Disciplinary Matter? You May Be Covered

As a busy professional with limited time, one of the last things you want to receive is an official letter from your licensing board or agency about a complaint that has been filed against you.  To make matters worse, hiring experienced counsel to represent you in such a matter may be important but is almost certainly an unanticipated expense.  Fortunately, coverage for such representation from professional liability carriers has become increasingly common in recent years.  One of the first things you should do if you receive such a disciplinary or ethics complaint is to check your professional liability insurance policy and determine if you have coverage.

Historically, liability carriers for physicians, dentists, therapists and other medical professionals have been more likely to contain coverage for representation in disciplinary proceedings than insurers for other professionals.  Increasingly, professional liability carriers for attorneys and other professionals have begun offering such coverage.  Some of these carriers pay the attorney directly and others provide reimbursement coverage, which requires the professional to pay the attorney first and then seek reimbursement from the carrier, typically up to a certain limit.  The amount of coverage can vary significantly, typically in a range from $5,000-$25,000, and generally it has no deductible, unlike malpractice coverage.  Most carriers allow the professional to select the attorney of their choice.

As an example, Lawyers Mutual Liability Insurance Company of North Carolina (LML NC) insures a large number of attorneys in this state.  It recently has amended its policy to include several additional benefits that do not trigger the insured’s deductible amount, including reimbursement coverage in disciplinary proceedings.  This provision is being incorporated into new policies or upon renewal of existing policies.  Under the amended policy, LML NC will reimburse its insured for legal fees paid to an attorney representing the insured as a result of a disciplinary proceeding.

Generally, to trigger such reimbursement coverage, the disciplinary proceeding must be:

(a) related to the provision of legal services on or after the prior acts date of the insured in the policy (generally excluding acts prior to coverage with LML NC); and

(b) first initiated against the insured and reported to LML NC during the policy period or any extended reporting period (“tail” coverage).

Reimbursement coverage is excluded in the following situations:

1.   the insured has been convicted of a felony for conduct giving rise to a disciplinary proceeding; or

2.   the proceeding results in discipline of the insured because of theft, embezzlement, misappropriation, or other unauthorized withdrawal or misapplication of funds.

If coverage is provided under the conditions in sections a and b and is not excluded under 1 and 2 above, LML NC will reimburse the insured up to $5000 per policy period.  This is an excellent additional benefit now being provided for the first time to many lawyers in North Carolina.  For many grievances with the State Bar that are not overly complex or document intensive, the reimbursement amount will cover representation by an experienced attorney at that informal stage.

This reimbursement coverage, however, likely would only cover a small portion of a case referred to the Disciplinary Hearing Commission for a formal evidentiary hearing.  It is yet another reason why it’s important to seek representation by counsel experienced with State Bar matters at the early and informal stages of the proceedings.  Most all of us know the expression that a lawyer who represents himself or herself has a fool for a client.  While that may be an overstatement, it is difficult to be objective in representing yourself while being attacked, often by a client that you have gone out of your way to help.

One of the great aspects of LML NC is that its in-house counsel are very proactive about early intervention and pre-suit, claims repair assistance before the problem gets out of control if contacted early by an insured.  Our firm has a similar philosophy about grievance or disciplinary matters and highly recommends that lawyers and other professionals get assistance and representation as early in the process as possible.  For more information about the grievance process and whether you need to retain counsel, review http://brockerlawfirm.com/state-bar/grievance/.  Regardless of your profession, if you receive an ethics or disciplinary complaint, first check your professional liability policy for coverage and then seriously consider retaining an attorney experienced in handling such matters.  For more information, review http://brockerlawfirm.com/general-board-process/overview/ .  If you have coverage now, take advantage of it and don’t have a fool for a client.

Posted by | Comments Off on Disciplinary Matter? You May Be Covered

Maintaining a Strong Professional Core

If you’ve been to a gym, attended almost any exercise class, or worked with a personal trainer in the last 5+ years, you almost certainly have heard these or similar words: “The key to success is developing and maintaining a strong core.”  This is true whether you are a runner, biker, swimmer, yogi, skier, or cross trainer, among many others.  It’s excellent advice but also has important applications outside of the gym for your health and fitness.  This same principle is just as essential in your professional life as in your personal life.  It applies whether you are a lawyer, physician, pharmacist, CPA, therapist, broker, or insurance agent, to name just a few.

In order to be successful in the long term, it is critical to develop a set of core principles around which you organize and operate your professional life and dealings.  Determining these core principles should be a very contemplative and deliberate process.  These core values must be personal to your situation and circumstances.  No one can provide others a standard, one-size-fits-all set of core values that will work for every person, situation or profession.

