ABA Information Security Committee Launches Smart Grid Working Group
On February 12, 2011, the American Bar Association Information Security Committee established the Smart Grid Privacy and Security Working Group. The working group's mission is to increase awareness among consumers, regulators, utilities, service providers and other stakeholders of the privacy and information security legal issues arising in connection with the Smart Grid. Gib Sorebo, Chief Cybersecurity Technologist at SAIC, and Boris Segalis, partner at InfoLawGroup, will co-chair the group.
Members of the ABA Information Security Committee identified a number of challenges facing the Smart Grid community. These challenges include (i) an inconsistent patchwork of legal requirements regarding the privacy and security of personal information processed in connection with the Smart Grid; (ii) immature consumer expectations regarding Smart Grid privacy; (iii) issues of government authority to access the personal information processed in connection with the Smart Grid; (iv) ownership of, and the right to control, the collection, use, disclosure and other processing of the personal information; and (v) liabilities associated with failing to adequately secure the Smart Grid.
The working group's initial tasks likely will include (i) identifying relevant Smart Grid stakeholders and mapping relevant flows of personal information; (ii) preparing a 50 state survey of laws and regulations governing the privacy and security of the personal information collected, used, disclosed or otherwise processed in the Smart Grid, and identifying legislative and regulatory gaps; and (iii) identifying and summarizing the work of government agencies and other organizations and groups that are actively engaged in thinking through Smart Grid privacy and information security issues.
Action Item: For more on privacy issues affecting the Smart Grid, please join us for a free webinar on February 24, 2011 from 12:30 to 1:30 p.m. EST. To register, please email bsegalis@infolawgroup.com.
Legal Implications of Cloud Computing -- Part Five (Ethics, or Why All Lawyers, Not Just Technogeek Lawyers Like Me, Should Care About Data Security)
So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Well, maybe not just historically. As recently as last year, I attended an ediscovery CLE where a trial lawyer announced to the audience of litigators, with great emphasis, that they would have to start talking to the "geeks" and understanding technology in order to competently handle ediscovery in almost any commercial litigation. This made the audience laugh. I have found myself on conference calls with seasoned litigators who claim that ediscovery is not their area of practice. As a more general matter, I find that lawyers believe that they do not need to concern themselves with security controls for protecting sensitive information because they are already subject to existing ethics rules and standards governing the protection of privileged information. In the meantime, lawyers everywhere, particularly solo practitioners, are singing the virtues of cloud computing solutions for case management and are casually storing client data - often unencrypted - with a third party.
Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This is true both from a legal ethics point of view and from a best practices data security point of view. The issue of ethics and the use of cloud by lawyers is not new - I recommend this piece by Jeremy Feinberg and Maura Grossman and this blog post by E. Michael Power. A few State Bar associations have opined on the subject of lawyer use of cloud computing and other technologies. This blog post does not purport to cover that entire universe. Instead, this post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients’ confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.
The ABA Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology
On September 20, 2010, the ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies issued for comment its "Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology." The Commission is seeking public comment and has set a deadline of December 15, 2010.
The Commission articulated its objective as follows:
The Commission is studying how lawyers use [certain] forms of technology as well as the current state of data security measures for each form of technology. The Commission’s efforts have been guided by the reality that information, whether in electronic or physical form, is susceptible to theft, loss, or inadvertent disclosure. The Commission’s goal is to offer recommendations and proposals regarding how lawyers should address these risks. To that end, the Commission invites comments on several confidentiality-related issues arising from lawyers’ use of technology.
The Commission's research to date, and the Issues Paper itself, focus on two categories of technology: (1) cloud computing; and (2) "technology controlled by lawyers or their employees," including devices that can store or transmit confidential electronic information, such as laptops, cell phones, flash drives, scanners, and photocopiers. The Issues Paper broadly defines "cloud computing" as "any service provided online and operated by a third party" or "services that are controlled by third-parties and accessed over the Internet." That means everything from webmail (Hotmail, Gmail, etc.) to online data storage to software as a service (SaaS), e.g., Salesforce.com.
