportunity for persons with adverse interests to learn even the most intimate information about them. For example, teenagers and college students commonly post photographs of themselves partying, binge drinking, indulging in illegal drugs or sexual poses, and the like. The posters may not be aware, or may not care, that these posts may find their way into the hands of family, potential employers, school admission officers, romantic contacts, and others. The content of a removed social media posting may continue to exist, on the poster’s computer, or in cyberspace.
That information posted on social media may undermine a litigant’s position has not been lost on attorneys. Rather than hire investigators to follow claimants with video cameras, personal injury defendants may seek to locate YouTube videos or Facebook photos that depict a “disabled” plaintiff engaging in activities that are inconsistent with the claimed injuries. It is now common for attorneys and their investigators to seek to scour litigants’ social media pages for information and photographs. Demands for authorizations for access to password-protected portions of an opposing litigant’s social media sites are becoming routine.
Recent ethics opinions have concluded that accessing a social media page open to all members of a public network is ethically permissible. New York State Bar Association Eth. Op. 843 (2010); Oregon State Bar Legal Ethics Comm., Op. 2005-164 (finding that accessing an opposing party’s public website does not violate the ethics rules limiting communications with adverse parties). The reasoning behind these opinions is that accessing a public site is conceptually no different from reading a magazine article or purchasing a book written by that adverse party. Oregon Op. 2005-164 at 453.
But an attorney’s ability to access social media information is not unlimited. Attorneys may not make misrepresentations to obtain information that would otherwise not be obtainable. In contact with victims, witnesses, or others involved in opposing counsel’s case, attorneys should avoid misrepresentations, and, in the case of a represented party, obtain the prior consent of the party’s counsel. New York Rules of Professional Conduct (RPC 4.2). See, NYCBA Eth. Op., 2010-2 (2012); NYSBA Eth. Op. 843. Using false or misleading representations to obtain evidence from a social network website is prohibited. RPC 4.1, 8.4(c).
Social media users may have some expectation of privacy in their posts, depending on the privacy settings available to them, and their use of those settings. All major social media allow members to set varying levels of security and “privacy” on their social media pages. There is no ethical constraint on advising a client to use the highest level of privacy/security settings that is available. Such settings will prevent adverse counsel from having direct access to the contents of the client’s social media pages, requiring adverse counsel to request access through formal discovery channels.
A number of recent cases have considered the extent to which courts may direct litigants to authorize adverse counsel to access the “private” portions of their social media postings. While a comprehensive review of this evolving body of law is beyond the scope of this opinion, the premise behind such cases is that social media websites may contain materials inconsistent with a party’s litigation posture, and thus may be used for impeachment. The newest cases tum on whether the party seeking such disclosure has laid a sufficient foundation that such impeachment material likely exists or whether the party is engaging in a “fishing ex edition” and an invasion of privacy in the hopes of stumbling onto something that may be useful.
Given the growing volume of litigation regarding social media discovery, the question arises whether an attorney may instruct a client who does not have a social media site not to create one: May an attorney pre-screen what a client posts on a social media site? May an attorney properly instruct a client to “take down” certain materials from an existing social media site?
Preliminarily, we note that an attorney’s obligation to represent clients competently (RPC 1.1) could, in some circumstances, give rise to an obligation to advise clients, within legal and ethical requirements, concerning what steps to take to mitigate any adverse effects on the clients’ position emanating from the clients’ use of social media. Thus, an attorney may properly review a client’s social media pages, and advise the client that certain materials posted on a social media page may be used against the client for impeachment or similar purposes. In advising a client, attorneys should be mindful of their ethical responsibilities under RPC 3.4. That rule provides that a lawyer shall not “(a) (l) suppress any evidence that the lawyer or the client has a legal obligation to reveal or produce… [nor] (3) conceal or knowingly fail to disclose that which the lawyer is required by law to reveal.”
Attorneys’ duties not to suppress or conceal evidence involve questions of substantive law and are therefore outside the purview of an ethics opinion. We do note, however, that applicable state or federal law may make it an offense to destroy material for the purpose of defeating its availability in a pending or reasonably foreseeable proceeding, even if no specific request to reveal or produce evidence has been made. Under principles of substantive law, there may be a duty to preserve “potential evidence” in advance of any request for its discovery. VOOM HD Holdings LLC v. EchoStar Satellite L.L.C., 93 A.D.3d 33, 939 N.Y.S. 2d 331 (1st Dep’t 2012) (“Once a party reasonably anticipates litigation, it must, at a minimum, institute an appropriate litigation hold to prevent the routine destruction of electronic data.”); QK Healthcare, Inc., v. Forest Laboratories, Inc., 2013 N.Y. Misc. LEXIS 2008; 2013 N.Y. Slip Op. 31028(U) (Sup. Ct. N.Y. Co., May 8, 2013); RPC 3.4, Comment . Under some circumstances, where litigation is anticipated, a duty to preserve evidence may arise under substantive law. But provided that such removal does not violate the substantive law regarding destruction or spoliation of evidence, there is no ethical bar to “taking down” such material from social media publications, or prohibiting a client’s attorney from advising the client to do so, particularly inasmuch as the substance of the posting is generally preserved in cyberspace or on the user’s computer.
An attorney also has an ethical obligation not to “bring or defend a proceeding, or assert or controvert an issue therein, unless there is a basis in law and fact for doing so that is not frivolous.” RPC 3.l(a). Frivolous conduct includes the knowing assertion of “material factual statements that are false.” RPC 3.l(b)(3). Therefore, if a client’s social media posting reveals to an attorney that the client’s lawsuit involves the assertion of material false factual statements, and if proper inquiry of the client does not negate that conclusion, the attorney is ethically prohibited from proffering, supporting or using those false statements. See, also, RPC 3.3; 4.1 (“In the course of representing a client, a lawyer shall not knowingly make a false statement of fact or law to a third person.”)
Clients are required to testify truthfully at a hearing, deposition, trial, or the like, and a lawyer may not fail to correct a false statement of material fact or offer or use evidence the lawyer knows to be false. RPC 3.3(a) (l); 3.4(a)(4). Thus, a client must answer truthfully (subject to the rules of privilege or other evidentiary objections) if asked whether changes were ever made to a social media site, and the client’s lawyer must take prompt remedial action in the case of any known material false testimony on this subject. RPC 3.3 (a)(3).