Although no one single set of core principles applies across all professions, they often have substantial overlap for many professionals.  The following set of core values is merely an example of those you may consider:

  1. Serve Clients: The essence and most important aspect of any profession is service to clients, patients or customers.  All critical decisions should consider whether the chosen path will improve you and your firm’s ability to serve clients or patients better. Without clients or patients, and providing good service to them, there is no profession or business.  Results are only one aspect of providing excellent service to clients.  Responsiveness, empathy and compassion are equally important to clients and patients.
  2. Be different: Don’t do what everyone else is doing already.  Find a practice area that you enjoy and concentrate in becoming the best professional you can be in that area.  Preferably, the practice area will be one that is not overcrowded and is likely to grow in the future.  Regardless, make sure that you enjoy doing it on a daily basis.  No amount of vacation can make up for practicing in an area or for clients that you don’t like.
  3. Choose wisely: This principle applies across the spectrum of decisions involved in your profession and practice, including selecting your clients or patients, choosing staff and others that will assist you, properly evaluating cases or professional matters initially, and determining how to structure and organize your office or practice, among various other important determinations. Making wise choices has a significant impact on your professional enjoyment, success and ability to serve clients or patients well.
  4. Work Smart: Hard work and dedication is an essential element of being a successful professional. These qualities are necessary but no longer sufficient, especially in the technological age.  There are now almost an unlimited number of ways to increase your efficiency and effectiveness.  You must make time to continually evaluate whether you are not only working hard but intelligently. This principle also affects the last core value.
  5. Live Balanced: Too many professionals emphasize the hard work and dedication at the expense of maintaining a balanced personal and professional life. This principle is almost cliché, constantly cited, but too often not followed.  In order to be successful and serve your clients well over the long term, you must set aside and make time to pursue, develop and maintain other interests and personal relationships.  An unbalanced life is a long-term formula for professional and personal problems, often leading to mental and physical health or substance abuse issues.

There are many other important core principles or values, besides the above examples, that you may decide are more appropriate to your personal and professional circumstances.  The most critical part is to carefully determine the ones that are the best suited for you and then remind yourself of them on a daily basis as the foundation for a successful professional life.  While developing that strong core is the essential first step, maintaining it is just as important.  Just like in the gym or other athletic endeavors, both developing and maintaining a strong core is an essential element of long-term professional success.

Posted by | Comments Off on Maintaining a Strong Professional Core

What To Do If You’ve Goofed

Have you ever made a mistake in your practice?  Of course you have.  We all have.  The question is what are you ethically required to do when that happens?  Must you disclose the mistake to the client? If so, what exactly do you have to tell him or her?  If your mistake was a doozy, do you have to tell the client he or she needs to seeks other counsel or that they may have a malpractice claim against you?

This is the subject of a newly proposed ethics opinion, Proposed 2015 FEO 4*.  According to the opinion, not all mistakes will need to be disclosed to the client.  Small, insignificant errors may not need to be disclosed.  Whether a mistake must be reported depends upon the materiality of the mistake.  Mistakes that would give rise to a malpractice claim must always be reported to the client.  Beyond that, here is what the proposed opinion says:

If the error will result in financial loss to the client, substantial delay in achieving the client’s objectives for the representation, or material disadvantage to the client’s legal position, the error must be disclosed to the client. Similarly, if disclosure of the error is necessary for the client to make an informed decision about the representation or for the lawyer to advise the client of significant changes in strategy, timing, or direction of the representation, the lawyer may not withhold information about the error. Rule 1.4. When a lawyer does not know whether disclosure is required, the lawyer should err on the side of disclosure or should seek the advice of outside counsel, the State Bar’s ethics counsel, or the lawyer’s malpractice carrier.

The question then becomes, if you must report the mistake to the client, what do you need to say?  The proposed opinion provides:

The lawyer must candidly disclose the material facts surrounding the error, including the nature of the error and its effect on the lawyer’s continued representation. If the lawyer believes that she can take steps to remedy the situation or mitigate or avoid a loss, the lawyer should discuss these with the client while informing the client that the client has the right to terminate the representation and seek other counsel. Rule 1.4.

The proposed opinion also makes clear that the attorney should not state or discuss whether the client may have a malpractice claim against the attorney, and should not give legal advice regarding such claim, as it is a conflict of interest to do so.   The attorney should, however, inform the client that it may be “advisable to consult with an independent lawyer with respect to the potential impact of the error on the client’s rights or claims.”  The proposed opinion also advises that the attorney need not

inform the client of the statute of limitations applicable to legal malpractice actions, nor is she required to give the client information about the lawyer’s malpractice insurance carrier or information about how to file a claim with the carrier. 

