Handling client property has become significantly more challenging in the digital age as electronic property requires new ways of labeling, identification, and preservation, not to mention that it can exist in several places at the same time.
In the good old days of physical property, life was simple. The stagecoach would drop off a box of gold nuggets, the attorney would open the box, count and weigh the nuggets, label the box with the client’s name (brown string and a manila tag worked well), place the box in a safe, record the information about the gold in a ledger (“One wood box containing five gold nuggets; total weight of gold: .5 ounces”), then summon a reliable young page to scurry down to the post office to telegraph the sender that the gold had arrived. When the client or third party needed the gold returned, the attorney would take out the ledger to identify the property, open the safe and retrieve the appropriately labeled box, count and weigh the nuggets to compare against the ledger, and then send the box to the client via stagecoach. The attorney would hire able security to ride shotgun, ensuring safe passage and protecting against all manner of highway men, road agents, and bushrangers. A few days later a telegram from the client might confirm safe receipt.
Today, however, property can be sent via email. An attorney receives a secret-formula via email and saves it to a hard drive on a personal computer. In the process the property may be copied to a temporary location on the computer or network. There is no box to label, nothing physical to examine, no safe to lock, no pen and ledger at the ready. A brief email might go back to the client to confirm receipt by the attorney. When the client needs the secret recipe returned there is no safe to open, no armed guards to hire, no box to move from one hand to another. If the property is “stolen” there is no cracked safe, no empty shelf, and no missing box. In fact, after a theft the attorney may have the secret recipe right where it was placed in a directory on a computer.
Client property is no longer limited to the physical realm. Property is increasingly electronic and attorneys are taking possession of greater volume and diversity of client property. Where yesterday an attorney might take control of a few hundred individual pieces of client property, today an attorney may hold hundreds of thousands or even millions of client documents—all of which may be property. Minnesota Rule of Professional Conduct (“MRPC”) 1.15(c) creates the following obligations with regard to property received from clients and third parties:
- Notify the client or third party of the receipt of the property.
- Identify and label the property and place it in safekeeping.
- Maintain other’s property separate from the lawyer’s property. (Comment 1)
- Maintain records of all property (for six years). (Rule 1.15(h))
- Return the property as requested.
So, how should one understand and treat electronic property in light of these rules? What does it mean to identify electronic property regardless of delivery channel (e.g., attached to an email, burned to a DVD, uploaded to cloud storage, or contained on an encrypted hard drive)? How can a lawyer label electronic property and generate accurate records? What does “separate” mean in the parlance of hard drives and servers and bits and bytes? And what does it means to “return” property: Must the lawyer destroy copies of data, or merely deliver copies to the client? The discussion starts with the level of care required by the rules and concludes with barriers to success and solutions to those obstacles.
Level of Care
MRPC 1.6 prohibits lawyers from knowingly revealing information relating to the representation of a client (subject to listed exceptions). The level of care specified by Comment 15 is competence. Comment 16 to Rule 1.6 requires that lawyers take “reasonable precautions” when communicating information related to representation. Reasonable precautions are those an ordinary person would use. The comment provides that lawyers need not implement “special security measures if the method of communication affords a reasonable expectation of privacy.” Opinion 19 specifically allows lawyers to use email and digital cellular phones to communicate client information.1 But Opinion 19 also creates a duty: Lawyers must look out for those who communicate with them and warn those who communicate via insecure means.
Consider this common scenario: a lawyer is emailing back and forth with a client about a confidential matter, confident that he is taking reasonable precautions in light of Opinion 19. During the communication the client attaches a secret formula and transmits the formula to the attorney. Two things have happened. First, the lawyer has received, and is now in possession of, client property, so Rule 1.15 kicks in and the lawyer must manage the property accordingly. Second, because of the heightened value of the communication, Opinion 19 may require the lawyer to consult with the client regarding the risks of email.2 The standard of care for protecting property of others is that of a professional fiduciary (Rule 1.15, Comment 1)—higher than the reasonableness requirement for protecting information. The fiduciary duty is the highest standard of care recognized by our legal system
(the California rule calls on the lawyer to protect client secrets “at every peril to himself or herself”).3 In this example, the lawyer’s duty of care has moved from reasonableness to fiduciary and the property must be handled according to Rule 1.15.
