WSR 24-01-046

RULES OF COURT

STATE SUPREME COURT

[December 7, 2023]

The Mandatory Continuing Legal Education Board, having recommended the suggested amendments to APR 11—Mandatory Continuing Legal Education (MCLE), and the Court having approved the suggested amendments for publication;

Now, therefore, it is hereby

(a) That pursuant to the provisions of GR 9(g), the suggested amendments as shown below are to be published for comment in the Washington Reports, Washington Register, Washington State Bar Association and Administrative Office of the Court's websites in January 2024.

(b) The purpose statement as required by GR 9(e) is published solely for the information of the Bench, Bar and other interested parties.

(c) Comments are to be submitted to the Clerk of the Supreme Court by either U.S. Mail or Internet E-Mail by no later than April 30, 2024. Comments may be sent to the following addresses: P.O. Box 40929, Olympia, Washington 98504-0929, or supreme@courts.wa.gov. Comments submitted by e-mail message must be limited to 1500 words.

dated at Olympia, Washington this 7th day of December, 2023.

Mandatory Continuing Legal Education (MCLE) Board

Staff Liaison/Contact:

Bobby Henry, Associate Director for Regulatory Services

Washington State Bar Association (WSBA)

1325 Fourth Avenue, Suite 600

Seattle, WA 98101-2539

206-727-8227

Efrem Krisher, Chair

MCLE Board

c/o Washington State Bar Association (WSBA)

1325 Fourth Avenue, Suite 600

Seattle, WA 98101-2539

The Mandatory Continuing Legal Education (MCLE) Board is suggesting amendments to rule 11 of the Admission and Practice Rules (APR). The purposes of the suggested amendments to APR 11 are to:

The suggested amendments do NOT increase the total number of credits required for a reporting period. Nor do they dilute the ethics and professional responsibility ("ethics") or law and legal procedure requirements.

The suggested amendments reduce the ethics requirement to five credits, because the one credit requirement for "equity" will become its own category as opposed to a subcategory of ethics as currently provided for in APR 11. Although "equity" will be a separate category for credit count and compliance, the definition of "equity" remains unchanged. Creating a separate "equity" category will make it easier for licensed legal professionals and WSBA staff both to understand that there is a one credit "equity" requirement each reporting period and to track compliance with the "equity" requirement. Therefore, although the suggested amendments will technically reduce the ethics requirement to five credits, there remain essentially six ethics credits required because "equity" will still be a required credit category.

The MCLE Board puts forth these suggested amendments to ensure each lawyer, limited license legal technician (LLLT), and limited practice officer (LPO) focuses on mental health and technology security topics (in addition to "equity" topics) at least once every three years. These are serious topics that can greatly impact a licensed legal professional's competency and ability to practice law and, if ignored, could result in serious consequences to the licensed legal professional, the client, the administration of justice, and the integrity of the legal profession. The proposed requirements, therefore, are primarily directed toward the protection of clients and the public, improving the competency of licensed legal professionals, and, ultimately, improving and preserving the integrity of the legal community as a whole.

One of the duties of the MCLE Board is to review and suggest amendments to APR 11 as necessary to fulfill the purpose of MCLE and for the efficient administration of these rules. APR 11 (d)(2)(i). Accordingly, in the Autumn of 2022, the MCLE Board appointed a committee to study and make recommendations regarding any subject areas that should be required learning for licensed legal professionals in Washington state. Following months of meetings, discussion, and research, the committee recommended two subject areas—mental health ethics and technology security ethics. Notably, the committee initially recommended the subject areas be focused on ethical considerations related to the two subjects.

In the Spring of 2023, the MCLE Board sought public comment on its proposal. Nearly 1,000 WSBA members responded to the survey with approximately 670 comments. Approximately 2/3 of members responding to the survey were opposed to the amendments and 1/3 were in support. Amongst the many reasons given for opposing the amendments were three in particular that the MCLE Board addressed:

(1) it would be too difficult to find presenters qualified to talk about both the proposed subject matters and the related ethical considerations which would likely result in a very limited number of qualifying topics and course offerings;

(2) it would be difficult for licensed legal professionals to find ethics CLEs specifically on the two proposed subjects noting that ethics credits are already the most difficult to complete; and

(3) it would be complicated and difficult for licensed legal professionals to track compliance with several subcategories of ethics in addition to the other requirements in APR 11.