This is one of those rare instances where it appears that more disclosure is not necessarily better.   Still, before discussing any error with your client, the proposed opinion suggests consulting your liability carrier’s claims counsel about how they would want you to proceed and what information should be provided to the client.

Look for a later blog on whether you must withdraw from representation in the face of an error.

*This is not yet a final opinion, and is set to be heard at the July 2015 Ethics Committee meeting.

Posted by | Comments Off on What To Do If You’ve Goofed

New Proposed Rule for Self Reporting

The newly proposed rules regarding trust accounting are designed to better protect the public by facilitating the early detection of theft and internal errors in attorney trust accounts.  One proposed rule in particular represents a fairly significant change in the reporting requirements when an error or misappropriation is discovered in the trust account.  Currently (at least until the Supreme Court certifies any proposed rules  the Bar submits) Rule 1.15-2(o) of the Rules of Professional Conduct requires a lawyer who discovers misappropriation or misapplication of trust funds to inform the State Bar of this discovery.  Many attorneys already interpreted this rule as requiring a report to the State Bar even when there was just a clerical or accounting error in the trust account.  Ethics Counsel with the State Bar confirmed, however, that this rule was not intended and did not require an attorney to self-report every mistake or accounting error in the trust account. As everyone has made a mistake involving the trust account at one time or another, to require every error to be reported would be unreasonable and unduly burdensome on the State Bar.

The newly proposed Rule, however, would now require, not only self-reporting misappropriation or intentional misapplication of trust funds, but also any mistake in the trust account if the error is not discovered and rectified on or before the next quarterly reconciliation.  The proposed amendment is as follows:

(p) Duty to Report Misappropriation. A lawyer who discovers or reasonably believes that entrusted property has been misappropriated or misapplied shall promptly inform the trust account compliance counsel (TACC) in the North Carolina State Bar Office of Counsel. Discovery of intentional theft or fraud must be reported to the TACC immediately. When an accounting or bank error results in an unintentional and inadvertent use of one client’s trust funds to pay the obligations of another client, the event must be reported unless the misapplication is discovered and rectified on or before the next quarterly reconciliation required by Rule 1.15-3(d)(1). This rule requires disclosure of information otherwise protected by Rule 1.6 if necessary to report the misappropriation or misapplication.

The new proposed language is in bold print. In the event that an attorney does not discover and rectify the mistake within the requisite time frame, at the point in time that the attorney DOES discover the problem, he or she must report that fact to the trust account compliance counsel, Peter Bolac.  It is interesting to note that the proposed rule appears only to require reporting when the banking or accounting error results in an unintentional and inadvertent use of one client’s trust funds to pay the obligations of another client, AND the misapplication is not discovered and rectified timely.  As there could be errors in the trust accounting that do not result in the use of one client’s trust funds to pay the obligation of another client, it appears these kinds of errors would never require self-reporting.  I wonder if that is what was intended…

Posted by | Comments Off on New Proposed Rule for Self Reporting

To Represent or Not Represent: Either Way, Put it in Writing

An article on Law360 makes a persuasive argument for engagement letters and provides:

Law firms facing malpractice claims are often the victims of their own failure to use strongly worded engagement letters that clearly define the limits of legal services being offered to clients…[1]

I also recently attended a CLE where the speaker said something that really caught my attention: Out of the several hundred malpractice cases filed, only a small handful had an engagement letter in place. And of those, only two truly contained the essential elements of an engagement letter.  Those numbers seem to strongly indicate two things: (1) attorneys are not seeing the value, and are not using, engagement letters; and (2) engagement letters are almost always necessary.

Engagement Letters

In certain situations, such as with contingency fees and business transactions with clients [See “Doing Business with Clients? Better Think Twice”], the Rules of Professional Conduct require that the agreement be in writing. However, even when it is not required, memorializing your agreement to represent a client in writing is a sound business practice and something we consistently do at my firm. A good engagement letter can promote communication, eliminate misunderstandings, and potentially prevent a malpractice claim.

All engagement letters are, however, not created equal.  A good letter will provide: (1) the nature of the services you will provide; (2) any exclusions from the scope of the engagement; (3) the fees and billing arrangements; (4) procedure for retainers; (5) specific requirements and responsibilities of the client during the engagement; (6) costs the client will be responsible for; and (7) when the engagement will begin.  Have the client sign the letter to acknowledge they have read, understand and agree to the terms.

An engagement letter is the best way to document and communicate the terms of the representation. When you and the client are on the same page, malpractice claims and complaints to the State Bar become far less likely.

