Quimbee logo
DMCA.com Protection Status

Ethically Safeguarding Your Practice

4.8 out of 5 Excellent(16 reviews)
Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49
Play video

Ethically Safeguarding Your Practice

Given the rise in more employees working remotely, constant changes in technology, increases in data breaches, and the rise in more frequent employee turnover, knowing how to safeguard your law practice - both internally and externally - has become increasingly important. Lawyers also tend to me immersed in the practice of law and not in the practice of protecting valuable data - not just client data - but the lawyer's own work product and intellectual property. It is more critical now then ever to know how to safeguard such valuable assets.


Colleen Quinn
Quinn Law Centers


Jillian Kuehl - Welcome to Quimbee CLE. Today we're here with attorney Colleen Quinn, who's gonna speak with us about ethically safeguarding your practice, both externally and internally. Colleen is the founder of Quinn Law Centers, where she practices personal injury, medical malpractice, employment law, family formation, and estate planning law. In today's program, Colleen is gonna teach us what the risks are in everyday operation of a law practice and how to both protect against and mitigate those risks. Welcome, Colleen.

Colleen Quinn - Thank you, Jillian. Happy to be here.

Jillian Kuehl - I'm so excited to have you.

Colleen Quinn - Thank you. Happy to talk about this topic. In my 33 years of practice, a lot of what I'm talking about today comes from kind of oops moments and things I wish I had done differently in my law practice, including, I recently separated from my former law partner and formed my Quinn Law Centers. So when we talk about safeguarding your practice, a lot of this is very personal to my own story as we go along. So we're gonna kind of launch into this topic, and I just have to tell folks that I am not an IT-type person. I have a background, my double major at William and Mary was in English and philosophy. And then, of course, I'm a lawyer. And you mentioned the areas of my practice, none of which are in any sort of technology fields. And so this presentation is not gonna get overly complicated.

But one thing I have learned is that we have an ethical duty to be aware of evolving technologies, and that is now being required of lawyers like me that are technically incompetent or incompetent when it comes to technology. So it's a struggle in many ways. Especially folks that are baby boomers like myself that don't have, didn't grow up with today's current technology either. So that's kind of my caveat. If I can learn it, so can you, okay? So the first thing we're gonna talk about is internal. We're gonna talk about internal safeguards. And we're gonna talk about planning, associate and staff theft. And if we think about vulnerable items in the office, you know, we typically, firms have credit cards. There's credit card usage. There's also access to check writing and trust accounts. Access to forms, contracts, questionnaires, system processing-type checklists and other documents that essentially are work product and are developed as part of a lawyer's practice. Our staff and associates have access to our feeder and client and marketing lists, which are things that have been developed and have value.

The client files. Access to marketing materials and access to research memos and briefs. I have one brief, it's a contested adoption brief that continues to morph and develop, but a lot of my clients have paid a lot of money that has gone into that brief. It's a valuable document in that regard. So if we think about things of value in our office, not just things like the furniture and physical things that, you know, pens or whatever that can be stolen. But if we think about some of the other, especially intellectual property-type stuff, we have things that do need to be safeguarded. And so I encountered in particular credit card theft. I had a paralegal use my firm credit card to run her deadbeat dads side business after she left the firm.

Jillian Kuehl - Oh no.

Colleen Quinn - So she had been running this business and basically used my credit card to do these, use these search engines to find these deadbeat dads that people were paying her to find. And so what I learned from that... And then after she left, I got this massive bill on my credit card for this business that she was running and did not know about it. And so she essentially moved to the other side of the United States. And so trying to sue her or go against her or whatever. And at that point, this was, it wasn't on my Amex or something where you could dispute the charges. I mean, these were charges. She had authorized on my card because I allowed her to use my firm card. And so it's really best not to let your paralegal have credit card information, unless you have a really, really trustworthy paralegal. And also if they're gonna have credit card or credit card information to put a limit on that, maybe $500 cap, $250 cap, if they definitely have to have the credit card.

So we wanna also check your statements regularly so that you know what is being put on the credit card. And you basically wanna let the staff person know that if there's any authorized use, unauthorized use, excuse me, that they could potentially be terminated for anything. So everything needs to be approved in advance if they're gonna put it on the credit card. And my mistake too is I probably should have canceled that credit card when my paralegal left so that she couldn't have used that credit card information after she left, which was another mistake that I learned from that. But credit card use and allowing access to the credit card is definitely something that we wanna be aware of and be very careful about. So. I think there are some other areas with regard to theft. Some other vulnerable areas. And one of those is actually kind of illustrated by an example of one of my colleagues.

So I had some academy colleagues, The Academy of Adoption and Assisted Reproduction Attorneys, that ran a surrogacy program. And they were all attending an annual conference with us. There were three attorneys, and they had a bunch of social workers that worked with them on their surrogacy program. And during the conference, they learned that their entire staff had left and took all the clients with them.

Jillian Kuehl - Oh my God.

Colleen Quinn - And took, yeah. And took the intake processes, the surrogacy contracts. And it was a real debacle because these were three attorneys that were integral to the academy. One of 'em had a very high profile leadership position. And I remember all being in the lobby of the hotel hugging them and everything 'cause in the middle of the conference they're... I mean, we walk out the door. And so they had to beat it back to their home state to try to rectify things, to try to get ahold of clients and say, "Hey, don't leave, stay with us," et cetera. And so that was a very learning experience in that regard. And so there are certain measures that can be put in place to prevent that from happening. One of 'em is having employment agreements for the staff with confidentiality provisions, nondisclosure provisions, non-use of property, return of property, non-solicitation and non-compete provisions. There are agreements that could be put in place with regards to associates that we'll talk a little bit in a moment about what, how lawyers have to be treated a little bit differently than staff because there's certain rules as to lawyers versus staff. And then the other thing is copyright contracts, et cetera, but you've gotta also check your state law to see what is exactly permissible or not permissible in that regard.

Jillian Kuehl - And what are some of the most common provisions in employment contracts?

