New Proposed Rule for Self Reporting

The newly proposed rules regarding trust accounting are designed to better protect the public by facilitating the early detection of theft and internal errors in attorney trust accounts.  One proposed rule in particular represents a fairly significant change in the reporting requirements when an error or misappropriation is discovered in the trust account.  Currently (at least until the Supreme Court certifies any proposed rules the Bar submits) Rule 1.15-2(o) of the Rules of Professional Conduct requires a lawyer who discovers misappropriation or misapplication of trust funds to inform the State Bar of this discovery.  Many attorneys already interpreted this rule as requiring a report to the State Bar even when there was just a clerical or accounting error in the trust account.  Ethics Counsel with the State Bar confirmed, however, that this rule was not intended to and did not require an attorney to self-report every mistake or accounting error in the trust account. As everyone has made a mistake involving the trust account at one time or another, requiring every error to be reported would be unreasonable and unduly burdensome on the State Bar.

The newly proposed Rule, however, would now require, not only self-reporting misappropriation or intentional misapplication of trust funds, but also any mistake in the trust account if the error is not discovered and rectified on or before the next quarterly reconciliation.  The proposed amendment is as follows:

(p) Duty to Report Misappropriation. A lawyer who discovers or reasonably believes that entrusted property has been misappropriated or misapplied shall promptly inform the trust account compliance counsel (TACC) in the North Carolina State Bar Office of Counsel. Discovery of intentional theft or fraud must be reported to the TACC immediately. When an accounting or bank error results in an unintentional and inadvertent use of one client’s trust funds to pay the obligations of another client, the event must be reported unless the misapplication is discovered and rectified on or before the next quarterly reconciliation required by Rule 1.15-3(d)(1). This rule requires disclosure of information otherwise protected by Rule 1.6 if necessary to report the misappropriation or misapplication.

The new proposed language is in bold print. In the event that an attorney does not discover and rectify the mistake within the requisite time frame, at the point in time that the attorney DOES discover the problem, he or she must report that fact to the trust account compliance counsel, Peter Bolac.  It is interesting to note that the proposed rule appears only to require reporting when the banking or accounting error results in an unintentional and inadvertent use of one client’s trust funds to pay the obligations of another client, AND the misapplication is not discovered and rectified timely.  As there could be errors in the trust accounting that do not result in the use of one client’s trust funds to pay the obligation of another client, it appears these kinds of errors would never require self-reporting.  I wonder if that is what was intended…


To Represent or Not Represent: Either Way, Put it in Writing

An article on Law360 makes a persuasive argument for engagement letters and provides:

Law firms facing malpractice claims are often the victims of their own failure to use strongly worded engagement letters that clearly define the limits of legal services being offered to clients…[1]

I also recently attended a CLE where the speaker said something that really caught my attention: Out of the several hundred malpractice cases filed, only a small handful had an engagement letter in place. And of those, only two truly contained the essential elements of an engagement letter.  Those numbers seem to strongly indicate two things: (1) attorneys are not seeing the value, and are not using, engagement letters; and (2) engagement letters are almost always necessary.

Engagement Letters

In certain situations, such as with contingency fees and business transactions with clients [See “Doing Business with Clients? Better Think Twice”], the Rules of Professional Conduct require that the agreement be in writing. However, even when it is not required, memorializing your agreement to represent a client in writing is a sound business practice and something we consistently do at my firm. A good engagement letter can promote communication, eliminate misunderstandings, and potentially prevent a malpractice claim.

All engagement letters are, however, not created equal.  A good letter will provide: (1) the nature of the services you will provide; (2) any exclusions from the scope of the engagement; (3) the fees and billing arrangements; (4) procedure for retainers; (5) specific requirements and responsibilities of the client during the engagement; (6) costs the client will be responsible for; and (7) when the engagement will begin.  Have the client sign the letter to acknowledge they have read, understand and agree to the terms.

An engagement letter is the best way to document and communicate the terms of the representation. When you and the client are on the same page, malpractice claims and complaints to the State Bar become far less likely.

Letters of Limited Engagement

The provision of unbundled legal services has become popular, particularly where clients would like to control costs or do not want or need full service.  If you do provide unbundled services, it seems a letter of limited engagement is essential.  Rule 1.2 of the Rules of Professional Conduct provides that a lawyer may limit the scope of the representation as long as the limitation is reasonable under the circumstances. Further, Comment 8 of the Rule provides that “a specification of the scope of representation will normally be a necessary part of any written communication of the rate or basis of the lawyer’s fee.”

If you don’t limit the scope of services in the engagement letter, you will likely be held to the default, and much higher, standard of “full service.”  A good letter of limited engagement will identify both the services that are being provided and specify which are not.  Once you set out the terms of the limited engagement, don’t stray from it into other services or matters without entering into a separate agreement.

Non-engagement, or “I’m Not your Lawyer” Letters

Non-engagement letters are a good idea in every situation where a prospective client inquires about legal services but does not follow through and engage your services, or where you decline the representation. This includes not only potential clients whom you meet in person, but also people who submit web inquiries or emails, or even your neighbor looking for some legal advice.  The letter needs to clearly state that you will not be undertaking the representation of the client.  If the potential client provided any documents, return those with the non-engagement letter. Do not offer specific legal advice in the letter. However, if there is a pending deadline or a statute of limitations issue, you should note that and include a strongly worded statement that s/he should immediately seek legal counsel.

Disengagement Letters 

Once the representation of a client has concluded, a disengagement letter is an effective way to make sure the client is aware that the work has been completed and that you are no longer acting on their behalf.  Disengagement letters can also be used to thank clients for placing their trust with you and your firm and letting them know you are there if they should need assistance in the future. So, not only can the letter potentially protect you from a malpractice claim or grievance, it can also be a good marketing tool.

*The above is provided for general information purposes and is not legal advice or opinion.

[1] Jeremy Heallen, “Weak Engagement Letters Fueling Malpractice Litigation.” Law360, 2 May 2014. Web. <http://www.law360.com/articles/533985/weak-engagement-letters-fueling-malpractice-litigation>.


Conflict Waivers: When Clients Change Their Mind

In a prior blog, we discussed how to draft an effective written conflict waiver.  You may recall that an effective waiver, at a minimum, should be in writing (preferably signed by the client), describe the circumstances of representation, clearly address any conflict that exists or is foreseen, address the issue of confidentiality, and advise the client to seek independent counsel.  Once you have a signed conflict waiver from your client, what happens if the client changes his mind and tries to revoke that waiver?  Can he?  Is the lawyer required to withdraw from representing the other affected client?

2007 FEO 11 provides some guidance on this issue.  Although a client may revoke consent to a conflict or potential conflict for any reason, a lawyer may not necessarily have to withdraw from representing the other affected client.  The opinion cites the Restatement of the Law Governing Lawyers, which “indicates that if one client revokes his consent to representation without good reason, the lawyer may continue representing the other client in the matter if the lawyer and other client have already relied on the consent to their detriment.”  A client may be justified in revoking consent where there is a material change in circumstances, or a conflict arises which was in no way contemplated by the parties at the time the consent was signed.  A lawyer may have detrimentally relied upon the consent if a substantial amount of time has been spent preparing for the other matter, the lawyer has already shared confidential information permitted by the consent, or other opportunities for representation were passed upon in reliance upon continued representation.

Ultimately, the ethics opinion holds that “[i]n the absence of specific language in the consent agreement addressing the effects of repudiation, a lawyer is not required to withdraw from representing one client if the other client revokes consent without good reason and an evaluation of the factors set out in comment [21] and the Restatement favors continued representation.”  Such factors include (1) the nature of the conflict, (2) whether the client revoked consent because of a material change in circumstances, (3) the reasonable expectations of the other client, and (4) whether material detriment to the other client or the lawyer would result.

A lawyer acts ethically if he follows these guidelines in deciding that he may remain in a case; however, a court may ultimately weigh the equities of the situation and reach a different result.  The fact that a court did not agree with the lawyer’s determination in this regard, does not necessarily mean that the lawyer has violated any ethics rules.


Is My Blog Considered Attorney Advertising?

The Standing Committee on Professional Responsibility and Conduct of the State Bar of California (Standing Committee) recently published a proposed ethics opinion regarding attorney blogging.  (See Formal Opinion Interim No. 12-0006).  The opinion addresses when an attorney's blog may fall under the scope of the Rules of Professional Conduct (Rules) related to attorney advertising.  The opinion presented four different types of blogs and commented on whether each was subject to, or violated, the Rules.

Blogs Including Attorney Successes:

The first kind of blog could be regulated regardless of whether it appeared as part of the lawyer's website or not.  It did not include an invitation to retain the attorney but included specific representations regarding the quality of the attorney's services.  For example, the blog included statements such as, "I won another case last week.  That makes 50 in a row, by my count.  Once again, I was able to convince a jury there was reasonable doubt."  It also stated that the jury was "absolutely mesmerized by my closing argument."  The Standing Committee believed that these statements in a blog, no matter where the blog appeared, could be regulated and violated the Rules which prohibit communications that are false, deceptive, or which tend to confuse, deceive, or mislead the public.

Informational Blogs on Firm Website:

This blog was on the website of a law firm and included a series of articles written by one of the firm’s attorneys on topics that may interest the firm clients such as changes in tax law, information regarding wills versus trusts, etc.  Each blog post concluded with the statement, “for more information, contact” the author of the particular blog.  Though the Standing Committee did not seem to have any issue with the content, it did opine that the blog was a communication within the meaning of the Rules and was subject to regulation by the State Bar to the same extent as the law firm’s website.

Stand Alone Blogs:

The third type of blog was not a part of the attorney’s website.  The blogs posted by the attorney included information of interest to potential clients.  The blogs were intended to demonstrate the attorney’s knowledge of legal issues, enhance his reputation, and increase his business, but did not describe his practice or qualifications and contained no overt statements of his availability for professional employment.  However, several of the attorney’s blogs stated that if the reader had questions, to contact him.  The blogs also contained a hyperlink to the attorney’s professional web page.  The Standing Committee opined that if it were not for the concluding admonition to the blog readers to contact the attorney, the blogs would not be considered “communications” subject to the Rules.

Non-Legal Blogs by Attorneys:

In this scenario, an attorney wrote a blog about jazz artists, performances and recordings.  The blog was not part of the attorney’s professional website but did contain a link to the website in the by-line and the website contained a link to the blog.  Because the subject matter of the blog was not associated with the attorney’s practice area, the by-line would not be considered an “invitation.”  However, if the two were related, the by-line would be similar to “if you have questions, contact me.”  The Standing Committee opined that an attorney may blog about topics unrelated to the legal field, provided he does not actively use the blog to solicit business as an attorney.

Thus, the California Standing Committee’s conclusions are summarized as follows:

  1. Blogging by an attorney is subject to the requirements and restrictions of the Rules of Professional Conduct relating to lawyer advertising if the blog expresses the attorney’s availability for professional employment directly through words of invitation or offer to provide legal services, or implicitly through its description of the type and character of legal services offered by the attorney, detailed descriptions of case results, or both.
  2. A blog that is part of an attorney’s or law firm’s professional website will be subject to the rules regulating attorney advertising to the same extent as the website of which it is a part.
  3. A stand-alone blog by an attorney that does not relate to the practice of law or otherwise express the attorney’s availability for professional employment will not become subject to the rules regulating attorney advertising simply because the blog contains a link to the attorney or law firm’s professional website. (Formal Opinion Interim No. 12-0006).

North Carolina does not currently have an opinion on attorney blogging; however, based on the NC Rules of Professional Conduct and prior ethics opinions, it is likely that the NC Ethics Committee would agree with the proposed California opinion.

Rule 7.2 governs attorney advertising through written, recorded, or electronic communication, including public media.  This Rule clearly includes written blogs published on firm websites and most likely includes those that are not, if the attorney either discusses his services/accomplishments or invites a potential client to contact him regarding the subject of a legal blog.  “Advertising involves an active quest for clients…” and “may entail the risk of practices that are misleading and overreaching.”  Rule 7.2, Comment 1.

Rule 7.1 prohibits false or misleading communications about the lawyer or the lawyer’s services.  A communication is false or misleading if it is likely to create an unjustified expectation about results the lawyer can achieve.  See Rule 7.1(b).  “This Rule governs all communications about a lawyer’s services, including advertising permitted by Rule 7.2.”  Rule 7.1, Comment 1.  “Truthful statements that are misleading are also prohibited by this Rule.”  Rule 7.1, Comment 2.

Though there are no NC ethics opinions directly on point, there are many which address similar issues in attorney advertising.  Some of these include 2009 FEO 16, 2012 FEO 8, 2010 FEO 11, 2005 FEO 14, and 2012 FEO 1.  See opinions at www.ncbar.gov.

In order to avoid any issues with the State Bar, it is a good idea to ensure that any legal blog you post is compliant with the advertising rules, as there is a strong likelihood the State Bar would take the position that it is a communication it can regulate.


Mixing Business with Pleasure: Dual Relationships

If you have a client or patient that you connect with on a personal level, is it okay to have a social as well as a professional relationship?  It depends on your profession and what type of personal relationship.  Most professions prohibit a sexual or romantic relationship with a current patient/client.  The rules differ significantly among the professions, however, for non-romantic relationships with current or even former clients/patients.

For example, attorneys are generally permitted to have business and non-sexual relationships with current clients, as long as any dealings are fair and the relationship does not interfere with the attorney’s representation or independent judgment.  Like most professions, lawyers cannot have a sexual relationship with a current client, unless it pre-dated the representation.[1]  However, as soon as the representation ends, counselors at law may begin a romantic relationship with a former client.

In contrast, other types of counselors, such as psychologists, clinical social workers, and other therapists, are generally prohibited from having personal or social relationships with current clients and with prior clients, at least for a period of time.   Also, to avoid any potential undue influence from the professional counseling relationships, ethics rules for some therapists effectively have a permanent ban on sexual relationships with past clients, while most rules prohibit romantic involvement for at least a couple years.[2]

Social media has blurred some of the personal/professional lines, especially as it relates to social but non-sexual relationships with current patients/clients.  For example, is it okay to friend or send/accept an invitation to connect on social media with a current client?  The answer varies depending upon the type of social media connection, even within a profession.  Most professional ethics rules have a difficult time keeping pace with rapidly expanding and changing technology and don’t provide clear guidance on these types of issues.  The best course is to check your professional rules, with your licensing board or call someone with experience in these areas before you mix business with pleasure concerning current or past clients.

[1] NC Rule of Professional Conduct 1.19.

[2] See, e.g., for Psychologists: 21 NCAC 54 .1608 and APA Code of Ethics, Standard 3: Human Relations, 3.05 Multiple Relationships; for LCSWs: 21 NCAC 63 .0504 Responsibilities in Professional Relationships; for LPCs: Rule 21 NCAC 53 .0102 and ACA Code A.5. Prohibited Non-counseling Roles and Relationships and A.6. Managing and Maintaining Boundaries and Professional Relationships; and for LMFTs: 21 NCAC 31 .0609 and AAMFT Code of Ethical Principles for Marriage and Family Therapists, Standard I, 1.3 through 1.5.


BYOD: “BRING YOUR OWN DEVICE (or DISASTER)”

BYOD (Bring Your Own Device) to work is becoming a common practice. The ABA, which jokingly (I think) referred to the trend as "Bring Your Own Disaster," reports that more than 60% of employees use a personal device for work.  BYOD refers to a policy which allows or requires employees to use their personal devices, such as smartphones and tablets, to perform job responsibilities and access company data or applications.  Having a smart BYOD policy appears to have many advantages for both employees and companies, including:

  • Employees like it because they are comfortable on their own device and do not have to carry more than one device.
  • It can decrease corporate costs because the employee pays for the device and the data service which, as we are all aware, can be expensive.
  • It can decrease training costs because employees are already familiar with the technology.
  • It may increase productivity, and client satisfaction, because employees can work on the weekend and after hours.

However, as with most technology, there are numerous risks to be considered and managed.

Keep current on technology

Before you can mitigate the risks, you have to know what they are.  For more on risks, see CRN's "Top 10 BYOD Risks Facing the Enterprise" here.

NC requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with technology relevant to the lawyer's practice.[1]  So lawyers do not have the luxury of burying our heads in the sand and hoping everything is okay.  Instead, we are mandated to remain current in rapidly changing technology related to our practice.  It seems to me this mandate would include investigating ways to protect data in light of the BYOD trend.

I recently read an article, Millennials Don't Care About Mobile Security, and Here's What to Do About it, by Omar Eiferman, which I thought provided an interesting suggestion: separate personal and corporate data on employee devices used for business utilizing multi-persona virtualization.

Eiferman explains:

Multi-persona virtualization creates multiple user personas at the operating system level on a single smartphone. This means a Millennial could have three or more separate personas: one for general use, one for sensitive personal applications such as finance and health, and one persona for professional use. Because personas are separated at the deepest level possible, malware on the personal persona could not get to the professional persona. Yet, a user can switch between both personas in seconds.

Rather than using blacklisting and other draconian measures to secure the entire phone, IT can simply manage the professional persona… Multi-persona virtualization would allow IT departments to manage the context in which apps are used – without controlling what employees do on their personal personas.

I unfortunately do not know enough about multi-persona virtualization (except that it sounds interesting) to advocate implementing this measure or not, but I included it because I thought it was a great example of the security risk management options available. Another security measure I came across: the employee's device may be remotely wiped if the device is lost or stolen, the employment is terminated for any reason, or a breach is detected. The important thing is to evaluate and implement security measures which adequately mitigate the risks associated with BYOD.

Implement BYOD written policy

Once you, or your IT department/consultant, determine the best practices for security risk management in your firm, the next step is to develop and implement a written BYOD policy for employees.   You would likely want to address, among other things, the following:  (1) acceptable and unacceptable uses; (2) the devices which are allowed; (3) who will address connectivity and configuration issues; (4) whether the company will provide reimbursement for some of the cost for the device and/or data plan; (5) who will own the applications and data; (6) security issues including: password protection, encryption tools, data storage on the device, firewalls and use of private networks vs. free public Wi-Fi; and (7) an exit strategy if the employee leaves the company.

Once the policy is in place, consider drafting an agreement for employees to sign indicating they read and understand the policy. And after implementation, don’t forget to educate the staff regularly on the policy and, most importantly, enforce it.

Employee-owned devices at work can save the company time and money.  However, threats to a company stemming from these devices “can be as complex as a sophisticated malware attack designed to snoop on an employee’s browsing activity or as simple as a lost phone in a taxicab.” [2]  Given the benefits and risks and the high number of employees bringing their own devices to work, it may be time to think about developing a BYOD policy.

[1] N.C. Rules of Prof’l Conduct, Rule 1.1, Comment 8.

[2] http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm.


Non-Public Personal Information (NPPI) and the Real Estate Closing Attorney

Non-public Personal Information (NPPI) is personally identifiable data provided by a customer or client, generally on a form or application.  It includes the first name or first initial and last name coupled with any of the following: Social Security number, driver's license number, state-issued identification card number, credit or debit card number, or other financial account numbers.  A North Carolina lawyer's duty to protect this information is governed primarily by the NC Rules of Professional Conduct (Rules) and state law, but federal law may also be implicated, depending on whom you are representing.

NC Rules of Professional Conduct

The requirements to protect confidential client information, which includes a client's identity, are set forth in Rule 1.6 and its comments.  Absent certain exceptions, a lawyer "shall not reveal information acquired during the professional relationship with a client unless the client gives informed consent."  Comment 3 explains that this Rule applies "not only to matters communicated in confidence by the client, but also to all information acquired during the representation, whatever its source."  The lawyer must "act competently to safeguard information acquired during the representation of a client" against "unauthorized access by third parties" and "inadvertent or unauthorized disclosure by the lawyer or other persons … participating in the representation of the client."  This duty extends to the transmission of client information.  Comments 19 and 20.  Further, a client can require a lawyer to employ security measures not required by the Rules.  Comments 19 and 20 are clear that whether a lawyer must take additional steps to safeguard information pursuant to state or federal laws is beyond their scope.

State and Federal Law

In addition to complying with the Rules, NC lawyers must also comply with security breach notification laws.  See N.C. Gen. Stat. §§ 75-61 and 75-65.  Lawyers representing lenders will also likely need to comply with the Gramm-Leach-Bliley Act (GLBA).  This Act requires that financial institutions explain their information-sharing practices to their customers and safeguard sensitive data.  Though it was held in American Bar Association v. Federal Trade Commission, 430 F.3d 457 (D.C. Cir. 2005) that GLBA does not directly apply to lawyers, if you represent an entity that is governed by GLBA, you must comply with GLBA as well as the Federal Trade Commission Privacy, Safeguards, and Disposal Rules.  GLBA requirements can be found here.

Bulletins & Newsletters

The Consumer Financial Protection Bureau’s April 2012 Bulletin made it very clear to lenders that they are not only responsible for complying with state and federal law governing the protection of NPPI, but they are also responsible for all of their service providers, third-party vendors, and supply chain vendors.  Several other agencies have released bulletins regarding this matter including: the Office of the Comptroller of the Currency, the FDIC, and the Federal Reserve. In response to the requirements regarding NPPI compliance, Wells Fargo published the Wells Fargo Title and Settlement Newsletter dated March 6, 2014 which stated that they were expanding and enhancing third-party oversight.  They stated that Wells Fargo supports American Land Title Association (ALTA) Best Practices and made it clear that those they work with need a plan in place to ensure compliance.

Best Practices for Closing Attorneys Representing Lenders

In the webinar entitled "Best Practices Boot Camp" presented by the North Carolina Closing Attorney Best Practices Task Force, Attorney Christopher J. Gulotta, Founder and CEO of Real Estate Data Shield, Inc., set forth the best practices to ensure NPPI compliance, which include the following:

  • Develop all required privacy and data security policies, procedures and plans including
    1. Information Security Plan
    2. Incident Response Plan
    3. Disaster Recovery Plan
    4. Secure Password Policy
    5. Electronic Communications and Internet Use Policy (e.g., employees should only access the internet for work-related matters and not personal use)
  • Assess your company’s risk profile
  • Educate and train your workforce (Nearly 40% of all breaches occur from an employee)
  • Secure your work flows
  • Ensure compliance of all service providers (e.g., off-site storage facilities, cloud providers, etc.)
  • Implement a sound document destruction policy


Mr. Gulotta also presented his recommendations for Administrative Security Critical Controls, Physical Security Critical Controls, and Network Security Critical Controls.  He advised that not only should you implement these policies, but you should inform lenders that you understand the pressure they are under from legislators and demonstrate that you have taken it seriously.  He suggests putting together a manual of policies and procedures and providing it to lenders before they request it, as lenders have identified security as their number one concern.  Mr. Gulotta's detailed recommendations for closing attorneys representing lenders include the following:

A.  Administrative Security Critical Controls

  1. Staff Training – Have your staff sign an acknowledgement of your policies and procedures before beginning work.  Conduct background checks of your employees.
  2. Create a Manual of Policies and Procedures
  3. Privacy Notice – Ensure any privacy notice posted on your website is accurate. Make sure the website designer has not posted something you are not living up to.
  4. Have a Shred-All Policy
  5. Implement Vendor Non-Disclosure Agreements
  6. Have a Clean Desk, Clean Office, and Clean Screen Policy – The desks at your office should be empty at the beginning and end of the day.  Any file not currently being worked on should be in a locked filing cabinet.  Only the files that someone is currently working on should be out.  If someone leaves their desk, they need to ensure any file they are working on is closed.  Privacy screens should be used on all monitors, and screens should lock after one minute of inactivity.  Copy areas should be kept clean.  Employees should be trained on the use of any mobile devices.


B.  Physical Security Critical Controls

  1. Entryway Security & Sign-In Log – Have strong locks where the keys cannot be copied. Only personnel who need keys should have them.  Visitors should sign a log and you should check their identification.
  2. Clean Desk Policy
  3. Locked Filing Cabinets
  4. Security Cameras
  5. Privacy Screens
  6. Locked Offices – Offices of management or those dealing with critical documents should be locked.
  7. Shredding of Paper and Digital Media
  8. Locks on Computers – especially those near an entryway.


C.   Network Security Critical Controls

  1. Password Protection – Passwords should be a minimum of nine characters long and should use a combination of upper and lowercase letters, numbers, and special characters. A rule should be established that passwords must be changed every two to three months.
  2. Computer Screen Timed Lockout
  3. Use Various Brands of Firewalls
  4. Port Lockdowns – All USB ports should be disabled except for those of one or two gatekeeper employees. These employees should scan any USB stick before any file is copied from it.
  5. Network Printers/Scanners – These devices are usually leased. Ensure your IT person sets these devices up to have their stored data deleted on a daily basis.  At the end of the lease term, have a technician remove the disk and have a document destruction company destroy it and give you a receipt.
  6. Restrictive Access to Programs, Files, Etc. – Server Room should be a separate room with limited access. Employees should not be able to disable security software.
  7. Updates and Patches – Many breaches occur in the window between the date you receive an update or patch and the date you put it in place. Apply updates and patches as soon as they are received.
  8. Email Encryption – Sending an unencrypted email with NPPI is like sending a postcard with someone’s personal information on it. Call the party you are sending the secure email to and offer to walk them through it if needed.
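The password rule in item 1 above is the one control on this list that can be checked mechanically. As an added example (not code from the webinar or from this post), the Python below encodes that rule (at least nine characters; upper and lowercase letters, digits and special characters; a forced change every two to three months, taken here as a 90-day limit, which is an assumption) as a function that returns the list of violations for an account, and runs it over a small constructed roster of accounts. The account names and dates are constructed sample data, not real users.

```python
import re
from datetime import date
from typing import Dict, List, Optional

MIN_LENGTH = 9        # from the post: at least nine characters
MAX_AGE_DAYS = 90     # assumption: "every two to three months" taken as 90 days

# Each required character class from the post, with the pattern that detects it.
REQUIRED_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, last_changed: date,
                   today: Optional[date] = None) -> List[str]:
    """Return the policy violations for one credential; an empty list means compliant.

    The function reports findings only and never stores or echoes the password.
    """
    today = today or date.today()
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")

    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")

    return problems


def audit(accounts: Dict[str, tuple], today: date) -> Dict[str, List[str]]:
    """Run the check over a roster {username: (password, last_changed)}.

    Only accounts with at least one violation appear in the result, so an
    empty dict means the whole roster is compliant.
    """
    findings = {}
    for user, (password, last_changed) in accounts.items():
        problems = check_password(password, last_changed, today)
        if problems:
            findings[user] = problems
    return findings


# Constructed sample roster (hypothetical users and credentials).
SAMPLE_ACCOUNTS = {
    "paralegal1": ("Closing2015!Docs", date(2015, 1, 1)),   # compliant
    "reception":  ("password", date(2014, 1, 1)),           # weak and stale
    "partner":    ("Ab1!", date(2015, 1, 2)),               # too short
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS, date(2015, 3, 1)).items():
        print(f"{user}: {'; '.join(problems)}")
```

The check is deliberately a pure function over the credential and its age, so it can be called from an account-provisioning script or a periodic review without the password ever being written to a log; only the list of findings is reported.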

If you are a closing attorney who represents lenders and you have not implemented or at least considered these policies, now is the time to get started.

The information in this blog was largely derived from the webinar entitled “Best Practices Boot Camp” first presented by the North Carolina Closing Attorney Best Practices Task Force on January 28, 2015.  See http://www.ncclosingattorneybestpractices.org/resources.html.


Think Before You Link: New NC Ethics Opinion on Social Media Connections

The Ethics Committee has now adopted an opinion[1] about the propriety of making and accepting invitations to connect and endorsements from judges and others on social media sites.  2014 FEO 8.  You can view the entire opinion by visiting the State Bar’s website and inserting the opinion number on the ethics page.  The opinion distinguishes between two types of “links” and also by who is making them– a judge or a lawyer.  For the first category – connections — the adopted opinion holds that an attorney may ordinarily accept an invitation to connect from a judge.  Opinion #1.  The lawyer generally also may send an invitation to connect with a judge.  Opinion #2.

The opinion warns that if the attorney is currently in proceedings before the judge at the time of the invitation, however, the Rules of Professional Conduct may require the lawyer to decline the invitation until the proceedings have concluded.  The lawyer must determine whether acceptance of the invitation during the pendency of a case will: (a) impair the lawyer’s ability to comply with Rule 3.5 concerning ex parte communications, and (b) amount to conduct that is prejudicial to the administration of justice in violation of Rule 8.4(d), among other Rules.

Ultimately, the opinion directs lawyers to be mindful of their obligation to protect the integrity of the judicial system and to avoid creating an appearance of judicial partiality.  The same criteria apply when deciding whether to send an invitation to a judge to connect. Opinions #1 and 2.  Based upon this opinion, the safest course is to wait to connect with a judge until you are not appearing before that judge, if possible.

The next part of the opinion deals with endorsements and recommendations.  On LinkedIn, you have an option to display your “skills & expertise” on your profile page.  Your connections can then endorse a skill or expertise for you and you get a notification of the endorsement.  If you do nothing, and the endorsement is for a skill you have selected to show, then that endorsement automatically will appear on your profile page.  You may edit the “skills & endorsements” section to “hide” selected endorsements or skills.  People can also post recommendations on your profile page.

Why is all of this important?  The proposed ethics opinion says that it is okay to endorse a judge for skills or expertise (assuming you are not currently appearing before them).  Opinion #3.  Likely, this is permitted because it is really no different than sponsoring a judicial campaign or being listed publicly as a donor.  The lawyer also may accept endorsements and recommendations from persons other than judges as long as they are truthful and not misleading.  Opinion #5.

The opinion, however, holds that an attorney may not accept an endorsement from a judge under any circumstances or at any time because it would create the appearance of judicial partiality in violation of Rule 8.4(e).  Opinion #4.  Further, if a person who endorsed you later becomes a judge, you are required to remove or hide the endorsement from your profile if you know or reasonably should have known the person is or became a judge.  In the final adopted opinion, the State Bar added the reasonableness qualifying language.  Opinion #6.

Although the opinion primarily concerns the use of LinkedIn, it also applies to any social media site that allows public displays of connections, including endorsements or recommendations.  Opinion #7.    After reading the final opinion and before posting this blog, I decided I needed to figure out how to check my LinkedIn profile for people that may have become judges and might have endorsed or recommended me at one time.   Fortunately, no current judges endorsed me on LinkedIn so I didn’t have to learn how to hide or remove any.  Now I am off to figure out how to get onto our firm Facebook, Twitter and Google+ pages to check them as well.  Whose idea was it to set up all these social media sites anyway?

[1] This blog updates an earlier blog on the same topic.



Email Encryption: HIPAA Considerations for Lawyers and CPAs

Currently, neither the NC State Bar nor the NC State Board of CPA Examiners specifically requires encrypted email, although licensees must take reasonable measures to ensure any client information maintained and transmitted is confidential and secure. On the other hand, the Health Insurance Portability and Accountability Act of 1996 [“HIPAA”] may require both lawyers and CPAs, under certain circumstances, to encrypt when acting as a “business associate” to a “covered entity.”

Could you be a “business associate” under HIPAA?

When HIPAA was first enacted, only covered entities, such as health care providers and health plans, were required to take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable protected health information [“PHI”] of their patients or members. The HIPAA privacy and security rules now apply not only to covered entities but also to their business associates. Further, with the new rules firmly in place, the U.S. Department of Health and Human Services is expected to become more aggressive in enforcing HIPAA. Given that lawyers and CPAs who violate the rules while providing services to covered entities may be subject to penalties of $100 to over $50,000 per violation, it is worthwhile to consider whether you are classified as a “business associate” under HIPAA.

HIPAA defines a business associate as any entity that creates, receives, maintains, or transmits PHI while performing a function, activity, or service on behalf of a covered entity, including the provision of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.[1]  So if you are performing legal or accounting services directly for, or on behalf of, a covered entity, such as a healthcare provider or healthcare plan, you are classified as a business associate and, consequently, must meet the same standard of security for the protection of PHI as the covered entity.

HIPAA Encryption Requirement

The good news is that HIPAA does not necessarily require the use of email/fax encryption by covered entities and business associates. The security rule made the use of encryption for PHI an “addressable” implementation specification as opposed to a “required” specification. Therefore, before a covered entity or business associate can decide not to encrypt electronic transmissions of PHI, the entity must engage in a feasibility analysis. The analysis would consider the:

  • Size, complexity and capabilities;
  • Technical infrastructure, hardware and software security capabilities;
  • Costs of security measures; and
  • Probability and criticality of potential risks to electronic PHI.

Under the feasibility analysis, “[i]f the entity decides that the addressable implementation specification is “not reasonable and appropriate”, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to execute the implementation specification or any equivalent alternative measure and document the rationale for this decision.”[2] Thus, it is a violation of HIPAA to send unencrypted emails containing PHI while providing services to a covered entity without first having performed and documented the feasibility analysis.

As noted already, a single violation can carry a penalty as high as $50,000. On the other hand, encryption carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements.[3] A security incident that would otherwise require notification is not considered a breach if the PHI affected was encrypted and the encryption key had not been compromised.[4]

In summary, if the lawyer or CPA is performing a service on behalf of a covered entity which involves creating, receiving, maintaining, or transmitting electronic PHI, s/he would likely be a business associate under HIPAA.  Then, to determine if the covered entity and business associate should implement a mechanism to encrypt ePHI, the feasibility analysis discussed above should be conducted.

Other Potential Requirements for Business Associates

In addition to encryption considerations, under HIPAA, business associates may also need to:

(1) Execute Business Associate Agreements

Lawyers and CPAs may need to execute a business associate agreement with the covered entity.  The agreement should comply with the specifications required by HIPAA.  In addition, when the business associate must disclose PHI to a third party (e.g. expert witnesses, investigators, third-party providers, etc.), s/he will need to execute a business associate agreement with that third party which includes the same restrictions and conditions that originally applied to the business associate with respect to the information.

(2) Implement HIPAA Policies with Documented Procedures

Business associates should implement and document policies and procedures to prevent, detect, contain, and correct security violations relating to ePHI.

(3) Perform HIPAA Training for Staff and Yearly HIPAA Security Reviews

Everyone who falls under HIPAA must perform HIPAA training for staff and yearly security reviews of their internal systems, their policies, and the flow of their ePHI into and out of their network, among other things.

Note that the list above does not include every function a lawyer or CPA who is classified as a business associate may need to perform to be compliant under HIPAA. It is highly advisable for any professional who handles PHI while providing a service to a covered entity to consult an attorney practicing in the area of health care regulation to ensure compliance with the complex and changing laws surrounding the privacy and security of PHI.

THIS INFORMATION IS NOT INTENDED TO BE LEGAL ADVICE.

[1]  See 45 C.F.R. § 160.103.

[2]  http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html.

[3]  78 Federal Register 5644.

[4]  Id.


The CPA Board Rules: They are a’ Changin’

The NC Board of CPA Examiners recently adopted amendments to its regulations in the following areas that may be relevant to your practice if you are a CPA or work with CPAs:

Self-Reporting of Convictions, Judgments, Discipline and Investigation

  • Requiring CPAs to notify the Board within 30 days of
    • any charge or arrest for a criminal offense, not just a conviction, plea or other resolution. § 08N .0208(a);
    • any settlement in lieu of a civil suit or criminal charge that is based on an allegation of professional negligence, gross negligence, dishonesty, fraud, misrepresentation, competence or violation of any federal, state or local law, regardless of any confidentiality clause in the settlement. § .0208(c);
    • any inquiry or investigation by the IRS or any State Department of Revenue Criminal Investigation Divisions pertaining to any personal or business tax matters. § .0208(d); and
    • the filing of any liens by the IRS or State Department of Revenue regarding the apparent failure to pay any tax amounts due. § .0208(e).

Peer Review

  • Requiring a CPA or CPA firm not currently providing services that mandate participation in the peer review program to register with that program within 30 days of the issuance of the first report provided to a client for such services. Services requiring a CPA or CPA firm to participate in the peer review program include: audits, reviews or compilations of financial statements, agreed-upon procedures or attestation engagements. § 08M .0105(a) & (b).

Basis for discipline

  • Adding another basis for discipline against CPAs within the definition of “discreditable conduct prohibited” to include:
    • misrepresentation in reporting CPE credits, and
    • entering into any settlement or other resolution of a dispute with a CPA that purports to keep its contents confidential from the Board. § 08N .0203(b).

Modification of Discipline and Reinstatement of Certificates

  • Restricting rules concerning modification of disciplinary orders to apply only to permanent revocations by the Board (unless by consent). § 08I .0104(a);
  • Requiring affiants supporting reinstatement of a CPA certificate to be familiar with the facts of the revocation or discipline. § .0104(b); and
  • Making restitution of civil settlements, liens or other agreements with the aggrieved party an element of good cause necessary for reinstatement of a CPA certificate. § .0104(c).

CPA Firm ownership requirements

  • Requiring the CPA owner of a firm to actively participate in the business of the CPA firm as his or her principal occupation. § 08N .0302(e)(2).

CPA Status

  • Eliminating “retired” status so a CPA is either active or inactive. 21 NCAC 08A .0301 (deleting section (32) and corresponding deletions and other changes throughout the regulations)

Application requirements

  • Imposing additional requirements and restrictions on applying for examination and for a CPA certificate, including:
    • prohibiting filing an application while serving a sentence resulting from criminal plea or conviction, including any type of probation. §§ 08F .0103 & .0502(c); and
    • requiring additional disclosure and documentation regarding a criminal plea or conviction or denial of any license by a state or federal agency. § 08F .0502(c).

CPE requirements

  • Ceasing to register CPE sponsors and relying upon those in good standing with the National Registry of CPE sponsors. § 08G .0403;
  • Requiring CPAs to receive and submit a certificate of completion for each CPE. § .0401;
  • Requiring monitoring mechanisms for internet-based CPE programs to ensure active participation by the CPA. § .0409; and
  • Allowing CPE credit for self-study based on national standard word count formulas.

For more detail about these recent changes to the rules, you can access the Board’s rules on its website.