Letters of Limited Engagement

The provision of unbundled legal services has become popular, particularly where clients would like to control costs or do not want or need full service.  If you do provide unbundled services, it seems a letter of limited engagement is essential.  Rule 1.2 of the Rules of Professional Conduct provides that a lawyer may limit the scope of the representation as long as the limitation is reasonable under the circumstances. Further, Comment 8 of the Rule provides that “a specification of the scope of representation will normally be a necessary part of any written communication of the rate or basis of the lawyer’s fee.”

If you don’t limit the scope of services in the engagement letter, you will likely be held to the default, and much higher, standard of “full service.”  A good letter of limited engagement will identify both the services that are being provided and specify which are not.  Once you set out the terms of the limited engagement, don’t stray from it into other services or matters without entering into a separate agreement.

Non-engagement, or “I’m Not your Lawyer” Letters

Non-engagement letters are a good idea in every situation where a prospective client inquires about legal services but does not follow through and engage your services or if you decline the representation. This can include not only potential clients who you meet in-person, but also people who submit web inquires or emails, or even your neighbor looking for some legal advice.  The letter needs to clearly state that you will not be undertaking the representation of the client.  If the potential client provided any documents, you would want to return those with the non-engagement letter. You would not want to offer specific legal advice in the letter. However, if there is a pending deadline or a statute of limitation issue, you should note that and include a strongly-worded statement that s/he should immediately seek legal counsel.

Disengagement Letters 

Once the representation of a client has concluded, a disengagement letter is an effective way to make sure the client is aware that the work has been completed and that you are no longer acting on their behalf.  Disengagement letters can also be used to thank clients for placing their trust with you and your firm and letting them know you are there if they should need assistance in the future. So, not only can the letter potentially protect you from a malpractice claim or grievance, it can also be a good marketing tool.

*The above is provided for general information purposes and is not legal advice or opinion.

[1] Jeremy Heallen, “Weak Engagement Letters Fueling Malpractice Litigation.” Law360, 2 May 2014. Web. <http://www.law360.com/articles/533985/weak-engagement-letters-fueling-malpractice-litigation>.

Posted by | Comments Off on To Represent or Not Represent: Either Way, Put it in Writing

Conflict Waivers: When Clients Change Their Mind

In a prior blog, we discussed how to draft an effective written conflict waiver.  You may recall that an effective waiver, at a minimum, should be in writing – preferably signed by the client, describe the circumstances of representation, clearly address any conflict that exists or is foreseen, address the issue of confidentiality, and advise the client to seek independent counsel.  Once you have a signed conflict waiver from your client, what happens if a client changes his mind and tries to revoke that waiver.  Can he?  Is the lawyer required to withdraw from representing the other affected client?

2007 FEO 11 provides some guidance on this issue.  Although a client may revoke consent to a conflict or potential conflict for any reason, a lawyer may not necessarily have to withdraw from representing the other affected client.  The opinion cites the Restatement of the Law Governing Lawyers, which “indicates that if one client revokes his consent to representation without good reason, the lawyer may continue representing the other client in the matter if the lawyer and other client have already relied on the consent to their detriment.”  A client may be justified in revoking consent where there is a material change in circumstances, or a conflict arises which was in no way contemplated by the parties at the time the consent was signed.  A lawyer may have detrimentally relied upon the consent if a substantial amount of time has been spent preparing for the other matter, the lawyer has already shared confidential information permitted by the consent, or other opportunities for representation were passed upon in reliance upon continued representation.

Ultimately, the ethics opinion holds that “[i]n the absence of specific language in the consent agreement addressing the effects of repudiation, a lawyer is not required to withdraw from representing one client if the other client revokes consent without good reason and an evaluation of the factors set out in comment [21] and the Restatement favors continued representation.”  Such factors include (1) the nature of the conflict, (2) whether the client revoked consent because of a material change in circumstances, (3) the reasonable expectations of the other client, and (4) whether material detriment to the other client or the lawyer would result.

A lawyer acts ethically if he follows these guidelines in deciding that he may remain in a case; however, a court may ultimately weigh the equities of the situation and reach a different result.  The fact that a court did not agree with the lawyer’s determination in this regard, does not necessarily mean that the lawyer has violated any ethics rules.

Posted by | Comments Off on Conflict Waivers: When Clients Change Their Mind

Is My Blog Considered Attorney Advertising?