Notification of Receipt
Lawyers must notify the owner of property when the property has been received. While this rule is straightforward and applies without much difference to physical and electronic property, the volume of electronic property handled may present challenges. Notification should be accurate and complete as it is the first step in the property management process and can form the basis for resolving disputes.
Timing is perhaps the most important consideration in this rule: the notification must be prompt. Thorough identification of electronic property requires time and effort and technical burdens are no excuse for delayed notification. When the lawyer does not know the precise nature of received electronic property, she should at least send a very general notification that the property was received. This notification should either describe the type and number of physical media delivering the property or describe the files received via electronic transfer. Complete descriptions of the property received can be sent as information is gathered, but the initial notification must be prompt.
Identification & Labeling
MRPC 1.15 (c)(2) requires lawyers to promptly identify and label property belonging to clients and third parties. Identifying and labeling is a three-step process: 1) ascertain the nature of the property (identify); 2) affix a label to the property; 3) ensure that the label identifies who owns the property (identify). Identifying and labeling electronic property presents challenges beyond those encountered with physical property. This is because electronic property often includes a physical component (the media) and the information itself (which can exist apart from the delivery media). Therefore, beginning with the physical media:
- Identify the media as to unique, observable qualities such as quantity, size, color, and information printed on the face (custom label, serial number, MAC address). Take a picture! While this seems painfully obvious the first question asked when looking for lost media is, “what does it look like?”
- Affix a label to the property. This can be simple for a CD, but care must be taken for items such as laptops where cases, cords, and batteries might get separated. The labeling should be unique to the content of the media and should correspond to a unique inventory record.
- Identify the owner. The label should indicate that the property does not belong to the attorney and should specifically identify the proper owner.
The electronic, digitally encoded data that the media contain must also be identified and labeled. Do not confuse the physical disk with the data it contains. While a physical disk owned by a client is certainly property which must be appropriately handled, its value may pale in comparison to the property it holds. There is one way to identify the contents of electronic media: use a computer to read it. The lawyer may ask the sender to identify the contents but should not rely on this information without verifying it independently. The lawyer has a duty to identify the property: to inspect it; to ascertain the nature of the thing. An attorney who receives a disk labeled “Miscellaneous Vacation Photos” may inspect the contents and find secret recipes.
Using a computer to read electronic media is a task that most lawyers perform every day. But lawyers must be aware of the risks associated with connecting unknown electronic media to a personal computer. These risks include:
- The media may contain a virus which infects the host computer, the host network, and all manner of client files stored on the computer or network.
- The media may contain a virus which alerts the host’s installed antivirus software which in turn causes the host system to start deleting files from the media.
- The host system may write to the attached media. This is a minor issue for routine data but may be a big problem if the media is, or contains, electronic evidence.
- Attaching electronic media containing client property to a lawyer’s property may violate Comment 1 to Rule 1.15: “(a)ll property that is the property of clients or third persons, including prospective clients, must be kept separate from the lawyer’s business and personal property … .”
A minimum-level best practice is to always use a write-blocker when attaching client media to a computer.4 This will prevent the host from changing the media in any way. Once connected, the lawyer can identify the contents of the media. At minimum, a lawyer should record the number of files and the total volume (in megabytes or gigabytes) on the disk. A more complete inventory will offer more benefits at almost no higher cost. The contents of a disk can easily be output to a text file or spreadsheet. The method for obtaining this information varies by operating system (e.g., Windows, OSX, Linux) but generally a user can utilize anything from command line syntax to a specially built program to obtain the names of files, types of files, names of directories, and metadata values.