Colleen Quinn - That's a great question. So of course we wanna kind of explain what the job position is and what the duties of the position are, what the term of the employment is. Is it at-will employment? Typically, it's gonna be at-will employment. It's not gonna be termination for a cause. It's gonna be termination at-will. We wanna spell out what the compensation is gonna be. But then, in addition, we wanna look at the non-compete and non-solicitation and the confidentiality and use of information terms that are in the agreement. So the tricky thing here is that usually lawyers in a private practice cannot be subject to a non-compete. And what the American Bar Association has said is that, in the context of lawyers seeking employment with private law firms, the model rule of professional conduct, 5.6, restrictions on rights to practice, that prohibits lawyers from making a partnership, shareholders operating agreement, employment or other similar type of agreement that restricts the right of a lawyer to practice after termination of the relationship, except an agreement concerning benefits upon retirement. Or you also can't have a lawyer enter into an agreement in which a restriction on the lawyer's right to practice is part of the settlement of a client controversy.

So we have this very clear rule, model rule of professional conduct, that basically says you can't restrict lawyers. And that includes them being subject to a non-compete arrangement, which becomes a little bit trickier. And that is really subject to private practice. There are other rules with regard to outside of private this. So this is limited to private practice. But the ABA prohibition specifically prohibits non-compete agreements, and that's intended to protect the attorneys' professional autonomy and to ensure the freedom of clients to select counsel of their choice. And almost every state has adopted the same or similar version of that rule in their local rules of professional conduct for the lawyer. So Jillian, I think when we look at employees versus attorneys, it's a little bit different because the staff can be subject to a non-compete. But when we do have staff that is subject to non-compete, there are certain rules that go into whether you have a legitimate non-compete or not. And so one thing that we need to be aware of is if you are gonna put staff under a non-compete agreement, it has to be supported by adequate consideration. It can't be overly broad in geographic scope. It can't be for too long a period. One year is safer than two years. And it can't be overly broad in the nature of the restriction. In other words, you could have a paralegal that I've trained, say I've trained them in surrogacy law, or I've trained them in employment law. And I can say they can't go practice for somebody within a 50-mile radius in a year as a paralegal. But I can't say they can't go work as a janitor for an employment law firm, if that makes sense. So I've included in the materials some sample non-competes for employees, which basically spell out some of the restrictions. And some of the language that gets a little bit trickier is where we talk about the employee directly or indirectly competing. We have to be really careful about using the indirect language because the direct competition is gonna be more enforceable than when we throw in the word indirect. I did throw in the word indirect in the sample, but I just wanna point that out, that a narrower restriction would be to say that if they directly compete.

So by way of example, I give access to an employee, a paralegal that has access to all of my gestational carrier agreements, embryo donation agreements, et cetera, in my family formation practice. That's a real niche practice, and we copyright everything. If they then go and work for a direct competitor in that same field as a paralegal, I can lawfully restrict them from doing that, say, within a 50-mile or 30-mile radius, at least for a year for them to do that. And that's one way of safeguarding your practice, but we're gonna also talk a little bit more about, in addition to the non-compete, other provisions that we want to have them be subject to. And so it's gotta be in the non-compete. You kind of gotta spell out the value that you have put into the work product and the ownership that you have of that work product. And then the other thing is to spell out that you have given that person training and access, and that you may even want, in terms of "adequate consideration," to offer to pay for them to attend certain seminars or programs, or to give them a bonus at the end of the year. So that it's very clear that you have provided adequate consideration to them in exchange for them having access to that specialized knowledge. Does that make sense?

Jillian Kuehl - Yeah, I think that makes a lot of sense, and it isn't something that I necessarily would've thought of to make that enforceable, I guess. So you'd be sending them to training. A lot of people just think, "Oh, I'm gonna send them to training because it's helpful," but this is helpful to you in a whole different way.

Colleen Quinn - Right, right. But the thing is you don't wanna send them to training to get them trained in your area of practice, you know? Whether that's employment or family formation or whatever, and then they can go apply for a job with a direct competitor and say, "I've been working for Colleen Quinn, "and I have access to all her systems and all her documents. "And if you pay me X amount, I'll come work for you, "and I'll bring all this stuff with me." I mean, that's pretty scary.

Jillian Kuehl - Yeah, it's very scary.

Colleen Quinn - Right, but that paralegal then has that sort of leverage if you don't really safeguard yourself. And I had another associate, I've had two lawyer friends who have had associates leave and take a lot of the work product with them. So that's a little bit different than the non-compete. So we're gonna talk about that in a minute. In the rest of the materials, there is a pretty lengthy sample non-compete. And in there I also say that adequate consideration includes year-end bonuses. And there's a lot of good language in there that supports this full and "adequate consideration," including sending them to training, that sort of stuff. But you do wanna make sure that if you're gonna put these in place, you use the right language so that a court will make it enforceable, and it will be enforced in that regard.

Jillian Kuehl - Colleen, what about confidentiality provisions? If lawyers are moving, are they subject to those? And how are those different from non-competes?

Colleen Quinn - Yeah, that's a great question. So the staff can be subject to both confidentiality provisions. Also non-use provisions, non-disclosure provisions and non-compete provisions. Associates, lawyers, can't be subject to the non-compete, and you can't restrict them if a client wants to go with them. But you can ask them to sign a confidentiality provision as well as non-disclosure and non-use type provisions. And it's important to do that, to protect your intellectual property as well because in order to be able to claim intellectual property, you have to show that you have taken all sorts of measures to safeguard that property. And so I've gotten the materials, a sample confidentiality provision, as to client information. So that safeguards kind of client lists. I mean, I have on my client list, I probably have like about 5,000 clients with all of their emails and addresses. I mean, that is valuable because if I send out an announcement that, "Hey, I've just formed the Quinn Law Centers, "and here's my practice." And then I am able to use that. I mean, people pay good money to buy marketing lists. You have to purchase those lists.

