ETHICAL QUANDRIES RELATED TO PRESERVATION AND - PowerPoint Presentation

ETHICAL QUANDRIES RELATED TO PRESERVATION AND DISCOVERY OF ELECTRONIC EVIDENCE■ETHICAL OBLIGATIONS WHENA LAW FIRM’S COMPUTERSARE INFECTED WITH RANSOMWARE JOE COLANTUONO ISAAC KEPPLER COLANTUONO BJERG GUINN KEPPLER LLC www.ksmolaw.com

ETHICAL QUANDRIES RELATED TO PRESERVATION AND DISCOVERY OF ELECTRONIC EVIDENCE

By the end of 2019, the number of emails sent and received per day is expected to reach 246 Billion.Business emails comprise more than 50 percent of that number.Average legitimate business email per day, per user, is 77. THE REALITY FOR LITIGATION ATTORNEYS

A lawyer shall not:(a) unlawfully obstruct another party's access to evidence or unlawfully alter, destroy or conceal a document or other material having potential evidentiary value. A lawyer shall not counsel or assist another person to do any such act;K.R.P.C. 3.4(a)/M.R.P.C. 4-3.4(a) (Advocate: Fairness to Opposing Party and Counsel)

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.  Comment 5: Thoroughness and Preparation: [5] Competent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners . It also includes adequate preparation . The required attention and preparation are determined in part by what is at stake; major litigation and complex transactions ordinarily require more elaborate treatment than matters of lesser consequence. K.R.P.C. 1.1/M.R.P.C 4-1.1 (Competence)

[…]By signing, an attorney or party certifies that to the best of the person's knowledge, information, and belief formed after a reasonable inquiry:[the document] is complete and correct as of the time it is made… (3) Sanction for Improper Certification. If a certification violates this rule without substantial justification, the court, on motion or on its own, must impose an appropriate sanction on the signer, the party on whose behalf the signer was acting, or both. Fed. R. Civ. P. 26(g)

K.R.P.C. 3.3/M.R.P.C. 4-3.3 (duty of candor) – general application

Fed. R. Civ. P. 37(e): Failure to Preserve Electronically Stored InformationIf ESI that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it , and it cannot be restored or replaced through additional discovery, the court: (1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or (2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may: (A) presume that the lost information was unfavorable to the party; (B) instruct the jury that it may or must presume the information was unfavorable to the party; or (C) dismiss the action or enter a default judgment.

IDENTICAL TO FEDERAL RULEKANSAS - KSA § 60-237(e)

(a) Scope. Any party may serve […] a request to: (1) Produce […] any designated documents (including […] electronic records, and other data compilations from which information can be obtained , translated, if necessary, by the requesting party through detection devices into reasonably usable form) […]; ( c ) Response. […..] (4) Method of Production. A party who produces documents for inspection shall produce them as they are kept in the usual course of business or shall organize and label them to correspond with the categories in the request . Missouri Supreme Court Rule 58.01.

Effective August 28, 2019Includes language similar, but not identical to, federal rules.Includes provision that ESI need not be produced if the information is not reasonably accessible because of undue burden or cost, except upon a showing of good cause.MISSOURI – SB 224

Is there a duty to preserve?Did party fail to take reasonable steps to preserve?Can the evidence be restored or replaced through additional discovery?Did the party intend to deprive adverse party?Stovall v. Brykan Legends, LLC (D. Kan. February 2019)

Duty attaches when litigation is “likely”.Written notification, Discovery request, subpoena, complaint. Requires more than just “risk”.Boundaries of duty vary. Party’s sophistication and size;Nature of dispute. The duty to preserve can evolve with the case issues. Marten Transp., Ltd. v. Plattform Advert., Inc. , (D. Kan. Feb. 8, 2016)

“Intent to deprive”. Crossfit, Inc. v. N.S.C.A., (S.D. Cal. May 26, 2017)The Cure for Chronic Disease? Dangerous Exercise Fad?

Civil Rights case where photos were critical evidence.Metadata established alteration by Plaintiff.Technical Competence? Diligence? Lawrence v. City of New York (S.D.N.Y. July 27, 2018)

Preservation letters should not be overbroad.Consider responding to preservation letters like a discovery request.Preserve/disable routine deletion of information at least as to the “key players”. PRESERVATION LETTERS AND ROUTINE DELETION POLICIES

ETHICAL OBLIGATIONS WHEN RANSOMWAREINFECTS A LAW FIRM’S COMPUTERS The likelihood of an unauthorized intrusion into a law firm’s computer system is a recognized hazard, and failure to take precautions is a recognized lack of due diligence. Utah Bar Journal, Vol. 30, No. 5, p. 38 (2017): “The question is not whether you and your law firm's IT systems will be attacked. The questions are when and whether your security protocols and practices will protect you and your client.

