Lawyer Tech Competence: 5 Debacles You Can Avoid
It’s harder than ever for lawyers to meet the ethical obligation to keep their technology skills up-to-date. You have to not only learn about new legal tools, but also the latest technologies that clients use.
Thanks to the blistering pace of change in the way we conduct business and our lives, there are more and more ways modern legal representation can go sideways. Lack of facility with technology can upend your ediscovery process, compromise client confidentiality, or give increasingly savvy hackers access to your computers. Yet not knowing won’t excuse you from professional embarrassment, client fury, malpractice allegations, discipline, or sanctions.
To help you avoid common missteps, we’ve gathered real-world examples in which tech-related errors led to headline-grabbing debacles.
What Exactly Is a Lawyer’s Duty of Technological Competence?
The American Bar Association updated the Model Rules of Professional Conduct in 2012 to expand what is meant by competence beyond matters of the law and its practice to also include an understanding of technology. Since then, 40 state bar associations incorporated the change, including California, which became the 39th state to adopt the ethical duty of tech competence in March 2021. The expectation, in short, is that attorneys “keep abreast of the changes in the law and law practice, including the benefits and risks associated with relevant technology.”
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
– ABA Model Rule 1.1, Comment 8
Following are illustrations of what can go wrong very publicly when practitioners don’t understand technology. While the ethics rules don’t require lawyers to become experts on every kind of technology, some of the errors could really happen to anyone. That said, they clearly show why the requirement is in place and what can go wrong when attorneys fail to understand the use and impact of technology.
1. Avoid Redaction Disasters
Redaction failures are among the most common technology errors. Security technologist Bruce Schneier told Law.com in 2018 that redaction mistakes happen because “people don’t know how to use the technology.” The method requires facility with the technology, and “If you don’t have it, you don’t realize you’ve screwed up.”
Lack of skill with redaction tools tripped up attorneys for former presidential campaign chairman Paul Manafort. In one high-profile example, defense lawyers failed to redact portions of text in a court filing that wound up revealing Manafort’s contacts with a Russian spy, likely impacting the length of his ultimate sentence. Though the redacted portions were covered by black bars, the underlying text could be revealed simply by copying and pasting the blacked out sections into a new document.
Lawyers in prominent corporate and government cases have made similar missteps. A few years ago, outside counsel for a major social media company filed an improperly redacted PDF in court, an error that revealed embarrassing information about the company’s discussions around user data. And a redaction oversight by the US government confirmed in 2016 that the FBI’s targeting of a secure email service was used to spy on Edward Snowden.
A tip from an NSA report on redaction: “The key concept for understanding the issues that lead to the inadvertent exposure is that information hidden or covered in a computer document can almost always be recovered. The way to avoid exposure is to ensure that sensitive information is not just visually hidden or made illegible, but is actually removed from the original document.”
2. Prevent Production Fiascos
Among an attorney’s ethical duties is to protect client data. That calls for an understanding of the ediscovery tools and practices involved in producing confidential or privileged information. The fallout in a defamation and breach of contract case against a major US bank highlights the risks.
In summer 2017, as part of a subpoena request, the bank’s outside counsel spearheading the production process accidentally sent a CD to the plaintiffs counsel containing confidential information on about 50,000 high-net-worth customers. The inadvertently produced materials included customer names, Social Security numbers, and financial details. Compounding the problem, the plaintiff and his lawyer took the news to the New York Times.
The data breach potentially violated state and federal consumer data privacy laws in the United States. And since some of the account owners were listed as non-US, the misstep also potentially violated overseas privacy laws. It also raised red flags with regulators.
The bank’s lawyer said she had misunderstood the role of the vendor handling the discovery, and also the technology being used. She said in an affidavit following the breach that she thought she had reviewed the full data set, when in reality she had only gone through the first 1,000 documents.
What I did not realize, was that there were documents that I had not reviewed. Unbeknownst to me, the view I was using to conduct the review had a set limit of documents that it showed at one time.”