We further conclude that it is permissible for an attorney to review what a client plans to publish on a social media page in advance of publication, to guide the client appropriately, including formulating a corporate policy on social media usage. Again, the above ethical rules and principles apply: An attorney may not direct or facilitate the client’s publishing of false or misleading information that may be relevant to a claim; an attorney may not participate in the creation or preservation of evidence when the lawyer knows or it is obvious that the evidence is false. RPC 3.4(a)(4). However, a lawyer may counsel the witness to publish truthful information favorable to the lawyer’s client; discuss the significance and implications of social media posts (including their content and advisability); advise the client how social media posts may be received and/or presented by the client’s legal adversaries and advise the client to consider the posts in that light; discuss the possibility that the legal adversary may obtain access to “private” social media pages through court orders or compulsory process; review how the factual context of the posts may affect their perception; review the posts that may be published and those that have already been published; and discuss possible lines of cross-examination.
Lawyers should comply with their ethical duties in dealing with clients’ social media posts. The ethical rules and concepts of fairness to opposing counsel and the court, under RPC 3.3 and 3.4, all apply. An attorney may advise clients to keep their social media privacy settings turned on or maximized and may advise clients as to what should or should not be posted on public and/or private pages, consistent with the principles stated above. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, an attorney may offer advice as to what may be kept on “private” social media pages, and what may be ‘‘taken down” or removed.
The Association of the Bar of the City of New York Committee on Professional Ethics
Formal Opinion 2012-2:
JURY RESEARCH AND SOCIAL MEDIA
TOPIC: Jury Research and Social Media
DIGEST: Attorneys may use social media websites for juror research as long as no communication occurs between the lawyer and the juror as a result of the research. Attorneys may not research jurors if the result of the research is that the juror will receive a communication. If an attorney unknowingly or inadvertently causes a communication with a juror, such conduct may run afoul of the Rules of Professional Conduct. The attorney must not use deception to gain access to a juror’s website or to obtain information, and third parties working for the benefit of or on behalf of an attorney must comport with all the same restrictions as the attorney. Should a lawyer learn of juror misconduct through otherwise permissible research of a juror’s social media activities, the lawyer must reveal the improper conduct to the court.
RULES: 3.5(a)(4); 3.5(a)(5); 3.5(d); 8.4
Question: What ethical restrictions, if any, apply to an attorney’s use of social media websites to research potential or sitting jurors?
Ex parte attorney communication with prospective jurors and members of a sitting jury has long been prohibited by state rules of professional conduct (see American Bar Association Formal Opinion 319 (“ABA 319”)), and attorneys have long sought ways to gather information about potential jurors during voir dire (and perhaps during trial) within these proscribed bounds. However, as the internet and social media have changed the ways in which we all communicate, conducting juror research while complying with the rule prohibiting juror communication has become more complicated.
In addition, the internet appears to have increased the opportunity for juror misconduct, and attorneys are responding by researching not only members of the venire but sitting jurors as well. Juror misconduct over the internet is problematic and has even led to mistrials. Jurors have begun to use social media services as a platform to communicate about a trial, during the trial (see WSJ Law Blog (March 12, 2012), http://blogs.wsj.com/law/2012/03/12/jury-files-the-temptation-of-twitter/), and jurors also turn to the internet to conduct their own out of court research. For example, the Vermont Supreme Court recently overturned a child sexual assault conviction because a juror conducted his own research on the cultural significance of the alleged crime in Somali Bantu culture. State v. Abdi, No. 2012-255, 2012 WL 231555 (Vt. Jan. 26, 2012). In a case in Arkansas, a murder conviction was overturned because a juror tweeted during the trial, and in a Maryland corruption trial in 2009, jurors used Facebook to discuss their views of the case before deliberations. (Juror’s Tweets Upend Trials, Wall Street Journal, March 2, 2012.) Courts have responded in various ways to this problem. Some judges have held jurors in contempt or declared mistrials (see id.) and other courts now include jury instructions on juror use of the internet. (See New York Pattern Jury Instructions, Section III, infra.)However, 79% of judges who responded to a Federal Judicial Center survey admitted that “they had no way of knowing whether jurors had violated a social-media ban.” (Juror’s Tweets, supra.) In this context, attorneys have also taken it upon themselves to monitor jurors throughout a trial.
Just as the internet and social media appear to facilitate juror misconduct, the same tools have expanded an attorney’s ability to conduct research on potential and sitting jurors, and clients now often expect that attorneys will conduct such research. Indeed, standards of competence and diligence may require doing everything reasonably possible to learn about the jurors who will sit in judgment on a case. However, social media services and websites can blur the line between independent, private research and interactive, interpersonal “communication.” Currently, there are no clear rules for conscientious attorneys to follow in order to both diligently represent their clients and to abide by applicable ethical obligations. This opinion applies the New York Rules of Professional Conduct (the “Rules”), specifically Rule 3.5, to juror research in the internet context, and particularly to research using social networking services and websites.
The Committee believes that the principal interpretive issue is what constitutes a “communication” under Rule 3.5. We conclude that if a juror were to (i) receive a “friend” request (or similar invitation to share information on a social network site) as a result of an attorney’s research, or (ii) otherwise to learn of the attorney’s viewing or attempted viewing of the juror’s pages, posts, or comments, that would constitute a prohibited communication if the attorney was aware that her actions would cause the juror to receive such message or notification. We further conclude that the same attempts to research the juror might constitute a prohibited communication even if inadvertent or unintended. In addition, the attorney must not use deception-such as pretending to be someone else—to gain access to information about a juror that would otherwise be unavailable. Third parties working for the benefit of or on behalf of an attorney must comport with these same restrictions (as it is always unethical pursuant to Rule 8.4 for an attorney to attempt to avoid the Rule by having a non-lawyer do what she cannot). Finally, if a lawyer learns of juror misconduct through a juror’s social media activities, the lawyer must promptly reveal the improper conduct to the court.