The Standing Committee on Professional Responsibility and Conduct of the State Bar of California (Standing Committee) recently published a proposed ethics opinion regarding attorney blogging.  (See Formal Opinion Interim No. 12-2006).  The opinion determines when an attorneys’ blog(s) may fall under the scope of the Rules of Professional Conduct (Rules) related to attorney advertising.  The opinion presented four different types of blogs and commented on whether they violated the Rules.

Blogs Including Attorney Successes:

The first kind of blog could be regulated regardless of whether it appeared as part of the lawyer’s website or not.  It did not include an invitation to retain the attorney but included specific representations regarding the quality of the attorney’s services.  For example, the blog included statements such as, “I won another case last week.  That makes 50 in a row, by my count.  Once again, I was able to convince a jury there was reasonable doubt.”  It also stated that the jury as “absolutely mesmerized by my closing argument.”  The Standing Committee believed that these statements in a blog, no matter where the blog appeared, could be regulated and violated the Rules which prohibit communications that are false, deceptive, or which tend to confuse, deceive, or mislead the public.

Informational Blogs on Firm Website:

This blog was on the website of a law firm and included a series of articles written by one of the firm’s attorneys on topics that may interest the firm clients such as changes in tax law, information regarding wills versus trusts, etc.  Each blog post concluded with the statement, “for more information, contact” the author of the particular blog.  Though the Standing Committee did not seem to have any issue with the content, it did opine that the blog was a communication within the meaning of the Rules and was subject to regulation by the State Bar to the same extent as the law firm’s website.

Stand Alone Blogs:

The third type of blog was not a part of the attorney’s website.  The blogs posted by the attorney included information of interest to potential clients.  The blogs were intended to demonstrate the attorney’s knowledge of legal issues, enhance his reputation, and increase his business, but did not describe his practice or qualifications and contained no overt statements of his availability for professional employment.  However, several of the attorney’s blogs stated that if the reader had questions, to contact him.  The blogs also contained a hyperlink to the attorney’s professional web page.  The Standing Committee opined that if it were not for the concluding admonition to the blog readers to contact the attorney, the blogs would not be considered “communications” subject to the Rules.

Non-Legal Blogs by Attorneys:

In this scenario, an attorney wrote a blog about jazz artists, performances and recordings.  The blog was not part of the attorney’s professional website but did contain a link to the website in the by-line and the website contained a link to the blog.  Because the subject matter of the blog was not associated with the attorney’s practice area, the by-line would not be considered an “invitation.”  However, if the two were related, the by-line would be similar to “if you have questions, contact me.”  The Standing Committee opined that an attorney may blog about topics unrelated to the legal field, provided he does not actively use the blog to solicit business as an attorney.

Thus, the California Standing Committee’s conclusions are summarized as follows:

  1. Blogging by an attorney is subject to the requirements and restrictions of the Rules of Professional Conduct relating to lawyer advertising if the blog expresses the attorney’s availability for professional employment directly through words of invitation or offer to provide legal services, or implicitly through its description of the type and character of legal services offered by the attorney, detailed descriptions of case results, or both.
  2. A blog that is part of an attorney’s or law firm’s professional website will be subject to the rules regulating attorney advertising to the same extent as the website of which it is a part.
  3. A stand-alone blog by an attorney that does not relate to the practice of law or otherwise express the attorney’s availability for professional employment will not become subject to the rules regulating attorney advertising simply because the blog contains a link to the attorney or law firm’s professional website. (Formal Opinion Interim No. 12-0006).

North Carolina does not currently have an opinion on attorney blogging; however, based on the NC Rules of Professional Conduct and prior ethics opinions, it is likely that the NC Ethics Committee would agree with the proposed California opinion.

Rule 7.2 governs attorney advertising through written, recorded, or electronic communication, including public media.  This Rule clearly includes written blogs published on firm websites and most likely includes those that are not, if the attorney either discusses his services/accomplishments or invites a potential client to contact him regarding the subject of a legal blog.  “Advertising involves an active quest for clients…” and “may entail the risk of practices that are misleading and overreaching.”  Rule 7.2, Comment 1.

Rule 7.1 prohibits false or misleading communications about the lawyer or the lawyer’s services.  A communication is false or misleading if it is likely to create an unjustified expectation about results the lawyer can achieve.  See Rule 7.1(b).  “This Rule governs all communications about a lawyer’s services, including advertising permitted by Rule 7.2.”  Rule 7.1, Comment 1.  “Truthful statements that are misleading are also prohibited by this Rule.”  Rule 7.1, Comment 2.

Though there are no NC ethics opinions directly on point, there are many which address similar issues in attorney advertising.  Some of these include 2009 FEO 16, 2012 FEO 8, 2010 FEO 11, 2005 FEO 14, and 2012 FEO 1.  See opinions at www.ncbar.gov.