In the information security and privacy law community, we often talk about the problem of organizations conflating "compliance" with "security." The Commission immediately recognizes this issue, noting that there is likely to be a difference between attorney use of these technologies that would be unethical and attorney use that would not be unethical but might be ill-advised from a security point of view. Some of my information security friends might be troubled by the following statement by the Commission:
the Commission recognizes that there may be a gap between technology-related security measures that are ethically required and security measures that are merely consistent with “best practices.” For example, it may be consistent with best practices to install sophisticated firewalls and various protections against malware (such as viruses and spyware), but lawyers who fail to do so or who install a more basic level of protection are not necessarily engaged in unethical conduct. Similarly, it might be inadvisable to use a cloud computing provider that does not comply with industry standards regarding encryption, but it is not necessarily unethical if a lawyer decides to do so.
As a result of this perceived distinction, the Commission is considering three non-mutually exclusive options in terms of what its work product might be: (1) white paper/guidance; (2) online resource; and/or (3) proposed amendments to the Model Rules of Professional Conduct, such as Model Rules 1.1 (competency), 1.6 (duty of confidentiality), 1.15 (safeguarding client property), or the comments to those Rules.
Thus, as a preliminary matter, it is important to recognize that many lawyers who use the cloud and other technologies may take the view that they need NOT employ security best practices or even standard, cheap and easily implemented security controls because it is technically not "unethical" for them to opt against doing so. The ABA will undoubtedly consider the consequences of this possibility in preparing its final work product.
Interestingly, the Commission also recognizes the existence of data security statutory law in a number of states that already requires lawyers and other organizations to maintain certain security controls:
The Commission recognizes that any guidance or rule amendments that it offers would have to operate within an increasingly large body of law that governs data privacy, some of which already applies to lawyers. For example, Massachusetts recently adopted a rigorous law on data privacy, . . . which applies to many lawyers and law firms (including those outside of Massachusetts) that have confidential information about Massachusetts residents.
You can read more about the Massachusetts data security regulations here.
Cloud Computing Confidentiality Issues
The ABA Commission has identified a number of confidentiality issues with respect to lawyer use of the cloud. Notably, many of these issues have existed and still exist in contexts independent of cloud, including more traditional outsourcing and use of contract lawyers and staff. It is curious that the cloud computing hype has brought these issues to the attention of the mainstream legal community for the first time. Following are the confidentiality issues identified by the ABA Issues Paper:
● unauthorized access to confidential client information by a vendor’s employees (or sub-contractors) or by outside parties (e.g., hackers) via the Internet;
● the storage of information on servers in countries with fewer legal protections for electronically stored information [for more on this subject, read on here];
● a vendor’s failure to back up data adequately;
● unclear policies regarding ownership of stored data;
● the ability to access the data using easily accessible software in the event that the lawyer terminates the relationship with the cloud computing provider or the provider changes businesses or goes out of business;
● the provider’s procedures for responding to (or when appropriate, resisting) government requests for access to information;
● policies for notifying customers of security breaches;
● policies for data destruction when a lawyer no longer wants the relevant data available or transferring the data if a client switches law firms;
● insufficient data encryption;
● the extent to which lawyers need to obtain client consent before using cloud computing services to store or transmit the client’s confidential information.
Acknowledging that cloud computing is a form of outsourcing, the Commission invites feedback on the extent to which the procedures outlined in ABA Formal Ethics Opinion 08-451 (describing a lawyer’s obligations when outsourcing work to lawyers and non-lawyers) should apply in the cloud computing context and seeks input into whether cloud computing should affect the Commission’s ongoing examination of possible amendments to Model Rule of Professional Conduct 5.3.
InfoLawGroup has written extensively about the due diligence and contract negotiation process for organizations looking to use the cloud. The Commission acknowledges that those issues are equally relevant to lawyers considering using the cloud. Specifically, the Commission seeks to determine which terms and conditions are essential for lawyers, such as:
● the ownership and physical location of stored data;
● the provider’s backup policies;
● the accessibility of stored data by the provider’s employees or sub-contractors;
● the provider’s compliance with particular state and federal laws governing data privacy (including notifications regarding security breaches);
● the format of the stored data (and whether it is compatible with software available through other providers);
● the type of data encryption; and
● policies regarding the retrieval of data upon the termination of services.
