Author’s Note: We have, unsurprisingly, heard from more lawyers than usual the previous year about closing a law practice. This post originally appeared as my Law Practice Tips column in the May, 2021 Oklahoma Bar Journal. It will be hosted on our new Closing Your Law Practice page on the OBA Management Assistance Program website, which also includes several related resources, including tips on closing your IOLTA trust account, closing a client’s access to the client portal and a link to the OBA publication Planning Ahead Guide: Attorney Transition Planning in the Event of Death or Incapacity.

A lawyer’s final duty to the clients is often appropriately shutting down their law practice in a way that ensures clients’ interests are protected, which may include providing clients with appropriate departing advice and perhaps a referral to successor counsel. With proper advance planning, this can be handled more efficiently.

The closing of a private law practice can be, as Dickens famously wrote, the best of times or the worst of times. It may be the culmination of a multi-year planned winding down of a practice to enter retirement or an emergency situation brought on by failing health or death. Accepting a new employment offer or a judicial appointment often means the law office needs to be completely shut down within a relatively short time.

Sadly, a lawyer’s unexpected death may cause others to have to close the law practice, and without appropriate succession planning, those others may not be well prepared. The family of many a solo practitioner has had to rely on the local community of lawyers to assist them when a lawyer passes away unexpectedly.

This article is designed to assist lawyers with shutting down a law practice, whether it involves an individual lawyer making a personal decision or a lawyer who has been hired to assist the family of a deceased lawyer.

There are two available resources: one is for planning ahead, and the other relates to the implementation of the closing process.


Advanced Planning and Properly Closing Client Matter Files Make the Law Office Closing Process Go Easier

All Oklahoma lawyers in private practice at every stage of their careers are advised to read and follow the guidance of the OBA’s Planning Ahead Guide: Attorney Transition Planning in the Event of Death or Incapacity. You may download your free copy by logging into MyOKBar and clicking the link to Attorney Transition Planning Guide. This detailed handbook includes useful forms for setting up an assisting attorney relationship to assist your client in the event of temporary or permanent inability to do so.

As noted on page 11 of the guide, “If your office is in good order, the Assisting Attorney will not have to charge more than a minimum of fees for closing the practice. Your law office will then be an asset that can be sold and the proceeds remitted to you or your estate. An organized law practice is a valuable asset. In contrast, a disorganized practice requires a large investment of time and money and is less marketable.”


Your attention is directed to the OBA Management Assistance Program’s new Closing a Law Practice Resources at This is a newly designed collection for Oklahoma lawyers. OBA MAP has previously provided much of this information to Oklahoma lawyers and their representatives upon request. Now, this information is available for download on demand. There are more resources and checklists included there than included in this article.

Planning Your Exit

There are many details associated with retirement planning. The primary concerns for a lawyer who wants to permanently close their law practice include:

  1. Protecting clients from negative consequences related to the lawyer’s retirement. Normally this is done through a combination of concluding as many open matters as possible and closing those files during the winding up of the lawyer’s practice. Sometimes it means working with the client to transfer a matter to successor counsel. Sometimes it may mean withdrawing from a matter and documenting clearly that you have provided the client all information they need and are willing to cooperate with successor counsel when the client obtains successor counsel.
  2. Protecting the lawyer (or the lawyer’s estate) from future professional liability claims and protecting clients from a loss. Since professional liability insurance is typically sold on a “claims made” basis, once you no longer have professional liability insurance, you will be personally responsible for any claim made, even if it is based on conduct that occurred when you had coverage. Normally one protects against that risk by purchasing a tail policy (also known as extended reporting period) from one’s professional liability insurance carrier for a one-time fee. Then such claims will be covered by insurance.
  3. Protecting your “heirs” from unnecessary anxiety and frustration. While we wish you a long and happy retirement, when you close a law practice, it is important to make certain any future potential responsibilities can be handled even if you are not around to personally do so. Your legal heirs will have the rights and responsibility to handle your estate. But other “heirs” may be local lawyers who agree to pitch in and assist your family. You do not want their last memories of you to be “Why is everything such a mess?” or “Why aren’t there any written instructions?”