II. Analysis Of Ethical Issues Relevant To Juror Research
A. Prior Authority Regarding An Attorney’s Ability To Conduct Juror Research Over Social Networking Websites
Prior ethics and judicial opinions provide some guidance as to what is permitted and prohibited in social media juror research. First, it should be noted that lawyers have long tried to learn as much as possible about potential jurors using various methods of information gathering permitted by courts, including checking and verifying voir dire answers. Lawyers have even been chastised for not conducting such research on potential jurors. For example, in a recent Missouri case, a juror failed to disclose her prior litigation history in response to a voir dire question. After a verdict was rendered, plaintiff’s counsel investigated the juror’s civil litigation history using Missouri’s automated case record service and found that the juror had failed to disclosure that she was previously a defendant in several debt collection cases and a personal injury action. Although the court upheld plaintiff’s request for a new trial based on juror nondisclosure, the court noted that “in light of advances in technology allowing greater access to information that can inform a trial court about the past litigation history of venire members, it is appropriate to place a greater burden on the parties to bring such matters to the court’s attention at an earlier stage.” Johnson v. McCullough, 306 S.W.3d 551, 558-59 (Mo. 2010). The court also stated that “litigants should endeavor to prevent retrials by completing an early investigation.” Id.at 559.
Similarly, the Superior Court of New Jersey recently held that a trial judge “acted unreasonably” by preventing plaintiff’s counsel from using the internet to research potential jurors during voir dire. During jury selection in a medical malpractice case, plaintiff’s counsel began using a laptop computer to obtain information on prospective jurors. Defense counsel objected, and the trial judge held that plaintiff’s attorney could not use her laptop during jury selection because she gave no notice of her intent to conduct internet research during selection. Although the Superior Court found that the trial court’s ruling was not prejudicial, the Superior Court stated that “there was no suggestion that counsel’s use of the computer was in any way disruptive. That he had the foresight to bring his laptop computer to court, and defense counsel did not, simply cannot serve as a basis for judicial intervention in the name of ‘fairness’ or maintaining ‘a level playing field.’ The ‘playing field’ was, in fact, already ‘level’ because internet access was open to both counsel.” Carino v. Muenzen, A-5491-08Tl, 2010 N.J. Super. Unpub. LEXIS 2154, at *27 (N.J. Sup. Ct. App. Div. Aug. 30, 2010).
Other recent ethics opinions have also generally discussed attorney research in the social media context. For example, San Diego County Bar Legal Ethics Opinion 2011-2 (“SDCBA 2011-2”) examined whether an attorney can send a “friend request” to a represented party. SDCBA 2011-2 found that because an attorney must make a decision to “friend” a party, even if the “friend request [is] nominally generated by Facebook and not the attorney, [the request] is at least an indirect communication” and is therefore prohibited by the rule against ex parte communications with represented parties. In addition, the New York State Bar Association (“NYSBA”) found that obtaining information from an adverse party’s social networking personal webpage, which is accessible to all website users, “is similar to obtaining information that is available in publicly accessible online or print media, or through a subscription research service as Niexi or Factiva and that is plainly permitted.” (NYSBA Opinion 843 at 2) (emphasis added).
And most recently, the New York County Lawyers’ Association (“NYCLA”) published a formal opinion on the ethics of conducting juror research using social media. NYCLA Formal Opinion 743 (“NYCLA 743”) examined whether a lawyer may conduct juror research during voir dire and trial using Twitter, Facebook and other similar social networking sites. NYCLA 743 found that it is “proper and ethical under Rule 3.5 for a lawyer to undertake a pretrial search of a prospective juror’s social networking site, provided there is no contact or communication with the prospective juror and the lawyer does not seek to ‘friend’ jurors, subscribe to their Twitter accounts, send jurors tweets or otherwise contact them. During the evidentiary or deliberation phases of a trial, a lawyer may visit the publicly available Twitter, Facebook or other social networking site of a juror but must not ‘friend’ the juror, email, send tweets or otherwise communicate in any way with the juror or act in any way by which the juror becomes aware of the monitoring.” (NYCLA 743 at 4.) The opinion further noted the importance of reporting to the court any juror misconduct uncovered by such research and found that an attorney must notify the court of any impropriety “before taking any further significant action in the case.” Id. NYCLA concluded that attorneys cannot use knowledge of juror misconduct to their advantage but rather must notify the court.
As set forth below, we largely agree with our colleagues at NYCLA. However, despite the guidance of the opinions discussed above, the question at the core of applying Rule 3.5 to social media—what constitutes a communication— has not been specifically addressed, and the Committee therefore analyzes this question below.
B. An Attorney May Conduct Juror Research Using Social Media Services And Websites But Cannot Engage In Communication With A Juror
1. Discussion of Features of Various Potential Research Websites
Given the popularity and widespread usage of social media services, other websites and general search engines, it has become common for lawyers to use the internet as a tool to research members of the jury venire in preparation for jury selection as well as to monitor jurors throughout the trial. Whether research conducted through a particular service will constitute a prohibited communication under the Rules may depend in part on, among other things, the technology, privacy settings and mechanics of each service.
The use of search engines for research is already ubiquitous. As social media services have grown in popularity, they have become additional sources to research potential jurors. As we discuss below, the central question an attorney must answer before engaging in jury research on a particular site or using a particular service is whether her actions will cause the juror to learn of the research. However, the functionality, policies and features of social media services change often, and any description of a particular website may well become obsolete quickly. Rather than attempt to catalog all existing social media services and their ever-changing offerings, policies and limitations, the Committee adopts a functional definition.
We understand “social media” to be services or websites people join voluntarily in order to interact, communicate, or stay in touch with a group of users, sometimes called a “network.” Most such services allow users to create personal profiles, and some allow users to post pictures and messages about their daily lives. Professional networking sites have also become popular. The amount of information that users can view about each other depends on the particular service and also each user’s chosen privacy settings. The information the service communicates or makes available to visitors as well as members also varies. Indeed, some services may automatically notify a user when her profile has been viewed, while others provide notification only if another user initiates an interaction. Because of the differences from service to service and the high rate of change, the Committee believes that it is an attorney’s duty to research and understand the properties of the service or website she wishes to use for jury research in order to avoid inadvertent communications.
