By Laurence Banville
Emergent technologies have already altered our lives in unprecedented ways. For practicing attorneys, these innovations pose both risks and benefits. Perhaps the greatest risk is not remaining current on technological change relevant to a given attorney’s practice area. In coming years, the legal terrain may begin to shift in lock-step with technological change, even as the law struggles to adapt to and create appropriate rules governing the ethical implications of new developments.
Consider a surgeon who uses data transmitted by a wrist-based fitness tracker to diagnose patients. In the near future, a misdiagnosis will more often be caused by poorly-programmed algorithms than error-prone humans. Liability may change fundamentally. Who is ultimately responsible for a product’s failure when design is less a matter of physical conformation than layers of interfacing software? If nothing else, the parties involved in any one products liability litigation could multiply exponentially.
Technologically-inept attorneys should take note. In 2013, the American Bar Association (ABA) approved a new resolution, incorporating technological proficiency as a core requirement for competent representation. The ABA Model Rules make clear that as attorneys, we owe clients a duty of competence. See ABA Model Rule 1.1 (“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”) While this is nothing new, being required to keep pace with a rapidly-changing technological landscape certainly is. As now set forth in Comment 8 to the ABA’s Model Rule 1.1:
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added).
To date, at least 25 states have adopted the American Bar Association’s language on technological competency in their own ethical rules. New York’s State Bar Association approved a similar change to its comments to New York Rule of Professional Conduct (RPC) 1.1 on March 28, 2015, but opted to clarify the duty. Per Comment 8 to RPC 1.1, a New York attorney should:
“keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.”
While the ABA has said that this change should not “impose any new obligations” on practicing attorneys, the intent is clear: get with the times. See Jamie S. Gorelick & Michael Traynor, Report to the House of Delegates (2012), http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/2012_hod_annual_meeting_105a_filed_may_2012.authcheckdam.pdf.
How proficient one should stay, though, is still something of a gray area. We cannot all be computer wizards, and the technologies considered “relevant,” and the degree of technological expertise an attorney needs, are likely to differ depending on an attorney’s practice area. Corporate attorneys, for example, would do well to understand the ramifications of using outdated encryption software to protect intellectual property. Few clients, on the other hand, would want or need an Alan Turing, the man who led the team that broke the German codes during World War II and the father of computer science, as their attorney in a personal injury matter.
As far as discovery of electronically stored information (ESI) is concerned, few questions will have simple answers. We are not, however, completely in the dark. While there are still some cases that live entirely on paper, there is no case that could not, at least potentially, involve ESI. Even so, a lot of attorneys are practicing in the Middle Ages, according to Robert Ambrogi at Above the Law, balking even at the concept of e-discovery. See Robert Ambrogi, “This Week in Legal Tech: Ethics and Technology Competence,” Above the Law, July 11, 2016, http://abovethelaw.com/2016/07/this-week-in-legal-tech-ethics-and-technology-competence/.
As a recent opinion (Formal Opinion No. 2015-193) from the State Bar of California Standing Committee on Professional Responsibility and Conduct makes clear, it is no longer acceptable to be a Luddite on this point:
“The ethical duty of competence requires an attorney to assess at the outset of each case what electronic discovery issues might arise during the litigation, including the likelihood that e-discovery will or should be sought by either side. If e-discovery will probably be sought, the duty of competence requires an attorney to assess his or her own e-discovery skills as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.”
At the least, you should know that you do not know enough. Then ask for help. The California opinion suggests reaching out to other attorneys (either in your own firm or outside it), relevant software vendors or even your own client if they possess the necessary expertise. Id.
Where discovery misconduct is concerned, technological incompetence is unlikely to be a persuasive excuse. In response to an attorney who, after committing several e-discovery violations, said, “I have to confess to this court — I am not computer literate,” the Delaware Court of Chancery was unequivocal: “professed technological incompetence is not an excuse for discovery misconduct.” James v. Natl. Fin. LLC, No. 8931-VCL, 2014 WL 6845560 (Del. Ch. Dec. 5, 2014). Delaware, it should be observed, is among the 25 states that have adopted the ABA’s change to the Rule 1.1 comment so far.