So the first sample I have is that you agree during the employment, you're gonna be privy to confidential client information, information that might be protected by the attorney-client privilege. And that you're gonna be bound by the requirements of confidentiality and not divulge the names of any clients or any detailed information. That's also important too, just for the clients to know that their information is protected. Their social security numbers, their phone numbers, their dates of birth, financial information that they might share. Confidential information about their particular case. They might have very personal information that's in the client file. So we wanna make sure that the clients know that they're protected, that our staff all signs these confidentiality provisions. And then the next thing is also not misappropriating or disclosing or making available for anyone for use outside the law firm's organization any of the, not just the client data, but then also any of the systems that are in place, the processes that are in place, the forms, the templates, any of the actual work product, briefs, research, contracts, just all of those things. And then in particular, the actual client lists themselves. We wanna make sure that those all fall under the confidentiality provisions. And so in the materials, I've got a very lengthy nondisclosure of confidential information that also talks about... Again, you want to put in there that, you want to show, that you have ownership of this material and that it's worth something.

So in the materials, the language includes, "employee understands and agrees "that any non-public information about the law firm "or the law firm's clients is the property of the law firm "and is essential to the protection of employer's goodwill "and to the maintenance "of the law firm's competitive position, "and accordingly should be kept secret." And then I list out what that information will include. "That information shall include, "but not be limited to information "concerning the law firm's marketing materials, "plans, proposals, pricing structures, "client lists, potential client lists." So those clients you're targeting. "Feeder or relationship lists." So could also include folks that are, you're connected with, that are sending you cases. "Sources of business, forms, system processing information, "pleadings, research, briefs, contracts, "strategies for development, marketing or advertising, "and any copyrighted materials or other confidential "or proprietary information belonging to the law firm "and relating to the law firm's affairs." We wanna make it very clear that we are covering everything that that law firm owns and that they have worked so hard to try to put together. And then you also want to have a return of property provision in the employment agreement. So that it's very clear anything that the law firm owns has to be returned and nothing can be kept. Because in these cases, what will happen is a staff person or a lawyer will, you know, they'll download everything and try to take it all with them. And so you wanna make it very clear that the employee acknowledges and agrees that the records, files, reports, computer diskettes, software, client files, any information. And then you list out everything again. The briefs, the pleadings, the PowerPoints, everything. Or anything that was developed or as part of the law firm. And even the things that the employee helps to develop, create or come into possession of during the employment needs to remain the sole property of the law firm. And so you have to be very clear, especially with associates who might be drafting briefs, who owns that brief? Me as the law firm I own it because I'm paying you to draft it.

Now, if you leave and you wanna use something as a writing sample, then we need to make sure we have an agreement about that. If you leave and you want to use a PowerPoint that you created, but you create it on my dime, me paying you to, directing you and giving you guidance on that, then we need to work out a separate agreement. Yeah, you could take that particular item with you. And I even have this, I have an internship program I've had since 2004. So all of my interns sign nondisclosure, non-use agreements, confidentiality agreements, and return of property. And we tell them because a lot of them will want to use some of the things they've done over the course of the internship. They will want to use them as writing samples. And so we'll say you need to get permission for any writing samples.

And I need to review that writing sample. We need to make sure that there are no client names in the writing sample or private information about the clients, but we also wanna make sure there's not information about the client's "situation," like their story or whatever that's in that writing sample that might reveal who that client is, you know? And so we might actually have to change some of the facts or the details and make it a more "fictional" writing sample in order for them to use that type of writing sample. But it's really critical 'cause I don't want a client to find out that a research memo that was in their case, that talks about the specific facts of their situation. Maybe it's an employment situation, where there was a sexual assault. And there's detailed information about what that sexual assault is, and there's detailed information about that employer that might, you know, somebody might be able to figure out. So we've gotta make sure that we kind of make it more general. And so I make it very clear. I just, before starting this program, I got off the phone. I was interviewing somebody to be a part-time intern. And I said, "You're gonna be subject to a non-disclosure, "a non-use agreement, et cetera. "Do you have any problem with that? "Because I've worked really hard to develop all the systems "and things that I've put in place with my practice. "And so you will be subject to that agreement." So we wanna make it very clear in advance that they're gonna be subject to that type of document.

Jillian Kuehl - No, I think that's smart and that makes sense. And now, unfortunately, you are gonna have employees leave, it happens. So what about non-solicitation provisions? How do those work?

Colleen Quinn - Yeah, so it's tricky. Again, here you have a divide between how you treat a staff person, such as a paralegal or an administrative assistant, versus how you treat an associate. So non-solicitation, it involves non-solicitation of employees, and there's also non-solicitation of clients. And so basically you can have the employee agree that following the termination of their employment, they cannot directly or indirectly solicit or induce or attempt to solicit or induce any present or future employee of the law firm to leave the law firm for any reason whatsoever or hire any individual employed by the law firm. And that can be enforceable as to staff. Same thing with staff. You could have non-solicitation of clients. And you can basically tell the staff person that they, have them agree that they cannot try to solicit away clients or prospective clients. However, it's different with attorneys. With attorneys, you very clearly, under all the model rules of professional conduct, ethical rules. You very clearly can't tell them that they can't take clients because it's the client that gets to decide. And so if the client really likes that associate, has developed a good relationship with them, then that client is free to go with the associate. And in fact, when an associate leaves, most states require that a joint letter go to the client that basically says, "Jane Doe has left the firm of Quinn Law Centers. "And you have the choice of staying with Quinn Law Centers "or going with Jane Doe. "Please check the box below with regard to "who you want to keep your file "and who you wanna continue your relationship with." And so we cannot restrict lawyers with regard to not soliciting the clients because it's the client's choice. The client gets to decide.

