© 2017 American Bar Association. All rights reserved.
Sheila M. Blackford (@sheilablackford) has been a Practice Management Advisor for the Oregon State Bar Professional Liability Fund since 2005. A former sole practitioner, teacher, and marketing director in the financial services industry, she provides confidential practice management assistance to Oregon attorneys to reduce their risk of malpractice claims, enhance their enjoyment of practicing law, and improve their client relationships through clear communication and efficient delivery of legal services.
Excerpt: Chapter 2 – Safeguarding Property
Safeguarding Client Information
Trust accounting is only a small piece of safeguarding property. In the big picture, you hold much more than money belonging to your clients and third parties. Estate planning attorneys may hold original wills and trusts; real estate attorneys may hold original deeds and building permits; corporate attorneys may hold original stock certificates and corporate minute books; personal injury attorneys may hold photographs of injuries and the defective equipment that caused them, and the list goes on.
Personally Identifiable Information
No matter what your practice area, you hold client files containing personally identifiable information or sensitive personal information for each of your clients, such as name and address, date and place of birth, Social Security number (USA) or Social Insurance number (Canada), driver’s license number, passport number, account numbers at financial institutions, and credit card numbers. Personally identifiable information is information that can be used on its own or with other information to identify, locate, or contact a person. Obviously, it must be safeguarded from falling into the wrong hands, meaning that we have a duty to protect our clients’ most valuable possessions from becoming subject to identity theft.
Check with your jurisdiction regarding reporting requirements should there be a theft or unauthorized access of this protected information. For example, Rule 10-4 of the Rules of the Law Society of British Columbia has provisions on notifying the Society’s executive director should you lose care and control of client documents.
You will want to check with your jurisdiction’s bar regulatory agency as well as any statute or law that may require notification of a data breach affecting personal information. For example, Oregon’s Data Breach Notification Law, which went into effect January 1, 2016, requires business and government agencies to notify the Oregon Attorney General’s office when the personal data of at least 250 Oregonians have been compromised.
Other Information and Documents
What about other property? A fiduciary should protect property from being lost, damaged, or destroyed. Since lawyers frequently hold securities and other important documents, a professional fiduciary would keep these in a bank safety deposit box or some other proper receptacle, not in an unlocked, leaky shed behind rusting garden tools. Some have used such a shed and have been disciplined for their negligent handling of client property.
The important consideration is that the storage should be selected with care. Just putting original wills in manila folders in banker boxes in a storage room does not ensure that they will remain in pristine condition. If one lives in a wet climate, it becomes important that paper client files are stored in a humidity-controlled environment safe from mold and insects. Some law firms store original wills and other important documents in special fireproof safes instead of in a bank safe deposit box.
Be sure to keep an adequate and up-to-date inventory of all client property so that it can be located, identified, and returned. You are expected to keep such an inventory. Part of proper safeguarding is to create and maintain records of this property so that clients or third parties can be reunited with their property.
Practice Tip: Consider maintaining a scanned copy of all client documents that are in your care and store those data in a secure, off-site storage location, such as in a cloud backup, just in case a fire, flood, or natural or man-made disaster destroys the original documents.
Safeguarding Money in a Trust Account
To properly safeguard money in your trust account, keep accurate records for each subaccount belonging to clients and third parties. Be careful, anytime you write a check from your trust account, to verify that the client has adequate funds to cover the check. Never just guess about your client’s balance; verify it.
Ensuring the Money Is Actually in the Account
Be sure to wait until any funds deposited into the trust account are actually collected by your bank before making a disbursement. Otherwise you will be using money belonging to other clients. For example, if you deposit $10,000 from Mr. Jones into your trust account that held $50,000, you may think you have sufficient funds to immediately write a trust account check on behalf of Mr. Jones for $500. Your $500 check in reality is being withdrawn from the funds of your other clients because the funds from Mr. Jones have not yet been collected from his bank. This can happen when a lawyer confuses collected funds with available funds.
Whenever you make a deposit, your bank may indicate that a certain amount of money is available. It is. It was already in your trust account. “Funds are available” does not mean that your bank has received the funds from the issuing bank. The question to ask your bank is whether the funds have been collected from the issuing bank and deposited into your client trust account.
How long should you wait after depositing a check? Check with your state bar association’s ethics counsel, with a practice management adviser for your bar or law society, or with your bank. Oregon recommends the 3-5-10 day rule. Allow three banking days for a check drawn on a local bank, five banking days for a check drawn on a bank in the same state, and ten banking days for a check drawn on a bank located out of state. A banking day is when a bank is open for conducting business, Monday through Friday except for any legal holidays. This protocol was worked out with the head of disciplinary services years ago, and local banks have not seen the need to change it. As long as you have and adhere to a policy of waiting a reasonable amount of time for various checks to be processed, you should be safe from inadvertent overdrafts caused by depositing a check that was not honored by the issuing bank.
Practice Tip: Check with your local jurisdiction for best practice guidelines for developing your own protocol for when deposited funds can be used. Canadian practice advisers recommend calling your bank and following its directions with regard to how long to wait before a deposit has “cleared” the banking system to be reasonably certain that the funds are in your trust account.
Protecting against Wrongful Access
Safeguarding the money in your trust account also includes protecting the means of accessing this account. Be sure to keep your supply of trust account checks and deposit slips in a locked drawer. They can be used to gain unauthorized access to the money you have been entrusted with. Because trust accounts usually hold a large amount of money, they are very attractive to thieves, fraudsters, and embezzlers. It is a bad idea, and may be forbidden in your jurisdiction, to have an ATM account linked to your trust account.
In Canada, practice advisers recommend having your bank disable the ability to withdraw cash from your trust account via an ATM machine. Otherwise, it is too easy for funds to be wrongfully accessed.
Unfortunately, there have been instances of embezzlement of the trust account by a staff member who slips out to use the trust account ATM card to steal cash. Even if your bank imposes a limit on the cash amount available to be withdrawn via an ATM, you can get into serious trouble. If you don’t monitor your trust account closely, you embolden the embezzler to repeat the act of embezzlement, so that it becomes a habit you won’t discover until your trust account becomes overdrawn. The embezzler may be someone who comes into your office to help you with billing or may be someone who works for your bank and, from assisting you with your balance, has identified your trust account as not being closely monitored. Similarly, using signature stamps can facilitate embezzlement. It is dangerous to use a signature stamp, especially if it is not locked up and its use closely monitored. You can prove a forged signature but how could you prove wrongful use of a signature stamp? And if you engage in online banking for your trust account, be careful to have up-to-date anti-malware on your computer and use secure passwords lest a cybercriminal gain access to your trust account. We tend to worry about the security of the online banking site, when the real insecurity is in tracking malware on our computer.
Be aware of scams that involve your trust account. The use of counterfeit cashier checks is a popular way for fraudsters to steal trust account funds. Typically the counterfeit cashier check will be issued for a greater amount than necessary. The fraudster will demand an immediate refund of the funds paid in excess. By the time you discover that the cashier check is counterfeit, your fraudster is long gone with the money you refunded from the trust account. Always check with the issuing bank if there are any doubts or questions. Be on high alert for scams before a three-day bank holiday, which is a popular time for fraudsters to strike and then avoid detection until after the holiday, by which time the fraudster is long gone.
Safeguarding Digital Property
Virtually every law firm uses a computer that holds digital property and from which it will send and receive e-mail and access the Internet. Most have a smartphone containing client e-mails and contact information. Many use cloud storage or cloud-based software on a subscription basis. Safeguarding this digital client property means understanding the proper measures to take to protect confidential client information from unauthorized access or attack. Cybersecurity is a critical topic as people scramble to address the increasing danger of being hacked; being infected by malware such as Trojans, worms, and key loggers; becoming the latest victim of ransomware that holds digital data hostage until the victim pays the ransom for the decryption of locked data; or suffering the physical theft of a laptop, smartphone, or USB device.
If you elect to do online banking, it is important to consider that trust accounts frequently hold thousands of dollars and thus are highly attractive to cybercriminals. Ensure that you understand the dangers of accessing your trust account online, and take necessary safeguards to protect this account from unauthorized access. If your computer has become infiltrated by key logger malware, your password to access your trust account online could be captured by this spyware and used to steal money belonging to your clients and third parties. There has been at least one reported case of a law firm being targeted by a fraudster who was able to log into the firm’s trust account.
Using Two-Factor Authentication
Whenever available, utilize two-factor authentication by combining something you have, such as a fingerprint, iris scan, or USB key, with something you know, such as a strong password or passphrase. You have been using two-factor authentication for years every time you have used an ATM machine: you must insert your physical ATM card and key in your PIN number before you can withdraw cash, make a deposit, or check your balance. You may also be using a two-step verification system such as Google Authenticator, which works with your Google Account and requires both a password and a code that the system sends to you as either a text message or an automated voice message. You may think this is equivalent to wearing a belt and suspenders; it’s more equivalent to being tech savvy.
Staying Current with Technology
It is our ethical obligation to understand the technology that impacts our ability to provide competent legal services to our clients. Consider becoming actively involved with the ABA Law Practice Division to stay current on technology through informative articles, books, continuing legal education (CLE) classes, and the annual ABA TECHSHOW. Check the Resources section for further information.
Staying current with technology is important for attorneys in the United States and Canada. In the United States, Comment 8 of ABA Model Rule 1.1, Competence: Maintaining Competence, provides the following:
 To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
In Canada, the Model Code of Professional Conduct of the Federation of Law Societies of Canada states in its preface:
The practice of law continues to evolve. Advances in technology, changes in the culture of those accessing legal services and the economics associated with practising law will continue to present challenges to lawyers. The ethical guidance provided to lawyers by their regulators should be responsive to this evolution. Rules of conduct should assist, not hinder, lawyers in providing legal services to the public in a way that ensures the public interest is protected.
Safeguarding confidential client information means evaluating each situation to decide on the best practice under the circumstances. For example, you may use encryption programs such as PGP (Pretty Good Protection) or Symantec’s Desktop Email Encryption when you are transmitting confidential information by e-mail, or VIIVO or Boxcryptor before storing client documents and files in cloud storage sites such as Google Drive, Dropbox, OneDrive, iCloud, and Box. Or maybe you want to turn on BitLocker, Microsoft’s native file encryption program, which allows full disk encryption to protect your client data in case your Windows laptop gets lost while you are traveling, or turn on FileVault to encrypt the startup disk on your Mac. There are many products available in all categories of encryption programs. Look for current reviews before making up your mind about what available program is best for your needs, whether it is encryption for e-mail, full disk, or cloud storage. You have options.
Knowledge of encryption starts with understanding how it works. Encryption is the conversion of data into an unreadable format known as ciphertext that requires the use of a secret password or key that enables the ciphertext to be decoded or converted back into readable plain text. There are two categories of encryption: asymmetric and symmetric. In an asymmetric system, each party has a public key and each has a private key. The lawyer sends data encrypted with the recipient’s public key. The recipient uses her private key to decrypt the message, and then uses the lawyer’s public key to encrypt the reply so the lawyer can decrypt it with his private key. Conversely, the symmetric system utilizes just one key, a private key, for both encrypting and decrypting the message.
The first use of encryption has been attributed to an Egyptian scribe who in the 1900s b.c.e. used nonstandard hieroglyphs in a secret inscription. It is still considered one of the most effective ways to ensure data security. But do more than secure data from unauthorized view or access; you have to secure it from complete destruction by having a secure current backup of your data.
If you use encryption, use it consistently. Dave Bilinsky, practice management adviser with the Law Society of British Columbia, once shared that a lawyer used to back up data on an encrypted portable hard drive. The lawyer forgot the hard drive one day and backed up the firm’s data to an unencrypted flash drive, which was then lost. “A hard lesson to learn,” said Dave, “and one that you don’t wish to repeat.”
Trust but Verify
To safeguard digital property, you must be consistently diligent about securing it in all its forms. For example, smartphones are too often left unlocked so that they can be used quickly. And though many lawyers have backup systems in place for their computers, they trust instead of test. It is very important to conduct periodic test restores to check that your backup system is working.
Murphy’s Law and the Blank Backup
Some law firms have found that there was a malfunction of the backup system when they needed to restore their data to the most recent backup. One firm discovered that the backup tapes locked in its vault had been blank for the past six months. No periodic test restores alerted them to this disaster. What can you afford to lose? You may want to back up daily and perform test restores weekly. One busy lawyer protested the cost and hassle of backing up her computer. She called me the next week and shared that her computer crashed but thanks to Carbonite, she was back up and running in fifteen minutes.
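One way to automate the periodic test restore described above, shown here as an added example that is not part of the book: record a manifest of file sizes and SHA-256 hashes at backup time, then compare every test restore against it. The function names, file names, and sample contents are hypothetical and constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Map each file under root to (size, SHA-256). Record this at backup time
    and keep it somewhere other than the backup media."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            manifest[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def verify_restore(manifest, restored_root):
    """Check a test restore against the manifest; return a list of (problem, file)."""
    restored = build_manifest(restored_root)
    if manifest and not restored:
        return [("empty-backup", "*")]  # the "blank tapes" case: nothing came back
    problems = []
    for rel, (size, digest) in sorted(manifest.items()):
        if rel not in restored:
            problems.append(("missing", rel))
        elif size > 0 and restored[rel][0] == 0:
            problems.append(("blank", rel))
        elif restored[rel][1] != digest:
            problems.append(("corrupt", rel))
    return problems


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample: three client files, one good restore and one damaged restore."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "client_files")
        write(os.path.join(source, "jones", "will.txt"), "Last will of Mr. Jones (sample)\n")
        write(os.path.join(source, "deed.txt"), "Deed, lot 12 (sample)\n")
        write(os.path.join(source, "ledger.csv"), "client,balance\njones,10000\n")
        manifest = build_manifest(source)

        good = shutil.copytree(source, os.path.join(work, "restore_ok"))
        bad = shutil.copytree(source, os.path.join(work, "restore_bad"))
        write(os.path.join(bad, "jones", "will.txt"), "")       # restored as zero bytes
        write(os.path.join(bad, "deed.txt"), "Deed, lot 13\n")  # contents differ
        os.remove(os.path.join(bad, "ledger.csv"))              # never restored
        return verify_restore(manifest, good), verify_restore(manifest, bad)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    ok, damaged = demo()
    print("good restore:", ok)
    print("damaged restore:", damaged)
```

An empty problem list means every file came back intact; any entry means the backup could not have been relied on that day.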
Have a policy that provides clear directions about handling all things digital. It should cover how to identify something suspicious and how to handle the malware that shows up in your inbox. You will find it extremely helpful to have protocols in place about dealing with unexpected attachments and hyperlinks in e-mails purporting to come from clients, colleagues, or companies, and train your staff to follow these protocols.
Using Strong Passwords to Protect Data
Another important way of safeguarding confidential information requires using strong passwords of 14 to 16 mixed-case letters, numerals, and symbols; changing them on a 30- or 60-day basis; and using a unique password for each required login. Too many people use the same passwords for multiple applications and do not change them frequently or at all. Using a passphrase may enable you to follow guidelines. For example, the phrase “My first car was a Mustard Yellow 1971 Volvo!” becomes the 15-character passphrase M1stcwaMY1971V!
Securely Storing Passwords
There are always too many passwords to remember, and it is not safe to write them down and keep them next to your computer or on a Post-it note under your keyboard. It is helpful to use a secure password wallet or password manager, such as LastPass, KeePass, 1Password or Robo-Form, or Keychain on a Mac, especially if it can generate sufficiently random passwords to use for websites. Writing passwords down in a notebook that you lock in a drawer or safe at night before going home is a dangerous practice because sooner or later the notebook will be lost or left out.
More about Cybersecurity
The days when we locked the outer door to our office and went home confident that client property was adequately protected are long gone. To learn more about cybersecurity, see the excellent resource Locked Down: Practical Information Security for Lawyers, Second Edition, by Sharon D. Nelson, David G. Reis, and John W. Simek (American Bar Association, 2016).