In light of these comments, at its meeting on June 16, 2023, the MCLE Board decided to untie those proposed subjects from professional ethics. In addition, the MCLE Board decided to create separate credit categories for the subjects to increase the breadth of discussion of those important topics and availability of course offerings while making it easier for licensed legal professionals to track their compliance. The MCLE Board, at a special meeting on June 14, 2023, approved the final language for the suggested amendments.

The MCLE Board then sought support from the WSBA Board of Governors which added the topic to its agenda for the WSBA Board of Governors meeting on August 11, 2023. Following a presentation by the MCLE Board and a discussion among governors, the WSBA Board of Governors voted on each of the two new subjects individually. In a vote of 6-5, the Board of Governors voted to support the stand-alone mental health requirement. However, in a vote of 4-6-1, the Board of Governors voted against supporting the stand-alone technology security requirement. The MCLE Board met on August 13, 2023, and decided to submit the suggested amendments to the Court without further changes.

The MCLE Board presents the following as important factors in support of the suggested amendment for a new requirement for all licensed legal professionals to complete one credit each reporting period in technology security for the protection of electronic data and communication.

Legal professionals have an ethical and common law duty to take competent and reasonable measures to safeguard client information. They also have contractual and regulatory duties to protect confidential information. Rules 1.1, 1.3, and 1.4 of the Rules of Professional Conduct (RPC) address lawyers' core ethical duties of competence, diligence, and communication with their clients. Possessing technological knowledge to safeguard client information as a fundamental requirement is explained in comment eight to RPC 1.1 which states that in order for legal professionals to, "[m]aintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practices, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject." (Emphasis added.) With the advent of the global pandemic and an increasing number of legal professionals practicing "virtually," it is imperative that lawyers, and all legal professionals, stay cognizant of their ethical responsibilities.1

With each passing year, cybercrimes become more rampant and cyber insecurity results in increasingly costly and catastrophic events. "The rate of global weekly cyberattacks rose by 7% in the first financial quarter of 2023 compared with the same period in 2022" with an average 1,248 attacks per week and one of out of every 40 of those targeting a law firm or insurance provider.2 "More than a quarter of law firms in a 2022 American Bar Association survey said they had experienced a data breach, up 2% from the previous year."3 Electronic security breaches today are now so prevalent, that the question is not if, but when, it will happen. The Federal Bureau of Investigation Internet Crime Compliant Center ("IC3") received 847,376 complaints relating to extortion, identity theft, and personal data breaches representing potential losses exceeding $6.9 billion in 2021.4 The IC3 receives an average of over 2,300 cybercrime complaints each day, with over 6.5 million complaints since the IC3's inception in 2000.5 Washington state is ranked as the 9th highest state where internet crime victims reside.6 Washington state victims reported losing $157,454,331 in 2021 as a result of internet crimes.7

In 2021, the IC3 received 19,954 compromised business email complaints resulting in adjusted losses at nearly $2.4 billion.8 The cybercrimes involved sophisticated scams targeting businesses, including law firms, and individuals, such as law firm clients, performing monetary transfers. Criminals will hack emails and spoof business representatives' credentials to initiate fraudulent wire transfers.