A Basic Checklist for Closing a Practice

  • Determine a target closing date and a date to stop taking new engagements.
  • Inventory open client files to determine status and actions to be taken.
  • Discuss extended reporting or tail coverage with your professional liability carrier well in advance of your target date so you can understand your options and the cost.
  • Inform your staff in person and in writing. Give a simple, truthful reason for the closure.
  • Inform your clients in person if able, but certainly in writing.
  • Complete all matters where that can be accomplished.
  • For litigation matters that cannot be completed, discuss with the client their options to obtain new counsel and follow up that discussion in writing. You may need to assist your clients by requesting extensions of time and resetting of hearings when possible.
  • If a client is obtaining new counsel, be certain an order allowing your withdrawal or a substitution of counsel is accomplished.
  • Make certain the client has been advised in writing of impending statutes of limitations and all other deadlines.
  • Notify former clients from recent years that you are closing your practice, reminding them of your file destruction policy and letting them know where their files will be stored between the closing and the ultimate destruction date.
  • Hopefully, you have already returned all original documents, such as original wills and contracts to former clients, along with any copies of documents they might need as a part of your normal file closing process. But if not, now is the time to do so.
  • You likely want to obtain a post office box and notify the post office to forward mail to that address after your office is closed. Check the box weekly at first and then monthly. Send change of address notices in response as warranted. Calendar when the mail forwarding expires as you may wish to renew it.
  • Notify the OBA of new contact information soon after closure.
  • Close your IOLTA trust account properly. A checklist for doing so is available from the Oklahoma Bar Foundation and the MAP resource page noted above.
  • Inform other professionals of the closure, including court officials and those who have provided services to your firm. If time is an issue, this may be done via postcards or email.
  • Notify landlords, utilities and other vendors who provide services to you. It is a good idea to review incoming mail for several months in advance for those who should be added to this list.
  • Appropriately cancel memberships, internet service and other subscriptions.
  • Prepare last-time records and send out final bills. These should also include the post office box address for those who may not remit timely.
  • Prepare disposition of office furniture and other office property. Computers and hard drives should not be transferred to third parties unless you are confident in your ability to permanently erase all data.
  • Your phone number is a valuable asset and may be transferred or sold to another law firm. This allows them to communicate that this office has been closed to those who were not informed and call the number.
  • Law books are bulky and have little resale value, especially if not updated. Ask other lawyers in your community if there is a new lawyer who might appreciate them as a gift.
  • An announcement on your website about the office closure is appropriate at some point. (Note: if you allow the website domain name to expire simply by not paying the renewal fee, it can be bought by someone else. Due to recent examples of fraud, it may be advisable to continue renewing old domain names even after you have discontinued the website.)
  • Your email can be configured to automatically respond with a message about the office closure and that should be left operational for some time. Some small firm lawyers may decide to keep the “office” email account as a personal email account. Retirement may also be a good time to “start over” with a new email address. A Microsoft 365 subscription may be a good, secure option then.
  • Hopefully, you have already utilized a password manager that you will keep for personal use. If not, a list of passwords should be prepared and securely stored physically (i.e., not on a computer).
  • If you practice in a smaller community that has a local newspaper, consider placing a notice of the closing in it. This could be beneficial to some former clients. This can be considered when a lawyer unexpectedly dies.
  • Cancel the law firm merchant account used for credit card processing, along with law firm credit cards as appropriate.

Obviously, this is not a comprehensive list, and the individual circumstances for each lawyer and law practice will vary.

What About Your Law License?

Broadly speaking, there are three ways for a lawyer to handle the lawyer’s license when retiring.

  1. The lawyer can resign. Then the individual no longer has the legal right to practice law in Oklahoma and has no professional obligation to comply with mandatory CLE requirements or pay bar association dues. They are also no longer a lawyer. Acceptance of a resignation is contingent on there being no pending disciplinary proceedings or grievances. However, if the lawyer changes their mind, a reinstatement hearing will be required to attempt to return to the practice of law in Oklahoma.
  2. The lawyer can maintain a law license and cease practicing law. Payment of dues to the OBA will continue. The benefit of this approach is you can easily change your mind if circumstances change. Filing an affidavit with the MCLE Commission that one did not practice law for the entire year relieves the lawyer of MCLE obligations, as does being a nonresident of the state for the entire year while not practicing law in Oklahoma. But be aware of the “December surprise.” We have talked with lawyers who did not practice law for almost a year and then made a small claims appearance or did some minor work for someone in December, which meant they had to satisfy MCLE requirements on short notice.
  3. The lawyer can take Retired Lawyer status. Lawyers 70 years of age and older can take retired lawyer status, which means they no longer have to pay dues and satisfy other bar obligations. But they also cannot practice law. Retired lawyer is a convenient explanation when people request advice in the future. It acknowledges the lawyer’s career and also explains why they cannot offer legal advice. See for more details and the form to request the status. The member must have attained age 70 prior to Jan. 2. As stated at 5 O.S. Ch. 1, App. 1, Art. II, Sec. 2 (d), “An Active Member requesting Retired Member classification must have reached age seventy (70) prior to January 2nd of the year he or she is requesting to be reclassified to Retired Status and relieved from paying dues.”

