DGRead 19.12.15

Rocket Docket Interview Series – What Does Partner Billy Ruhling Have to Say?; What Happened on This Day in Years Past; Tis the Season to Be Savvy—Lawyers and Computers

The Basic Cyber Tool Box for Lawyers

By Zachary Deubler

It’s hard not to have your eyes glaze over when someone mentions the word “technology” and the legal profession in the same sentence. When technology experts using phrases like VPN, Block-chain, encryption, the Cloud, Artificial Intelligence, Data Recovery, lawyers tend to tune out and understandably so. However, since February of 2019, thirty-five states have expressly included knowledge of technology in the official comments for their Rules of Professional Conduct.1 Most states have adopted language similar to comment 8 of the ABA Model Rule 1.1, which states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”2 Moreover, in 2012, Model Rule 1.6 was amended to include the following section “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”3 The amalgamation of these two rules require that lawyers keep up-to-date, to a reasonable degree, with changes in technology while at the same time making reasonable efforts to prevent disclosure of client information. All of this to say, a lawyer needs to have a basic understanding of how Computers and IT play a role in their practice. 4

While we do not pretend that this article addresses all of the complex areas of technology in the practice of law, we do highlight some key areas to consider while you move into the new year. We encourage you to think about the implementation of some of the basics like VPN, Cloud File Sharing, and Data Recovery.

VPN:

Though Virtual Private Network (“VPN”) technology has been out for quite some time, there has been a resurgence of the technology in the news as of late. There are two different uses for VPN technology. The first is a VPN server, and the second is a VPN service. Though they are very similar because they use the backbone technology, their uses are totally different. A VPN server is a business solution for accessing your office files on the road through a secure connection. A VPN server is nothing more than a software program that runs on your office PC 24 hours a day, waiting for you (the VPN client) to connect to it remotely. Once the connection is made to the VPN server, you will have access to your office PC files and other resources in the office – just as if you were physically sitting in front of your computer at your physical office. VPN servers can even be used to get your iPhone, iPads, and Android phones onto your work network and access your client files. Depending on how your VPN server is set-up, it will also include all the benefits of a VPN service, discussed below. A VPN server is not simple to set-up and will require an IT contractor to come for installation and maintenance.

A VPN service is not used for accessing files, but instead, is used to protect your online activity – banking, e-mailing, and other sensitive tasks – from being intercepted and observed. A VPN service allows you to conduct sensitive online activities on public networks – such as coffee shops, trains, hotels, courts. Normally, you would avoid these public networks when working, but with a VPN service, you can conduct your sensitive transactions online knowing your internet traffic is encrypted. To use a VPN in this manner requires that you pay for a VPN service, which can cost anywhere from $35 a year to $10 a month. Though not as fully functional as a VPN server, the VPN service is a DIY project and can easily be accomplished on your own without having to hire outside help.

Cloud File Sharing:

Clients have come to expect an easy way to collaborate with their lawyers. This is due in large part because the internet has gone mainstream and enabled simplicity of services – from banking to ordering a pizza. This has conditioned consumers to expect real-time communication and collaboration. To meet this demand, the vast majority of lawyers use unencrypted e-mail as the primary means of collaboration – e-mail is the default file sharing service – with little regard to the security of the documents contained within that e-mail.5 As discussed above, lawyers have an ethical obligation to ensure that their client’s confidential information remains secure, which includes the way we send and receive documents.

First, assume the worst. Law firms may face different risks depending on the practice area, but every firm should assume that someone is trying to access your files and recognize that though some file-sharing providers can get close, there isn’t a service or company available that can ensure data remains 100 percent confidential.6 Second, educate your clients and staff that “smart” (and not easy) collaboration is the goal of a legal practice. This education can come in the form of retainer agreements and an upfront conversation at the beginning of the matter regarding the way the firm shares and receives documents. Third, and perhaps hardest of all, is stick to your plan. It will be hard to scrap the plan when the first client (or staff member) complains that they have to enter a password every time they receive a document, or that the attachment won’t open on their phone. There are a number of venders to choose from, but there are several key things to keep in mind when picking a vendor: (1) use [a] reliable company or product to feel secure with confidentiality and ease of use; (2) know from the beginning that the product you are using is in your control and is safe for the firm and the firm’s clients; and (3) understand the geographic location of the file sharing services systems, their security, and what they have the ability to do with the files that are shared via their system.7

Data Recovery:

Imagine this: An employee at a firm opens an email attachment and, unbeknownst to them, there’s a program called Cyberlocker hidden in the e-mail, searches their computer and all of the computers on their network for MS Office documents, PDF files, JPG files, and a variety of other types of files. Once this Cyberlocker finds all the files, it encrypts (locks) them with a key only known to the hacker. Now, no one can open any of the firm’s files, move/copy them, or do anything with them without a key to unlock the files. That key is being held for ransom and their data is in someone else’s control. Depending on if the firm was prepared with data backup, they could be back up and running within the same day; or they could be down for days/weeks with massive amount of work product destroyed. In fact, “the FBI has reported that law firms are often viewed as “one-stop shops” for attackers (with information on multiple clients) and it has seen hundreds of law firms being increasingly targeted by hackers.”8

The mantra of all firms, as it relates to security breaches, should be “when, and not if.” Indeed, in 2012 then-FBI director Mueller said “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”9 In 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations. A program that is tailored to the nature and scope of the organization and the data and systems to be protected. The organizations covered by it include law firms.”10

As a first step in realizing that goal, all firms should have an individual(s) designated to be responsible for developing and coordinating a security policy. For those starting out, a good basic rule is to have at minimum two back-up locations: one back-up in your office (a local back-up drive) and the second is off-site in a secure cloud (just in case the building burns down, or a power surge damages your in office computer).

Conclusion:

Follow the advice that we often give our clients, “recognize when you’re out of your element and get professional help and guidance.” We are primarily lawyers, and though we enjoy the immense benefits of the digital world that we practice in, we did not go to school to get a degree in cybersecurity or computer coding. Making sure we protect ourselves and our clients will often require that we seek the advice of the experts and work with trained professionals to ensure that we are conducting ourselves in the most efficient, and secure, manner possible. While we don’t pretend to be experts ourselves, we think that it’s incumbent upon our profession to help each other make better and smarter moves as we all progress in this ever-increasing digital universe.

 

1 Tech Competence, https://www.lawsitesblog.com/tech-competence (last visited 12/9/19).
2 ABA Model Rule 1.1 Competence-Comment, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/comment_on_rule_1_1/ (last visited 12/9/19).
3 ABA Model Rule 1.1 Competence-Comment, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/ (last visited 12/9/19).
4See ABA Opinion 477R—Securing Communication of Protected Client Information, https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.authcheckdam.pdf (last visited 12/9/19).
5 File-Sharing in the Legal Industry, LexisNexis Survey (2014) https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=2ahUKEwjG_ImDgqnmAhVlTd8KHRsiBtkQFjAKegQIChAC&url=https%3A%2F%2Fwww.lexisnexis.com%2F__data%2Fassets%2Fpdf_file%2F0017%2F46061%2Fdocument-security-report.pdf&usg=AOvVaw00yr_xnLqoMSVqzjiR28dG (last visited 12/9/19).
6 See What The Dropbox Hack Means for Lawyers, Above the Law (2016) https://abovethelaw.com/2016/09/what-the-dropbox-hack-means-for-lawyers/?rf=1 (last visited 12/9/19).
7 Law Firm File Sharing: Attorneys in Their Own Words, ABA, (2017) https://www.americanbar.org/groups/gpsolo/publications/gpsolo_ereport/2014/august_2014/law_firm_file_sharing_attorneys_in_their_own_words/ (last visited 12/9/2019). See also 2018 Cloud Computing, ABA, (2019) https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cloud/ (last visited 12/9/19).
8 2018 Cybersecurity, ABA (2019) https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cybersecurity/ (last visited 12/9/19).
9 Id.
10 Id.

DGRead 19.12.01

Cool Facts About Lawyers; Rocket Docket Update: Medical Cannabis: It’s OK, But It’s Not Legal—What Does This Mean for the Workplace?

CBD in the workplace: What does it mean for you?

by Jonathan R. Mook and Bethany Coan
DiMuroGinsberg, PC

With Virginia’s new medical cannabis laws taking effect, there are a lot of questions about the impact the use of medical cannabis products may have in the workplace. At present, Virginia’s cannabis laws are limited to CBD (cannabidiol) oils and other products with low amounts of THC (tetrahydrocannabinol, the active ingredient in marijuana). But that doesn’t mean issues won’t arise from your employees who may be using such products.

CBD oil is extracted from the marijuana plant and has made an appearance in the news recently due to its pharmaceutical properties, void of the “high” typically associated with THC. Presently, Virginia law permits cannabis oils with at least 15 percent CBD oil or THC-A and no more than five percent THC.

New Virginia laws

Addressing medical cannabis last year, Governor Ralph Northam signed into law House Bill (HB) 1251, which expanded legislation to allow Virginia doctors greater flexibility in deciding the medical conditions they deem appropriate for prescribing medical cannabis. Previously, the law limited the medical use of cannabis to intractable epilepsy.

