Why aren’t law firms held accountable for violations of ethics rules that harm consumers? We often see reports that confidential client information may have been compromised by cyberattacks or security breaches involving inadequately protected data. Who’s responsible?
In most U.S. jurisdictions, only individual lawyers are disciplined for ethical violations that harm consumers. However, roughly half of lawyers practice in a law firm setting. And associates in medium-to-large firms have no influence over firm systems, such as conflicts checks, calendaring or trust accounting. If attorney regulation is aimed at protecting consumers, perhaps law firms—as well as individual lawyers—should be regulated.
This idea resurfaced during last month’s meetings of the Association of Professional Responsibility Lawyers (APRL) and related bar associations. I participated in the joint panel, “Chick’n Little, is the Sky Falling? Law Firm Entity Regulation: The End of the World or the New Order?”
Attorney regulation should protect consumers
The reality is that most U.S. jurisdictions have a reactive, complaint-based lawyer disciplinary system. Once a consumer feels her attorney did something wrong, she can complain to the bar or grievance counsel in that state, and an investigation may be triggered. Punishment may eventually be meted out to the errant attorney. But this would likely be long after the consumer was harmed.
As stated in the Preamble to the Model Rules of Professional Conduct:
“…The profession has a responsibility to assure that its regulations are conceived in the public interest and not in furtherance of parochial or self-interested concerns of the bar. Every lawyer is responsible for observance of the Rules of Professional Conduct. A lawyer should also aid in securing observance by other lawyers. Neglect of these responsibilities compromises the independence of the profession and the public interest which it serves.” (Emphasis added.)
Taking the case of confidentiality of information as an example, Rule 1.6 of the Rules of Professional Conduct states that a lawyer shall not reveal information relating to the representation of a client except in certain circumstances and must act competently to safeguard such information against unauthorized or inadvertent disclosure.
The comments explain that if unauthorized access or inadvertent disclosure occurs, a lawyer may not have violated the ethical rule if s/he made reasonable efforts to prevent the access or disclosure. And what are considered reasonable efforts of an individual attorney who may be an associate in a large firm? Shouldn’t the firm, as well as individual lawyers, have requirements to safeguard client information? That’s where entity regulation could come in.
What is entity regulation?
Entity regulation refers to regulating law firms as well as the lawyers and, possibly, others who work at the law firm. Entity regulation can be applied to a subset of entities. For example, in Australia entity regulation has been applied only to incorporated legal practices.
As I have written before, Australia, England and Wales, and parts of Canada use some form of entity regulation that supplements (but doesn’t replace) individual lawyer responsibility for ethical behavior. In England and Wales, the Legal Services Act of 2007 requires all alternative business structures (law practices that may be owned in whole or part by those who aren’t lawyers) to be regulated as entities. Entity regulation was subsequently introduced for barristers on an optional basis.
Generally, the jurisdictions that regulate entities create accountability by requiring entities to have management systems in place that ensure employees conduct themselves in an ethically and fiscally responsible manner. Each entity nominates a person or persons to be accountable on behalf of the entity for compliance with ethical legal practice and proper finance and administration of the organization.
Advantages of entity regulation
Proponents articulate five inter-related benefits to entity regulation. Entity regulation would:
- encourage regulators to spend their resources improving the management and culture of the firm, thereby preventing client harm rather than focusing on individual conduct warranting discipline after the fact;
- remove the unfairness of holding a single lawyer in the firm responsible for system failures when others in the firm, or the firm itself, could be held responsible;
- mitigate a common problem in handling complaints, i.e., identifying the lawyer to which the objectionable conduct is attributable;
- create a system whereby everyone in the firm has a stake in the firm’s compliance with high professionalism standards;
- improve the quality of legal services, or at least reduce the number of complaints.
Research in New South Wales showed that the rate of complaints for entities that completed their initial assessments was two-thirds lower than for entities that weren’t subject to entity regulation. Moreover, research showed that 71 percent of firms that completed the self-assessment process modified their firms’ policies, systems and procedures. Forty-one percent of firms reported strengthening management after the assessment process.
A regulator could impose discipline in a situation when identifying the underlying offender isn’t practical. Vicarious discipline against the legal entities themselves may create accountability for an ethical violation. Thereafter, a disciplined firm could dispense individual blame for the underlying offense if warranted by its own internal investigation.
Movement toward proactive regulation
Although no U.S. jurisdiction currently regulates entities, we may be seeing movement from reactive, discipline-based attorney regulation toward proactive management-based regulation (PMBR). The PMBR course, introduced by Jim Grogan of the Illinois ARDC at The Future is Now: Legal Services 2016 and recently instituted in Illinois, is a shining example of proactive regulation.
As of 2019, any attorney who represents at least one private client and doesn’t have professional malpractice insurance is required to take a four-hour interactive, online self-assessment course regarding the operation of their law firm. The eight modules cover topics such as protecting client information, conflicts of interest, fees, billing and trust accounts, as well as attorney wellness, civility, professionalism and diversity.
Attorneys who aren’t required to take the online assessment tool are encouraged to do so anyway. All attorneys who take the course receive free CLE credit. This approach encourages firm leaders to focus on developing systems and processes to entrench ethical conduct in firm culture.
Illinois’s attitude toward attorney regulation is progressive, and other jurisdictions may be jumping on board. For example, Colorado and New Mexico have taken steps toward more proactive attorney regulation.
Proactive regulation vs. lawyer discipline
When looking at lawyer regulation through the lens of protecting the public interest, there’s a big difference between disciplining attorneys who’ve violated an ethical rule and regulating future behavior.
Although no U.S. jurisdiction prospectively regulates law firms the current rules hold some lawyers responsible for the ethical behavior of others in the firm. Model RPC 5.1(a) provides that partners and lawyers with “comparable managerial authority” in a firm “shall make reasonable efforts to make sure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”
Managing and supervising attorneys have similar responsibilities to oversee the ethical conduct of firm personnel who aren’t lawyers under Model Rule 5.3.
Most U.S. jurisdictions, including Illinois, have adopted Model Rule 5.1. As law professor Prof. Laurel Terry of Pennsylvania State University, Dickinson Law wrote, Rule 5.1 provides a powerful tool for regulators to proactively increase client and public protection.
For example, regulators could ask on the yearly registration statement whether the attorney has obligations under Rule 5.1. A follow-up question asking whether the attorney has complied with the rule or if they’d like to access resources, linked in the document, to ensure compliance could be posed.
The courts of New York and New Jersey each adopted slightly modified versions of Rule 5.1. Those states make law firms entities (in addition to supervising attorneys) responsible for reasonable efforts to ensure all lawyers comply with the ethical rules. Thus, although New York and New Jersey law firms may be disciplined for their lawyers’ violations of the ethical rules, there have been few prosecutions of firms under those rules.
In today’s legal practice many, if not most, lawyers practice in some sort of entity setting. Regulating the entities in which lawyers practice would support the development of better systems to protect consumers. Because the purpose of regulation is to protect consumers, the time for entity regulation may have come.