Thoroughness may also require that the lawyer record the hash value of the files on the disk, or of the disk itself. A hash value is a digital finger print, a unique mathematical identifier that is specific to a file which serves to confirm the integrity of the file.5 Recording hash values, and sending them to the client with the receipt notification, is the most diligent method a lawyer can use to confirm that what was sent is what was received, and perhaps more important, that what is returned to the client is what was sent from the client.
Once identified, the electronic contents of media should be labeled if the contents will be copied from the original media. The most accessible method for labeling electronic property is by organizing files in named directories where the name of the directory serves as a label. If files are going to be commingled in directories with the lawyer’s property then the actual filename should be changed as this is the most apparent form of labeling. Many different document management programs and databases can be implemented to facilitate labeling electronic files. These programs use virtual tags, folders, labels, and metadata values to facilitate the identification and labeling requirements of the Rules and may be a worthwhile investment.
Keep It Separate
Comment 1 to MRPC 1.15 explicitly requires that lawyers keep client property separate from the lawyer’s business and personal property. This rule does not require a lawyer to maintain separate computers or hard drives for client property; the goal is to keep the property distinct, divided, discrete, or apart. Just as a lawyer may keep client funds in the same trust account (when supported by appropriate records) and may keep valuables locked in the same office as personal property, a lawyer may keep client computer files on the same hard drive, even the same directory, as the lawyer’s personal property.
The directory structure that a user sees when using an operating system is purely logical; it does not represent physical reality. In fact, computer files belonging to different clients and the lawyer may be side-by-side on a hard drive, even overlapping when considered at the cluster level. However, through proper directory structure and naming conventions these files are separated for practical purposes. It is this organization which is crucial to satisfy the requirements of the Rules. Proper naming and foldering will prevent electronic property from becoming commingled or lost and will facilitate identification for record-keeping purposes.
Maintain Proper Records
MRPC Rule 1.15 (c)(2) requires that lawyers maintain records of client property and third-person property and “render appropriate accounts … regarding them.” Appendix 1 to the Minnesota Rules of Professional Conduct specifies the records which must be kept concerning property other than cash. Section (I)(8) instructs lawyers to specifically identify all property held in trust for clients. The stated exception is that “routine files, documents and items, such as real estate abstracts, which are not expected to be held indefinitely, need not be so recorded but should be documented in the files of the lawyer as to receipt and delivery.” Section II of Appendix 1 describes the books and records which must be kept for “property received and disbursed outside the attorney’s fiduciary capacity.”6 The difference in the record-keeping requirement is specific identity versus documentation as to receipt and delivery. Note that the identification phase is untouched by Appendix 1. In fact, a lawyer needs to undertake a rigorous identification process in order to determine the nature of the property and thus effectively discern which records must be kept.
The records maintained must specifically identify all property held in trust. While a paper-based system will meet the minimum requirements, a lawyer who attempts to write out strings of hash values or hundreds of thousands of file names will certainly drain many ink bottles and prematurely wear down the hand-cut goose quill. Lawyers will find that spreadsheets are suitable record-keeping platforms. Appendix 1 of the Rules offers guidance regarding the information that should be recorded.
For each item received the lawyer should record the date received, the owner of the property, the reason the property was sent to the attorney, and a description of the property. The description can be a hash value, a list of files, or even a link to a file that contains a directory listing of the property. The record should also include a path to where the data is stored (if electronic) and where the media is stored (if physical). Last, the record should include information about how the property was returned to the owner, including tracking for physical shipments and appropriate confirmation for electronic transfers.
Return the Property
Now that the property has been received, identified and labeled, and records have been maintained, what remains is delivering the property back to the client or third party upon request. Electronic property is unique in that it can be in two places at one time. The secret recipe received via email can be returned via email—yet the attorney can still retain a copy of the property.
Copies of electronic property can be retained by a lawyer to the extent that the property is part of the file. This means that retention policies (destruction policies) should be explicit about the categories of electronic property received during the course of representation and the expected disposition of the property when representation concludes.7 This understanding could be formed as early as the engagement letter or as late as the termination letter.