2. What Constitutes a “Communication”?
Any research conducted by an attorney into a juror or member of the venire’s background or behavior is governed in part by Rule 3.S(a)(4), which states: “a lawyer shall not … (4) communicate or cause another to communicate with a member of the jury venire from which the jury will be selected for the trial of a case or, during the trial of a case, with any member of the jury unless authorized to do so by law or court order.” The Rule does not contain a mens rea requirement; by its literal terms, it prohibits all communication, even if inadvertent. Because of this, the application of Rule 3.5(a)(4) to juror research conducted over the internet via social media services is potentially more complicated than traditional juror communication issues. Even though the attorney’s purpose may not be to communicate with a juror, but simply to gather information, social media services are often designed for the very purpose of communication, and automatic features or user settings may cause a “communication” to occur even if the attorney does intend not for one to happen or know that one may happen. This raises several ethical questions: is every visit to a juror’s social media website considered a communication? Should the intent to research, not to communicate, be the controlling factor? What are the consequences of an inadvertent or unintended communications? The Committee begins its analysis by considering the meaning of “communicate” and “communication,” which are not defined either in the Rule or the American Bar Association Model Rules.
Black’s Law Dictionary (9th Ed.) defines “communication” as: “1. The expression or exchange of information by speech, writing, gestures, or conduct; the process of bringing an idea to another’s perception. 2. The information so expressed or exchanged.” The Oxford English Dictionary defines “communicate” as: “To impart (information, knowledge, or the like) (to a person; also formerly with); to impart the knowledge or idea of (something), to inform a person of; to convey, express; to give an impression of, put across.” Similarly, Local Rule 26.3 of the United States District Courts for the Southern and Eastern Districts of New York defines “communication” (for the purposes of discovery requests) as: “the transmittal of information (in the form of facts, ideas, inquiries or otherwise).”
Under the above definitions, whether the communicator intends to “impart” a message or knowledge is seemingly irrelevant; the focus is on the effect on the receiver. It is the “transmission of,” “exchange of’ or “process of bringing” information or ideas from one person to another that defines a communication. In the realm of social media, this focus on the transmission of information or knowledge is critical. A request or notification transmitted through a social media service may constitute a communication even if it is technically generated by the service rather than the attorney, is not accepted, is ignored, or consists of nothing more than an automated message of which the “sender” was unaware. In each case, at a minimum, the researcher imparted to the person being researched the knowledge that he or she is being investigated.
3. An Attorney May Research A Juror Through Social Media Websites As Long As No Communication Occurs
The Committee concludes that attorneys may use search engines and social media services to research potential and sitting jurors without violating the Rules, as long as no communication with the juror occurs. The Committee notes that Rule 3.5(a)(4) does not impose a requirement that a communication be willful or made with knowledge to be prohibited. In the social media context, due to the nature of the services, unintentional communications with a member of the jury venire or the jury pose a particular risk. For example, if an attorney views a juror’s social media page and the juror receives an automated message from the social media service that a potential contact has viewed her profile—even if the attorney has not requested the sending of that message or is entirely unaware of it—the attorney has arguably “communicated” with the juror. The transmission of the information that the attorney viewed the juror’s page is a communication that may be attributable to the lawyer, and even such minimal contact raises the specter of the improper influence and/or intimidation that the Rules are intended to prevent. Furthermore, attorneys cannot evade the ethics rules and avoid improper influence simply by having a non-attorney with a name unrecognizable to the juror initiate communication, as such action will run afoul of Rule 8.4 as discussed in Section II(C), infra.
Although the text of Rule 3.5(a)(4) would appear to make any “communication”—even one made inadvertently or unknowingly—a violation, the Committee takes no position on whether such an inadvertent communication would in fact be a violation of the Rules. Rather, the Committee believes it is incumbent upon the attorney to understand the functionality of any social media service she intends to use for juror research. If an attorney cannot ascertain the functionality of a website, the attorney must proceed with great caution in conducting research on that particular site, and should keep in mind the possibility that even an accidental, automated notice to the juror could be considered a violation of Rule 3.5.
More specifically, and based on the Committee’s current understanding of relevant services, search engine websites may be used freely for juror research because there are no interactive functions that could allow jurors to learn of the attorney’s research or actions. However, other services may be more difficult to navigate depending on their functionality and each user’s particular privacy settings. Therefore, attorneys may be able to do some research on certain sites but cannot use all aspects of the sites’ social functionality. An attorney may not, for example, send a chat, message or “friend request” to a member of the jury or venire, or take any other action that will transmit information to the juror because, if the potential juror learns that the attorney seeks access to her personal information then she has received a communication. Similarly, an attorney may read any publicly-available postings of the juror but must not sign up to receive new postings as they are generated. Finally, research using services that may, even unbeknownst to the attorney, generate a message or allow a person to determine that their webpage has been visited may pose an ethical risk even if the attorney did not intend or know that such a “communication” would be generated by the website.
The Committee also emphasizes that the above applications of Rule 3.5 are meant as examples only. The technology, usage and privacy settings of various services will likely change, potentially dramatically, over time. The settings and policies may also be partially under the control of the person being researched, and may not be apparent, or even capable of being ascertained. In order to comply with the Rules, an attorney must therefore be aware of how the relevant social media service works, and of the limitations of her knowledge. It is the duty of the attorney to understand the functionality and privacy settings of any service she wishes to utilize for research, and to be aware of any changes in the platforms’ settings or policies to ensure that no communication is received by a juror or venire member.
C. An Attorney May Not Engage in Deception or Misrepresentation In Researching Jurors On Social Media Websites
Rule 8.4(c), which governs all attorney conduct, prohibits deception and misrepresentation. In the jury research context, this rule prohibits attorneys from, for instance, misrepresenting their identity during online communications in order to access otherwise unavailable information, including misrepresenting the attorney’s associations or membership in a network or group in order to access a juror’s information. Thus, for example, an attorney may not claim to be an alumnus of a school that she did not attend in order to view a juror’s personal webpage that is accessible only to members of a certain alumni network.