Interestingly, the Commission asks for comments on whether lawyers have an obligation to negotiate particular terms and conditions before incorporating cloud computing services into their law practices.
"Traditional" Technology Confidentiality Concerns
The ABA Commission also addresses more "traditional" technology issues in its Issues Paper.
I have heard many lawyers express shock at the notion that they might not be able to use traditional email - whether locally-hosted or cloud-based webmail - to transmit sensitive information to a client. What do you mean I can't send the HR data as an excel spreadsheet attached to an email? Lawyers assume that the attorney-client privilege has them covered. However, the confidentiality concerns related to personally identifying information (Social Security numbers, medical information, financial account information, credit card numbers) raise new concerns and lawyers cannot forget that their clients - and their employees - are entrusting them with that information with an expectation that it will be protected in accordance with the laws and standards applicable to everyone else. The ABA is starting to take notice and seems particularly concerned with mobile media in this regard:
[T]he Commission is considering whether to recommend that lawyers take certain precautions, such as:
● providing adequate physical protection for devices (e.g., laptops) or having methods for deleting data remotely in the event that a device is lost or stolen
● encouraging the use of strong passwords
● purging data from devices before they are replaced (e.g., computers, smart phones, and copiers with scanners)
● installing appropriate safeguards against malware (e.g., virus protection, spyware protection)
● installing adequate firewalls to prevent unauthorized access to locally stored data
● ensuring frequent backups of data
● updating computer operating systems to ensure that they contain the latest security protections
● configuring software and network settings to minimize security risks
● encrypting sensitive information, and identifying (and, when appropriate, eliminating) metadata from electronic documents before sending them
● avoiding “wifi hotspots” in public places as a means of transmitting confidential information (e.g., sending an email to a client)
Do Lawyers Need Cyberinsurance?
Finally, the Commission goes as far as to seek comment on whether lawyers need to be procuring cyberinsurance and/or cyber liability insurance in addition to traditional professional liability coverage: "The Commission seeks more information about cyberinsurance and cyberliability insurance, including the underwriting requirements for such insurance and whether typical professional liability policies provide inadequate coverage for technology-related claims and losses."
There is still ample time for interested persons and entities to comment on the ABA's Issues Paper - the deadline is December 15, 2010 and you can contact us for more information.
The New York State Bar Association Formal Opinion
In the meantime, on September 10, 2010, the New York State Bar Association Committee on Professional Ethics issued Opinion 842 on lawyer use of an outside online storage (i.e., cloud) provider to store client confidential information. New York reached the same conclusion as the ABA in its preliminary assessment:
A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer's obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.
(Emphasis added). What is "reasonable care"? The NYSBA finds that "reasonable care" may include "consideration" of the following:
- ensuring that the cloud provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- investigating the provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate;
- employing "available" technology to guard against reasonably foreseeable attempts to infiltrate the data; and/or
- investigating the provider's ability to purge and wipe any copies of the data and to move the data to a different host if the lawyer becomes dissatisfied or otherwise wants to change providers.
The NYSBA also points out that the lawyer must periodically reconfirm that the provider's security measures remain effective as technology changes. Further, and not surprisingly, the NYSBA states that if the lawyer has information to suggest that the provider's security measures are no longer adequate, or if the lawyer learns of a breach of confidentiality at the provider, the lawyer must investigate whether there has been a breach of confidentiality of its client information, must notify clients, and must discontinue use of the service unless the lawyer receives assurances that the problems have been sufficiently remediated. This sounds a lot like the first ever mandated breach notice requirement for attorney-client privileged information.
Importantly and interestingly, in the hypothetical addressed by the NYSBA, the online system is password protected AND the data stored is encrypted. Many, if not most, cloud solutions do not encrypt the data and rely on the user to do so himself or herself. Query how the NYSBA would change its opinion in the absence of encryption.
The NYSBA also states that lawyers using cloud services must monitor not only changes in technology, but changes in the law relating to technology, citing recent cases like Quon and Stengart.
