The Lawyers' Lawyer Newsletter - Recent Developments in Risk Management - Halloween 2020
Expand each of the topics below to learn more about the risk management issues and solutions covered in this edition of The Lawyers' Lawyer Newsletter.
Firm Administration – Expense Reporting – Oversight – Discipline
Trick or Treat Editors' Note: Aside from a global pandemic, is there anything more bizarre and troubling than lawyers stealing seemingly paltry sums from their own firms, partners, and employers? In the real world, happy endings are few and far between, so firms must employ necessary tools and infrastructure to stop expense theft before it starts.
Matter of Disciplinary Proceedings Against Bant, 2019 WI 107, 389 Wis. 2d 446, 936 N.W.2d 152
Risk Management Issue: How and how closely should firms track expense reporting?
The Opinion: From February 2014 through December 2016, Ms. Bant worked as an in-house attorney for an insurance company located in Wisconsin. Sometime during October 2016, Bant and her supervisor agreed that Bant would attend an ABA seminar in New Orleans. On October 31, 2016, Bant submitted a request for reimbursement of the $1,115 registration fee by way of a fabricated seminar registration receipt that Bant had created using computer software. The employer paid the requested sum, and Bant told her employer that she would fly to New Orleans on December 7, 2016 in order to attend the seminar on December 8 and 9. However, the seminar actually took place on November 3 and 4, and a co-worker spotted Bant in town on the morning of December 9, when Bant was allegedly in New Orleans for the seminar.
Sometime in December 2016, Bant uploaded, but had not yet submitted, a variety of elaborately fabricated travel receipts into her employer's expense system. Bant's supervisor confronted her and requested that Bant provide a timeline of her activities during her alleged trip. In response, Bant created an entirely false timeline and eventually claimed that she was physically assaulted while in New Orleans. In response to Bant's new claims, the company audited Bant's prior expense claims and discovered that Bant had previously made a fraudulent request for reimbursement for three nights at a hotel in Madison, Wisconsin. After these discoveries, Bant was terminated in December 2016. An ethics complaint followed.
Reviewing the findings of the referee, the Wisconsin Supreme Court concluded that Bant had violated Wisconsin's versions of Rule 8.4(c) and (f). 8.4(c) provides that "it is professional misconduct for a lawyer to engage in conduct involving dishonesty, fraud, deceit or misrepresentation," while 8.4(f) provides that it is misconduct for a lawyer to violate a statute, supreme court rule, supreme court order or supreme court decision regulating the conduct of lawyers. The court explained that it "take[s] a dim view of a lawyer's creation and use of false documentation for the purpose of misleading others." The court characterized Bant's actions as "affirmative acts of deception by creating false documentation for the sole purpose of misleading others," and further noted that her actions were "laced with calculated dishonesty." The court admonished Bant for doubling down on her story when questioned by her employer about the trip. Bant's license was suspended for six months.
Risk Management Solution: In addition to clients, courts, and opposing counsel, attorneys also owe ethical duties to their firms and employers. Rule 8.4's prohibition on dishonesty, deceit, and misrepresentation is not limited to clients, courts, or opposing counsel. The first and most important line of defense against fraudulent expense reporting is staff, who must be trained and reminded that their loyalty is to the firm and the firm's clients—not just the attorney to whom staff is assigned. In addition, law firms should have, and communicate, a clearly written policy regarding expense reporting, the firm's procedure for tracking expense reporting, and the system for expense reporting oversight. Expenses should be reviewed and approved by a supervising attorney or office manager in order to ensure expenses are legitimate, properly reported, and administratively tracked.
Confidentiality – Electronically Stored Information – Unauthorized Access
Trick or Treat Editors' Note: Little makes a lawyer's stomach churn more completely than the prospect of informing a client that its confidential information has been stolen from, or accessed on, the lawyer's system. If we lack strong and consistently applied security procedures, we choose to tempt this mostly avoidable risk.
The State Bar of California's Standing Committee on Professional Responsibility and Conduct Formal Opinion Interim 16-0002
Risk Management Issue: What are a lawyer's ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer's possession?
The Opinion: The State Bar of California's Standing Committee on Professional Responsibility and Conduct recently released Formal Opinion Interim No. 16-0002, which addresses a lawyer's ethical responsibilities arising from unauthorized third-party access of electronically stored client data.
