Malpractice Alert! Summer 2022

Amendments to Rules of Procedure 

On June 1, 2022, the Ohio House and Senate each adopted Senate Concurrent Resolution 16 disapproving certain amendments to the Rules of Civil, Criminal, and Juvenile Procedure and the Rules of Evidence adopted by the Ohio Supreme Court. Most of the amendments rejected related to allowing remote proceedings. The OSBA June 3, 2022 Weekly Legislative Report discusses the proceedings and rationale for the rejection.

The amendments that were not rejected by the General Assembly will become effective July 1, 2022.  Review these amendments carefully as some of the changes impose new disclosure and notice requirements:

• As amended, Civ.R. 4.7 does not apply waiver of service provisions to domestic relations matters as defined in R.C. 3105.011. Defendants in domestic relations may no longer extend the deadline for filing an answer by waiving service.
• Under amended Civ.R. 26, the initial disclosures required must include e-mail addresses for those individuals likely to have discoverable information.
• Per amended Crim. R. 12.1 and Crim. R. 12.2, criminal defendants who intend to argue alibi or self-defense must provide notice of these defenses 30 days before trial for felony cases and 14 days before trial for misdemeanor cases. The failure to provide notice may result in the exclusion of the evidence.
• Amended Evid.R. 404 states that any party intending to present evidence of any crime, wrong or act for a use permitted under Evid.R. 404 must provide written notice in advance of trial (unless good cause excuses lack of pretrial notice) and articulate the purpose of the evidence and the reasoning that supports that purpose. The rule applies to both civil and criminal proceedings.
• Under amended Juv.R. 24, the required disclosure of individuals likely to have discoverable information must now include telephone numbers and e-mail addresses and the disclosing party must identify the subjects of information that each individual is likely to have.

Amendments To Civil Fee Waiver Affidavit

Effective April 15, 2022, Civil Procedure Form 20- Civil Fee Waiver Affidavit has been amended. Pursuant to R.C. 2323.311 an indigent litigant must complete this form for a waiver of the prepayment of costs or fees. The amendment updates the appendix containing the dollar amounts that represent percentages of the federal poverty limit necessary to qualify for the waiver.

Proposed Amendments to the Rules of Superintendence on Ohio Sentencing Data Platform

Proposed amendments to the Rules of Superintendence for the Courts of Ohio, Sup.R. 38.01 and 44 would require that the Ohio Criminal Sentencing Commission establish, operate and maintain the Ohio sentencing data platform on behalf of the Supreme Court to facilitate the electronic collection, analysis and reporting of felony sentencing data and the production of uniform sentencing entries and method of conviction entries. The commission would also designate courts of common pleas to take part in a pilot project in which judges would complete “Uniform Sentencing Entry” and “Method of Conviction” forms to submit via the Ohio sentencing data platform.

The Supreme court will accept public comments until June 28, 2022.  Comments on the proposed amendments should be submitted in writing to: Sara Andrews, Director of the Ohio Criminal Sentencing Commission, Supreme Court of Ohio, 65 South Front Street, 5th Floor, Columbus, Ohio 43215, or email [email protected].

Adopted Amendments to the Rules of Superintendence for the Courts of Ohio

Amendments to the Rules of Superintendence for the Courts of Ohio Sup.R. 2, 5, 13, 16.06, 36.08, 48.04–48.06, and 57, effective July 1, 2022, adopting iCourt Task Force recommendations.

Amendments to the Rules of Superintendence for the Courts of Ohio Sup.R. 66, 66.03, 66.05, 66.06, 66.08, and 66.09, effective July 1, 2022, on Guardianship disputed visitation.

Amendments to the Rules of Superintendence for the Courts of Ohio new Sup.R. 91.01 through 91.09, effective September 1, 2022, on custody evaluator standards.

New Microsoft Vulnerability – “Follina” Zero-Day Bug

On May 30th Microsoft announced a security vulnerability was discovered involving the Microsoft Support Diagnostic Tool (“MSDT”). The MSDT collects information from users to send to Microsoft for analysis by support personnel to help resolve problems. Attackers discovered a way to access MSDT and use it to install malicious code, view, change, or delete data, or create new accounts.