Selling Your Law Practice

A lawyer who is retiring and intending to either not practice law in the future or practice in a different area is allowed to sell their law practice to another Oklahoma lawyer. The method of doing so is outlined in Oklahoma Rules of Professional Conduct Rule 1.17. Sale Of Law Practice. Comment 1 to the rule reminds us that, “The practice of law is a profession, not merely a business. Clients are not commodities that can be purchased and sold at will. However, under the conditions and requirements set forth in this Rule, a practice or an area of practice may be sold.” 1.17 states, in part, that “[t]he signed written consent of each client whose representation is proposed to be transferred to a purchaser must be obtained.” Notice to clients about the proposed transfer is outlined in the rule, and consent by clients is presumed if the client does not object or take other action within 90 days of the notice date.

Often the situation of a lawyer retiring and attempting to transfer the practice to a successor involves a certain period of working together to acquaint clients with the purchasing lawyer. If space is available, then depending on the lawyer’s specific plans for retirement, a lawyer who has gone to the office daily for decades might appreciate some free office space for some months, and the new lawyer could benefit from advice. If a lawyer is taking the bench, they can accept monthly payments from the purchaser based on a fixed sales price but cannot receive payments that are based on future fees.

Working Part Time After Retirement?

Many lawyers consider working part time after retirement. This may be because some additional earned income in retirement is desired or just to combat boredom in retirement. Working for another firm or company part time means the employer deals with professional liability insurance, paying for overhead and the like. Resigning that employment is usually like leaving any other job, although a rare situation where a client would be negatively impacted could implicate our ethical rules.

A solo practitioner who wants to slow down but “still practice some law” is a plan that sounds simple in theory but is more difficult to execute well in practice.

Slowing down often means ending the biggest overhead expense – support staff. The lawyer who has worked with support staff assisting them over their career may misjudge the challenges of keeping a calendar, preparing billing statements and meeting appropriate deadlines without assistance. As the lawyer ages, this can become more challenging. It can be very difficult to practice law “part time.” Taking retainers on several new matters may make for a great week. But soon, the semi-retired lawyer may find their schedule is nearly as busy as before they retired but with much less net income.

The part-timer will likely have to pay nearly the same premium for professional liability insurance as if they were fully employed. They will also have to maintain their trust account. The lawyer will need a business-class computer, together with all the software, maintenance, internet access, need for tech support and other things that operating a business-class computer entails. Likely a printer and a business phone line will be required. MCLE requirements remain. Someone must be available to sign for certified mail in your absence. Will you have someone answering the phone for you or an answering service (or machine)? Will you still maintain your law firm website? Closing a physical business location can also dramatically impact the flow of potential new clients.

Lawyers who have not had support staff, particularly those who have made use of cloud-based practice management tools, are often better positioned to realistically judge what slowing down means for them.

If staying occupied is the goal, one might be better served by volunteering for Legal Aid Services of Oklahoma or another nonprofit where support staff help would be provided, and that entity would pay for professional liability insurance and overhead.

If additional income in retirement is the main goal, then cultivating an “of counsel” relationship with a law firm can be a better option. The lawyer might continue to work for certain clients with the understanding that they are transitioning to becoming a client of the firm, or a law firm might need help with their own “overflow” work with compensation on an agreed basis. Then your primary business record-keeping obligation is not losing the 1099 or W-2 the firm provides you.

Providing limited scope legal services under District Court Rule 33 is another viable option today. OBA MAP has a limited scope legal services page at The lawyer with extensive family law experience might enjoy referring the family law feuds elsewhere and limiting the practice to preparing agreed dissolutions and custody agreements and perhaps even occasionally going down to the “waiver docket” to have an agreed order entered. For this type of practice to generate significant income, online marketing will be required.

Closed Files

Closing a law practice means closing files. How simple or challenging this process is will be greatly impacted by how well the lawyer or firm has closed client files during their practice.

Some law firms have exemplary file closing procedures, which involve much more than putting paper-based client files in boxes and labeling them by year. The law firm’s goal should be that once a file is closed, it need never be opened again – unless it is needed by the client in the future, hopefully for a related new engagement. Those firms’ clients received back any original documents, copies of all relevant documents they might need and were reminded of the law firm’s file destruction date as a part of the file closing process. File destruction policies had also been covered in the engagement agreement.

Closed files can be scanned and stored digitally to save on closed file storage costs as long as proper data security and backup procedures are followed.

Note that it is best to keep retainer agreements (where the client signed off on the file destruction policy), receipts from clients who picked up a copy of their file and a list of all destroyed files for an extended period (perhaps permanently) after the files are destroyed.