With many lawyers now working remotely, the convenience—and risk—of electronically-stored client data has significance for more lawyers and clients than ever. In light of this "new normal" and the myriad of accompanying technological concerns, the Committee expanded upon its previously published analysis on the subject, Cal. State Bar Formal Opinion Nos. 2015-193 and 2010-179.
Using hypotheticals, the Interim Opinion addresses four factually diverse scenarios: a lawyer losing a laptop and forcing the data to be remotely wiped; another lawyer temporarily misplacing a smartphone overnight in a restaurant; a receptionist unknowingly falling victim to a ransomware link, resulting in firm payment; and a lawyer working remotely on an unprotected Wi-Fi network that resulted in the hacking of client data. While all involve different devices and types of employees, each of these individuals may have run afoul of the ethical obligations to employ reasonable measures to keep client data safe from unauthorized access.
These four hypotheticals implicate the rules of competence and confidentiality. The competence rule (Model Rule 1.1) and the duty to safeguard clients' information (Model Rule 1.6 and Bus. & Prof. Code, § 6068(e)) require lawyers to make reasonable efforts to protect such information from unauthorized disclosure or destruction. However, as ABA Formal Op. No. 18-483 explains, the duty to make reasonable efforts to preserve clients' confidential information does not "require the lawyer to be invulnerable or impenetrable."
According to Cal. State Bar Formal Op. No. 2015-193, the threshold requirement is that lawyers have a basic understanding of the "benefits and risks associated with relevant technology." The Interim Opinion reiterates this and adds that this obligation can be met by learning where and how confidential client information is vulnerable to unauthorized access. This inquiry "must be made with respect to each type of electronic device" incorporated into the lawyer's practice.
While the duties of competence and confidentiality do not create a strict liability standard, the Interim Opinion suggests that "a legal standard for 'reasonable' security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments."
The Interim Opinion also discusses a lawyer's duty to communicate in the event of an attack seeking to access, download, or destroy client information. Model Rule 1.4(a)(3) and Business and Professions Code Section 6068(m) require lawyers to keep clients "reasonably informed about significant developments" relating to the lawyer's representation. This would include a circumstance in which the client's confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer's ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode. ABA Formal Op. No. 483.
With respect to the details of a required disclosure, the Interim Opinion provides that the lawyer "shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions" as to what to do next, if anything. (Model Rule 1.4(b)). "In a data breach scenario, the minimum disclosure required to all affected clients under Model Rule 1.4 is that there has been unauthorized access to or disclosure of its information, or that unauthorized access or disclosure is reasonably suspected of having occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed." ABA Formal Op. No. 18-483. Beyond the ethical obligations of disclosure, there may very well be instances where federal statutes such as HIPAA also require notification.
Editor's Note: This issue has been addressed by other states and was discussed in the September 2012 edition of the Lawyers' Lawyer Newsletter. In addition, Hinshaw regularly publishes Cyber Alerts addressing this and related topics.
Risk Management Solution: This Interim Opinion addresses the dangers associated with digitally-stored data. While convenient, lawyers must be attentive to the potential vulnerabilities each of their devices and systems and be diligent in upholding legal duties owed to clients. Records of reasonable efforts and informed analysis will be the best evidence of compliance with the rules and various duties owed to clients.
Representing the Estate Executor – Ethical Duty – Confidentiality – Withdrawal
Trick or Treat Editors' Note: One of the four horsemen of the apocalypse—third-party claims—is thundering down upon lawyers. The grim spectre of non-client duties and related lawsuits should be enough to frighten all of us into taking extra steps to protect ourselves and our firms.
New York State Bar Association Ethics Opinion No. 1194
Risk Management Issue: Does a lawyer for an estate executor have an ethical duty to the estate's beneficiaries? What disclosures or other steps, if any, is a lawyer permitted and/or required to make if the lawyer suspects wrongdoing by the client executor?
The Opinion: In a June 11, 2020 opinion, the New York State Bar Association's Committee on Professional Ethics considered the following estate-related topics: (1) whether a lawyer representing an estate's executor owes ethical duties to the estate's beneficiaries; (2) whether an executor's lawyer may withdraw if the lawyer suspects wrongdoing by the executor; (3) what disclosures the executor's lawyer is required or permitted to make in that circumstance; and (4) how to treat the executor's fee after a withdrawal.
