Mobile devices have been around for a while. Their capabilities have grown so steadily, however, that many lawyers can’t remember the exact moments when desktop computers slipped off our desks and into our pockets – into our smartphones, tablets, and laptops. That might explain why so many lawyers have a mobile device but not a mobile device policy.1
This phenomenon may be the reason that a portion of your workload may have been outsourced right under your nose. Outsourcing usually conjures thoughts of contracting services with foreign vendors. But it can mean obtaining services from outside, especially in place of an internal source. So, when an employee carries work of the firm outside of the firm on a mobile device and works on it, haven’t you effectively outsourced legal services?
A deliberate, well-thought-out decision to outsource would mostly result in a written contract that ensured knowledge and competence of ethical rules. The contract may contain, for example, confidentiality provisions and establishing a secure way to share files. But, there is no corresponding internal policy for the use of mobile devices outside the firm.
Then someone in your firm accesses a file on their smartphone using StarBucks™ WIFI.
And works on the file.
The firm just obtained services from a source outside the firm.
And unless the firm has established policies about services being performed outside the firm, the risks are incalculable. Here are three things to consider when establishing written mobile device policies.
One: No Public WIFI
When a firm employee jumps on free WIFI, their communication becomes part of the WIFI provider’s data stream. It is governed by the WIFI provider’s policies. It is subject to subpoena or voluntary disclosure. There may or may not be privacy protections to protect the release of account numbers, passwords, personal information, and so on.
Even though public WIFI is evermore available, there is no way to include the providers of the WIFI (like Starbucks™) in a contract that ensures security.
More so, many public WIFI providers are so insecure that they do not restrict other people on the same public WIFI from seeing each other’s communications. The kid on the other side of the room may look like he is playing a video game when he is actually reading your emails as you send and receive them.
The easy solution is to have a written policy that prohibits the use of public WIFI for devices (smartphones, tablets, laptops, etc.) that contain firm files.
Two: No BYOD
Many organizations cut costs by simply requiring employees to BYOD – Bring Your Own Device. The employee’s personal device then fills up with a mixed bag of personal data and firm data.
This practice is problematic:
When an employee raises a privacy objection in response to a discovery request or subpoena;
Where a firm employee is suspected of inappropriate actions and the firm cannot legally access the cell phone;
Where the firm requires that firm files are backed up using an encrypted backup method. This concern is growing. The iPhone 7, for example, will be released with 32 GB of storage. This is enough storage to hold the files of a solo practice. It is difficult to backup only firm files without also backing up personal files. There is also the concern that the user manages the password and may refuse or be unable to provide it when it is most needed;
When the device is lost or stolen. Firm devices that contain client information should be configured to self-delete in the event they are lost or stolen.2 Firm employees that BYOD may see the deletion of their personal files as a privacy invasion.
A mobile device policy should draw a hard line between the firm’s device and personal devices. Firm devices should require a passcode to access and take the considerations above into account.
Three: Teach Your Mobile Device Policy
Do it yourself, ask a firm employee to do it, or ask a technology vendor to do it for you. Having a mobile device policy is meaningless if someone doesn’t understand it. It is worth a working lunch or an hour off-site to educate firm employees. Data security is only as strong as the one person that gets sloppy. Once your data is compromised, it is all compromised.
And here is a tip that makes reading this article worth it (if nothing else does.) Video your training. Then, each new hire can watch the video. By doing this you emphasize to the new hire the importance you place on the mobile device policy and that is one way to create a culture of compliance.
Even after evidence indicates we are wrong, we find it hard to change. Often it is because we are certain we are right. This risk of certainty is perhaps the most costly form of risk and the most manageable.1
Even after evidence surfaced that cigarettes contain toxic chemicals that kill, many intelligent, aware people keep smoking.
Even after manufactures started admitting that their “knock-off” brand contained exactly the same ingredients, many people keep buying the more expensive option.
Even after new technology made the old way of doing things absurd, many people refuse to embrace new technology.
And I could go on and on.
One of the reasons we do this is that it works. Certainty makes life more efficient. We don’t have to stop and ask a lot of questions or read or do research with each step we take. Once something proves effective, we do it again. Once someone proves trustworthy, we trust them again.
But There Is A Turn
But people do stop smoking. People do change brands and people do embrace new technology. At some point, evidence overwhelms us to the point we change.
The risk arises when we are so certain that the evidence has to not just prove that something or someone is better. It has to be overwhelming enough to prove we are wrong.
And who does the evidence have to overwhelm? A judge? No. A jury? No. This evidence has to overwhelm the harshest trier of fact, us. It has to convince us that the new way is better AND that we are wrong to hold onto something or someone we are certain is right.
The distance between what the relevant evidence proves and what we are certain of is risk. It is in this space that competitive advantage is lost, betrayal matures, and cancer metastasizes.
Managing the Risk of Certainty
The way to manage the risk of certainty is to hold belief loosely. Be willing to be wrong. Rather than openly committing to a position that may one day prove incorrect, commit to a process of improvement. What does this look like?