E-Mail Communications & Confidentiality
This may not be an earth-shattering revelation, but it bears repeating. Keeping client information confidential has become increasingly complex. Access a café wireless connection anywhere on earth and your communications have likely become vulnerable to third-party interception. Similar vulnerabilities may exist in your own office, at least if you currently use an unencrypted email service to communicate with clients.
Of course, interception of this sort is generally illegal, but when has something like the law ever stopped a hacker? While there is some debate as to whether the risk is more or less than that posed by traditional mail, ethics opinions clarify that lawyers generally may use email to communicate with their clients without running afoul of the ethics rules. See ABA Formal Op. 11-459 (2011). Nevertheless, law firms should take reasonable steps to ensure their email systems and data storage are secure. As Comment 17 to RPC 1.6 says:
“When transmitting a communication that relates to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of a lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the information is protected by law or a confidentiality agreement.”
In any event, even in the absence of the need for special protections, it’s a good idea to warn clients ahead of time that emails are vulnerable to third-party interception. Then act reasonably to safeguard any information relating to the representation. Where additional precautions may be necessary, encryption is a strong option, if not a requirement.
Security & Confidentiality in an Interconnected World
Think you, and your client’s confidential information, won’t be singled out by unscrupulous techno-savants? Not all of us will be, but it’s extraordinarily difficult to predict who or what hackers will target. It’s not as if these people are sitting down at their computers, finding unsecured web devices and attempting to gain access one-by-one. Software programs are ceaselessly scouring the internet for open web ports and our assumption should be that anything connected to the internet is vulnerable.
It turns out that even toasters are targets. In a recent test case, a reporter at The Atlantic created a virtual toaster using Amazon’s rental servers, mimicking the features of an unsecured web device. The “toaster” became victim to its first hack attempt within 41 minutes. The second attack came 14 minutes later. See Andrew McGill, “The Inevitability of Being Hacked,” The Atlantic, Oct. 28, 2016, http://www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571/.
If you think the idea of a web-connected toaster seems fanciful, think again. In fact, we already have one, although it’s only a prototype and something of a joke. It’s called Brad, and Brad’s very existence is prophetic. While Brad appears to be a normal household appliance, the toaster is actually linked to a network of similarly-interconnected kitchenwares. Choose to neglect Brad and he’ll complain, shaking his handle in frustration. Brad even has the capability to put himself up for sale on the internet. See Kyle VanHemert, “A Toaster That Begs You to Use It: Welcome to the Bizarro Smart Home,” Wired, March 17, 2014, https://www.wired.com/2014/03/addicted-products/.
It is not paranoid fantasy to suppose that, in the near future, everything, no matter how mundane, will be connected in some way to every other thing. A connection is, if nothing else, an avenue for entry, and thus a threat to confidential information.
Ensuring client confidentiality in an interconnected world will be difficult, unless you keep every client file on a dusty desktop that doesn’t have internet access.
The Internet of Things
On Oct. 21, 2016, Twitter, Amazon, Airbnb and Spotify were all brought down by a sophisticated distributed denial of service attack (DDoS). In a traditional DDoS attack, hackers enlist a mob of “zombie” (essentially hijacked) computers to overwhelm sites with floods of traffic. Twitter, however, was disrupted by traffic coming from things, an Internet of Things. See Kif Leswing, “A Massive Cyberattack Knocked Out Major Websites Across the Internet,” Business Insider, Oct. 21, 2016, http://www.businessinsider.com/amazon-spotify-twitter-github-and-etsy-down-in-apparent-dns-attack-2016-10.
DVR devices, wireless routers, CCTV cameras, most recent home appliances — anything with a processor — will do. In fact, the web-connected devices recently used to shut down some of the internet’s most popular sites happen to be older, and less-protected, than those currently sitting in the homes of many Americans.