In order to avoid any issues with the State Bar, it is a good idea to ensure that any legal blog you post is compliant with the advertising rules, as there is a strong likelihood the State Bar would take the position that it is a communication it can regulate.

Posted by | Comments Off on Is My Blog Considered Attorney Advertising?

Mixing Business with Pleasure: Dual Relationships

If you have a client or patient that you connect with on a personal level, is it okay to have a social as well as a professional relationship?  It depends on your profession and what type of personal relationship.  Most professions prohibit a sexual or romantic relationship with a current patient/client.  The rules differ significantly among the professions, however, for non-romantic relationships with current or even former clients/patients.

For example, attorneys are generally permitted to have business and non-sexual relationships with current clients, as long as any dealings are fair and the relationship does not interfere with the attorney’s representation or independent judgment.  Like most professions, lawyers cannot have a sexual relationship with a current client, unless it pre-dated the representation.[1]  However, as soon as the representation ends, counselors at law may begin a romantic relationship with a former client.

In contrast, other types of counselors, such as psychologists, clinical social workers, and other therapists, are generally prohibited from having personal or social relationships with current clients and with prior clients, at least for a period of time.   Also, to avoid any potential undue influence from the professional counseling relationships, ethics rules for some therapists effectively have a permanent ban on sexual relationships with past clients, while most rules prohibit romantic involvement for at least a couple years.[2]

Social media has blurred some of the personal/professional lines, especially as it relates to social but non-sexual relationships with current patients/clients.  For example, is it okay to friend or send/accept an invitation to connect on social media with a current client?  The answer varies depending upon the type of social media connection, even within a profession.  Most professional ethics rules have a difficult time keeping pace with rapidly expanding and changing technology and don’t provide clear guidance on these types of issues.  The best course is to check your professional rules, with your licensing board or call someone with experience in these areas before you mix business with pleasure concerning current or past clients.

[1] NC Rule of Professional Conduct 1.19.

[2] See, e.g., for Psychologists: 21 NCAC 54 .1608 and APA Code of Ethics, Standard 3: Human Relations, 3.05 Multiple Relationships; for LCSWs: 21 NCAC 63 .0504 Responsibilities in Professional Relationships; for LPCs: Rule 21 NCAC 53 .0102 and ACA Code A.5. Prohibited Non-counseling Roles and Relationships and A.6. Managing and Maintaining Boundaries and Professional Relationships; and for LMFTs: 21 NCAC 31 .0609 and AAMFT Code of Ethical Principles for Marriage and Family Therapists, Standard I, 1.3 through 1.5.

Posted by | Comments Off on Mixing Business with Pleasure: Dual Relationships


BYOD (Bring Your Own Device) to work is becoming a common practice. The ABA, who jokingly- I think- referred to the trend as “Bring Your Own Disaster,” reports that more than 60% of employees use a personal device for work.  BYOD refers to a policy which allows or requires employees to use their personal devices, such as smartphones and tablets, to perform job responsibilities and access company data or applications.  Having a smart BYOD policy appears to have many advantages for both employees and companies including:

  • Employees like it because they are comfortable on their own device and do not have to carry more than one device.
  • It can decrease corporate costs because the employee pays for the device and the data service which, as we are all aware, can be expensive.
  • It can decrease training costs because employees are already familiar with the technology.
  • It may increase productively, and client satisfaction, because employees can work on the weekend and after hours.

However, as with most technology, there are numerous risks to be considered and managed.

Keep current on technology

Before you can mitigate the risks, you have to know what they are.  For more on risks, see CRN’s “Top 10 BYOB Risks Facing the Enterprise” here.

NC requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with technology relevant to the lawyer’s practice.[1]  So lawyers do not have the luxury of burying our head in the sand and hoping everything is okay.  Instead, we are mandated to remain current in rapidly changing technology related to our practice.  It seems to me this mandate would include investigating ways to protect data in light of the BYOD trend.

I recently read an article, Millennials Don’t Care About Mobile Security, and Here’s What to Do About it, by Omar Eiferman, which I though provided an interesting suggestion: separate personal and corporate data on employee devices used for business utilizing multi-persona virtualization.

Eiferman explains:

Multi-persona virtualization creates multiple user personas at the operating system level on a single smartphone. This means a Millennial could have three or more separate personas: one for general use, one for sensitive personal applications such as finance and health, and one persona for professional use. Because personas are separated at the deepest level possible, malware on the personal persona could not get to the professional persona. Yet, a user can switch between both personas in seconds.

