It is well understood that changes in technology present challenges to legal practice that go beyond intellectual property litigation. For example, the growth in electronic discovery over the past decade has given rise to a new practice specialty, jurisprudence and supporting service industry. The parallel explosion in the use of social media and the cloud has created a wealth of electronic discovery issues, but also more complex and evolving problems involving data privacy and security. Lawyers need to find help with these issues, because although they are required to maintain some degree of competence in “staying abreast of technology” via the ABA Model Rules of Professional Conduct, they rarely have the level of technical expertise necessary to deal with the onslaught of complex computer technology problems their practice presents.
Social media involves the unfettered spread of thoughtlessly generated discoverable information, including new kinds of communications that may create problems where the parties should not be communicating under certain views of professional ethics. The line between what is public and private is blurred, with one perspective holding that the very notion of social media is antithetical to privacy. This blurring can create problems when a lawyer has an obligation to find certain facts but may be sanctioned if he looks in the wrong place, invading privacy.
Lawyers are not supposed to communicate with jurors, nor are they supposed to communicate with parties represented by counsel. However, just what constitutes a communication in the world of social media is unclear. A lawyer is permitted and arguably required to research public information about jurors, but if his research results in a notification to a juror that he has conducted such research, the lawyer may have engaged in impermissible communication with the juror. For a “real world” example, consider the notification that LinkedIn provides to a user whose profile has been viewed by another user. Web sites may routinely inform their owners of various information regarding visitors to the site. As a result, lawyers need to be very careful about the functionality of the social media services with which they interact in performing investigative research.
Similar issues regarding communications may arise when a lawyer researches a party represented by counsel. Professional responsibility rules prohibit direct contact with represented individuals represented by counsel, and instead require that any communication be initiated through counsel for the represented party. The lawyer who “friends” a represented party on Facebook should not expect immunity based on the notion that it is the social media service that generates the transmission of the “friend” request.
Certain jurisdictions take a dim view of participation in social media by the judiciary. Depending on where they sit, the judge may be prohibited entirely from being “friends” with lawyers who appear before him. In other places, such as New York, such social media activity may be merely strongly discouraged. The lawyer who is “friends” with judge, or who contemplates triggering such a “friendship,” must be wary of these issues so they do not become a factor in litigation to the detriment of his client’s interests.
Use of the cloud by lawyers, particularly where confidential client data is involved, is a much broader issue, but clearly encompasses social media under the broadest definition of the “cloud.” In the cloud, on top of having to sidestep impermissible contacts created by social media activity, lawyers need to proceed with caution directed at data security. The difficulties inherent in maintaining confidentiality of client data in a networked world are multiplied when that data is placed in the hands of a third party cloud services provider.
Lawyers using the cloud are in the uncomfortable position of having to take reasonable steps to ensure client data security. These steps may demand a multi-pronged approach. Certainly, there are contractual protections that should be established. Commitments by the cloud provider to provide security at some determinate level are basic. Other contractual avenues for enhanced protection include provisions for access to data in various contingencies, such as vendor bankruptcy, as well as for purging data when the arrangement with the vendor is terminated.
Other security measures more loudly demand that the lawyer augment his efforts with expert technical assistance. Various state bar opinions require lawyers to:
- Evaluate the nature of the vendor’s technology and periodically review its security measures (Arizona)
- Determine the degree of protection the vendor provides to its clients’ data (Iowa)
- Make sure that vendors are using available technology to guard against foreseeable infiltration attempts (New Jersey)
- Evaluate the vendor’s security and backup strategy (North Carolina)
Lawyers aiming to achieve this level of diligence will have to learn some basics about network security defenses such as firewalls, intrusion detection systems and patches, as well as physical or environmental security for data centers. It is probably safe to say that this subject matter does not form part of the curriculum at law schools, which strongly suggests that resort to technical experts is prudent.
Assuming, as is reasonable, that the world of networked computing services will continue to expand and grow in complexity, lawyers will continue to be challenged in ways that demand technical savvy. Social media and the cloud have made legal practice more difficult in some ways, and provided opportunities in others. Whether the difficulties or the opportunities tip the balance is up to the lawyer, but knowledge, acquired or borrowed, can only work in favor of success.