There are now more web-connected devices on earth than human beings. See Rod Soderberry, “How Many Things Are Currently Connected to the ‘Internet of Things’ (IOT)?”, Forbes, Jan. 17, 2013, http://www.forbes.com/sites/quora/2013/01/07/how-many-things-are-currently-connected-to-the-internet-of-things-iot/. The Internet of Things, a concept deftly characterized as “integration and interconnection of sensors and controls in a broad range of Internet-enabled devices, some paired with living things” by trial lawyer and computer forensic examiner Craig Ball, will only become more complex. See Craig Ball, “The Internet of Things Meets the Four Stages of Attorney E-Grief,” Ball in Your Court, Sept. 25, 2016, https://ballinyourcourt.wordpress.com/2016/09/25/the-internet-of-things-meets-the-four-stages-of-attorney-e-grief/. As it does, this emergent — and thoroughly new — interconnected world will change not only our duties surrounding client confidentiality, but the very practice of law itself.
Data Is Here to Stay
While the Internet of Things is unlikely to impact the IT operations of law firms directly, radically increased connectivity could have a significant effect on many of our cases. So will drastic increases in the amount of data being collected, often of a very sensitive nature. Social media evidence has already had an effect on innumerable cases.
Take the case of Kathleen Romano as an example. In 2010, Romano sued Michigan-based furniture manufacturer Steelcase, arguing that her fall from a “defective” chair had led to severe personal injuries. Romano’s ample use of “smiley faces” on MySpace told a different story, Steelcase contended. And while Romano claimed to be “homebound,” pictures posted to her daughter’s Facebook account showed the family enjoying a trip to Florida soon after the alleged accident had occurred. New York’s Supreme Court granted Steelcase access to Romano’s “current and historical” social media accounts, “including all deleted pages.” Six years later, the suit remains in litigation. Romano v. Steelcase Inc., 30 Misc 3d 426 (NY Sup. Ct. Sept. 21, 2010).
Will courts consider the personal data gathered by devices within the Internet of Things similarly discoverable? If determining the facts at issue is a goal, there is no reason to think it would not be in the appropriate case.
Determining whether or not a vehicle was malfunctioning during an accident will be simple. Or maybe the driver was checking his Facebook account just before the crash. Or maybe the vehicle repeatedly alerted him to signs of danger, but these warnings were ignored. All of these facts are, or soon will be, readily discoverable.
Similarly, the way that people track, assess and modify their own physical health is rapidly changing. Fitbit, Jawbone and other fitness trackers are likely to begin having a major impact on personal injury and workplace liability cases. Is your client wearing a Fitbit now? Sufficiently advanced, such technology could provide credible evidence as to the extent of her physical injuries, or that her injuries led to altered brain states, correlates of psychological trauma.
Once this regime takes hold, attorneys will have an unprecedented array of granular and accurate evidence at hand. Disparate streams of data will not, of their own accord, coalesce into a coherent picture, but with creativity and a good grasp of technology, attorneys will find new ways to tell compelling stories.
Laurence P. Banville is the Managing Partner at Banville Law, a personal injury firm in Manhattan.
DISCLAIMER: This article provides general coverage of its subject area and is presented to the reader for informational purposes only with the understanding that the laws governing legal ethics and professional responsibility are always changing. The information in this article is not a substitute for legal advice and may not be suitable in a particular situation. Consult your attorney for legal advice. New York Legal Ethics Reporter provides this article with the understanding that neither New York Legal Ethics Reporter LLC, nor Frankfurt Kurnit Klein & Selz, nor Hofstra University, nor their representatives, nor any of the authors are engaged herein in rendering legal advice. New York Legal Ethics Reporter LLC, Frankfurt Kurnit Klein & Selz, Hofstra University, their representatives, and the authors shall not be liable for any damages resulting from any error, inaccuracy, or omission.