And even with paralegals leaving, but that gets a little bit trickier. A client could become very attached to a paralegal. And as long as the, even if the paralegal's under a non-solicitation of client agreement, if the client is the one, it's clear that the client chooses to go with that paralegal, then we can't enforce that particular provision. On the other hand, if the paralegal is trying to unlawfully solicit the client on the side or whatever, then that could be enforceable as long as it's very clear that they're trying to woo the client away, as opposed to it being driven by the client's initiative. Same thing too on the employee piece. If a paralegal leaves and is trying to recruit another paralegal out of my practice, and I have them having signed a non-solicitation of employee agreement, I've got a pretty good shot at stopping them and saying, "You're in violation of your non-solicitation "of employee agreement." However, if that paralegal that's still with me has become super good friends with the one that left, and she of their, or he or she, of their own accord choose to leave, I can't do anything about that because they have, that's a personal choice. And it's the same thing with the attorneys. Oftentimes an associate will have their own paralegal, and if the attorney leaves and that paralegal says, "Well, I wanna go with Jane Doe. "She and I have yinged and yanged with each other "for several years now, and I wanna go with her." Then there's really nothing that I'm gonna be able to do with regard to that paralegal leaving and going with Jane Doe. That's gonna not be something I'm gonna be capable of enforcing because that paralegal has that right, and that option to go ahead and leave with Jane Doe, if that's what she wants to do.

So the non-solicitation of clients can apply to staff, but will not apply to lawyers. Clients get to choose who they want to go with. The non-solicitation of employees. You can try to bind both staff and even a lawyer by that, but ultimately an employee that leaves, it's up to them whether they want to leave. The main thing that you're trying to control though, is a staff person or a lawyer that leaves trying to aggressively recruit somebody away from you. And so that can have a little more teeth to it, and you should at least put that type of agreement in place.

Now, all of these provisions, you want to have an injunctive relief provision. And so I've included that in the materials. You wanna make sure that you have the right to immediately go to court and immediately enjoin or stop whatever that staff person or that lawyer is doing. And so having an injunctive relief provision is really important, but you don't wanna just have the injunctive relief provision. You also need to act on it, and you need to act on it quickly. I have a case right now with an employment client who is, there's some issue of whether he's in violation of his non-compete, we've been trying to work it out. And basically as time goes by, more and more and more and more time goes by, and his ex-employer does not do anything to act on seeking injunctive relief. Well, the less a court's gonna enforce that. Because basically you're saying that this is a threat to my practice, and this is going to harm my practice. And so if it's gonna harm your practice, you need to move on it fast. You need to go ahead and get that injunctive relief fast. The longer you wait, the less the court's gonna think that you're being harmed or that you're subject to harm. So you wanna move on them really quickly.

And then you also wanna have a provision. And I've given that in the materials. You wanna have a provision that, if the period of non-solicitation or non-compete is gonna be for a year and they've gone and they've been violating that for, say, several weeks before you get into court. Well, you want those several weeks to be tacked on to that year. So I've got a provision in there that basically says that the restrictive period will be extended by the time which they've been in breach of the agreement. So you also wanna have a reasonableness of restraint provision, which is basically that the parties agree that the restraint or the restrictions are reasonable and will be enforceable. And that basically they're reasonable because of the investment that I have put into training my staff, cultivating my client base, those sorts of things.

So you wanna have a reasonableness of restraint provision, and I've included that in the materials. And then you also wanna have what's called a restrictive covenants of the essence provision. And what that provision is, is it's basically saying that the restricted covenants are of the essence of this agreement, and they shall be construed as independent of any other provision. And so you basically want to have a specific restricted covenants of the essence and say that "the law firm will at all times "maintain the right to seek enforcement of the provisions, "whether or not they've previously refrained "from seeking enforcement," and that you, even if they violate one and you let that go, you still have the right to enforce a subsequent violation of another provision. So that's another provision to include. But I always recommend that if somebody's in breach, you do wanna try to move on it as quickly as possible and seek that injunctive relief. And then finally you wanna have an attorney fees and cost provision. So you want to say that if they are in breach, that you are entitled to get your attorney fees and costs, if you do prevail in seeking enforcement and the judge agrees that your provision should be enforced, then you have the right to get attorney fees and costs as a result of the breach by that staff person or that attorney.

Jillian Kuehl - Great. And so what about protecting your documents and copyright of documents? How does that work?

Colleen Quinn - Yeah, so I started copywriting my gestational carrier agreements when I had clients approach me, potential clients approach me, and say, "Oh, we already "have our gestational carrier agreement in place. "And all we need you to do is the parentage action "or get us the birth certificate." And then I would say, okay, 'cause in Virginia, as part of our process for family formation, we have to use the contract as part of the process to get the birth certificate. And I was being handed my own contract. Like I was being handed my own contract that it was like a version of it from five years ago. It wasn't the most up-to-date one. But what I was finding is that basically my essence of a contract. Each one changes depending on the circumstances, but the base contract was out there on the internet and being used. And so I started realizing I need to protect this, and I need to copyright it and prevent the misuse of what is intellectual property. And it's something that I've worked on, and I've developed over time and continue to develop over time. And I had debates with my colleagues in the Academy of Adoption and Assisted Reproduction Attorneys and also in the ABA Assisted Reproductive Technology Group. We've had debates about this. And I really think I've convinced most everybody because now more and more of my colleagues are having misuse of their contracts and finding that, oh, that somebody that had access to the contract because they were an egg donor or a sperm donor or an embryo donor, whatever, they had access to that contract, a gestational carrier or surrogate. And then once they decide to go through that process again is now reusing the contract. And so by copywriting it and saying that you could be prosecuted for illegally using this contract, we're stopping or hoping to stop the misuse.

So it really started more so with misuse by the public in general. But we also have to be concerned about... I have two colleagues that have had associates leave and try to take their contracts with them. And so by copywriting, it also protects against, internally safeguarding as well as externally safeguarding, that work product, which is really important, especially for unique types of work product. And by putting that copyright provision on there and then doing the other measures to try to safeguard, that becomes really important. We even had, it was crazy. I had one gestational carrier who sent me the contract, told me she was represented by this other lawyer. It was my contract. And I knew that lawyer had just started out in practice and had not developed her own contract. Picked up the phone, called that lawyer's supervisor and said, "This woman says she's represented "by your associate and has sent me basically "what is my contract. "And she's saying the contract's already in place." And I was gonna represent these intended parents that she had matched up with. And she was trying to say they didn't need to spend money on legal fees because she already had a contract all ready to go. Turns out that the lawyer she named in the contract, she had never contacted. And that associate was ticked off when she found out her name was being used. And that this woman was saying that she was represented and that this contract had been prepared by this other lawyer, which all she had done is she had taken my contract and essentially used it. And then she didn't even realize it was my contract, even though it was copyrighted. And I put the copyright provision at the bottom. And it was just like, "Honey, you've stolen this contract." And then she disappeared. And we never heard from her again.