In the matter at issue, the lawyer represented an executor in the probate of an estate. The decedent's will provided for a gift to the executor, but left most of the decedent's estate to charitable organizations. After the probate petition was filed, the lawyer learned of the existence of a transfer-on-death designation, which gave the executor a significant portion of the decedent's estate.
In New York, TOD designations do not necessarily require the involvement of an attorney or witnesses. This particular TOD designation was created after the decedent's will. Thus, many of the decedent's assets that would have been distributed to charities were instead be transferred to the executor. In fact, before the lawyer knew about the TOD designation, the executor had already transferred funds into the executor's own account.
The executor gave the lawyer conflicting explanations regarding how the decedent executed the TOD designation. The lawyer repeatedly requested a copy of the TOD designation, but the executor refused to provide it. Furthermore, the lawyer had reason to believe the executor would not disclose the TOD distribution to the court. In the lawyer's opinion, both the court and the New York Attorney General's Charities Bureau would consider such an omission to be misleading and fraudulent.
Based on these circumstances, the lawyer stated an intent to withdraw from representing the executor, and returned the advance fee payment. The executor directed the lawyer to keep the fee because it was earned; however, the lawyer refused to do so.
In responding to the lawyer's inquiry, the Committee referred the lawyer to a prior ethics opinion, NYSBA Ethics Op. 1034, where the Committee opined that an executor's lawyer owes no duty to the beneficiaries of an estate. The Committee avoided comment on whether privity with the estate lawyer is required for an heir to have standing to bring a legal malpractice case against the lawyer.
With respect to the lawyer's withdrawal from the representation, the Committee concluded that the lawyer had the right to withdraw from the representation, based on RPC 1.16, which permits and—in certain circumstances—requires a lawyer to withdraw from representing a client. According to the Committee, several of the circumstances enumerated in 1.16 permitted the lawyer to withdraw, including where: (1) the client insists upon taking action with which the lawyer fundamentally disagrees; (2) the client fails to cooperate in the representation or makes the representation unreasonably difficult for the lawyer; or (3) the client persists in a course of action involving the lawyer's services that the lawyer reasonably believes is criminal or fraudulent. In addition, the Rules require the lawyer to withdraw if the lawyer's continued representation would result in a violation of any of the Rules of Professional Conduct or of the law.
As to the lawyer's duty to make disclosures regarding the executor's conduct, the Committee cited Rules 1.6 and 3.3, which, respectively, require a lawyer to maintain client confidentiality and take remedial measures when the lawyer knows a client is engaging—or intending to engage—in criminal or fraudulent conduct related to a proceeding before a tribunal. Those remedial measures may include disclosing confidential information about a client's fraudulent intentions or actions.
The question here is whether this lawyer had the requisite knowledge of the client's intent to commit fraud on the court. First, the lawyer needed to determine whether the client's omission of the TOD designation would be fraudulent or criminal conduct; the Committee did not speak to that legal issue. But, even assuming that omission was fraudulent or criminal, the lawyer only had a "suspicion" that the client would keep the TOD designation from the court. According to the Committee, the lawyer must know that the client will omit the fact in order to trigger the lawyer's duty to engage in remedial measures, including potential disclosure to the court.
Even if RPC 3.3 did not mandate disclosure to the court, the lawyer could still make a disclosure under RPCs 1.6(a)(3), 1.6(b)(2), or 1.6(b)(6). Those Rules permit, but do not require, disclosure where a lawyer "reasonably believes" that disclosing the information is "necessary" to "prevent the client from committing a crime" or if it is required by "law or court order." This situation assumes that the client's omission of the TOD designation constitutes a crime, fraud, or other violation of law.
Finally, with respect to the advance fee, the Committee indicated that the lawyer was free to keep the funds, donate them to one of the estate's beneficiaries, or donate them to a charity of the lawyer's choosing.
Risk Management Solution: Where a lawyer represents the executor of an estate and believes that the executor may be acting fraudulently or criminally, the lawyer owes no duty to the estate's beneficiaries and may withdraw pursuant to RPC 1.16. The lawyer has a duty to disclose confidential information to the court only when the client's intended actions in the proceeding constitute criminal or fraudulent conduct, if other remedial measures have failed, and if the lawyer knows the client has engaged—or will engage—in such conduct. The level of knowledge required is quite high. When faced with this difficult situation, lawyers should carefully review their state's version of the Rules and related comments, and consult with general or ethics counsel.