Rather than using blacklisting and other draconian measures to secure the entire phone, IT can simply manage the professional persona… Multi-persona virtualization would allow IT departments to manage the context in which apps are used – without controlling what employees do on their personal personas.

I unfortunately do not know enough about multi-persona virtualization (except that is sounds interesting) to advocate implementing this measure or not, but I included it because I thought it was a great example of the security risk management options available. Another security measure I came across:  The employee’s device may be remotely wiped if the device is lost or stolen, the employment is terminated for any reason, or a breach is detected. The important thing is to evaluate and implement security measures which adequately mitigates the risks associated with BYOD.

Implement BYOD written policy

Once you, or your IT department/consultant, determine the best practices for security risk management in your firm, the next step is to develop and implement a written BYOD policy for employees.   You would likely want to address, among other things, the following:  (1) acceptable and unacceptable uses; (2) the devices which are allowed; (3) who will address connectivity and configuration issues; (4) whether the company will provide reimbursement for some of the cost for the device and/or data plan; (5) who will own the applications and data; (6) security issues including: password protection, encryption tools, data storage on the device, firewalls and use of private networks vs. free public Wi-Fi; and (7) an exit strategy if the employee leaves the company.

Once the policy is in place, consider drafting an agreement for employees to sign indicating they read and understand the policy. And after implementation, don’t forget to educate the staff regularly on the policy and, most importantly, enforce it.

Employee-owned devices at work can save the company time and money.  However, threats to a company stemming from these devices “can be as complex as a sophisticated malware attack designed to snoop on an employee’s browsing activity or as simple as a lost phone in a taxicab.” [2]  Given the benefits and risks and the high number of employees bringing their own devices to work, it may be time to think about developing a BYOD policy.

[1] N.C. Rules of Prof’l Conduct, Rule 1.1, Comment 8.

[2] http://www.crn.com/slide-shows/security/240157796/top-10-byod-risks-facing-the-enterprise.htm.

Posted by | Comments Off on BYOD: “BRING YOUR OWN DEVICE (or DISASTER)”

Non-Public Personal Information (NPPI) and the Real Estate Closing Attorney

Non-public Personal Information (NPPI) is personal identifiable data provided by a customer or client generally on a form or application.  It includes the first name or first initial and last name coupled with any of the following: Social Security number, driver’s license number, state-issued identification card, credit or debit card number, or other financial account numbers.  A North Carolina lawyer’s duty to protect this information is governed primarily by the NC Rules of Professional Conduct (Rules) and state law, but federal law may also be implicated, depending on who you are representing.

NC Rules of Professional Conduct

The requirements to protect confidential client information, which includes a client’s identity, are set forth in Rule 1.6 and its comments.  Absent certain exceptions, a lawyer “shall not reveal information acquired during the professional relationship with a client unless the client gives informed consent.”  Comment 3 explains that this Rule applies “not only to matters communicated in confidence by the client, but also to all information acquired during the representation, whatever its source.”  The lawyer must “act competently to safeguard information acquired during the representation of a client” against “unauthorized access by third parties” and “inadvertent or unauthorized disclosure by the lawyer or other persons … participating in the representation of the client.”  This duty extends to the transmission of client information.  Comments 19 and 20.  Further, a client can require a lawyer to employ security measures not required by the Rules.  Comments 19 and 20 are clear that whether a lawyer must take additional steps to safeguard information pursuant to state or federal laws is beyond its scope.

State and Federal Law

In addition to complying with the Rules, NC lawyers must also comply with security breach notification laws.  See N.C. Gen. Stat. §§ 75-61 and 71-65.  Lawyers representing lenders will also likely need to comply with the Gramm-Leach-Bliley Act (GLBA).  This Act requires that financial institutions explain their information-sharing practices to their customers and safeguard sensitive data.  Though it was held in American Bar Association v. Federal Trade Commission, 430 F.3d 457 (D.C. Cir. 2005) that GLBA does not directly apply to lawyers, if you represent an entity that is governed by GLBA, you must comply with GLBA as well as the Federal Trade Commission Privacy, Safeguard, and Disposal Rules.  GLBA requirements can be found here.

Bulletins & Newsletters

The Consumer Financial Protection Bureau’s April 2012 Bulletin made it very clear to lenders that they are not only responsible for complying with state and federal law governing the protection of NPPI, but they are also responsible for all of their service providers, third-party vendors, and supply chain vendors.  Several other agencies have released bulletins regarding this matter including: the Office of the Comptroller of the Currency, the FDIC, and the Federal Reserve. In response to the requirements regarding NPPI compliance, Wells Fargo published the Wells Fargo Title and Settlement Newsletter dated March 6, 2014 which stated that they were expanding and enhancing third-party oversight.  They stated that Wells Fargo supports American Land Title Association (ALTA) Best Practices and made it clear that those they work with need a plan in place to ensure compliance.