– Counsel for the bank
Ediscovery best practices call for careful review of digital documents, redaction of appropriate materials, encryption of data in transit, and protective orders or written confidentiality agreements between parties exchanging confidential documents. None of these appeared to be in place in this case.
3. Steer Clear of Collection Errors
It’s also important to choose your technology wisely – and to know its limitations. And if your legal team isn’t equipped to handle the ediscovery process, it’s crucial to work with someone who is.
Lawyers at an international law firm made a host of mistakes in the collection process while conducting discovery in an anti-competition case, including the improper use of Microsoft Outlook software to search for and collect data. As a result, the attorneys wound up missing hundreds of thousands of documents, nearly half of the potentially relevant documents in the case.
The failure led to a two-year postponement of the trial and an award of much of the plaintiff’s trial prep costs.
In ruling on the error, the court pointed to the lack of supervision as the root cause, with neither the law firm nor the company in-house IT team having the technical experience needed to manage a review of that size.
Neither ignorance nor lack of intent to harm shields lawyers from their ethical duty to understand ediscovery tools and properly vet their work.
4. Be Sure to Identify and Preserve Relevant Data
Lawyers need to understand the nuances between data stored on premises as opposed to in the cloud. In a trademark dispute between two electronic cigarette sellers, an Illinois District court judge cited a series of “missteps, misdeeds, and misrepresentations” as cause for significant sanctions on the defense counsel for their discovery failures.
In the case, lawyers flubbed ESI preservation, in part by failing to issue a litigation hold and to instruct their client to turn off automated deletion of relevant web emails or chats. What’s more, the lawyers apparently didn’t attempt to collect and preserve messages because they didn’t know they were stored online instead of on company servers. As a result, documents were spoliated and not produced in a timely fashion.
The judge stressed in his 2021 ruling that it’s the lawyer’s obligation to have “a reasonable understanding” of both the client’s information systems and of ESI and the law relating to identifying, preserving, collecting, and producing ESI.
In addition to a list of sanctions, the court required the attorneys to attend ESI training.
5. Beware of Hackers Targeting Law Firms
Law firms, with their troves of valuable client information, are a prime target for hackers. In 2019, ALM published a report showing hundreds of law firms of all sizes had reported breaches to state authorities in recent years. The actual number of such breaches is likely much higher, since the reporting is voluntary in many states.
Ransomware software and hacking group Maze hit a number of smaller law firms in South Dakota and Texas in recent years, holding their data hostage in return for payment for its release. In one instance, the group published a law firm’s hacked data. The released information included documents from personal injury cases and HIPAA consent forms.
Earlier this year, the American Bar Association warned about cyber criminals taking advantage of attorneys working from home in “a ransomware epidemic,” citing a 716% increase in ransomware attacks since 2019. Both the number of hacking groups and the level of sophistication of ransomware attacks is growing. For instance, less accomplished hackers can now buy ransomware-as-a-service (RaaS) on the dark web to gain access to systems that were compromised by more skilled hackers.
Cybersecurity is complex. Among the ABA’s recommendations is to stay current with your cybersecurity training, partner with your IT department, and ensure safe work-from-home practices. Check out the ABA’s full article including tips on how to protect yourself.
Just as ‘ignorance of the law excuses no one,’ ignorance of technology does not excuse lawyers from the responsibility of ensuring reasonable security practices are in place to protect client data.”
– The American Bar Association
Getting it Right
The errors that make it into the public eye are just the tip of the iceberg. Many technology failures never get caught. Most that do are settled out of court for various reasons. But mistakes can happen to anybody and the consequences can be truly damaging to your client and your practice.
The “I didn’t know” defense doesn’t fly anymore. Ethics rules require individual attorneys to be responsible for their own competence. So whether it’s through CLE courses, conferences, news, or blog sites, incorporate technical training into your continuing education repertoire. Or partner with an expert who complements your skills to cover your bases.
Whatever you do, if disaster strikes, don’t blame the paralegal.
Read our “Cybersecurity in the World of Ediscovery” report for an overview of best practices while working remotely and how to choose a secure ediscovery solution.