I am ready to bet that many lawyers already using the cloud (a) do not encrypt their data; (b) have not investigated their cloud provider's security measures; and/or (c) do not have a contractual provision requiring the cloud provider to notify them in the event of a data breach. The NYSBA opinion should be a wake-up call to those lawyers to address these issues immediately. Many will be lucky if they even have the ability to retrieve their information and transfer it to a different provider with better security measures without incurring significant cost and burden.
California State Bar Standing Committee on Professional Responsibility and Conduct Proposed Formal Opinion Interim No. 08-0002 (Confidentiality and Technology)
The California State Bar Standing Committee on Professional Responsibility and Conduct (COPRAC) Proposed Formal Opinion Interim No. 08-0002 (Confidentiality and Technology), while still not final, also speaks to lawyer use of the cloud.
The procedural history, and time that has already been devoted to this Proposed Opinion, demonstrates the difficulty that Bar associations face in keeping up with technology and technology law. COPRAC tentatively approved the Proposed Opinion at its September 10, 2009 meeting, more than a year ago, for a 90‑day public comment distribution with a January 4, 2010 deadline. Subsequently, at its August 6 & 7, 2010 meeting, COPRAC revised the opinion in response to the public comments received and tentatively approved Formal Opinion Interim No. 08-0002 for an additional 30-day public comment distribution. The most recent comment period closed on September 20, 2010.
The Proposed Opinion examines whether an attorney violates the duties of confidentiality and competence he or she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties. (Thus the question presented is somewhat more broad than the question addressed in the NYSBA opinion, which only looked at storage of encrypted data.) Relying on Rules 3-100 and 3-110 of the Rules of Professional Conduct of the State Bar of California, as well as Cal. Bus. & Prof. Code section 6068(e)(1), the Proposed Opinion says - well, "it depends."
Specifically, the Proposed Opinion finds that the answer depends on the particular technology being used and the circumstances surrounding such use. Thus,
Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.
It is a safe bet that most lawyers using the cloud today have never undertaken such a risk assessment.
The hypothetical scenario addressed by the CA Proposed Opinion is also fascinating in that lawyers do it every day and the conduct implicates security concerns beyond cloud computing - specifically, use of public wifi:
Attorney is an associate at a law firm that provides a laptop computer for his use on client and firm matters and which includes software necessary to his practice. As the firm informed Attorney when it hired him, the computer is subject to the law firm’s access as a matter of course for routine maintenance and also for monitoring to ensure that the computer and software are not used in violation of the law firm’s computer and Internet-use policy. Unauthorized access by employees or unauthorized use of the data obtained during the course of such maintenance or monitoring is expressly prohibited. Attorney’s supervisor is also permitted access to Attorney’s computer to review the substance of his work and related communications.
Client has asked for Attorney’s advice on a matter. Attorney takes his laptop computer to the local coffee shop and accesses a public wireless Internet connection to conduct legal research on the matter and email Client. He also takes the laptop computer home to conduct the research and email Client from his personal wireless system.
The CA Bar, not unlike the NYSBA, enumerates a number of factors attorneys should consider before using particular technology, as follows:
- The attorney's ability to assess the level of security afforded by the technology, including:
- consideration of how the particular technology differs from other media use;
- whether reasonable precautions may be taken when using the technology to increase the level of security; and
- limitations on who is permitted to monitor the use of the technology, to what extent and on what grounds.
It is worth pausing here to note, as does the CA Bar in its Proposed Opinion, that many such reasonable precautions, such as encryption, firewalls, and password protection, are free or inexpensive and easily implemented:
encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous. . . . if an attorney can readily employ encryption when using public wireless connections and has enabled his or her personal firewall, the risks of unauthorized access may be significantly reduced. Both of these tools are readily available and relatively inexpensive, and may already be built into the operating system. Likewise, activating password protection features on mobile devices, such as laptops and PDAs, presently helps protect against access to confidential client information by a third party if the device is lost, stolen or left unattended.
Some free encryption services out there include Secret 1-2-3 for Outlook email, and TrueCrypt for disk encryption.
The Proposed Opinion also goes out of its way to admonish attorneys who are not comfortable with technology to get assistance from others who are conversant with technology and technology law:
Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.
(Emphasis added.)
But I digress. Back to the list of factors the CA Bar proposes attorneys should consider before using various technologies:
- Legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person's electronic information.