As of July 1, 2019, Virginia law “allows capsules, lozenges, and patches, and a limit of 10 milligrams of THC per dose.” The adjusted dosage puts Virginia on the same level allowed in California and Washington state for medical marijuana use.

Despite the growing number of laws in Virginia pertaining to medical cannabis use, CBD oils, and their medicinal properties, there remains an anomaly in the state’s criminal laws. As it stands now, the laws do not legalize medical cannabis use or CBD oil. They simply provide what is called an affirmative defense to its use. Through this affirmative defense, individuals can lessen or avoid the legal penalties if they are caught and charged for illegal possession of cannabis or its lowgrade oil. So, although CBD oil doesn’t contain any of the psychoactive components associated with THC and can be found at health stores and state-instituted dispensaries, under Virginia law, it’s still considered illegal.

Impact on the workplace

What do these changes in the law mean for Virginia employers? According to the National Conference of State Legislatures, only a few states are working on addressing “the possibility of employees being under the influence of medical cannabis during the course of their employment.” Unfortunately, Virginia isn’t one of the states, so Virginia employers are left in the unenviable position of facing great uncertainty. As a result, policies regarding the medical use by your employees of CBD oil and other types of medical cannabis are basically left up to you.

With doctors having the ability to prescribe cannabis for a wider range of medical conditions to their patients, the lines become increasingly blurred for handling issues involving cannabis (in all its various forms) in your workplace. This is particularly a difficult situation since medical cannabis and CBD oil still live in a gray, but illegal, area of Virginia law. Additional legislation is being considered to address the growing field of medicinal and recreational marijuana uses more directly. But for now, there are no hard and fast rules for you to follow.

Bottom line: Proceed with care

At this point, probably the best advice is to stick with your existing policies and procedures for dealing with drug use in your workplace. First, there’s no question you can prohibit your employees from being under the influence of any drugs (as well as alcohol) that would negatively affect their abilities to do their jobs safely.

Second, if you conduct drug testing of your job applicants or employees, you can continue to do so. The level of THC in the cannabinoid oils or other products Virginia physicians may prescribe for medical use should be lower than the level that would yield a positive result in any drug testing you institute.

If for some reason an applicant or employee who is using medicinal CBD tests positive for THC, you can still verify she has been legally prescribed CBD and assess whether CBD use would prevent her from safely performing her job functions. In making such an assessment, it’s important for you to consult with an experienced healthcare provider who can advise you of the job-related impact of an employee’s CBD use. You also should contact experienced employment counsel who can ensure the steps you may take pass legal muster under the various laws affecting the workplace, including the Americans with Disabilities Act (ADA). Given the present legal uncertainty, it’s wise to make sure that before you take any job action, you have a strong factual and legal basis for your decision.

Jonathan R. Mook is a founding partner with DiMuroGinsberg, PC and an editor of Virginia Employment Law Letter. He may be reached at jmook@dimuro.com or 703-684-4333. Bethany Coan is a legal assistant who provided much valued research assistance in preparing this article.

DGRead 19.11.15

Anxiety, Stress and PTSD! HR’s ADA Accommodation and Performance Management Roadmap; Rocket Docket Update; DiMuroGinsberg Welcomes Zachary Deubler!

DGRead 19.11.01

Who’s the Best? And What Makes That So?; Rocket Docket Update; HR Comply – The Essential Employer Update to Limit Liability and Drive Success

DGRead 19.10.15

Best Boss = Great Employee = Stellar Team; Rules! Rules! Rules!; Kick the Ball

New Virginia laws: Now’s the time to comply

by M. Jarrad Wright
DiMuroGinsberg, PC

Now that fall is here, it’s a good time for you to make sure you are in compliance with newly effective Commonwealth of Virginia laws affecting the workplace. This year, there are two such laws of which you need to be aware. One affects the scope of nondisclosure agreements, and the other requires you to provide certain personnel records to your employees.

Nondisclosure limitations

The #MeToo movement has highlighted the common practice in the resolution of sexual harassment claims to require employees to keep completely confidential any information regarding the complaint that was made. This practice has come under increased criticism for covering up the wrongdoing of corporate executives and enabling them to continue their harassing and untoward behavior.

Some advocates have gone so far as to call for the ban of such agreements based on public policy grounds. Indeed, in this year alone, proposed legislation relating to limiting or prohibiting nondisclosure agreements has been introduced in 16 states.