It is the difference between saying, “this is how we do it” and “this is how we do it until a better way comes along.”
It is the difference between saying, “I trust him implicitly” and reconciling your bank account.
It is the difference between certainty and occasional verifying, even in long-term relationships.
Isn’t This Risky
There is some risk that comes with questioning. If questioned, a long-term friend may feel like you are not as close as they thought. There is some risk that comes with change. New technology almost always introduces new challenges into a process. But these risks are different. We anticipate the risk and manage the risk as they appear.
This is different than the risk of certainty that strikes when we are not anticipating it and are usually in the worst position to respond.
If risk is inevitable – and it is – it is best to trade the risk of certainty for a risk we can manage.
At some point, you have to make a decision about whether you are going to be among the attorneys that delegate or not. If you started your practice in an established firm, you made the decision early. Someone was already in place to answer the phone, make copies, and such. Someone else probably wrote the checks and reconciled the checking account. Your first legal work was most likely assigned by a partner (you were a delegee) and so you learned a delegation method from experience.
If you were a solo practitioner, you may have started out with no one to delegate to and so the fact that you had to make a delegation decision was clearer. You never have to delegate, but refusing to delegate tasks that do not require your unique skills and talent stunts your professional growth. Even so, there is some level of risk in every delegation. Here are four rules for minimizing this risk for lawyers.
Attorneys That Delegate to Lawyers
There is some level of comfort in delegating to lawyers because you might think, “they will never do anything to put their license at risk.” Or, you may think that an associate will certainly do quality work because they are building a reputation and they want it to be a good one. Rule #1: Don’t expect people to act in their own best interest.
It is true that most people who worked to complete law school and get admitted to practice will do what you would expect – work to build a good reputation and stay well within the professional rules. The challenge is that the people who won’t act in their own best interest aren’t required to wear a big orange ring with a capital “W” on it for “Warning.” They look like everyone else.
So, Rule #2: Maintain a reporting system when you delegate. Design a reporting system that allows you to independently verify the status of the task you delegated. If it is a written assignment, review of copy of a draft. If it is writing the checks for the office expenses, have the checks presented to you with evidence of the expense for your final signature.1
Establish check-in dates so you can monitor progress. When possible, monitor objective sources. Do not confuse delegation with abdication. Without check-ins, without reporting, you have abdicated. Abdication puts your life, at least your professional life in the hands of someone else. Is that ever a good plan? No.
Attorneys That Delegate to Non-Lawyers
Non-lawyer delegees pose an added burden. Most states have adopted Model Rule 5.3 in some form which requires that non-lawyer delegees not simply complete a task, but “…ensure that the [delegee]’s conduct is compatible with the professional obligations of the lawyer….”2 With such a heavy burden, strongly consider following Rule #3: Delegate in writing.
Communicate your requirements clearly with understandable expectations and deadlines. Your instructions should include a description of your desired end product, time estimates, and the context of the matter to help the delegee exhibit initiative in carrying out the assignment. Attorneys that delegate should provide the necessary resources including samples, precedents, citations, and other people that can help delegees get the job done right.
Writing out each delegation may seem like a lot of work, but it serves three purposes. One, it gives you an opportunity to consider what ethical implications the delegation may have. You may bark out an order thinking that the person receiving the order will not just do it but will do it the right way – like you would. But a non-lawyer delegee is not you and they are at risk of violating a rule that they are not even aware of. Written delegation instructions give you the opportunity to communicate how to do it right. Two, written instructions clearly communicate your expectations. Three, in the event that your intentions are ever questioned in an inquiry by a regulatory agency or your client, the contemporaneous written delegation is powerful evidence.
Guard Against Omissions
Delegees usually don’t want to be seen as a failure. If for no other reason, they want to keep their job. Also, as delegees faithfully complete tasks you have assigned them, they earn trust. Once trust is established, it is easy to start taking the delegee’s word that a task is completed properly rather than make an independent verification. Tasks that are halfway completed or done wrong often reveal themselves pretty quickly, but what about the task that is omitted altogether? Often the fact that a task is omitted does not reveal itself until the damage is great. Rule #4: Create systems for reviewing and keeping track of assignments you have delegated.
I knew one attorney that had one whole wall of his office converted into a whiteboard so that he could track the progress of work he had delegated. Another attorney showed me special shelves he had built so that his files could be displayed facing outward. Deadlines and delegated tasks were written on the face of each file. Many attorneys use software or apps to track the progress of delegated work. The best system isn’t necessarily the one with the most bells and whistles – it is the one you use.
There are tons of free resources available on how to make delegation itself work, read a book, take an online course. You can become a master at delegation. Remember, however, that when you delegate as an attorney, it is not enough to simply get it done. It has to be done the right way, at the right time, for the right reason.
I Should Have Had This Simple Habit, Why In The World Didn’t I? discusses in detail the delegation of bank account reconciliation. ↩
Rule 5.3, Responsibilities Regarding Non-Lawyer Assistants, 2013, American Bar Association, Center for Professional Responsibility, Model rules of professional conduct, Retrieved from: http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct.html ↩