KANSAS STATUTEK.S.A. 50-7a02 Security Breach; Requirements(a) A person that conducts business in this state, or a government, governmental subdivision or agency that owns or licenses computerized data that includes personal information shall , when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused . If the investigation determines that the misuse of information has occurred or is reasonably likely to occur , the person or government, governmental subdivision or agency shall give notice as soon as possible to the affected Kansas resident . . .

K.S.A. 50-7a02 (b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data following discovery of a breach, if the personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. 

K.S.A. 50-7a02 (d) Notwithstanding any other provision in this section, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this section, is deemed to be in compliance with the notice requirements of this section if the individual or the commercial entity notifies affected consumers in accordance with its policies in the event of a breach of security of the system.

K.S.A. 50-7a02 (f) In the event that a person discovers circumstances requiring notification pursuant to this section of more than 1,000 consumers at one time, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. . .of the timing, distribution and content of the notices.(g) For violations of this section, except as to insurance companies licensed to do business in this state, the attorney general is empowered to bring an action in law or equity to address violations of this section . . .

K.R.P.C 1.3 and Mo. Rule 4-1.3 DiligenceA lawyer shall act with reasonable diligence and promptness in representing a client.

K.R.P.C. 1.15(a) and (d) Mo. 4-1.15 Safekeeping Clients’ PropertyK.R.P.C. 1.15. Client-Lawyer Relationship: Safekeeping Property (a) A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. Funds shall be kept in a separate account maintained in the state of Kansas. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of five years after termination of the representation.

Mo. Rule 4-1.15. Client Trust Accounts and Property of OthersA lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. Client or third party funds shall be kept in a separate account designated as a "Client Trust Account" or words of similar import maintained in the state where the lawyer's office is situated or elsewhere if the client or third person consents.

Mo. Rule 4-1.15(d)Upon receiving funds or other property in which a client or third person has an interest, a lawyer shall promptly notify the client or third person. . . .[A]lawyer shall promptly deliver to the client or third person any funds or other property that the client or third person is entitled to receive and, upon request by the client or (f) Complete records of client trust accounts shall be maintained and preserved for a period of at least six years . . .

K.R.P.C. 1.4 and Mo. Rule 4-1.4 CommunicationK.R.P.C. 1.4. (a) A lawyer shall keep a client reasonably informed about the status of a matter and promptly comply with reasonable requests for information. (b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

K.R.P.C. COMMENT 4[4] In some circumstances, a lawyer may be justified in delaying transmission of information when the client would be likely to react imprudently to an immediate communication. Thus, a lawyer might withhold a psychiatric diagnosis of a client when the examining psychiatrist indicates that disclosure would harm the client. A lawyer may not withhold information to serve the lawyer's own interest or convenience. . . Mo. Rule 4-1.4. Communication (a) A lawyer shall: (1) keep the client reasonably informed about the status of the matter;

American Bar Association "Cybersecurity Legal Task Force"ABA Formal Opinion 477RAt the same time, the term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the internet. Cybersecurity recognizes a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.”

Kentucky Opinion KBA E-446Question #2: Does an attorney have an ethical responsibility to advise clients about cyberattacks . . . and/or breaches of security? Answer: Qualified Yes. An attorney is required to "... reasonably consult with the client about the means by which the client's objectives are to be accomplished." The 'means' employed by the attorney includes discussing the use of technology in client communications, the handling of confidential client information within the law firm, and the storage of that information.

Kentucky Opinion KBA E-446 cont’dan attorney is required to " . . . keep the client reasonably informed about the status of the matter (that the attorney is handling for the client.". . . . . . KRS 365.732 which imposes a statutory duty upon an 'information holder' to give written notice to persons affected by a computer security 'breach' . . . Thus, if an attorney failed to disclose to the client a breach involving the client's unencrypted personally identifiable information then the attorney may be unethically withholding that information to protect the lawyer's own interest to avoid a lawsuit or an ethical charge by the client . Similarly, the duty imposed by SCR 3.130 (1.15) to ' safekeep ' a client's 'property' not only applies to a trust account in which a client's funds are maintained, but also to the client's files; client data stored on the law firm's computer system or 'the cloud' . . .

STEPS TO REDUCE YOUR RISK AND LIABILITY   15+ character passwords Review of system security by an IT professional Create a policy limiting social media access on firm devices Prohibit remote access from locations where the data is not secure Prohibit personal use of the law firm’s network for streaming, downloading, and personal email Prohibit the use of personal devices for work on law firm business Establish a frequent backup system

CRYPTOCURRENCY THEFTS REACHED $1.7 BILLION IN 2018   Cyber criminals earn up to $2 Million Most attacks originate from overseas Majority only encrypt files & demand ransom The demand is often for a relatively small payment Ransomware can be rented

POTENTIAL LIABILILTY AND LOSSES     Legal liability to clients and to non-clients whose data the law firm has received  Legal liability to clients for the loss of client funds  Potential state regulatory liability for failure to comply with state statutes requiring notification of third party access into the firm’s computers  Direct expense incurred recovering data  Damage to the law firm’s reputation