Law firms are being specifically targeted. Such targeted attacks have become so frequent that the State Bar of Texas maintains an updated list on their blog notifying attorneys of recent scams.9

Additionally, back in October of 2018 the American Bar Association warned,

Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers. In one highly publicized incident, hackers infiltrated the computer networks at some of the country's most well-known law firms, likely looking for confidential information to exploit through insider trading schemes.10

The IC3 report details a complaint filed by a victim law office in June 2021 regarding a wire transfer of more than $198,000 to a fraudulent U.S. domestic account.11 However, other law firms have reported bigger breaches with higher stakes at risk. In May of 2020, law firm hackers behind a ransomware attack on a New York celebrity law firm threatened to publish compromising information on former U.S. President Donald Trump if they did not receive their $42 million demand.12 As proof, the hackers gained access to sensitive client information and published legal contracts related to the law firm's client, Madonna.13 The hackers also released 2.4 GB of legal data related to client Lady Gaga.14

One in four law firms that participated in the ABA's 2021 Legal Technology Survey reported their firms experienced a data breach at some time.15 A breach includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit.16 The actual number of victim firms could be higher as the firm may have experienced a security breach and never detected it.17 The survey revealed that only 53% of law firms have a policy to manage the retention of information/data held by the firm, and only 36% of respondents have an incident response plan.18

Law firms are not the only legal targets. In May of 2020, a ransomware attack hit Texas courts and took down the courts' websites and case management systems for the state's appellate and high courts.19 While there is no evidence that hackers accessed sensitive or personnel information, the hack left Texas' top civil and criminal courts without a working case management system or internet in their offices which forced staff to put out rulings over Twitter.20

The fact is, anyone with a computer connected to the Internet is susceptible to a cyberattack from computer hackers who use phishing scams, spam email, instant messages and bogus websites to deliver dangerous malware to the computer.21 Once the malware program is installed on the computer, it may quietly transmit the user's private and financial information without their knowledge.22 During the period of March 2021 to February 2022, 153 million new malware programs, including ransomware programs, were discovered.23 This is a 5% increase from the previous year.24

Unfortunately, the learning curve is steep for users who find their computers infected.25 26 Continuing education in this field is necessary given the pace of technology development. Cyberattacks that will occur in a few years' time are not conceivable today.

The following are only a few examples of technology scenarios that lead to professional pitfalls for legal professionals. CLEs on these topics can give members critical guidance that prevent negative outcomes for legal professionals and their clients.

Do firms have an ethical duty to notify their clients if a breach occurs? If so, there is a significant ethical issue not being addressed by lawyers given only 24% of the law firms nationwide that reported a breach in the ABA 2021 Legal Technology Survey notified their clients of the data breach.27

It has become commonplace for lawyers to connect to public wi-fi when working in coffee shops or hotels.28 However, by doing so, the lawyer can expose confidential and privileged client information because the "packets" or pieces of information they send or receive from their devices can be intercepted and decoded.29 Additionally, lawyers may be tricked into logging on to a fake wi-fi network set up by cyber criminals to look like the legitimate public wi-fi network.30 And unknowingly, offer up their clients' information to criminals on a platter.

Law firms are increasingly using Artificial Intelligence such as "chatbots" to deliver legal services and communicate with clients about their legal needs.31 As such, do legal professionals have an ethical duty to train and supervise bots?32 Can a legal professional or law firm be disciplined for the conduct of a chatbot? Chatbots have access to a person's personally identifiable information and other sensitive financial and medical data. Thus, are law firms in the United States that service international corporate clients subject to the requirements of the General Data Protection Regulation enacted in the European Union?

Legal professionals use text messages to contact prospective clients.33 Legal professionals also use texting to communicate with existing clients.34 The use of text messages raises concerns whether and how confidentiality can be maintained in these communications and what steps a legal professional should take to ensure client information is protected. At a minimum, is the legal professional aware that others may have access to the client's mobile device? Additionally, text messages are not kept by the cellular provider indefinitely for future reference. Therefore, do legal professionals need to transfer and backup text messages from their mobile phones to their computers?