- The degree of sensitivity of the information. If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent.
- Possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including possible waiver of the privileges.
- "The urgency of the situation. If use of the technology is necessary to address an imminent situation or exigent circumstances and other alternatives are not reasonably available, it may be reasonable in limited cases for the attorney to do so without taking additional precautions."
- Client instructions - if a client has instructed an attorney not to use certain technology or an attorney is aware that others have access to the client's electronic devices or accounts and may intercept or be exposed to confidential client information, then such technology should not be used in the course of the representation.
It seems unlikely that most attorneys today have a provision in their engagement letters that describes "the nature of the information to be transmitted with the technology, the purpose of the transmission and use of the information, the benefits and detriments that may result from transmission (both legal and nonlegal)." Query whether it is even possible to obtain such informed consent in the initial engagement letter given the rapid changes in technology and security risks. Does this mean that the attorney must email the client to obtain consent each time he/she logs in at a hotel or at Starbucks? What about BlackBerry and iPhone use?
Like the NYSBA, the CA Bar is not merely concerned with privilege - it also proposes requiring assessment of the impact of disclosure of non-privileged but still confidential information, something lawyers rarely consider: "[h]arm from waiver of attorney-client privilege is possible depending on if and how the information is used, but harm from disclosure of confidential client information may be immediate as it does not necessarily depend on use or admissibility of the information, including as it does matters which would be embarrassing or would likely be detrimental to the client if disclosed."
So, how does the CA Bar answer the hypothetical question about the associate's use of wifi in the coffee shop and/or at home? The answer may surprise you:
- wifi in the coffee shop (or at a hotel or in the airport, etc.) is off limits unless the attorney uses security measures and/or notifies the client and obtains informed consent:
"due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection . . . to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall." The Proposed Opinion provides a non-exhaustive list of local security features available for use on individual computers (operating system firewalls, antivirus and antispam software, secure username and password combinations, and file permissions) as well as network safeguards that may be employed (network firewalls, network access controls such as virtual private networks (VPNs), inspection and monitoring).
But that's not all the Bar thinks would be required in some (unidentified) circumstances: "Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so."
And the Bar is quick to note its belief that client files stored on a computer may be at risk, regardless of whether the attorney has a file open, whenever the attorney is using an unsecured network connection without a firewall.
- wifi at home is fine IF the wireless system has been configured with appropriate security features - otherwise, notice and client informed consent may be necessary.
So, at least according to the ABA, the NYSBA and the CA Bar, cloud computing and technology are no longer just for us technogeek lawyers. That's enough ethics and cloud for now (and probably for the month, right?). More to come soon.
Upcoming Events
The attorneys of InfoLawGroup have been very busy this summer, and August is no exception. In addition to our regular day-to-day work, we will (somehow) find the time to attend some great events in August. If you will be in San Francisco and/or Seattle later this month, please join us, we would love to see you:
- Later this week, August 5 and 6, all of us will be in San Francisco for, among other things, the meetings of the Information Security Committee of the Science and Technology Law Section at this year's American Bar Association Annual Meeting. We look forward to some great presentations, including "Breaking Down Walls: The Confluence of Security, Privacy and Law," one of our favorite subjects, moderated by our friend Peter McLaughlin of Foley & Lardner and featuring John Tomaszewski of TRUSTe and Bob West, CEO of Echelon One, LLC.
- In a couple of weeks, InfoLawGroup will be in Seattle for the pii2010 - privacy identity innovation conference. Taking place August 17-19 during "Seattle Geek Week," pii2010 will explore how emerging technologies and business models are impacting the way data is created, shared and aggregated, and how to strike a balance between protecting sensitive information and enabling innovation. Areas of focus will include:
- Effective approaches for building online trust with users
- Ways in which user preferences and social norms are shifting
- Changes in the regulatory landscape, in the U.S. and internationally
- The role of anonymity and the future of reputation management on the Web
- The latest developments in user-centric identity management
In addition, pii2010 will serve as the official launch pad for pii Labs, an open forum for brainstorming and collaborating, taking place at the Space Needle building on August 19. For more information and to register, visit http://pii2010.com. Speakers will include Michelle Dennedy of Oracle, Jim Reavis of the Cloud Security Alliance, and Chris Hoofnagle of Berkeley's Center for Law & Technology and the Samuelson Law, Technology & Public Policy Clinic. We expect this to be a great event. I will be blogging on location at pii2010, so keep an eye out for that.