If property is not adequately organized a lawyer may be searching old hard drives, floppy disks, USB flash drives, and discarded computers for misplaced electronic property. A case out of New York dealt with this exact issue. A firm was unable to locate seven electronic files (which were commingled on unindexed back-up tapes), prompting the client to commence a proceeding to compel delivery of the files which resulted in an order to do so.8 The firm “moved for final judgment claiming that it had complied in good faith … and that the cost of searching for and retrieving the missing files would be onerous.” The court held that arguments regarding cost and burden are unavailing and ordered the firm to inspect the tapes for the files.9
The lesson from New York is that lack of property organization is no excuse: a lawyer who loses track of client property may be ordered to look until it is found. It is in the lawyer’s interest to take affirmative steps to organize electronic property. If the above advice is followed, returning electronic property will be cost-effective and accurate.
Barriers & Solutions
Despite a lawyer’s best efforts, mistakes happen. Property can get misplaced in a busy law office but there are practices which can mitigate accidents. In 2003, Minnesota Lawyer summarized a case emphasizing the need to have proper office procedures and nonlawyer training and supervision in place.10 The Rules do not spell out what constitutes reasonable policies and procedures, nor what type of training and supervision for nonlawyers is deemed adequate. Lawyers may choose to borrow advice from the Gramm-Leach-Bliley Act (“GLB”). The GLB requires the following:11
- A written information security program describing administrative, technical, and physical safeguards.
- A designated employee who coordinates information security.
- Risk assessment.
- Implementation of information security safeguards and monitoring of safeguards.
- Oversight of service providers.
- Ongoing evaluation and adjustment. 12
The six items can provide guidance as a lawyer endeavors to establish reasonable safeguarding procedures. Nothing here is overtly difficult or inaccessible. The work required is work that lawyers should be undertaking at least as a mental exercise. Following this framework and memorializing policies serves two purposes. First, the lawyer implements sound business procedures which should result in greater client satisfaction. Second, “policies and procedures that require client files and property to be clearly labeled and identified, securely stored and properly inventoried … will limit exposure to discipline (by the Minnesota Office of Lawyers Professional Responsibility).”13
Like the highway men of olde, lawyers today must be aware of bandits on the information superhighway. The last three years have marked a steady increase in hacking attempts against law firms. Mary Galligan of the FBI recently warned attendees at LegalTech New York that law firms are increasingly targeted by hackers.14 Law firms are vectors for attack because “(h)ackers see attorneys as a back door to the valuable data of their corporate clients.”15 Lawyers need to understand that they hold valuable client property and are prime targets for computer hackers and other online eavesdroppers. Unfortunately, examples abound of lawyers continuing to fall prey to online scams and cyber attacks.16 In August 2012 the ABA Commission on Ethics 20/20 stated that lawyers are to have a “… firm grasp on how electronic information is created, stored, and retrieved.”17 The ABA Model Rules of Professional Conduct were recently updated to include a comment that lawyers should “keep abreast of the benefits and risks associated with relevant technology.”18 Our fiduciary duty requires us to go beyond the usual and customary methods of transmitting and storing client property. We must anticipate the external threats posed by interlopers and protect client property while storing it on our computers and devices or hosting it in cloud services, when we electronically transmit property, and when we copy property to media for physical transfer.
There are a number of safeguards that competent lawyers will put in place. At the least, any computer system attached to the internet should utilize a router, firewall, antivirus software, and malware detection software. Email systems should utilize spam filters. Software should be regularly updated. Operating system updates should be faithfully implemented. Passwords should be strong, unique, and changed regularly. Suspicious emails should be deleted immediately. Mobile devices must be password protected. In extreme cases, client property should be kept on an air-gapped (closed) network with no access to the internet. Last, lawyers and their staff should be aware of social engineering and diligently protective of all information, no matter how seemingly benign.