Furthermore, an attorney may not use a third party to do what she could not otherwise do. Rule 8.4(a) prohibits an attorney from violating any Rule “through the acts of another.” Using a third party to communicate with a juror is deception and violates Rule 8.4(c), as well as Rule 8.4(a), even if the third party provides the potential juror only with truthful information. The attorney violates both rules whether she instructs the third party to communicate via a social network or whether the third party takes it upon herself to communicate with a member of the jury or venire for the attorney’s benefit. On this issue, the Philadelphia Bar Association Professional Guidance Committee Opinion 2009-02 (“PBA 2009-02”) concluded that if an attorney uses a third party to “friend” a witness in order to access information, she is guilty of deception because “[this action] omits a highly material fact, namely, that the third party who asks to be allowed access to the witness’ pages is doing so only because she is intent on obtaining information and sharing it with a lawyer for use in a lawsuit.” (PBA 2009-02 at 3.) New York City Bar Association Formal Opinion 2010-2 similarly held that a lawyer may not gain access to a social networking website under false pretenses, either directly or through an agent, and NYCLA 743 also noted that Rule 8.4 governs juror research and an attorney therefore cannot use deception to gain access to a network or direct anyone else to “friend” an adverse party. (NYCLA 743 at 2.) We agree with these conclusions; attorneys may not shift their conduct or assignments to non-attorneys in order to evade the Rules.
D. The Impact On Jury Service Of Attorney Use Of Social Media Websites For Research
Although the Committee concludes that attorneys may conduct jury research using social media websites as long as no “communication” occurs, the Committee notes the potential impact of jury research on potential jurors’ perception of jury service. It is conceivable that even jurors who understand that many of their social networking posts and pages are public may be discouraged from jury service by the knowledge that attorneys and judges can and will conduct active research on them or learn of their online—albeit public—social lives. The policy considerations implicit in this possibility should inform our understanding of the applicable Rules.
In general, attorneys should only view information that potential jurors intend to be—and make—public. Viewing a public posting, for example, is similar to searching newspapers for letters or columns written by potential jurors because in both cases the author intends the writing to be for public consumption. The potential juror is aware that her information and images are available for public consumption. The Committee notes that some potential jurors may be unsophisticated in terms of setting their privacy modes or other website functionality, or may otherwise misunderstand when information they post is publicly available. However, in the Committee’s view, neither Rule 3.5 nor Rule 8.4(c) prohibit attorneys from viewing public information that a juror might be unaware is publicly available, except in the rare instance where it is clear that the juror intended the information to be private. Just as the attorney must monitor technological updates and understand websites that she uses for research, the Committee believes that jurors have a responsibility to take adequate precautions to protect any information they intend to be private.
E. Conducting On-Going Research During Trial
Rule 3.5 applies equally with respect to a jury venire and empanelled juries. Research permitted as to potential jurors is permitted as to sitting jurors. Although there is, in light of the discussion in Section III, infra, great benefit that can be derived from detecting instances when jurors are not following a court’s instructions for behavior while empanelled, researching jurors mid-trial is not without risk. For instance, while an inadvertent communication with a venire member may result in an embarrassing revelation to a court and a disqualified panelist, a communication with a juror during trial can cause a mistrial. The Committee therefore re-emphasizes that it is the attorney’s duty to understand the functionality of any social media service she chooses to utilize and to act with the utmost caution.
III. An Attorney Must Reveal Improper Juror Conduct to the Court
Rule 3.5(d) provides: “a lawyer shall reveal promptly to the court improper conduct by a member of the venire or a juror, or by another toward a member of the venire or a juror or a member of her family of which the lawyer has knowledge.” Although the Committee concludes that an attorney may conduct jury research on social media websites as long as “communication” is avoided, if an attorney learns of juror misconduct through such research, she must promptly notify the court. Attorneys must use their best judgment and good faith in determining whether a juror has acted improperly; the attorney cannot consider whether the juror’s improper conduct benefits the attorney.
On this issue, the Committee notes that New York Pattern Jury Instructions (“PJI”) now include suggested jury charges that expressly prohibit juror use of the internet to discuss or research the case. PJI 1:11 Discussion with Others – Independent Research states: “please do not discuss this case either among yourselves or with anyone else during the course of the trial. . . . It is important to remember that you may not use any internet service, such as Google, Facebook, Twitter or any others to individually or collectively research topics concerning the trial. . . For now, be careful to remember these rules whenever you use a computer or other personal electronic device during the time you are serving as juror but you are not in the courtroom.” Moreover, PJI 1:10 states, in part, “in addition, please do not attempt to view the scene by using computer programs such as Goggle Earth. Viewing the scene either in person or through a computer program would be unfair to the parties. . . . “New York criminal courts also instruct jurors that they may not converse among themselves or with anyone else upon any subject connected with the trial. NY Crim. Pro. §270.40 (McKinney’s 2002).
The law requires jurors to comply with the judge’s charge and courts are increasingly called upon to determine whether jurors’ social media postings require a new trial. See, e.g.,Smead v. CL Financial Corp., No. 06CC11633, 2010 WL 6562541 (Cal. Super. Ct. Sept. 15, 2010) (holding that juror’s posts regarding length of trial were not prejudicial and denying motion for new trial). However, determining whether a juror’s conduct is misconduct may be difficult in the realm of social media. Although a post or tweet on the subject of the trial, even if unanswered, can be considered a “conversation,” it may not always be obvious whether a particular post is “connected with” the trial.
Moreover, a juror may be permitted to post a comment “about the fact [of] service on jury duty.”
In contrast to Rule 3.4(a)(4), Rule 3.5(a)(5) allows attorneys to communicate with a juror after discharge of the jury. After the jury is discharged, attorneys may contact jurors and communicate, including through social media, unless “(i) the communication is prohibited by law or court order; (ii) the juror has made known to the lawyer a desire not to communicate; (iii) the communication involves misrepresentation, coercion, duress or harassment; or (iv) the communication is an attempt to influence the juror’s actions in future jury service.” Rule 3.5(a)(5). For instance, NYSBA Opinion 246 found that “lawyers may communicate with jurors concerning the verdict and case.” (NYSBA 246 (interpreting former EC 7-28; DR 7-108(D).) The Committee concludes that this rule should also permit communication via social media services after the jury is discharged, but the attorney must, of course, comply with all ethical obligations in any communication with a juror after the discharge of the jury. However, the Committee notes that “it [is] unethical for a lawyer to harass, entice, or induce or exert influence on a juror” to obtain information or her testimony to support a motion for a new trial. (ABA 319.)
