This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

self-study / Legal Ethics

Sep. 25, 2025

What lawyers can learn about cybersecurity ethics from 'The Good Wife'

Joanna L. Storey Mishler

Senior Counsel
Rosing Pott & Strohbehn

501 W Broadway A380
San Diego, CA 92101

Email: jmishler@rosinglaw.com


A few years ago, a colleague from the Bar Association of San Francisco's Legal Ethics Committee and I started an annual tradition of presenting a CLE to our members about legal ethics lessons learned from fictional attorneys. We took the show on the road, and most recently, I presented the topic to the La Jolla Bar Association.

We set the stage with examples of how fictional attorneys handled a thorny ethics issue and then broke down how the attorney got it wrong (or right) by applying the California Rules of Professional Conduct (CRPC). We offer practical guidance on how the principles discussed might affect your work.

In this article, I highlight one of our cybersecurity favorites from past programs. Take a seat, sit back and enjoy the show.

In Season 6, Episode 5 of "The Good Wife" ("Shiny Objects"), firm leader Diane Lockhart is working on her firm-issued laptop in the office, surrounded by other attorneys working on their laptops. Her screen goes blank and this message pops up: "Your Files Have Been Encrypted." The message includes a shiny red button to "Access Files."

Without consulting anyone and with a serious and puzzled look on her face, Lockhart clicks the button. The screens of all other attorneys go blank, and Lockhart sees a new message: "Trojan Lock. All files on your computer and all drives connected to it via intranet servers are encrypted." If the firm does not pay $50,000, the bad actor will delete their files. 

The firm is in trial and has lost all access to the client's file. There is no backup available because the firm elected not to pay for a backup system. Lockhart and her partners decide not to tell the client or law enforcement for fear of losing the client and losing the firm's reputation. Instead, they enlist the help of their in-house investigator, who hacks the hacker's computer and threatens the hacker to persuade him to release the files.

There is much to unpack in this scenario.

As a threshold matter, Comment 1 to California Rule of Professional Conduct ("CRPC") 1.1 requires a lawyer to "keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology." Here, Lockhart clicked the unexpected pop-up message link without knowing its source. If she had kept abreast of cybersecurity scams, she would have known to stop, assess and consult with her IT professional before proceeding.

Next, CRPC 1.6 and Business & Professions Code section 6068, subdivision (e)(1) provide for a lawyer's duty to maintain client confidences ("To maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client"). ABA Formal Opinion 477R (Securing Communication of Protected Client Information) offers practical guidance for how lawyers can secure communication of protected client information by breaking down the trifecta of duties: competence, confidentiality and communication.

Here, Lockhart's firm failed to "understand and use reasonable security measures," as suggested by the Opinion. At minimum, the firm failed to have a backup of client files.

Lockhart's firm also failed to have a plan in place for managing the cybersecurity breach. Had they consulted California Formal Ethics Opinion No. 2020-203, they would have known about their duties to "take reasonable steps to secure their electronic systems to minimize the risk of unauthorized access," to "conduct a reasonable inquiry to determine the extent and consequences of the breach," and "to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach."

CRPC 1.7(b) (Conflict of Interest: Current Clients) is implicated because the firm continued to represent the client in the ongoing trial while secretly trying to regain access to that client's file. Certainly, "the lawyer's representation of the client will be materially limited by . . . the lawyer's own interests" in this circumstance. CRPC 1.7(d)(1) is also relevant; how can Lockhart "reasonably believe" that she can "provide competent and diligent representation" to a client in trial when she cannot access that client's file?

Finally, CRPC 5.3 (Responsibilities Regarding Nonlawyer Assistants) is also relevant. Subsection (a) states: "a lawyer who individually or together with other lawyers possesses managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the nonlawyer's conduct is compatible with the professional obligations of the lawyer."

Here, Lockhart gave the investigator carte blanche authority to identify the hacker and retrieve the files. The investigator hacked the hacker and threatened him. Under CRPC 5.3(c) and CRPC 8.4(a), Lockhart is responsible for the investigator's unlawful conduct and may be subject to discipline for misconduct.

On a related cybersecurity topic, wire and ACH transfer scams intended to divert and fraudulently acquire client funds associated with business deals, real property transactions and settlements are becoming more sophisticated and prevalent.

CRPC 1.1 is again implicated. Lawyers need to educate themselves about the risks associated with wire transfers - even if the lawyer does not typically wire funds. But knowing is only part of the battle.

Lawyers also have a duty to communicate to the client "the means by which to accomplish the client's objectives in the representation" and to "explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation." CRPC 1.4(a)(2) and CRPC 1.4(b). In this context, a lawyer has a duty to adequately and effectively inform the client about risks associated with the transfer of funds.

CRPC 1.15 is also implicated, as it sets forth the duties a lawyer has to safekeep funds and property of clients and other persons.

What does this mean from a practical standpoint? Educate yourself and your client about the risks of wire and ACH transfers and then act on what you have learned. Here is a starting point for implementing reasonable security measures:

1. Warn clients about potential wire fraud associated with the subject matter of your representation - both in the engagement letter and just before funds are to be exchanged.

2. Warn clients to call the lawyer's office using a trusted phone number to verbally confirm the account number and routing number before initiating any wire transfers, or, better yet, verbally confirm the instructions via video conference.

3. Warn clients to carefully verify the email address of emails that appear to be from you, specifically checking for an altered username or domain.

4. Warn clients not to accept wire transfer instruction changes that are received via email.

5. Remind yourself to heed the same warnings that you give to clients.

6. Expressly document wire instructions in written agreements about settlements or business deals, or expressly document in written agreements that a wire transfer is not an acceptable form of payment.

7. Be diligent and frequently educate yourself about how to mitigate the risk of wire transfer fraud.

8. Ensure that your firm uses reasonable security measures to protect client information - start by reviewing the guidance offered in ABA Formal Opinion 477R. And consult an IT professional.

The Rosing Pott & Strohbehn Ethics and Risk Management Team writes a monthly legal ethics column with practical insights to assist California practitioners in understanding cutting-edge ethics issues, managing risk and ensuring compliance. More about the Team and the authors can be found at https://rosinglaw.com/people/.

Heather Rosing is a founding partner, Dave Majchrzak is general counsel and a partner, and Christine Rosskopf and Joanna Storey Mishler are senior counsel at Rosing Pott & Strohbehn.