New requirements

One of those states is Virginia, where the general assembly passed a law limiting the confidentiality requirements an employer may impose on an employee. At the beginning of this year’s general assembly session, Delegate Karrie Delaney (D-Centreville) introduced House Bill (HB) 1820. The bill prohibits an employer from requiring a current or prospective employee—as a condition of employment—to sign confidentiality agreements or nondisclosure agreements that have the purpose of concealing the details relating to sexual assault claims, including rape, forcible sodomy, sexual battery, and aggravated sexual battery.
The legislation says such a nondisclosure provision is against the Commonwealth’s public policy and is void and unenforceable. The general assembly unanimously passed HB 1820, and Governor Ralph Northam signed it. The new law became effective on July 1, 2019.

Steps to take

The law applies to new confidentiality provisions being executed and renewals of nondisclosure agreements. Nonetheless, courts interpreting the new statute are likely to prohibit the enforcement of any provision in a current agreement that doesn’t conform to the new legal requirements. Accordingly, you should review your current nondisclosure agreements, including those that may be in your employee handbook, to make sure the language could not be read as running afoul of the new law.

Also, when drafting new agreements for your employees to sign, keep the new law’s limitations in mind. Given the importance of this issue, especially in the wake of mounting criticism of—and hostility to—nondisclosure restrictions, it’s advisable to consult with knowledgeable employment counsel to make certain your agreements won’t be struck down as against public policy.

Personnel records

In the past, private-sector Virginia employers haven’t needed to provide either current or former employees with access to their personnel files or other records, nor were employees or former employees entitled to copies of their records. That was then. In July, a new legal requirement took effect. Now, under new Virginia Code § 8.01-43.1, you must provide the following records to current and former employees:

  • Dates of employment with your company;
  • Their wages or salary during their employment;
  • Their job description and job title; and
  • Any injuries sustained during the course of employment.

Upon receipt of a written request, you will need to provide the records within 30 days. The law allows you to charge a reasonable fee per page for copying the records if they are kept in paper format and a reasonable fee for providing electronic records. If you need more than 30 days, you must provide a written notice of the delay. Such written notice will give you another 30 days to comply.

Narrow exceptions

The only statutory exception to producing the required records is if the employee’s treating physician or clinical psychologist, in the exercise of professional judgment, has determined that releasing the records is reasonably likely to endanger the life or physical safety of the employee or another person. In this limited circumstance, you still must provide the records if they are to go to the employee’s attorney or authorized insurer, rather than directly to the employee. Of course, this exception is very narrow, so in most cases you will need to comply with the new law’s disclosure and production requirements.

Penalties/compliance

Failure to abide by the new legal requirement can have serious consequences. Employees can enforce the new law by subpoenaing the documents from you. If you then intentionally refuse to comply with the subpoena, you may end up in court. If the court finds you failed to follow the law, it may award damages, costs, and attorneys’ fees. That is a result you don’t want to face.

Accordingly, you should review your employee handbooks, policies, and employment agreements to ensure the provisions dealing with the production of employee records conform to the new legal requirements. It’s also important to follow the time limits for record requests. To ensure that is done, you may want to designate a person within HR who is responsible for receiving, evaluating, and ultimately responding to personnel records requests. By doing so, you will be far less likely to run afoul of the new law, especially the 30-day window to respond to a written request.

Potential legal concerns

In addition to making certain you have the procedures in place to provide personnel records to current and former employees, you need to bear in mind that the records you produce, especially wage and salary information, won’t necessarily stay confidential. The documents may well be circulated among your employees who will be able to compare what they are paid to that of their colleagues.

For many employers, this may not present any problem. There always is a potential, however, that wage comparisons will indicate disparities in what employees are paid that might create legal problems for you. For example, if most of your female employees are paid less than their male peers doing comparable jobs, the wage disparity may well indicate sex discrimination.

To avoid any potential problems down the road, now is a good time to take a look at your pay practices. If disparities exist, be prepared to provide a business-related reason for the differences. If, in the course of your analysis, you determine some of the wage disparities aren’t business-justified, then you should take steps to correct any problem. Because wage disparity issues raise potential liability concerns, consult with employment counsel about how best to deal with the situation. An ounce of prevention truly will outweigh any costs of having to defend against a charge of discriminatory pay practices.

M. Jarrad Wright is an attorney with DiMuroGinsberg PC and a contributor to Virginia Employment Law Letter. He may be reached at mjwright@dimuro.com.

DGRead 19.10.01

The Rocket Docket Interview Series—Interview with Jarred Wright; A Blind Man and a Website Part 2;Is Obesity a Disability Under the ADA?

DGRead 19.09.15

Happy Anniversary DGRead!!!; The Ultimate View From The Bench; Gun Violence—Summer of Tragedy