Seattle-based Perkins Coie is a law firm darling of the high tech industry. It's also the 14th largest US firm by attorney headcount and ranks #42 on American Lawyer's 100 list of top grossing law firms. Hard-hitting firms are careful to avoid revealing client information, since doing so could be considered a breach of professional ethics. Recently, however, Perkins Coie inadvertently left enough of a trail to essentially out its own client as having been under investigation by the Federal Trade Commission.
Back in January, ACLU Principal Technologist Christopher Soghoian—a privacy researcher and activist who worked at the FTC between 2009 and 2010—noticed a line in one of the attorney bios on the website of the law firm Perkins Coie.
"Represented cloud computing provider in Federal Trade Commission investigation under Section 5 of the FTC Act regarding security practices for mobile access to cloud computing service," the bio said. "Investigation closed."
Section 5 of the FTC Act is the section prohibiting unfair or deceptive acts or practices in or affecting commerce. Soghoian, curious as to which cloud computing company had been the subject of such an investigation, recalled that Dropbox is one of Perkins Coie's clients and did a little deduction. "Tech reporters might want to call Dropbox and ask them if they've been investigated by the FTC," he tweeted.
As it turns out, Dropbox was not the company being referenced. It was actually one of Dropbox's competitors, Box.com, according to a partially redacted response to a Freedom of Information Act (FOIA) request.
Perkins Coie represented Box after it received a civil investigative demand in 2013, requiring it to provide specific details about its privacy policies and the ways it secures personal information. The investigation focused on security practices for mobile access to cloud computing. According to Box, the investigation was based on outdated research and all issues had been fixed by Box's internal security team prior to being contacted by the FTC.
Box was found not to have been responsible for any wrongdoing and the investigation was closed without incident. But Soghoian's tweet shows how, increasingly, a law firm's promotional materials on the internet can be used to triangulate and find information that companies may not want exposed. Even if the client's name is left out, the anonymous details on a partner's profile can start a breadcrumb trail sufficient for interested members of the public to follow back to the client—and reveal information the client would likely want kept confidential.
This is particularly true when the anonymous details pertain to an investigation by a federal agency, in which case data is available to the public with a simple FOIA request.
When a company enters into an agreement with an attorney, it usually expects confidentiality to be of utmost importance. "Virtually every state—the exception being California—has adopted the American Bar Association's Model Rules of Professional Conduct. And one of those rules, rule 1.6, states that a lawyer shall not reveal any information relating to the representation of a client unless certain exceptions apply, one of them being client consent," said legal ethics lawyer Michael Downey. (The state of California follows Rule 3-100, a similar rule protecting client confidentiality.)
Downey is quick to point out that the burden is on attorneys to make sure they aren't revealing information that could possibly be used to link clients with attorneys and investigations without client consent. "The lawyers have the obligation to make sure people don't figure it out," he told Motherboard. "They can't just say 'we tried to make it vague and it wasn't good enough.'" Although it's permissible to discuss clients in hypothetical situations, law firms or their marketing departments don't always realize how seemingly vague information could reveal more than intended to industry insiders. If there's any risk at all, Downey recommends obtaining client permission.
While boasting about representing a specific type of company under investigation by a specific governmental entity may help promote business, this comes at a price: it leaves a trail for journalists, citizen reporters, investors, and even competitors to follow.
In 2009, the business litigation and arbitration law firm Quinn Emanuel Urquhart Oliver & Hedges printed a brochure revealing a $65 million settlement between Facebook and ConnectU. In 2007 and 2008, Kristine Ann Peshek, an assistant public defender in Illinois, wrote a blog in which she identified her clients by their first names, derivatives of their first names, or their jail identification numbers. (She also failed to disclose a false statement made by a client during the course of a guilty plea, which she'd also detailed in her blog.) The Illinois Supreme Court suspended her for 60 days and she also lost her job, which she'd held for 19 years.