Lawyers must also implement encryption. Encryption is the modern-day equivalent of the lockable safe. All sorts of encryption systems are available for lawyers to implement. When entire hard drives, specific directories, or individual files are encrypted a lawyer can prevent unauthorized access to electronic property. Even if a laptop is stolen, its contents are secure if encrypted at the disk level. Encrypted directories on a network render the files worthless to a hacker who successfully breaks through. Of course, CDs and DVDs that contain client property and are routinely shipped via third-party carriers (FedEx, UPS) should always be encrypted. An encryption program coupled with sound password management will secure client data many orders of magnitude above what is available with operating system log-ons and email-account passwords.
Today’s lawyers must realize that some client property they handle will exist as electronically stored data. Such property is subject to the usual ethics requiring safeguarding, yet application of the rules can be elusive because of electronic property’s unique characteristics. Competent lawyers will understand the intricacies of working with electronic property and will satisfy the rules accordingly.
James Keuning pays his taxes by working as the ediscovery practice manager at LuciData, Inc., a multidisciplinary consulting firm providing services in computer forensics, ediscovery, and internal threat management from offices in Minneapolis, Des Moines, and Denver.
1 Lawyers Professional Responsibility Board Opinions, Opinion No. 19, Using Technology to Communicate Confidential Information to Clients, Amended January 22, 2010, Available at https://www.revisor.mn.gov/court_rules/rule.php?type=pr&subtype=lawy&id=19
2 Arguing the risks of email security is beyond the scope of this article. However the emergence and ubiquity of mobile devices should create pause, especially given that between 36% and 62% of people do not password-protect mobile devices. See, http://blogs.mcafee.com/consumer/unprotected-mobile-devices and https://www.javelinstrategy.com/brochure/239
3 Cal. Rules of Prof. Conduct R. 3-100(A) (2013); see also Cal. Bus. & Prof. Code §6068(e)(1) (2013)
4 Apply this rule to hard drives and flash drives. CDs and DVDs (“optical media”) are generally not rewriteable and present a much lower risk of alteration.
5 See, http://tinyurl.com/eb4sg for a fair treatment of hash values.
6 This article will not untangle the apparent conflict between 1.15 and Appendix I. Specifically, 1.15 Comment 1 indicates that a “lawyer should hold property of others with the care required of a professional fiduciary” yet Section II of Appendix 1 indicates that some property is “received … outside the attorney’s fiduciary capacity.”
7 See, generally, Kenneth Jorgensen, “File Retention Policies And Requirements,” Minnesota Lawyer (December 2004) and Ries, David G., “Safeguarding Confidential Data: Your Ethical And Legal Obligations,” 36 Law Practice 4 (July/August 2010), available at: http://tinyurl.com/3e6luuv/
8 Sage Realty Corp. v. Proskauer Rose Goetz & Mendelsohn LLP, 294 A.D.2d 190, 743 N.Y.S.2d 72, (1st Dep’t 05/16/02).
9 See, id. The court held that the client must pay the costs of searching and retrieving the files, but tellingly stated, “…any dispute as to this cost shall be resolved by the Supreme Court … .”
10 Cassie Hanson, “When Client Property Is Lost Or Misplaced,” Minnesota Lawyer (11/03/2003) available at: http://tinyurl.com/nvcw8ff/
11 Thanks to David G. Ries for connecting the dots between legal practice and GLB. See, http://tinyurl.com/3e6luuv/
12 Standards for Safeguarding Customer Information, 16 C.F.R., Part 314.
13 See Cassie Hanson, supra n. 10.
14 Evan Koblentz, “LegalTech Day Three: FBI Security Expert Urges Law Firm Caution,” (02/01/2013) available at http://tinyurl.com/ofo7x5t/
16 Joe Patrice, “When Luddites Handle Cyber Security, You End Up With American Law Firms,” (02/03/2013), available at http://tinyurl.com/ow43orm/
18 ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8.