Best wishes to all for a wonderful August!
Physicians Seek Relief On Eve of FTC's Red Flags Enforcement Deadline
As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.)
Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.
The Definitions of "Creditor" and "Credit"
"Creditor" and "credit" are defined terms under the FACTA Red Flags Rule. The Fair and Accurate Credit Transactions Act (FACTA) (15 U.S.C. § 1681a(r)(5)) incorporates by reference the definitions of "creditor" and "credit" found in the Equal Credit Opportunity Act (ECOA). The ECOA defines "creditor" as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. § 1691a(e). The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." 15 U.S.C. § 1691a(d).
The FTC's Position
As noted in the AMA complaint, the FTC's position on the application of the Red Flags Rule to physicians (and to attorneys) was first spelled out on April 30, 2009 in a footnote of its "Extended Enforcement Policy: Identity Theft Red Flags Rule":
In FACTA, Congress imported the definition of creditor from the [ECOA] for purposes of the [FCRA]. This definition covers all entities that regularly permit deferred payments for goods or services. The definition thus has a broad scope and may include entities that have not in the past considered themselves to be creditors. For example, creditors under the ECOA include professionals, such as lawyers or health care providers, who bill their clients after services are rendered.
(Emphasis added.)
In May 2009, the FTC published another document on its website entitled "The 'Red Flags' Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft." That document stated as follows:
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.
In a press release dated July 29, 2009, the FTC referenced a document that provided answers to frequently asked questions (FAQs), which reiterated its position that attorneys and health care providers are required to comply with the Red Flags Rule when their billing arrangements qualify them as creditors under FACTA and the ECOA:
the definition of "creditor" is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.
The AMA's Position
The AMA argues that physicians are not creditors under the Rule and that the practice of allowing deferred payment by patients, particularly in emergency circumstances, serves a number of purposes unique to the profession:
. . . The practice of not demanding payment at the time care is provided serves several purposes. It gives a benefit to patients who are often under stress when receiving care. It underscores that the physician has a fiduciary relationship with the patient and thereby furthers the patient-physician relationship. Where the patient is insured, the practice enables the insurer to determine what portion of the bill is covered and what amount should be billed to the patient. Because the amount that the patient will owe the physician is not certain at the time that services are provided, the physician does not defer payment of a “debt” by billing after the patient is treated. In many cases, a physician is not entitled to bill patients immediately upon providing services under contracts with health insurance carriers.
Physicians also provide emergency medical care to patients whose identifying information may be unknown to them and who may even be unconscious. In some emergency situations, which may occur for certain physicians on a regular basis, there is no practical way for the physician to bill for his or her services at the time of those services. Further, it would violate the norms of human decency, not to mention principles of ethical conduct . . . , for a physician to demand payment at the time of service in such situations. Indeed, federal law requires a physician to provide services to a patient in an emergency condition without regard to the patient’s ability to pay. See 42 U.S.C. § 1395dd.
The AMA further argues that the Red Flags Rule would interfere with the patient-physician relationship and a physician's ethical responsibilities:
the FTC’s attempt to impose a duty upon physicians to investigate each patient’s identity in advance of treatment conflicts with basic precepts concerning the patient-physician relationship and physicians’ ethical responsibilities to safeguard that relationship. “From ancient times, physicians have recognized that the health and well-being of patients depends upon a collaborative effort between physician and patient.... The patient-physician relationship is of greatest benefit to patients when they bring medical problems to the attention of their physicians in a timely fashion, provide information about their medical condition to the best of their ability, and work with their physicians in a mutually respectful alliance.” AMA, Ethical Opinion 10.01 (“Fundamental Elements of the Patient-Physician Relationship”). Because the success of diagnosis and treatment depends on patients’ willingness to divulge often private and highly sensitive information to their physicians, the patient-physician relationship “is based on trust and gives rise to physicians’ ethical obligations to place patients’ welfare above their own self-interest and above obligations to other groups, and to advocate for their patients’ welfare.” AMA, Ethical Opinion 10.015 (“The Patient-Physician Relationship”). Contrary to these obligations, the FTC requires physicians to approach each new patient with skepticism concerning his or her identity. As a result, the FTC’s Extended Enforcement Policy compromises physicians’ ability to gain new patients’ trust, which is essential to the well-being of patients.