So, but that associate and I, we, and her supervisor, we continue to laugh about it. But then we're also like, yeah, we definitely need to make sure that we're keeping these copyright provisions in place. And so I've included in the materials both the copyright symbol, sample copyright provision, and then at the bottom of the contract, you wanna put the copyright provision. You wanna say, "Copyright, Colleen M. Quinn." Date, or month and date, and then you wanna have a sample copyright provision in the contract itself. And so I've included a sample of what that looks like. And you wanna make sure that you put it at the bottom of every single page on that document as well. So it's very, very clear that the entire document is copyrighted.

Jillian Kuehl - So aside from documents, what about other intellectual property at the firm and how would that protection work?

Colleen Quinn - Yeah, so this has reared its ugly head recently on a personal note. So I, my practice, it's been an evolving practice, and I was with a mid-size law firm. And I was doing employment and insurance defense work. And then that switched over to employment. And we say we "defected" to the other side because we fired our insurance clients, and we switched over to doing personal injury work at that time. So I was doing personal injury work and employment work. And I had started this adoption practice, when I first got out in practice in 1989. And then it's kind of evolved into the surrogacy practice. So when I left one firm and went to this mid-size firm in downtown Richmond, I said, "Can I keep doing this adoption and surrogacy work?" And they're like, "Yeah, sure, you can keep doing it." You know, they saw it as kind of a little frivolous fun practice on the side, and I kept developing it. But when you went to the firm website, you either went right or you went left. You either went to the corporate section, or you went to the personal injury, medical malpractice side. And there really wasn't a place for my adoption and surrogacy work. So we had this little button for like a family law spot, and you didn't go right or left. You kind of went up, and it was a little bit hidden.

But what I realized is that if I was gonna build out that practice, I needed to have my own website, my own site lit. So I developed the Adoption and Surrogacy Law Center, and I registered a fictitious name certificate for the Adoption and Surrogacy Law Center, purchased the domain names for that. Began to develop the SEO, et cetera. And so you would actually, you could actually access that site lit outside of the law firm, or there was a couple of ways through the law firm website you could get to it. But I developed that as my own site lit and developed my own Adoption and Surrogacy Law Center. Well, kind of liking that concept, I then developed a Woman's Injury Law Center as part of my personal injury and employment practice. And so I, again, purchased the domain name, started to build out website content, et cetera, for the Woman's Injury Law Center. And then things were getting rocky at that firm. There were a number of people leaving. It was looking like the firm was gonna implode. And I was working with this executive dialogue group with the National Association of Women Business Owners, the local chapter that I belong to. And I... People were finding Colleen Quinn, the adoption lawyer, but they were being referred to me for my personal injury or employment practice, so they're like, "Do I have the right lady?" Or they're being referred to me for adoption work or surrogacy work. And they're finding the personal injury employment lawyer. And they're like, "Do we have the right lady?"

So I formed the Quinn Law Centers as kind of an umbrella over the centers. And then I formed a third center called The Personal Injury and Employment Law Center. And when that firm blew up, I had my own website, the Quinn Law Centers, that I could bring to another law firm. So I came to a new law firm, and I said, "I've got these centers. "They're gonna stay on a separate WordPress platform. "But what we can do is we can kind of "integrate it into the law firm site." So somebody goes to what was the Quinn site. They click on the adoption button. It spits them over to the adoption servicing law center. So I formed these Quinn Law Centers as my identity. Well, recently I got into a dispute with my ex-partner over the separate website, and he wanted me to take everything from my website and move it to the firm platform. And I said, "I'm not doing that. "This is my intellectual property. "It's what I've worked on for years and years. "I've paid 25 to 30 grand in website development on it." And you can't just take the words and move them. I mean, it's an integrated website that has 20 years of SEO now, and it's got keywords, it's got domain names. It's a living, breathing animal. It's not just something you take, and you plunk the words to another spot.

And plus I have an associate that wants to take over the Adoption and Surrogacy Law Center. So she wants to own that. So what I've learned... And so now I've formed the Quinn Law Centers, and I've got my own new logo and everything, but we're still having a little bit of a dispute over the Adoption and Surrogacy Law Center piece. And so I have my fictitious name certificates for all of my centers. I recently formed another one called The Family and Estate Planning Law Center. So I've got fictitious name certificates for all of those. I've got domain name ownership for all of those. And I make sure that I am protecting, I mean, I'm making sure that my interns sign non-disclosure agreements and non-use, and my associates do as well. And what I have learned from this experience is I should have had a very clear ownership agreement before I came with my last law firm that said, "I own that, that's my intellectual property." To make it very clear. So I've learned from that experience. And I have included the new logo that I have for the Quinn Law Centers, which, you know, that is intellectual property. So you wanna make sure that you put your logo on everything, and that you also make sure that it's very well protected.

Jillian Kuehl - The new logo is lovely by the way.

Colleen Quinn - Thank you so much.

Jillian Kuehl - Absolutely.

Colleen Quinn - It's funny 'cause the old tagline that I came up with was "focused results." And we had, the logo was black and white and very like, "arrgh!" but I'm not that kind of person. And I was talking to my job coach, and I showed him the logo. And you know my tagline now, the tagline is "building families and rebuilding lives," which was the tagline for the Quinn Law Centers. But my logo now with the Q and has the heart in it. And I'm like, is that too cutesy for a lawyer? And he's like, "Colleen, what you do is compassionate." And I'm like, "You're right, you're right." So yeah, I'm really loving it myself too.