The law firm should have already established a client file destruction policy. The attorney’s client file has two general purposes after a matter is concluded: 1) to retain for the client the records of a recently closed matter should the client need them and 2) to preserve documentation of attorneys properly handling the matter should there be a grievance or other claim filed against the lawyer. The first goal may be accomplished by giving the client a complete copy of the file and obtaining a receipt that the client has received it. The Oklahoma Rules of Professional Conduct do not require a file be retained for a stated period of time. However, the rules do require that records related to trust accounting be retained for at least five years. As a practical matter, a lot of information in the client file involves trust account expenditures. So, many lawyers determine they will retain their closed files for a five-year period after closing or longer. But pay attention to some types of matters, such as a friendly suit involving a minor plaintiff, where a longer file destruction period should be set.


There is much to do to properly close a busy law practice. Hopefully, these resources will serve as a starting point for those undertaking this journey. Should you have additional questions concerning this subject, feel free to contact me or Practice Management Advisor Julie Bays, who can be reached at

Mary E. Vandenack

We enjoyed hosting Mary E. Vandenack, Founder and Managing Member of Vandenack Weaver LLC, Omaha, Nebraska on the Digital Edge podcast. Her topic was Managing Your Law Firm Through Change. That is something all law firms have dealt with the past year.

But Mary has managed some amazing transitions with her law firm that began far before the pandemic. She has great lessons in bringing an entrepreneurial vision to law firm management and taking advantage of opportunities as they present themselves. Lawyers in smaller law firms that want to grow their practices will be well-served to listen to Mary’s journey, not to attempt to duplicate it, but to learn how to analyze your opportunities.

Communication is something we all do every day. Some days we do it better than others. We have all had the experience of making some statement we immediately wish we could take back. Most of us would admit we could invest some time improving our communication skills. Managing your professional communications with clients is a critical skill and business process for lawyers today.

We have all heard the truism that the greatest single source of complaints against lawyers is failing to communicate. This used to largely mean failing to return phone calls. But now, as readers are aware, there are numerous technology-based paths a client can use to communicate with you. The fact that there are so many methods of communication can make tracking and responding to client inquiries more challenging. It is appropriate to limit the clients’ use of some of these methods. Just because a client first contacted a law firm via its Facebook page doesn’t mean it is appropriate to use Facebook Messenger to communicate during the representation.

Bad or nonexistent communication with clients has many other negative consequences. If a critical phase is underway in litigation and the client doesn’t get a response to their inquiries, a client’s attitude can rapidly go from offended to angry to worried that something has gone wrong with their legal matter. The client may forgive the communication failure, but they also may not forget. Damaging the bond of trust between attorney and client is something we all want to avoid. If the client feels they have been avoided and ignored at times during the representation, the client may be more skeptical of the lawyer’s recommendation about the resolution of the matter.

Those who investigate attorney misconduct are well aware that lengthy gaps in updating clients are often a symptom of a deeper problem. Whether it is research revealing the legal theory of the case is problematic or something worse, like a statute of limitations or court deadline having been missed, allowing the client to become frustrated or even angry with the lawyer just makes the situation worse. Negative news must still be communicated promptly. So, let’s cover some ways to improve your law firm’s client communication.


It may not be possible to be perfect at that as sometimes we advise clients at nights and weekends by phone or run into them unexpectedly in public and discuss their matter. Some omissions in documentation will occur, but you do want to strive for perfection. The simple fact is a lawyer who handles many matters for many clients over many years will not be able to remember the details of every matter. That’s why lawyers have long maintained client files containing the documents associated with the case.

A lawyer needs to review the client file for the language in contracts, correspondence and other documents. It is unlikely you will always recall accurately the details of every phone conversation or personal discussion with the client unless you have good notes in the client file. A lawyer will handle many legal matters over a career. The client may only have one legal matter. Should a dispute later arise, the client will have very clear memories of every conversation with their lawyer about their divorce case or their neighbor suing them. If you believe the client is not recalling the communication accurately, documentation in the client file is your best, and sometimes only, defense.

We must communicate with the client during representation to assist our client in making good, strategic decisions. We must document client communications so we and others working on the matter in our law firm understand the matter’s status. We must also document client and third-party communications in the file for our own self-protection.


There will be times when an important project has to be completed, or there are other reasons why you cannot return a client’s telephone calls. If your law firm employs secretaries or legal assistants, they can assist you with client communications as long as they understand the principle noted above – if they don’t document their communication with the client in the client file, then it is like it never happened. Often, a good assistant can handle some of these returned calls completely, such as a client who isn’t sure of a court date or deadline. These are precisely the type of communications that you want to document in the client file. If the client fails to make a court appearance, seeing that someone from your office discussed the date with them personally last week brings a measure of comfort to the lawyer even as the lawyer deals with the situation.