Finally, the AMA argues that, when Congress intends to regulate the practice of medicine, it does so expressly (e.g., in enacting the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)).
The Court's Analysis in ABA v. FTC
Naturally, the analysis of the District Court in ABA v. FTC (currently on appeal) is of interest here. In that case, the court applied the test for review of agency action set forth in Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), and concluded that the FTC's actions violated the Administrative Procedure Act and must be rejected "because the Red Flags Rule cannot be properly applied to attorneys in the overly broad manner in which the Commission seeks to enforce it."
First, the court found that "it was not 'the unambiguously expressed intent of Congress,' Chevron, 467 U.S. at 842-43, to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule." Footnote 9 of the court's decision, while dicta, is particularly interesting for purposes of the new AMA lawsuit. There, the court rejected the FTC's reliance on a particular Sixth Circuit case regarding medical providers:
The Court is not persuaded that the Commission's reliance on Barney v. Holzer Clinic, Ltd., 110 F.3d 1207 (6th Cir. 1997), is sound given that the Sixth Circuit expressly refused to address the question of whether a medical services provider was a creditor under ECO Act, id. at 1209 . . . and made findings to the contrary, id. at 1211 ("The provision of medical treatment under this program is not a credit transaction, either under the technical language of the ECO[ Act] or in the more common sense of the term, any more than is a court-appointed attorney's agreement to represent an indigent defendant.").
(Emphasis added.)
The court also rejected the FTC's reliance on the Federal Reserve Board's staff notes to Regulation B (which state that, if a doctor or lawyer allows the client or customer to defer the payment of a bill, that deferral of debt is credit for purposes of the “incidental credit” regulation, even though there is no finance charge and no agreement for payment in installments). The court did so "because those interpretations were made in a context totally unrelated to identity theft, and therefore the Court is not convinced that it is proper to presume that Congress intended to adopt the Regulation B interpretations when it enacted the FACT Act. Accordingly then, absent any legislative history showing that the Federal Reserve Board's staff's interpretation of Regulation B was actually considered by Congress when enacting the FACT Act, and given that the purposes of the FACT Act and Regulation B do not square with one another, the Court cannot draw the inference the Commission urges."
The court also noted that monthly billing by lawyers is driven by practical considerations: "Invoicing clients for services previously rendered, instead of demanding immediate payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."
Although the court resolved the issue under the first prong of Chevron, it went on to determine that, "even if [it] were to reach question two of Chevron by finding that the FACT Act did not foreclose the Commission's regulation of attorneys, it would still find that the Commission's interpretation of the FACT Act and its resulting application of the Red Flags Rule to attorneys is unreasonable and therefore undeserving of deference."
In its Chevron prong two discussion, the court took issue with the FTC's interpretation of what it means to "defer" payment, again noting the practicality of monthly billing by lawyers:
To invoice client at the end of each month is not delaying payment or giving a client a right to postpone payment. As a practical matter in the legal context, legal services are not the type of services that can in many instances be billed and payment received simultaneously with the occurrence of the services, as can be done, for example, when one's furnace is repaired or catering services are provided for a wedding. . . . And as a practical matter, it would be unreasonable to expect attorneys to bill for services in any manner other than periodically, especially given the frequent unanticipated services attorneys have to perform for their clients or the practical reality that clients may lack the ability to immediately access funds when legal services unexpectedly have to be performed without delay. Not only would immediate billing and collection of fees and expenses be impractical, considering the unique nature of the practice of law, but contrary to the Commission's position, conducting a legal practice in that manner would be extremely costly and time consuming. It does not take much imagination to appreciate the added cost and burden attorneys would incur if they were required to immediately calculate, bill and collect their fees after each task is performed or else run afoul of the Commission's construction of the FACT Act through its adoption of the Red Flags Rule.