The Committee concludes that an attorney may research potential or sitting jurors using social media services or websites, provided that a communication with the juror does not occur. “Communication,” in this context, should be understood broadly, and includes not only sending a specific message, but also any notification to the person being researched that they have been the subject of an attorney’s research efforts. Even if the attorney does not intend for or know that a communication will occur, the resulting inadvertent communication may still violate the Rule. In order to apply this rule to social media websites, attorneys must be mindful of the fact that a communication is the process of bringing an idea, information or knowledge to another’s perception—including the fact that they have been researched. In the context of researching jurors using social media services, an attorney must understand and analyze the relevant technology, privacy settings and policies of each social media service used for jury research. The attorney must also avoid engaging in deception or misrepresentation in conducting such research, and may not use third parties to do that which the lawyer cannot. Finally, although attorneys may communicate with jurors after discharge of the jury in the circumstances outlined in the Rules, the attorney must be sure to comply with all other ethical rules in making any such communication.
AMERICAN BANKRUPTCY INSTITUTE
The Essential Resource for Today’s Busy Insolvency Professional
Straight & Narrow
By JAMES B. KOBAK, JR. AND IGNATIUS A. GRANDE
Social Media Ethics: Keeping Up with Changing Obligations
ocial media continues to impact the legal world in ways that could not have been fore seen only 10 years ago. Bankruptcy attorneys in particular are finding themselves using social media more often and are utilizing it for a variety of purposes, with the rise of bankruptcy blogs and the active use of applications such as LinkedIn. Many active users undoubtedly have a mix of motives: staying in touch with colleagues; commenting about and keeping up-to-date with legal developments; letting people know of important events in their personal or professional lives; and, in the back of some minds but undoubtedly in the forefront of others, using it as a tool to cultivate name recognition and develop business.
Social media and the ease with which one can store and post information and communicate with large groups of people continue to create challenges for all attorneys, including bankruptcy attorneys. An attorney must think before he/she tweets, posts on Facebook, Snapchats2—or puts anything on the Internet, for that matter.3 An attorney also has an obligation—or at least a professional interest—to advise clients on how to manage their social media accounts consistently with legal positions, but an attorney must abide by professional responsibility rules and obligations when doing so.
Over the past year, ethics committees and bar associations have continued to issue opinions and guidance on how attorneys can use social media, and attorneys and their clients have demonstrated how these platforms can be misused in ways that create ethical issues. It is more important than ever before for attorneys to be aware of the pitfalls, as well as the opportunities, that have been created by changing technology.
A bankruptcy attorney who uses any form of social media—or has clients who do—needs to understand how different social media platforms work and needs to be aware of the existence of any ethics rules or opinions that may affect the attorney’s use or their client’s use of social media. In other words, developments in this area affect virtually every bankruptcy professional, both technophobe and technophile alike.
This article alerts insolvency practitioners to recent developments in three areas: the duty to advise clients on social media use without running afoul of spoliation rules; the possible need to conform online communication to a number of disparate state advertising and solicitation rules; and the duty to protect confidential information in electronic, as well as physical, form. The case law, professional responsibility rules, and ethics opinions and comments are rapidly evolving and can vary by state.
Social Media Use and Privacy Settings
Clients may post information or remarks on social media that might be inconsistent with later legal positions that they may wish to adopt in insolvency proceedings or other contexts. Such postings may inadvertently divulge information that they would have preferred that creditors or a trustee not know. Social media postings may also serve as fodder for endless and embarrassing discovery or cross examination, as well as unwittingly violate the rights of third parties. An attorney may consider it good practice, and even part of diligent representation, to advise about what should or should not appear on a client’s website, social media feeds and even blogs.
Although content on a social media platform may seem to be different from emails or electronic files, the information stored on social media platforms is subject to the same preservation requirements as other forms of data. (Since social media can provide a treasure trove of information in many cases, it is becoming more and more important for attorneys to advise clients on the proper use of social media as it relates to their cases.) It has been clear for several years that an attorney cannot advise a client to delete a social media account or delete content when the information found on the social media account is subject to a litigation hold.4 More recently, ethics opinions have focused on the related issue of how a lawyer can—and may have a duty to—advise a client regarding changing social media privacy settings.
The Philadelphia Bar Association recently issued an ethics opinion that stated that a lawyer may advise a client to change the privacy settings on his/her social media page, as long as the lawyer does not instruct or permit a client to delete or destroy any “relevant” content “so that it no longer exists.”5 The committee found that changing the privacy settings was acceptable; even though a change would restrict immediate access to the content of the site, a change in privacy settings does not prevent the opposing party from being able to obtain such information through discovery or by a subpoena.
Florida also has issued guidance on this point. In January 2015, the Florida State Bar Association’s Ethics Advisory Committee issued a proposed advisory opinion, noting that “a lawyer may advise a client to use the highest level of privacy setting[s] on the client’s social media [accounts].”6 The committee also concluded that, “[p]rovided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, a lawyer also may advise that a client remove information relevant to the foreseeable proceeding from social media pages as long as an appropriate record of the social media information or data is preserved.”7
What Makes Social Media Communications Advertising?
For several years, bar associations and ethics opinions have found that attorneys who advertise on social media should be subject to the same requirements that are otherwise in place. In 2012, a California Ethics Opinion held that “[t]he restrictions imposed by the professional responsibility rules and standards governing attorney advertising are not relaxed merely because such compliance might be more difficult or awkward in a social media setting.”8 New York attorneys were also recently provided with specific guidance on what usage may constitute advertising.