Then there's the threat of social media. In 2013, JK Rowling's attorney Chris Gossage was fined £1,000 after he revealed her pen name to his wife's best friend, who spilled the beans to a journalist over Twitter. (And sometimes it's the clients themselves—or their children—who reveal the information online, rather than the attorneys, like when an $80,000 settlement was overturned last year after the confidential details were posted by a litigant's daughter.)
Downey believes that content marketing and improved search engines could create issues for attorneys in the future. "Content marketing is encouraging lawyers to talk about matters they've handled, and so the natural inclination is to give more information about what we've done and in doing so we create that risk that someone's going to be able to piece it together, and there's a lot more corporate intelligence going on where people are tracking this stuff," he said. That's because there are services that make it easy to find out which companies were represented by which firm in court, and those records can be easily cross-referenced with information from law firms' websites.
It's not just law firms that are vulnerable to making errors while maintaining an online presence. Businesses of all stripes as well as low-level workers regularly feel the sting of oversharing and social media gaffes gone viral. Screenshots and archives can give even the most hastily deleted or quickly corrected website errors prolonged exposure. While these efforts can be done for good—leading to exposure of wrongdoing, for example—many situations aren't as clear cut.
If curious outsiders use a piecemeal investigative approach, they may come to inaccurate conclusions. For example, people may infer that the FTC targeted a company because its security practices were inadequate. In fact, an inquiry by the FTC can determine exactly the opposite, not leading to any enforcement action—as appears to be the case with Box.
Perkins Coie attorney Todd M. Hinnen, the Privacy & Security practice partner who co-represented Box in the FTC investigation, told me that he believed that the information was confidential and improperly disclosed by the FTC, and that the appropriate protection would be for the FTC to not expose the identities of companies who are subject to investigation unless the FTC takes enforcement action against the company or enters a consent decree with them.
"It is correct that the information about ongoing investigations is protected. However, once an investigation has been closed, then the type of information you received from us is not protected. This is information that was properly disclosed," said FTC Deputy Director of Public Affairs Peter Kaplan. Although the FTC does not issue a press release if no enforcement action is taken, some information is still available for closed investigations through public records requests. This information is limited, and only includes facts of the investigation. Anything that a company produces to the FTC, such as documents, is protected.
The FTC can redact information from public records requests for a variety of reasons, one of which is to avoid sharing trade secrets or confidential business information. Of the 53 responsive records in this specific FOIA request, 49 pages or portions of 49 pages were redacted for various reasons, in part because they constituted commercial or financial information.
Hinnen further stated that they plan to express their concern about the disclosure of their client's identification and communications with the FTC and, based on the feedback from them, they would evaluate their practices.
He was quick to point out that it's common for websites to mention individual attorneys' experience in representing clients to the FTC. "There's no more of a trail in saying we represented a cloud provider than if we said we represented a technology company and you followed up with a FOIA request and they identified a file. I think you would find that line in the bio of just about every privacy practitioner who practices in front of the FTC," Hinnen said.
It's true that descriptive language is common on personal profiles of partners on law firm websites. "The reason to do that is to show prospective clients that they're in the big leagues; that they're representing other big companies like them," said Soghoian.
"One of the things that's going on here is that law firms are being told, 'if you want to get clients, you have to show that you have precise expertise in this type of matter.' So what they're trying to do is really emphasize that expertise," said Downey.
But alluding to specific investigations in marketing materials has the potential to undermine clients' wishes for confidentiality, and even lead to financial damage if the company is public and vulnerable to share price and market value fluctuations, Downey said.
Downey predicts that law firms disclosing too much information without client permission could learn this lesson the hard way. "Law firms, particularly law firms that represent big clients, frankly are going to lose clients over it in addition to embarrassing clients and they're going to learn that the obligations of client confidentiality extend to their marketing," he said. "If you want to be known as a good lawyer, it's far better to be known as the lawyer who never discloses client secrets than as someone who discloses secrets for their own benefit."