Query whether the same analysis should apply to physicians. We shall see.
So, Must Physicians Comply with the Red Flags Rule by June 1?
Yes, for now. Indeed, the BNA Privacy and Security Law Report reports that, pending resolution of the litigation, the AMA has encouraged physicians to comply with the rule, using online resources provided by the AMA.
Thoughts from the RSA Conference
As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes:
- We all need to work together, and we can. Legal, Information Security, Privacy, Compliance, IT, and the affected business units. Now more than ever, it is essential that ALL the stakeholders join forces, as early as possible, to address security and privacy risks, assess and vet business deals, and put in place appropriate procedures - RFPs, due diligence, contract negotiation - to address the risks.
- Cloud, cloud, cloud, yada, yada, yada. Hold up - the technology is not new - but usage and the business model have changed dramatically. I have been having this argument with my information security and technology friends for months. OK, I get it. "Cloud" technology in some form or another has been around for 30 or 40 years. What is new is the massive scale, availability and changes in usage and the business model - in part driven by the economics. Guess what? Those business model changes make the legal risks even more pervasive. Going back to (1) above, all of the stakeholders need to be in the room (or on the phone or videoconference) discussing the issues BEFORE the decision is made to enter into a cloud arrangement. ANY cloud arrangement. Not after the RFP is issued. Not after IS does its due diligence. Not after the contract negotiations have begun. And not after the contract is inked. The same due diligence and attention to risks that would apply in a traditional outsourcing/offshoring relationship must be applied here, too. The cost savings are illusory if the short-term and/or long-term risks are significant. Think about the kind of data at issue. What are the risks? Evidence preservation, data security, breach response, enforcement rights, indemnification. And before we even get to those - can the data be transferred across borders in the first place? Think about it early. And then talk about it before decisions are made.
- Privacy is the next frontier in Information Security. Wait, what? I have to admit that my initial reaction to this was - seriously? Privacy regulations have been here for some time. That's true, and the privacy profession has been growing for the last 10-15 years. But the privacy profession is in its infancy as compared to information security and IT. Why is the privacy profession growing? In part because the regulatory environment has exploded. But Information Security and Privacy care about the same thing -- data management and governance. We can help each other find creative solutions to mitigate risk.
- The regulatory scheme is becoming more complex, at breakneck speed. What regulations do information security professionals and the businesses they serve need to understand and address? Many - international, federal, state, and local. And things are changing constantly. Just this week the Massachusetts data security regulations became effective. And last week the FTC filed its notice of appeal of the District Court's ruling that the FTC cannot apply the Red Flags Rule to attorneys.
Information Security and Privacy, together with Legal, should consider all potentially applicable laws in evaluating security risks. What are those laws? Well, depending on your industry, and where your customers and employees reside, a few, but not all, might include FTCA, GLBA, HIPAA (including the HITECH Act), state data security laws (such as the new Massachusetts data security regulations and Nevada's encryption and PCI law), Sarbanes-Oxley, Red Flags Rule, FACTA Disposal Rule, ECPA, E-Sign, FERPA, the Federal Rules of Civil Procedure and Evidence, the PATRIOT Act, PIPEDA, the EU Data Protection Directive, EU member country laws, other foreign laws across the globe, state breach notification laws, and Social Security number protection statutes. But there are many more. And that's not even getting into contractual standards such as PCI-DSS.
- Lawyers need to embrace technology. I was fortunate enough to attend a CLE last week, pre-RSA, hosted by the Entertainment Law and Intellectual Property Section of the Los Angeles County Bar Association. Roland Trope, who moderated the panel on social networking issues, raised a tremendously important question: Are lawyers "competent" if they do not keep track of, and understand, changes in technology? The ABA is considering changes to the Model Rules of Professional Conduct to address this question. Some take the position that no changes are necessary and that the requirement can be read into the existing Rules. In any event, what better place than RSA to reflect on that question and the future of the legal profession and its relationship with technology.
That's it for now - back to work, and preparing for my next cloud presentation tomorrow. In the meantime, I encourage our readers - the lawyers, the information security professionals, and the privacy professionals - to weigh in.