On March 10, 2015, the New York County Lawyers Association (NYCLA) Professional Ethics Committee weighed in on the ethical implications for lawyers who use social media websites to promote their services when it issued Formal Opinion 748. The opinion focused solely on the use of LinkedIn by attorneys. The committee determined that attorneys may maintain profiles on LinkedIn “containing information such as education, work history, areas of practice, skills and recommendations written by other users.”9 However, if a lawyer wants to include information other than education and employment history, such as a detailed description of practice areas and work done in previous employment positions, that attorney may need to use the words “attorney advertising” if the purpose of the profile could reasonably be deemed to be seeking to be retained by clients and the audience included was not limited to lawyers and present or former clients. A LinkedIn pro file in New York should also have the disclaimer, “[p]rior results do not guarantee a similar outcome” if it includes “(1) statements that are reasonably likely to create an expectation about results the lawyer can achieve, (2) statements that compare the lawyer’s services with the services of other lawyers, (3) testimonials and endorsements of clients, or (4) statements describing or characterizing the quality of the lawyer’s or law firm’s services.”10
This opinion is the first to provide such detailed information on attorney advertising. The New York State Bar Association (NYSBA) Social Media Guidelines had previously stated that social media posts used “primarily” for business purposes are subject to the attorney advertising and solicitation rules. The NYCLA opinion and others have not addressed how to deal with other forms of social media, such as Twitter and Facebook. Attorneys, especially those in New York, must now be cognizant that advertising activity on social media will likely be treated similarly to advertising activity that is in print or on the Internet. In some states, this treatment could entail storing copies of social media profiles or even filing with disciplinary authorities.
Another notable requirement of Formal Opinion 748 is the requirement that attorneys should “periodically” check their LinkedIn profiles in order to monitor what is posted on their profiles by others, by way of endorsements or recommendations that originate from other users. The NYCLA opinion states that “[ w]hile we do not believe that attorneys are ethically obligated to review, monitor and revise their Linkedin sites on a daily or even weekly basis, there is a duty to review social networking sites and confirm their accuracy periodically, at reasonable inter vals.”11 This requirement is another example that attorneys can no longer glide by with an ignorance of what social media is; once they set up profiles, they may need to actually monitor them in some way and keep track of what people might be posting on their sites. Some may well evaluate whether participation in too many forms of social media is worth the effort.
Duty of Competence in Technological Matters
Times have changed in the practice of law, and many governing bodies are now indicating that attorneys should have some expectation or duty of competence as it relates to technology. In 2012, the American Bar Association’s (ABA) House of Delegates voted to amend Comment 8 to Model Rule 1.1, which pertains to competence, to revise the section that requires lawyers to “keep abreast of changes in the law and its practice” to include keeping up with “the benefits and risks associated with relevant technology.” In January 2015, New York State adopted a version of the ABA Comment that similarly imposes a duty to keep abreast “of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.”12
In addition, some ethics committees have directly tied this duty of competence to the social media world. In September 2014, the Pennsylvania Bar Association interpreted Rule 1.1 of the Model Rules of Professional Conduct to require that lawyers have “a basic knowledge of how social media websites work,” as well as the ability to advise clients about the legal ramifications of using these sites.13 In June 2015, the updated Social Media Ethics Guidelines from the Commercial and Federal Litigation Section of the New York State Bar Association suggest that an attorney possess an understanding, at a minimum, of the most basic functions of how each system works, what information (particularly client confidences) might be exposed, to whom and how, and the ethical impact of the usage.14
The practice of law and the manner in which professionals and nonprofessionals alike function and communicate have changed dramatically in recent years. Understanding how social media and technology works and will impact one’s practice is becoming more of a necessity, both practically and as a matter of professional responsibility. Some large companies are now insisting on strict guidelines for communication protocols and protection of sensitive data, and a market for cyber insurance has even developed. Ethics rules and opinions have not yet opted to require specific measures such as encryption, but some ethics committees and bar associations are beginning to consider such measures. Good bankruptcy lawyers devote time to staying up to date with developments relevant to their chosen field, which now includes developments in the new and changing technologies that they use to interact with colleagues, adversaries and clients. abi
Editor’s Note: Stay connected with ABI on Facebook (facebook.abi.org), Twitter (twitter.abi.org) and LinkedIn (linkedin.abi.org).
Reprinted with permission from the ABI Journal, Vol. XXX/V, No. 10, October 2015.
The American Bankruptcy Institute is a mu/U-disciplinary, non partisan organization devoted to bankruptcy issues. AB! has more than 12,000 members, representing all facets of the insolvency field. For more information, visit abi.org.
Carol Buckler is Professor of Law at New York Law School. She has served as New York Law School’s Interim Dean, Associate Dean for Academic Affairs and Associate Dean for Professional Development.
She teaches legal ethics, civil procedure and courses in the clinical and professional skills program. Professor Buckler has participated in several initiatives and committees in connection with legal education, professionalism and access to justice, including as Co-chair of the Statewide Law School Access to Justice Council; and as member of Law School Conference Planning Committee of the Task Force to Expand Access to Civil Legal Services in New York, the New York State Bar Association Committee on Legal Education and Admission to the Bar, the New York County Lawyers Association Task Force on Professionalism and the New York County Lawyers Association Ethics Institute. She is a cum laude graduate of Yale College and Harvard Law School.
Joseph J. Bambara is currently In House Counsel and a VP of technology architecture at UCNY, Inc. His e-mail address is firstname.lastname@example.org. For the last 20 years, he has been acting as Counsel for small to mid-size technology firms in the metro area including Crosspondmedia.com, Piranhamedia.com and Engagedmedia.com. He is expert on legislation addressing technology and his summary background is as follows:
Private Practice as Corporate IP Counsel handling Contracting for Software for all platforms (enterprise/mobile/client) with all outsourcing developer countries including China, India, Eastern Europe, etc. Expert in legal compliance with State and Federal laws, including ECPA, HIPAA, COPPA, CAN-SPAM and DMCA. Additionally responsible for Trademark/Copyright applications as well as establishing policy around mobile marketing;
Strong base of CIO/System Architect experience in the implementation of enterprise and mobile device software featuring hands on background in application development (JAVA, XML, Web Services, HTML5/CSS/Ajax/Angular for Android/Apple and data base administration (ORACLE, mySQL, MS SQL-SERVER, Sybase) coupled with good system architect skills.