Digital communications like emails, text messages and voicemails provide an accurate account of communication, but these are only valuable if one can locate them when needed. So, most of these need to be retained in some manner. Some things can be printed out to be included in a traditional paper-based client file, but some have to be retained in their native format.

I have noted before that enterprise texting tools, like ZipWhip, can be used to retain all text message communications. These tools also provide the benefit of allowing others to log in to assist with managing text messages. Law firm websites that have a “text us” feature on their website most likely use enterprise texting tools with staff members assigned to check the “inbox” at the beginning of each day and during each day. Practice management software tools make it easier for everyone working on a client file to document their communications easily.


We provide legal services and solutions to problems based on our knowledge and training. Legal services often relate to the intangible. Court orders and other legal processes are often not well understood by our clients. Often, the value of our services is demonstrated through our communication with our clients. We listen to the facts of the situation and advise them of the legal challenge and our proposed solution. If your client is a business, its assistant general counsel may understand the legal challenge well. But for individuals who are hiring a lawyer for the first time or do so only infrequently, it is critical to provide them with brochures and handouts and other material to take home to review after they have retained you. These materials should generally cover the client’s type of legal problem. In some situations, the legal problem is obvious to the client (e.g., “I got arrested and don’t want to go to prison.”), but those clients still need clear reminders in writing about what they are supposed to do and, often more importantly, what they are not supposed to do.

Stress on the part of a receiver of the message is one of the classic communication barriers. The more stressed one is, the harder it is to recall a conversation that took place the previous day – or week. The types of matters that bring individuals to see a lawyer are often stress-causing events, such as a death in the family, being sued, being arrested, being terminated from employment or being injured in an automobile accident.

Handouts that these clients can review later to refresh their memories of your initial advice are very important. These should cover general information and frequently asked questions. All such brochures and handouts should contain contact information for the lawyer or law firm, including the website address. While the point of these communication tools is to assist this client, if you do a good job with your handout or brochure, you should not be surprised if the client shares it with a friend or relative who may become your client themselves in the future.


For consumer clients, use a middle school vocabulary level to improve readability. Avoid legal jargon unfamiliar to the general public when you can, and when you must use it, explain what these terms mean. Lawyers like detailed and complete explanations, with caveats if they are needed. Today’s consumers like it short and sweet. If you are going to give today’s client a multipage handout, try to make certain the most critical information is on the front page.


If you have a limited amount of time to return many client phone calls, be aware that while you have many matters, this may be the client’s only matter. Take a breath and focus between each call when returning several client calls. Avoid sounding stressed or rushed on the phone with clients.

Make certain your staff understands you should only be interrupted while talking with the client in your office if there’s an emergency or you receive communication pertaining to the client’s matter. Even if the client is understanding, interrupting a client meeting to take a call will be taken by some as a sign that they were less important to you than the caller, at least at that moment.


There are now many tools that automate client communication. These tools can be very useful, such as setting up text message reminders before court appearances or client appointments with you in the office. But building good form letters for client communications is another great way to “automate” communication. Building checklists and workflows should result in many situations where when task #3 is completed, client communication #4 is automatically prepared for delivery. These should reiterate what has been accomplished and the next step.


A critical part of every new engagement or initial client interview should be setting reasonable expectations for the client, both in terms of potential results or resolutions and in terms of the time frame it will take to realistically accomplish the legal work. So, take some time to help the client have realistic expectations, both about the task ahead and the way your law firm operates. Take a few moments to explain that you will not always be available to take their phone calls or answer emails, but your policy is always to return them within 48 hours (or whatever your policy provides). Explain that your assistant may be available when you are not. If it is going to take a year before their matter can be heard, make sure the client understands that before they leave your office (or you close the videoconference). Always give your clients the opportunity to ask questions at the close of any one-to-one meeting discussing their case.

Make sure you stress to all your staff the level of friendly courtesy they are expected to display when dealing with your clients, even if the client is sometimes not having their best day when communicating with them.


The late J. Harris Morgan authored the ABA book, How to Draft Bills Clients Rush to Pay. In those books, the theme was that narrative statements in client billing should demonstrate both the value to the client and effort on the part of the lawyer. Today, we also note there are some clients who pay more attention to their bills than other communications they receive from the lawyer. So, don’t miss out on this communication opportunity.


“The single biggest problem in communication is the illusion that it has taken place,” is a quotation attributed to George Bernard Shaw.

While you will never know exactly what others are thinking, using the tips above will give you a better opportunity to make sure your client understands their legal matter and what your law firm is going to do to resolve it. Documentation provides the lawyer with a record to refer to should the lawyer’s services or communications with the client later be brought into question.

Would you invest just a few minutes doing something that will save you minutes each workday afterwards? Outlook users can quickly and easily automate several email actions to run sequentially using Quick Steps.