The use of unencrypted email to communicate with clients is generally accepted.35 However, the American Bar Association warns,

… cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, legal professionals must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the Comment [18] factors to determine what effort is reasonable.36

Despite the duty to keep abreast of the risks associated with relevant technology and that legal professionals increasingly use technology in their practice, most legal professionals lack training and experience in technology security to recognize and prevent a cyber-attack. These days, dangerous emails look like legitimate communications from your bank, Amazon, shipping carrier, or even your friend. With phishing, vishing, smishing, pharming, and spoofing tactics continually evolving and becoming more sophisticated and harder to detect, legal professionals not keeping up with the trends are at serious risk of jeopardizing client information and funds. The following statistics are troubling:

Keeping clients' information safe is no longer just about keeping hard paper copies secure. The rise of technology in the practice of law creates several risks and raises several ethical questions. The monetary and ethical risks of failing to keep up with the benefits and risks associated with technology are significant and therefore mandating continuing legal education in this area is necessary.

Technology Security education prevents cybercrime. The following statistics demonstrate the beneficial impact of technology security training:

By adding a required credit in technology security, Washington will join other states that recognize the necessity and value of this type of education to the legal profession. In 2023, Florida, New York, North Carolina and the U.S. Virgin Islands require or will require credits related to technology including topics related to cybersecurity.

The MCLE Board presents the following as important factors in support of the suggested amendment for a new requirement for all licensed legal professionals to complete one credit each reporting period in mental health.

Several recent studies concluded: Attorneys are prone to mental health issues, including substance abuse and addiction, depression, anxiety, and stress, more so than the general population. A nationwide study published in the Journal of Addiction Medicine in 2016 (the "ABA Study")43, supported by the American Bar Association, studying licensed attorneys currently employed in the legal profession, who voluntarily completed surveys sent by their respective bar associations. The study found:

The study concluded, "attorneys experience problematic drinking that is hazardous, harmful, or otherwise consistent with alcohol use disorders at a higher rate than other professional populations." Attorneys under 30 years old were found to be at the higher level of 32%. Further, the study found that the data underscore the need for resources devoted to address the issues of mental health and substance abuse within the legal profession, through prevention, as well as lawyers' assistance programs and, where necessary, treatment intervention. That 2016 study cited data from a 1990 study, specific to Washington State lawyers, which found that 18% of lawyers in Washington, at that time, were "problem drinkers," compared with an estimated 10% among American adults in the general population. The 1990 study found that 19% of Washington lawyers suffered from statistically significant elevated levels of depression, contrasted with estimated levels of depression in Western industrialized countries in the range of 3% - 9%.

Similarly, a recent survey conducted by ALM Intelligence and Law.com ("ALM Study")44 found:

Beyond self-assessment by respondents, the ALM Study also found that 62% of respondents know a colleague who is depressed, and 50% know a colleague with an alcohol problem.

Moreover, actual and perceived stigma is a contributing factor to mental health and addiction issues in lawyers. The ALM Study found that 65% of respondents felt they could not take extended leave to tend to mental health issues, and 77% were fearful of what their employer would think if they sought treatment through an extended leave.

The need to address these issues, and to do so as early as possible, relates directly to competence and fitness to practice law. The proposal to require one hour of MCLE credit every three years is a crucial link in addressing this problem. While other elements are necessary to address the problem, including lawyers' assistance programs, available treatment, etc., the MCLE requirement is an entry point to provide a broad base of legal professionals with the knowledge they need for self-assessment, creating avenues of community care to reduce mental health stigma in the legal profession, and knowledge and understanding of available tools and programs, including new developments.

A typical course may include current legal requirements and standards concerning competence and mental health issues, whether in oneself or colleagues; available resources, including lawyers' assistance programs; data concerning the prevalence of mental health issues in the profession; deeper understanding of the nature of mental health issues; tools for self-assessment; common warning signs in colleagues, and deeper understanding of causes and treatments.

The courses accredited to fulfill this requirement should not be designed nor viewed as a substitute for treatment. Nonetheless, requiring every legal professional to devote one hour every three years to education concerning these crucial issues will elevate the profession, improve the overall quality of legal services, and, ultimately, encourage greater public confidence in the integrity of the profession. Moreover, this requirement may encourage members to seek the help they need, and others to be supportive of their colleagues, while maintaining standards of excellence in the practice of law.