Jillian Kuehl - No, I think it's great. And it exemplifies what you do. So I think that's fantastic.

Colleen Quinn - Thank you.

Jillian Kuehl - So moving into a little bit of the ethics piece. So what is a lawyer's ethical duty when it comes to preventing data breaches?

Colleen Quinn - Great question. So ABA rule, Model Rule 1.6C says that, quote, "A lawyer shall make reasonable efforts "to prevent the inadvertent or unauthorized disclosure "of or unauthorized access to information "relating to the representation of a client." And then reasonable, that term reasonable "depends on the sensitivity of the information, "the likelihood of disclosure "if additional safeguards are not employed, "the cost of employing additional safeguards, "the difficulty of implementing the safeguards "and the extent to which the safeguards "adversely affect the lawyer's ability "to represent the clients, that is by making a device "or an important piece of software "excessively difficult to use in that regard." And I've included some hacker emails. So there's a difference between being hacked and having your email used, as opposed to somebody actually getting into your system, which are things that I've learned over time. And being held hostage for Bitcoin and not being able to operate. So simply somebody utilizing your email or having a phishing email to try to get information is very different than somebody actually having hacked your system and gotten into your system. These hacker emails, by the way, are hilarious. These hacker emails came through the academy listserv. And a lot of my colleagues got 'em, and it basically says that that this person has dirty pictures of me. And I've made a video showing how you satisfy yourself in the left corner of the screen. They're hilarious. And a whole bunch of us got 'em. We're like, "What?" Well, fortunately we just recognized that it was just nonsense and we didn't have to worry about it, especially 'cause everyone knew that I was like, "I'm like, dude, I don't have dirty pictures, okay?" So I don't have to worry. I hadn't made a video of myself doing dirty stuff, so I don't have to worry about this.

Jillian Kuehl - So you were good, you knew.

Colleen Quinn - So you don't really have to worry about those crazy emails, except for being embarrassed and then letting your friends know, "Somebody's got my email. "It looks like it's coming from me, "but it's not coming from me." And then you don't have to worry about these ones that it says, you know, "I've got your dirty pictures." That sort of thing, in that regard. But you do have to worry about the ones that are truly looking to hack your system.

Jillian Kuehl - Yeah so, it seems like some of these emails are obvious and a little, you know, they're funny, but what are hackers really looking for here?

Colleen Quinn - So when they do hack your system, they are looking for mining financial data and social security numbers and things that they can use to accomplish identity theft or actually getting access to credit card information, so they can misuse credit cards and everything. And a lot of law firms, like we don't keep personal social security numbers. We do have some dates of birth. We don't keep credit card information. We use Cleo where people input it into, we use kind of protected systems. We also have the ability to encrypt, but we don't keep credit card data. But what they can do is they can paralyze your operation by preventing you from being able to operate. They can shut you down in terms of being able to actually use your systems and access your data and then try to hold you hostage for Bitcoin. And I've actually been held hostage for Bitcoin twice.

Jillian Kuehl - Oh my gosh.

Colleen Quinn - And fortunately our IT guy regularly backs everything up onto the server, and every night... And we have an offsite backup. This was my former law firm. Now I'm going to the cloud, which is actually, I've studied up a lot on and have determined is better. There's a lot of controversy about that, but I really trust my IT guy. And also the nice thing is that we don't have to worry about backing everything up on a server. And I can access my stuff from anywhere that I have an internet connection. And with Microsoft 365, we can use encryption. But even though, we never had to pay Bitcoin, fortunately, but it still meant that our IT guy, you know, we were still shut down for a couple of hours while he reloaded everything up on our system and got us operating. And I had to pay him, you know, we had to pay him in order to restore everything and put it back in place. So that's why it is important to have good systems in place, in that regard. So they can hold you hostage for Bitcoin money. They're looking for employee and client information, such as social security numbers, dates of birth. They're looking for credit card information. They're also looking for potential client information, proprietary information. But the biggest thing is just shutting you down. And a lot of large employers have paid good money because they've been held hostage by hackers.

Jillian Kuehl - Wow. And so, why are law firms and lawyers targets?

Colleen Quinn - Because we're so naive. You know, it's amazing. So, and I've listed a couple of examples. In 2015, there was the theft of 289,000 from a San Diego law firm via a tech support fraud. In 2016, The Wall Street Journal reported that hackers stole information from inside trading companies. And then in 2016, there was a Panamanian law firm that had offshore shell companies to avoid taxes. And they had millions of documents obtained from them. And so you can see example after example, especially of law firms being hacked. And the reasons are lawyers lack training, lawyers suffer from sophisticated attacks on IT systems because of insufficient controls or being able to override those controls.

Lawyers have insufficiently protected email technology. You know, we tend to be more engrossed in the law than technology. And Verizon's 2015 Data Breach Investigative Report found that a law firm's legal department was far more likely to actually open a phishing email than all other departments. We work really fast and quickly. I do this myself, I move too fast. And so I'll open things right away without kind of inspecting them a little bit more. We're more trusting. We form relationships of trust with our clients and our colleagues. We respond more freely to an email that looks like it's coming from a trade group or a bank. We're responsive. we don't really always think before we click. And sometimes we can overestimate our technical skills. Humility's not always the strong suit, and stopping to ask IT departments for advice is not always our first response.

So we do run into problems in that regard. And then when that happens, when we have a data breach, we have the cost of paying the IT person, and then we might have to send out notice letters. "Hey, we've been subject to a breach." We might have to put up credit monitoring. We might have to notify our credit card companies. We've got indirect costs, which are basically we can be subject to a lawsuit. We can have reputational impact. We can have a loss of business during that period that we're shut down. And so there are definitely costs that are associated with these breaches. We also have the risks of them stealing our information, our client information.