Best Practices for Closing Attorneys Representing Lenders

In the webinar entitled “Best Practices Boot Camp” presented by the North Carolina Closing Attorney Best Practices Task Force, Attorney Christopher J. Gulotta, Founder and CEO of Real Estate Data Shield, Inc., set forth the best practices to ensure NPPI compliance which includes the following:

  • Develop all required privacy and data security policies, procedures and plans including
    1. Information Security Plan
    2. Incident Response Plan
    3. Disaster Recovery Plan
    4. Secure Password Policy
    5. Electronic Communications and Internet Use Policy (i.e. employees should only access the internet for work-related matters and not personal use)
  • Assess your company’s risk profile
  • Educate and train your workforce (Nearly 40% of all breaches occur from an employee)
  • Secure your work flows
  • Ensure compliance of all service providers (i.e. off-site storage facilities, the cloud, etc.)
  • Implement a sound document destruction policy


Mr. Gulotta also presented his recommendations for Administrative Security Critical Controls, Physical Security Critical Controls, and National Security Critical Controls.  He advised that not only should you implement these policies, but you should inform lenders that you understand the pressure they are under from legislators and demonstrate that you have taken it seriously.  He suggests putting together a manual of policies and procedures and providing it to lenders before they request it, as lenders have identified security as their number one concern.  Mr. Gulotta’s detailed recommendations for closing attorneys representing lenders include the following:

A.  Administrative Security Critical Controls

  1. Staff Training – Have your staff sign an acknowledgement of your policies andprocedures before beginning work.  Conduct background checks of your employees.
  2. Create a Manual of Policies and Procedures
  3. Privacy Notice – Ensure any privacy notice posted on your website is accurate.Make sure the website designer has not posted something you are not living up to.
  4. Have a Shred-All Policy
  5. Implement Vendor Non-Disclosure Agreements
  6. Have a Clean Desk, Clean Office, and Clean Screen Policy – The desks at your office should be empty at the beginning and end of the day.  Any file not currently being worked on should be in a locked filing cabinet.  Only the files that someone is currently working on should be out.  If someone leaves their desk, they need to ensure any file they are working on is closed.  Privacy screens should be used on all monitors and should time out after one minute of activity.  Copy areas should be kept clean.  Employees should be trained on the use of any mobile devices.


B.  Physical Security Critical Controls

  1. Entryway Security & Sign-In Log – Have strong locks where the keys cannot be copied. Only personnel who need keys should have them.  Visitors should sign a log and you should check their identification.
  2. Clean Desk Policy
  3. Locked Filing Cabinets
  4. Security Cameras
  5. Privacy Screens
  6. Locked Offices – Offices of management or those dealing with critical documents should be locked.
  7. Shredding of Paper and Digital Media
  8. Locks on Computers – especially those near an entryway.


C.   Network Security Critical Controls

  1. Password Protection – Passwords should be a minimum of nine characters long and should use a combination of upper and lowercase letters, numbers, and special characters. A rule should be established that passwords must be changed every two to three months.
  2. Computer Screen Timed Lockout
  3. Use Various Brands of Firewalls
  4. Port Lockdowns – All USB Ports should be disabled except for those of one or two gatekeeper employees. These employees should scan any USB stick before anything is downloaded.
  5. Network Printers/Scanners – These devices are usually leased. Ensure your IT person sets these devices up to have their data deleted on a daily basis.  At the end of the lease term have a technician remove the disk and have a document destruction company destroy it and give you a receipt.
  6. Restrictive Access to Programs, Files, Etc. – Server Room should be a separate room with limited access. Employees should not be able to disable security software.
  7. Updates and Patches – Many breaches occur in between the date you receive an update or patch and the date you put it in place. Immediately incorporate updates and patches.
  8. Email Encryption – Sending an unencrypted email with NPPI is like sending a postcard with someone’s personal information on it. Call the party you are sending the secure email to and offer to walk them through it if needed.

If you are a closing attorney who represents lenders and you have not implemented or at least considered these policies, now is the time to get started.

The information in this blog was largely derived from the webinar entitled “Best Practices Boot Camp” first presented by the North Carolina Closing Attorney Best Practices Task Force on January 28, 2015.  See http://www.ncclosingattorneybestpractices.org/resources.html.

Posted by | Comments Off on Non-Public Personal Information (NPPI) and the Real Estate Closing Attorney