In 2017 the ABA adopted the Model Rule for Minimum Continuing Legal Education and Comments ("ABA Model Rule")45, the first such promulgation since 1988. In addition to the inclusion of a diversity and inclusion requirement, one of the main highlights was the addition of a model mental health MCLE requirement. As the ABA stated:

The Mental Health and Substance Use Disorder Credit recognizes that requiring all lawyers to receive education about these disorders can benefit both individual lawyers and the profession. This requirement is in part a response to the 2016 landmark study conducted by the Hazelden Betty Ford Foundation and the American Bar Association Commission on Lawyer Assistance Programs, entitled, "The Prevalence of Substance Use and Other Mental Health Concerns Among American Attorneys."46

At the time, only five states had any form of mental health MCLE requirement. At present, at least eight states (as well as the U.S. Virgin Islands) have adopted some form of this requirement.

The clear trend is toward states and other jurisdictions adopting some form of a mandatory mental health CLE, whether as a separate requirement, or couched in terms of a "professional competence" requirement. This trend suggests the importance and value of a mandatory mental health CLE. The CLE requirement elevates the importance of mental health and self-care for legal professionals. Introducing this requirement can destigmatize mental health and promote awareness and self-care. By adding a required credit in Mental Health, Washington will join other states who recognize the necessity and value of this type of education to the legal profession.

The MCLE Board recommends that this suggested amendment become effective July 1, 2025, and apply to MCLE reporting periods beginning with the 2025-2027 reporting period and all reporting periods thereafter. This would allow for sufficient time for the WSBA to implement the necessary changes to the MCLE software and provide notice to licensed legal professionals and CLE sponsors.

I. Hearing: A hearing is not requested.

J. Expedited Consideration: Expedited consideration is not requested.

1. Suggested Amendments to APR 11 - Redline

2. Suggested Amendments to APR 11 - Clean

(a)-(b) [Unchanged.]

(1) Minimum Requirement. Each lawyer must complete 45 credits and each LLLT and LPO must complete 30 credits of approved continuing legal education by December 31 of the last year of the reporting period with the following requirements:

(i) at least 15 credits must be from attending approved courses in the subject of law and legal procedure, as defined in subsection (f)(1); and

(ii) at least sixfive credits must be in ethics and professional responsibility, as defined in subsection (f)(2);, with at least one credit in equity, inclusion, and the mitigation of both implicit and explicit bias in the legal profession and the practice of law.

(2)-(6) [Unchanged.]

(7) Carryover Credits. If a lawyer, LLLT or LPO completes more than the required number of credits for any one reporting period, up to 15 of the excess credits, two of which may be ethics and professional responsibility credits, may be carried forward to the next reporting period subject to the following limitations:

(d)-(e) [Unchanged.]

(f) Approved Course Subjects. Only the following subjects for courses will be approved:

(1) [Unchanged.]

(2) Ethics and professional responsibility, defined as topics relating to the general subject of professional responsibility and conduct standards for lawyers, LLLTs, LPOs, and judges, including equity, inclusion, and the mitigation of both implicit and explicit bias in the legal profession and the practice of law, and the risks to ethical practice associated with diagnosable mental health conditions, addictive behavior, and stress;

(3)-(7) [Unchanged.]

(g)-(i) [Unchanged.]

(j) Sponsor Duties. All sponsors must comply with the following the duties unless waived by the Bar for good cause shown:

(1) The sponsor must not advertise course credit until the course is approved by the Bar but may advertise that the course credits are pending approval by the Bar after an application has been submitted. The sponsor shall communicate to the lawyer, LLLT, or LPO the number of credits and denominate whether the credits are: "law and legal procedure" as defined under subsection (f)(1);, "ethics and professional responsibility" as defined under subsection (f)(2);,"equity, inclusion, and the mitigation of both implicit and explicit bias in the legal profession and the practice of law" as defined under subsection (f)(8); "technology security" as defined under subsection (f)(9); "mental health" as defined under subsection (f)(10); or "other," meaning any of the other subjects identified in subsections (f)(3)-(7).

(2)-(7) [Unchanged.]

(k) [Unchanged.]