Infecting our computer with malware. Oh, I had that. I had my own personal computer. What looked to me was like somebody from Apple had notified me that I... That my, that basically my protective wear, my malware, had expired, and I needed to notify them. And so I contacted them. I was a real idiot about this. The person wasn't from Apple. And then the person said, "Well, I need to get into your computer." And I started giving him the information to get into my laptop. And then he started asking me question after question. And I just got really like, "Oh my gosh, I don't." I'm thinking this person's not legit. And so I immediately, I was on the phone with him, but he was also into my computer. And I immediately shut down, and he got very angry at me. "What are you doing?" And I said, "This doesn't feel good to me. "This doesn't..." And he started cussing at me and calling me things. Well, he was mining my computer for my financial data. And then I called Apple, and they told me that that guy was not legit. And the notification I got that told me that my Apple protection had expired was false. And so then they gave me all the safeguards that I needed to follow. And I mean, I've got a law degree, you know? But how stupid, how stupid could I be? And if you, in surveys, you see that a lot of lawyers that admit it, like I am, we've been subject to data breaches and do stupid things like me responding to that your protection, your Apple protection has expired, without going and calling a more legitimate Apple number and calling the number that was sent to me instead. Just really, really.

Jillian Kuehl - I mean, they're getting really, they're getting good at it, right?

Colleen Quinn - Yes.

Jillian Kuehl - So it looks like, "Oh, okay, Apple's email." I've done this too. I won't tell you my crazy story 'cause it's embarrassing, but it is, you know, they're getting really good at faking the company and all of that.

Colleen Quinn - Yes, yeah. You have to be really careful about, you know, don't just click on it, go investigate, you know? I pretty much send everything to my IT guy. "Is this legit, is this legit?" And most of the time he sends it, "He goes, no, no, no, no, no. "You're getting better at it, Colleen."

Jillian Kuehl - The answer is most of the time, "No, it's not legit."

Colleen Quinn - Right, yeah. So to prevent a data breach, rules, things I have learned. Turn off, log off your computer if it's gonna be inactive for a short period of time. Use strong passwords. It drives me nuts. I had to change my pass codes like every three months, and they are like, I don't know, 18 digits long. But I just put together these kind of memory tips and terms. We wanna make sure we put in place a procedure to protect client information when an employee leaves the firm, which are those agreements we talked about. Encrypting client information, using... Networking computer systems should log user activity. You wanna make sure you've got software that protects yourself from malware and from malicious infections. And that you have firewalls. Clear your desk of paper documents when you're not in use. You can have a, you know, cleaning crew can come in, and they can find pass codes and whatnot, if you've got stuff laying out or it's not under lock and key. Keep an inventory of all the computing devices, wipe electronic data off the computing devices before they're transferred, sold or reused, and then have agreements about technology storage, handling access with any third-party vendors. And do background checks on the third party vendors, make sure you really know who they are.

You also wanna be aware of data breach response laws because there are a lot of states that require you to notify your clients if you do have a data breach. There are certain states that actually require encryption. I know Nevada and Massachusetts do. And then there's a patchwork of state laws with varying definitions of how to handle and what to do if you are subject to a data breach. So you really need to know your state laws in that regard. If you have an international practice, you need to know about the GDPR, which I never would've thought about, but my surrogacy practice is international. We have a lot of international clients. And so the GDPR is the General Data Protection Regulation that went into effect in the European Union in 2018. And it provides standardized Europeans privacy rules for processing of personal data. And I've got more information on one of the slides in the materials about that, but you do need to be aware of the European rules and that act if you're doing any sort of international practice.

Jillian Kuehl - And so obviously all law practices hold a lot of client information. And so what are attorneys duties in regard to encryption with clients?

Colleen Quinn - So again, that is state by state dependent. And in the materials, I noted that the Texas State Bar in 2015 determined that emailing unencrypted, confidential client information might be unethical. And they have certain identified situations in which email may be too insecure for confidential client communication. And so I've listed in the materials what the Texas State Bar determined in terms of its rules. But we're starting to see more and more states start to require encryption of emails. And so we don't have that yet in Virginia. I'm predicting it'll come down the pipe. But when we switched to that Microsoft 365, it does allow us encryption. So my prior retainer agreement language used to say, "As part of hiring us, "you recognize that our email system is not encrypted, "and we don't use encrypted technology." I've now changed that to say that, "if you want us "to use encryption, we do have it available to you." And fortunately the Microsoft 365 system is easier to use. It's not like this, you know, you gotta get the text, you gotta enter the code, et cetera. Once the client enters the pass code, and you've established that client relationship, you don't have to go through that whole mess each time of the pass coding, which is easier to use.

So far, none of the clients have really taken us up on it. But I do like with all, with the clients that do work for financial institutions and whatnot, they typically use encryption when they write to me. So you really just have to be aware of where we are headed with the encryption, but I think it's the way of the future. And if you're going to be updating your systems, definitely update your systems to ones that do allow for encryption like the Microsoft 365 platform that we're on. And the Texas State Bar said that electronic mail might become obsolete in a breach saturated era. And they said, quote, "Changes in the risk of interception "of email communication over time "may indicate that certain or perhaps all communication "should be sent by other means." So with all these breaches and whatnot, we have to be aware of rule 1.1, the duty of competence. And what's been added to that rule, in the comment, it says, "to maintain the requisite knowledge and skill, "a lawyer should keep abreast of changes "in the law and its practice, including the benefits "and risk associated relevant technology." So now it's being incumbent upon us to stay abreast of what are the risks of the current technology. What are the risks of using obsolete technology as well?

Jillian Kuehl - So you can't avoid the term metadata when you're talking about technology. What is metadata, and what do lawyers need to know about it?