Open an email in Outlook and you see the Quick Steps in the Ribbon at the top. You can use the arrow in the lower right-hand corner to expand the view. There is a Create New command to build new Quick Steps.

Here is an example of how this works. There are two other people in my Department, Nickie Day and Julie Bays. I email both frequently. I built a Quick Step called Email J&N. When I use it, it opens a blank email already addressed to Julie and Nickie. That is not a huge time saver, but it is definitely quicker than opening a blank email and adding them both in the To: field. However, suppose you have a corporate client who always wants the same four people copied on an email. Or ten clients with similar requirements. You can automate that in less than a minute. If an assistant general counsel is added or replaced, you just edit the Quick Step.

Another great Quick Step is Reply and File. Instead of just replying you can automate filing the original email in a particular folder when you send the reply instead of leaving it in your inbox. You could create many of these: R&F Smith Corp, R&F Big Client and so forth.

Quick Steps are simple automations relating only to actions you do in Outlook. But if you can make a four-step process you do several times daily into one click, you will be glad you did. Learning to do this is easy. Just open any email and click Create New.

So, if your firm wants a better tool for interoffice communication than email, should you use Slack or Teams? That was the framework for a presentation “Collaborating: What is the Best Tool?” at ABA TECHSHOW 2021.

However, the TECHSHOW planning board asked John E. Grant, the founder of Agile Attorney Consulting, and Kenton Brice, Director of Technology Innovation, University of Oklahoma College of Law, to do this presentation. These two might have a bit of a reputation for being overachievers. So, they “over-engineered” their paper for the session, in their words. And that benefits you, as much of their written materials has now been posted to Grant’s Agile Attorney blog.

The first post is Slack vs. Teams for Lawyers: What do you need? This contains a simple explanation of this binary decision-making process. There are even some simple flow charts to help with this decision. It is not the most difficult technology use decision you will ever make.

Now is where the overachiever part comes into play. The second post is How to Evaluate Law Firm Technology. Evaluating technology purchases is a challenge for many types of businesses and law firms are no exception. Most lawyers love researching to solve their clients’ problems much more than they love researching their business operation tools. This post contains a very sophisticated analysis which is very useful for any lawyer, especially one without a technology background.

But wait, there’s more. A third post, Frameworks for Defining Problems in Your Law Practice, delves into defining a firm’s legal ops problem and Jobs To Be Done (JTBD). This is simple and approachable for those of us who do not have MBAs. One thing all lawyers appreciate from our law practices is you get a much better answer when you ask the right question.

These posts are all relatively short, beginning with the simple Slack vs. Teams question and moving on to more broad analysis. If you oversee technology purchases for your law firm, all three are great reads. If you are not in charge of that, then maybe you should share this blog post with the one who is.

Many media outlets covered the plight of Stefan Thomas, the man who, as of January 2021, had $250 million worth of bitcoin trapped in his Bitcoin wallet. He secured the keys to the wallet on an IronKey flash drive. I recall in one 60 tips presentation years ago noting the Mission Impossible feature of the IronKey that provides extra security by terminally encrypting the contents of the drive after 10 incorrect password entry attempts. Yes, the data does self-destruct. Mr. Thomas lost the paper with his password written on it and, after a few wrong guesses, now has two password attempts left. In his defense, when he received the 7,002 Bitcoin in 2011 as payment for making an animated video, the value of bitcoin was much less.

His IronKey now is in a secure location, and Mr. Thomas hopes some future cryptographers will one day crack it. I’m not sure you could outline a more severe case of pain resulting from forgetting a password.

There are ways to better secure your accounts without running the risk of locking them up “forever.”

As I’ve noted previously, I believe lawyers should be using a password manager to organize and use appropriate, complex and unique passwords for every login. I still believe that, but now there is more to consider.


You read that correctly. Passwords alone are no longer sufficient protection for the most important accounts you log in to.

Originally, it was believed that it sufficed for a user to memorize two different items, the username and password, and log in using those. But now, most websites (and people) use their email addresses for their username. This has the advantage of being something the user won’t forget and the disadvantage of being easily discoverable in most situations.

So, the password is the only remaining “secure” information in the login process.

According to some online security services, 90% of passwords can be cracked in less than six hours. That number sounds high to me, but I have little doubt about the significant risk. Today, there are powerful hacker tools that can test millions of passwords every second. Longer passwords containing characters and numbers are more time consuming to crack. And those who do not use a password manager tend to use the same password for many sites, which means when one account is cracked, the criminals may have the password for many.

So, you need another secure bit of data, another factor.


Most readers are familiar with two-factor authentication (2FA). Hopefully, you are already using this with your bank account and other financial accounts. The more accurate term is multifactor authentication, but I am going to use 2FA in this article just because it is more readable than MFA.