Experts report the exploit can be triggered in multiple ways, including from a “hover-preview of a downloaded file that doesn’t require any clicks using the preview pane in Windows Explorer. Microsoft recommends a workaround to avoid triggering an attack. The Cybersecurity & Infrastructure Security Agency (“CISA”) urges users to apply the necessary workaround.

Business Email Compromise

Business Email Compromise (“BEC”) is a scam that exploits the reliance on email to conduct business. The scam typically involves the compromise of legitimate business email accounts through social engineering or computer intrusion to access or redirect funds or personally identifiable information. The FBI reported in 2020 that BEC scams resulted in losses of $1.8 billion. That number grew to $2.4 billion in 2021.

Law firms are vulnerable to BEC scams because lawyers rely heavily on email to conduct business and often facilitate large monetary transactions. The variants of BEC scams that our policyholders report most frequently involve either wire transfer frauds or scams involving fraudulent checks. See our prior reports on these scams: Best Practices: Preventing Wire Fraud; May 10, 2022 OBLIC Alert; see also, Cyber Scams Again and Again, August 6, 2020 OBLIC Alert.

Our cyber-insurance partners at Tokio Marine created this BEC Guide to provide best practice recommendations for protecting against BEC scams.

These resources provide additional information related to BEC scams:

• OBLIC Cyber Toolbox – for training resources and sample policies to prevent scams 
• Business Email Compromise from the FBI – for a description of BEC scams and how to protect against them, and how to report them
• Business Email Compromise: The $43 Billion Scam, May 4, 2022, FBI Public Service Announcement #I-050422-PSA – for a description of BEC scams involving cryptocurrency
• 281 Arrested Worldwide in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes; September 10, 2019, Department of Justice News Release – for an example of how BEC scams are carried out by criminal organizations

Avoiding Cybersecurity Threats When Marketing Your Firm

Lawyers often use social media platforms such as LinkedIn, Facebook and Twitter to get their information out to potential clients. The use of social sharing to post client testimonials or press releases and websites also market the firm.  Each of these can be entry points for cyberattacks.

The Marketing Issue of the ABA Law Practice Magazine listed seven steps for how law firms can stay safe while marketing their services:

• Conduct a risk assessment

See OBLIC’s CyberToolbox for information on a risk assessment

• Perform a penetration test

 A penetration test is an authorized simulated cyberattack on an information system that is performed to evaluate its security.

• Implement internal controls

Evaluate your internal controls in areas including human resources, physical security, information technology and vendor management, including evaluating who has permission to access the data, especially in this remote-working world.

• Assess your third-party vendors

Ensure that vendor is aware of the information security requirements and has the proper level of cybersecurity.

• Establish a social media usage policy

A social media policy provides guidelines on what attorneys and staff can and cannot share about your law firm and its clients on social media and other third-party platforms

• Monitor email security

Monitor all your inbound and outbound emails to detect any suspicious activity and use a domain-based method of authentication to identify spoof emails. Encrypt emails and set up DMARC (Domain-based Message Authentication Reporting and Conformance) records to prevent spoofed emails from being sent in your name without your knowledge.

• Educate and train your employee

 See OBLIC CyberToolbox for training materials

Cybersecurity Incident Response Plan

The importance of having timely security disclosures was emphasized in new guidance issued by the FTC Division of Privacy and Identity Protection – describing which consumers or companies should be notified of data breaches regardless of whether a breach notification law applies. Data Breach Response:  A Guide for Business provides information on what steps to take if personal information may have been exposed.

To prepare for cyber security attacks, every law practice should have an Incident Response Plan (“IRP”). If your practice does not have one, take the first step now to get started.  OBLIC’s CyberToolbox has a guided planning process and Sample IRP.  If you need help, we’re happy to walk you through it!

• Cybersecurity Incident Response- The Four Phase Plan (January 12, 2022, OBLIC Alert)
• OBLIC’s CyberToolbox
• NIST’s Computer Security Incident Handling Guide
• CISA Cybersecurity Incident & Vulnerability Response Playbooks