Colleen Quinn - It's all that stuff you can't see in the document. I mean, really it's all the hidden information that's behind what you normally see. And so it can have all that transactional stuff about who's the author, what was the software used, what was the date it was written, what were the edits that were made along the way? It comes in a lot of different forms and a number of locations. In Word documents, for example, the metadata can include the tracked changes, the comments that you've made previously, text that was smaller than five points. It can have the previous authors that were involved with that document. And it's just all that stuff that's kind of behind the scenes, but can tell somebody else a whole lot about how your back and forth negotiations with your client went to get to a certain point. And so it serves a number of useful purposes, especially the identification organization and archiving of documents. And it's information that can be instrumental in providing a context to things. And I've been involved actually as a mediator in what metadata has to be produced in discovery, where a judge assigned me to look at the metadata and determine what was relevant, not relevant during discovery. And while usually it can be harmless, depending on the context, it also can include privileged, confidential information.

And so it can be a significant risk of disclosing client confidentiality, especially if you're negotiating, and you basically are going back and forth with your client and saying, "oh, I'll do this gestational carrier agreement for 30,000." And you say, "No, let's go with 35." You don't want the other side to see that your client was willing to go with the 30,000 instead of the 35 to begin with. So a lot of law firms use existing client documents as templates to create new client documents. And that metadata includes the old client names, okay? So now we've just breached by giving client data to a new client that is confidential former client information. And even deleted text can remain in the document as metadata. And so the risk is that clients might be able to access that confidential information, opposing party might be able to access that confidential information. And it's pretty likely that unless you sanitize or clean a document or put it into PDF form, you've probably sent confidential information to the other side in your metadata and not even realized that you've done it.

Jillian Kuehl - Whoops.

Colleen Quinn - Yep.

Jillian Kuehl - Okay. So how can you minimize the risk when it comes to metadata?

Colleen Quinn - Yeah, so if you're sharing documents that need to be edited and returned, and you use your word processor's metadata, you wanna use the metadata's removal features. For example, MS Word document inspector, or a third party program like Workshare Protect. So you wanna basically "clean" or sanitize using one of these programs. You also might wanna consider using, putting it into a PDF Adobe Acrobat that can be used to convert documents to a locked PDF format before a file is sent. And you could adjust Acrobat's security options settings to include restrictions regarding certain metadata. Now this becomes tricky if you're trying to send a track change document to another attorney, so that they can make the tracked changes. Because if I send it to 'em in PDF, they can't send me the changes back. So that's why using one of these programs that allows you to "sanitize" the document while allowing the track changes to still come through is something to consider.

Jillian Kuehl - So if you're using track changes in documents, which I think most attorneys probably do, you know, are there risks with that? And what should we be considering when we're doing this track changes, and should we do it?

Colleen Quinn - Yeah. So that's a great question 'cause there are a lot of pros to track changes, but there are also cons, you know. So with the pros is that the client or the other attorney can easily see and accept the changes. It's really helpful with when small changes are being made, that you can see those more quickly. It's helpful when you're comparing various drafts, and it saves time in having to compare the drafts line by line and figuring out what got changed. The con is it becomes harder to read when there are a lot of edits. And if you forget to turn on track changes before you start editing, sometimes certain edits can be missed. You gotta be really careful to make sure you track change everything. A lot of people don't know how to use the track changes. And you wanna have an agreement with the other side beforehand that we, if I'm gonna use track change, you're gonna use track change too. So it's like you're both kind of on the same page. And then the biggest thing is forgetting to remove that metadata before sending it to opposing counsel. Because otherwise that entire history of all those track changes... 'Cause you might have made track changes with your client and then sent the document to the other side and then they might send it back. You wanna make sure that all the information you went back and forth with the client doesn't end up going to the other side.

Jillian Kuehl - Colleen, this is all--

Colleen Quinn - The. Go ahead.

Jillian Kuehl - This is all-This is all a little scary, right? So should we just go back to using pen and paper?

Colleen Quinn - You would, sometimes you think so, you know? The thing is is that, I mean, technology, it's like a blessing and a curse. I can't keep up with the emails now, but I can handle so many more client communications in a day than previously I could by just talking on the phone. Yeah, 'cause it's the emails back and forth, et cetera. And you know, we've got the track changes, and we also have the compare features in Word. And the compare features let you compare two documents immediately. The track changes allow you to see those changes. It's hard to go back to an old-fashioned way. And I will have some clients that they can't see the track changes in Word. So I'll send it to them in a PDF. Then they either print the PDF and hand write their changes, which then I have to then put into the document, or they send me the listing of the changes they want in the email, which now I have to put into the document, and that just slows the process down. So technology's fantastic because we're able to accomplish so much more in a shorter period of time, but we also have all of these different aspects. So we have the convenience versus the confidentiality. The technology, it saves time. It makes things more efficient. Some people like myself have terrible handwriting. So we wanna make sure that I'm not having to hand write the changes to the PDF 'cause nobody could read them.

But it's also detrimental because we've gotta worry about attorney-client confidentiality, work product, client privacy, and we've gotta make sure put all those safeguards in place with regard to the use of technology. So basically, just to kind of wrap up, we do have an ethical duty to safeguard our client data and stay apprised of available technologies that are out there. And we need to make sure we are using the most up-to-date technologies. It's so important to hire qualified IT help. I rely on my IT person very, very heavily, and I rely upon him to know what the latest technologies are, what the best technologies are in place, how to best protect my system. How to make sure that we're not gonna get hacked and held hostage for Bitcoin. We wanna make sure we have those internal systems in place with respect to staff and associates so that we have those agreements with them, those employment agreements. If you have interns, summer help, anybody coming in, you wanna make sure that they are assigning those documents. And we just wanna be really vigilant about safeguarding our intellectual property, making sure that we put those copyright provisions in place, making sure we make clear what our ownership is. And the 33 years in practice, it's all... It's all just been learning by the things that I should have done. I wish I had done earlier. And I continue to learn as I go, you know.

Jillian Kuehl - Well, we appreciate you sharing the lesson. So hopefully some people listening will be able to listen and then use your advice to avoid going through that themselves.

Colleen Quinn - I surely hope so, yep.

Jillian Kuehl - Well, thank you so much, Colleen. It was a pleasure.

Colleen Quinn - Appreciate it. All right, take care.

Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49

Course materials

Supplemental Materials

Practice areas

Course details

On demand
1h 11m 18s

Credit information