A common shorthand way to describe the additional factor used for 2FA is something you know, something you have or something you are (biometrics). Something we have with us almost all the time is our mobile phone. The most common method of 2FA is by SMS text messaging. When you enter your username and password into a site, the site responds by sending you a code via text message that must be entered to complete the login process. Sometimes this can be done by email, which is also not secure.

This basic form of 2FA means that even if a hacker got into the online service and pilfered all the usernames and passwords, they would still not be able to access your account because they wouldn’t have your mobile phone to receive the required code via text message.

You should already use 2FA for any financial accounts, any online shopping service you have allowed to remember your credit card number, medical portals and confidential client information. If you have social media accounts, using this method will likely mean you will never have to post, “Please do not accept any invitations from me. I’ve been hacked.”

A critical account to secure with 2FA is your Microsoft 365 account. If a hacker steals your password, it grants them the ability to send out emails pretending to be you, view and change your calendar and access all documents you have stored in OneDrive. In many ways, this is the “keys to the kingdom” hack.

But sadly, using SMS text messaging for 2FA, this simple and most common method, is no longer the best practice.

That said, I cannot stress strongly enough how much more secure SMS text messaging is than not using any method of 2FA.


Unlike end-to-end encrypted messaging, such as WhatsApp or Signal, SMS is built on an infrastructure with known security weaknesses. Apple’s iMessage is encrypted, but that only applies when transmissions are iMessage to iMessage. So, normally the code is sent via SMS and therefore not encrypted.

The risks of using SMS text messages for authentication are somewhat technical. One risk is your cell phone carrier can be scammed into giving someone else access to your codes. It is easier than one would hope to “steal” a cell phone number by transferring the account to a new device, especially if the bad actors have the number and other personally identifiable information, such as the last four digits of your social security number. A data breach at any employer could easily provide that information. Malware can be unknowingly installed on users’ phones that scans for these SMS passcodes and sends them to a wrongdoer. Interception of SMS messages is an additional risk, even if it is uncommon.

Phishing exploits can also trick people into compromising their SMS. Forbes contributor Zak Doffman profiled an Iranian SMS 2FA attack named Rampant Kitten.

Check Point warned of an SMS 2FA attack just last month, “an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more.” The “Rampant Kitten” operation, attributed to Iranian hackers, intercepted 2FA codes for otherwise secure Google and Telegram accounts. The attack was brutally simple, Check Point told me, an app pushed out to users via social engineering that asked for permission to read SMS messages.

For more in-depth technical information, refer to National Institute of Standards and Technology Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. Section, Authentication using the Public Switched Telephone Network, provides, “Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.”

PSTN is essentially the telephone network, wired and wireless.

One should secure all financial accounts properly not only to avoid today’s risks but to prepare for tomorrow’s increased risks.

Executive Summary

Using 2FA is very important. The SMS texting method is simple, even if not totally secure, although compromises of SMS seem relatively rare right now. If you have a bank or retirement account you access online, that is a vulnerability. A single compromise could cause some life-altering pain. A 2FA system that doesn’t use SMS is superior, but it is far better to use SMS 2FA than none at all.


Some well-known services provide their own 2FA method. Some already provide a method that does not involve SMS text messaging.

If you have a Facebook account, that is a good opportunity to work through setting up 2FA. Facebook has made it very simple. See the Facebook page “Login Alerts and Two-Factor Authentication.” Facebook also provides a code generator that can avoid SMS entirely. See Facebook’s “What is Code Generator and how does it work?” Facebook will only require the code when you log in from a new, different device, so it won’t impact your use in most cases.

Two methods that provide a high level of security with 2FA are authenticator apps and physical tokens.


Authenticators generate codes on your phone or mobile device.

Even if an attacker tricked your cell phone company into moving your phone number to their phone, they would not be able to get your security codes. The data needed to generate those codes remains securely on your phone. It never travels through the SMS text messaging system.

The first thing to know about authenticators is many password managers also include an authenticator service as a part of the subscription. LastPass, in particular, gets good reviews for its application.

Google Authenticator is a popular, free and well-regarded authenticator. It is available for both Android and iPhone. It can be used with a broad number of services, including those provided by Microsoft.

Most reviewers recommend Authy. But I appreciate that most Android users will likely use Google Authenticator. Similarly, firms committed to Microsoft 365 might decide to use the Microsoft Authenticator.

There are certainly many options. See Gizmodo’s “The Best Authenticator Apps for Protecting Your Accounts” and Android Authority’s “10 best two-factor authenticator apps for Android”.