Author of Sun Certified J2EE Architect Study Guide McGraw Hill, 2003, 2007 and 3rd edition in 2013, SQL 7 Developer’s Guide, IDG Books, 2000, J2EE Unleashed, SAMS, 2001 and many computing articles.
Legal Tech Expert/Educator: prepared and presented numerous courses on technology and the law covering Cloud, Mobile and Social Networking
Technology Attorney of 2010 New York Enterprise Report; Featured Faculty at Lawline.com Attorney CLE course covering same.
Business experience includes banking, financial, securities, manufacturing, health care, legal and insurance. Well versed in a variety of computer languages, vendor software and hardware mobile and internet development with Java and releated technologies
Mr. Bambara has a Bachelor’s and a Master’s degree in Computer Science. He holds a Juris Doctorate in Law and is admitted to the New York State Bar. He has taught various computer courses for CCNY’s School of Engineering. He is member of the New York County Lawyers Association Cyberspace Committee and an active member in the International Technology Law Association.
Specialties: Authored 10 internationally published hardcopy books on various enterprise technologies and have done presentations of the material all over US and Western Europe and Scandinavia. Presented multiple law and technology seminars for LawLine.com, National Constitution Center, New York County Lawyers Association and New York City Bar Association
JAMES B. KOBAK, JR. serves as General Counsel at Hughes Hubbard & Reed LLP where he chairs its Practice Standards, Procedures and Ethics Committee and formerly chaired its Antitrust Practice Group. He is a graduate of Harvard College and the University of Virginia Law School where he was the Associate Editor of the Law Review. Mr. Kobak cunently serves as lead counsel to the SIPA Trustee for the liquidations of Lehman Brothers Inc. and MF Global, Inc. He taught seminars on antitrust/intellectual prope1iy issues for over a decade at Fordham and University of Virginia Law Schools and served as editor of the ABA Antitrust Sections’ publication Intellectual Property Misuse: Licensing and Litigation.
Mr. Kobak is a past president of the New York County Lawyers Association. He is a member of the Ethics Institute and Ethics Committee of the New York County Lawyers Association, the Committee on Standards of Attorney Conduct of the New York State Bar Association and the Professional Responsibility Committee of the New York City Bar Association. Mr. Kobak serves as one of two editorial advisors to the New York ethics treatise published by Oxford University Press. Mr. Kobak was awarded NYCLA’s Boris Kostelanetz President’s Medal in 2006.
Jonathan Stribling-Uss, Esq is the director of Constitutional Communications (Concomms.org). He has led trainings or CLEs for over a hundred attorneys on cyber-security, encryption, privacy rights, and attorney client communications. He has also done security audits or training for journalists, grantors, human rights workers, and technologists at the Center for Constitutional Rights, Thoughtworks, the International Development Exchange, the Bertha Foundation, the Legal Clinics of CUNY School of Law, Law for Black Lives, the Continuing Legal Resource Network at CUNY, and Brazil de Fato among others.
Pery D. Krinsky, Esq.
160 Broadway • Suite 603
New York, New York 10038
Pery D. Krinsky is the principal of Krinsky, pllc, where he focuses his practice on ethics-based defense litigation. Before forming his own law firm, Mr. Krinsky was associated with the law firm of LaRossa & Ross, and then the Law Offices Of Michael S. Ross.
Mr. Krinsky’s ethics-based defense litigation practice focuses on:
Federal & State Attorney/Judicial Ethics Matters, including: representing attorneys and law firms under investigation by disciplinary authorities and other government agencies; providing guidance to lawyers concerning the day-to-day practice of law; representing disbarred and suspended attorneys seeking reinstatement; advising and representing members of the New York State Judiciary in matters before the New York State Commission on Judicial Conduct; and assisting law school graduates in the admissions process.
Federal & State Criminal Defense Matters, including: defending clients against law-enforcement actions such as claims of securities fraud, antitrust, investment advisory fraud, health care fraud, tax issues, money laundering, RICO, and narcotics trafficking, among others; helping conduct internal investigations; addressing compliance issues; and responding to regulatory inquiries.
Mr. Krinsky is a frequent lecturer on topics involving ethics in litigation, personal and professional responsibility and academic integrity, including at: the N.Y. State Judicial Institute; the Appellate Divisions, First and Second Judicial Departments; the N.Y. State Bar Association; the N.Y. City Bar; the N.Y. County Lawyers’ Association; the N.Y. State Academy of Trial Lawyers; the N.Y. State Trial Lawyers Association; the Practicing Law Institute; the Bay Ridge Lawyers Association; the Queens County Bar Association; Sotheby’s Institute of Art; and law schools such as Brooklyn Law School, Columbia Law School and Fordham Law School.
Mr. Krinsky serves as the Chair of the Ethics Committee of the Entertainment, Arts & Sports Law Section of the N.Y. State Bar Association; and the Chair of the Committee on Professional Discipline of the N.Y. County Lawyers’ Association. Mr. Krinsky serves on the Board of Advisors of the N.Y. County Lawyers’ Association Institute of Legal Ethics; and is also a Member of: the Brooklyn Bar Association; the N.Y. State Bar Association’s Committee on Attorney Professionalism; the N.Y. City Bar Association’s Professional Responsibility Committee; and the N.Y. County Lawyers’ Committee on Professional Ethics.
Peter Micek leads the business and human rights team at Access Now (www.accessnow.org), an international organization that defends and extends the digital rights of users at risk around the world. Advocating for a more rights-respecting telecom and tech sector, Peter helps build norms at the intersection of human rights and technology. He also teaches a course at Columbia University’s School of International and Public Affairs (SIPA) on internet policy and governance.
Peter graduated cum laude from the University of San Francisco School of Law, and in 2010 published “A Genealogy of Home Visits” in the U.S.F. Law Review, critiquing surveillance of at- risk communities. As a law student, Peter defended independent journalists and engaged in Freedom of Information litigation at First Amendment Project. For five years, in San Francisco, Peter led youth and ethnic media development online at New America Media and KALW. Peter studied political science and journalism at Northwestern University in Evanston, IL. He is licensed by the state bars of California and New York, and has no cats.