I have not used physical security keys for authentication. These are currently used mainly by larger corporations. I do know you are never supposed to store the physical security key in your computer bag, and for most of us, the best option is to store it on our keyring. I also know there will be minor annoyances and major annoyances (“I left all my keys at the garage because my car is getting repaired”) when these security tools are implemented. It’s not a key you want to misplace.

You can find lots of online articles about the various physical keys and key “families.” ZDNet’s “Best Security Key in 2021” is a good starting point. Your attention is also directed to “YubiKey, Google Titan, RSA SecureID, and More: Seven Authentication Token Families Compared” from the Plurilock Blog.

At this point, I predict we will mainly see physical security keys implemented by large law firms with IT departments to support them and tech-savvy solo practitioners or small firm lawyers who find managing this type of device to be the simplest solution for those who are not fortunate enough to have an IT department.


Some services may require SMS text messaging for 2FA. One way to bypass this insecurity would be to set up a Google Voice phone number and use that for your 2FA because you can secure your Google accounts with 2FA. Then you log in to Google Voice to see the code. That method is probably too inconvenient for many frequently accessed accounts but is certainly an option for financial accounts that are not frequently accessed, like retirement accounts.


It’s time for two-factor authentication. In fact, it is past time. But 2FA will involve a few delays every day. It adds a bit more friction to your life – at least your online life. If all you want to do now is to implement SMS text messaging for your financial accounts, Microsoft 365 account and other accounts containing confidential client information, you will have made a significant improvement with your digital security.

Many will decide it is time to set up a more secure authenticator service or purchase physical security keys. The fact that many have implemented authenticators at this point should reassure you that implementation will not be overly challenging. Hopefully, this article and the sources cited in it will allow you to confidently move forward with your options for implementing 2FA more securely.

(Originally published in the March 2021 Oklahoma Bar Journal.)

Attorney@Work posted Takeaways and Tips From ABA TECHSHOW 2021 today.

I was happy to contribute, along with several legal technologists and practice management advisors. If you know me, you know I love ABA TECHSHOW. The takeaways in this feature are wide-ranging and cover a diverse set of issues. I hope it will inspire you to attend the next ABA TECHSHOW, which will be held March 2-5, 2022.

Most who take the time to read this post will find something they can put to use right now and also some items for future planning.

Lawyers are trained to consider the negative implications of anything new. When the idea of chatbots on law firm websites first surfaced, many were concerned about the potential for malpractice liability based on poor advice from a chatbot. But giving legal advice is not something your law firm would ever want a chatbot to do.

Where a chatbot can excel is assisting visitors with quickly navigating your website, routine questions or directions on how to schedule an appointment, e.g. “You mentioned bankruptcy. Our law firm’s bankruptcy resource page is Would you like to schedule an in-office or virtual appointment to meet with one of our bankruptcy lawyers? I can do that for you.” Hopefully that example shows how a bot can be valuable for the firm. Another response might be “You mentioned criminal law. Our firm does not do criminal defense. The Oklahoma Bar Association hosts a site called OklahomaFindALawyer which lets you search for lawyers doing that type of practice.”

Several lawyers in private practice who spoke at ABA TECHSHOW recently mentioned that they believed their law firms’ chatbots assisted them with getting website visitors to schedule an appointment to discuss a new matter, often using no staff time. Some law firms allow potential clients to schedule appointments right on their websites.

If your firm doesn’t offer that feature yet, the chatbot can say “Let me put you in touch with someone to schedule your appointment.” But that person will need to communicate by text. If the potential new client wanted to talk to someone on the phone, they would have placed a phone call. I also note one of the ABA TECHSHOW’s Start Up Alley Competition three winners in 2020 was a law firm intake qualification system featuring an AI-powered chatbot.

How to create a chatbot that works for you and your customers is an interesting read about one company’s development, initial failures and fine-tuning of their now-successful chatbot.

As most of you know, beginning with the March lockdown I started posting daily tips and did that for all of 2020.

The most popular tip of the year was a fairly basic tip about reformatting Word documents and it pointed out how many Word users don’t know what all of those choices and buttons they see every day actually do.

So I am sharing this one once again. Feel free to share the link below with someone you know who might need to know this.

Removing Formatting from Word Documents (April 17, 2020)

Most lawyers now appreciate that an online presence and online marketing efforts are important for client development for most law practices. Your marketing efforts typically cost both time and money. Our latest Digital Edge podcast is How to Win Clients Online for Free! Our guest is Gyi Tsakalakis, a former lawyer and the founder of AttorneySync, an online legal marketing agency that helps lawyers be where their clients are looking.


Gyi stresses that some of the best ways to gain clients won’t cost you anything but time.

Personally, I am always surprised at how many small law firms have not claimed their Google My Business Page. But Gyi has many other budget-friendly tips.

Today you need a consistent and persistent marketing effort. These tips should help.