Ethics and Security of Cloud Computing for Lawyers
Clio Cloud Conference
September 23, 2013
Robert J. Ambrogi, Esq.
Presented at Clio Cloud Conference, Sept. 23, 2013

Published in: Technology, Business
  • This is a comprehensive presentation that highlights compliance with the new HIPAA requirements effective today. However, what steps should be taken within the office to ensure that each firm remains in compliance? I know at MerusCase, we have taken the necessary steps to ensure that PHI is protected while our clients use our cloud-based practice management system. Internally we are ensuring that all data is encrypted and that no PHI is left vulnerable.

  1. Ethics and Security of Cloud Computing for Lawyers. Clio Cloud Conference, September 23, 2013. Robert J. Ambrogi, Esq.
  2. 17 ethics panels ...
  3. The ethical issues at stake
     • Lawyers have duty to safeguard confidential client information.
     • Lawyers have duty to protect client property, including client files, from loss.
     • Lawyers have a duty to be competent in technology.
  4. Every ethics panel agrees on two points ...
     1. Lawyers may use the cloud.
     2. Must take reasonable steps to minimize risk to confidential information and client files.
  5. The ethics opinions:
     • Alabama State Bar Ethics Opinion 2010-02
     • Arizona State Bar Formal Opinion 09-04
     • California Formal Opinion No. 2010-179
     • Connecticut Bar Association Informal Opinion 2013-07
     • Florida Bar Opinion 12-3
     • Iowa State Bar Ethics Opinion 11-01
     • Maine Professional Ethics Commission Opinion 194
     • Massachusetts Bar Association Opinion 12-03
     • New Hampshire Bar Association Opinion 2012-13/4
     • New Jersey Advisory Committee on Professional Ethics Opinion 701
     • Nevada State Bar Formal Opinion No. 33
     • New York State Bar Association Opinion 842 of 2010
     • North Carolina 2011 Formal Ethics Opinion 6
     • Oregon Formal Opinion No. 2011-188
     • Pennsylvania Formal Opinion 2011-200
     • Vermont Bar Association Opinion 2010-6
     • Virginia Legal Ethics Opinion 1872
  6. North Carolina 2011
     “A law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files.”
     “A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.”
  7. “The degree of protection to be afforded client information varies with the client, matter and information involved. But it places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly.”
     “Whatever form of SaaS is used, the lawyer must ensure that there is unfettered access to the data when it is needed. Likewise the lawyer must be able to determine the nature and degree of protection that will be afforded the data while residing elsewhere.”
     Iowa State Bar Ethics Opinion 11-01
  8. “A competent lawyer using cloud computing must understand and guard against the risks inherent in it.”
     “There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing.”
     “Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”
     New Hampshire 2012-13/4
  9. Florida Bar Opinion 12-3
     Lawyers have an obligation to remain current not only in developments in the law, but also developments in technology that affect the practice of law. Lawyers who use cloud computing … have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.
  10. Massachusetts Bar Ethics Opinion 12-03
     “Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet.”
     “He should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent.”
  11. 1. Company Due Diligence
     • Is this a solid company with a good operating record?
     • Do others recommend the company?
     • What is in the TOS and privacy policy?
  12. 2. Unrestricted access to data
     • Can I get my data whenever I want?
     • Is the data stored elsewhere in the event I'm denied access?
     “Optionally, upon request by the Subscriber, all Content associated with the subscription will be replicated at a regular interval, to an offsite storage server accessible only to a reputable data escrow agent (“Escrow Agent”). The replicated Content (“Escrowed Data”) will be held under the terms of a separate agreement among Themis, the Subscriber, and the Escrow Agent (“Escrow Agreement”).”
  13. 3. Termination of relationship
     • If I terminate the service, can I retrieve my data?
     • If the service is terminated due to my non-payment, what happens to my data?
     • If the company shuts down, can I get my data?
     • Will the data be available in a non-proprietary format?
  14. “At LexisNexis we believe strongly that the data you place in LexisNexis Firm Manager belongs to you! To provide you with the comfort that you retain control of your critical client-privileged information and work product:
     • “Your administrator can export your data at any time.
     • “If you cancel your subscription, we maintain your data online for 6 months. … At any time you can decide to purge your data, removing it from LexisNexis systems.
     • “If you purge your data, your client privileged work product is removed from our systems … [and] from our backup tapes as well.”
  15. 4. Password Protection
     • Passwords required?
     • Is two-step verification available?
     • Automatic log-out?
     • Account monitoring for suspicious activity?
  16. 5. Protection of confidentiality
     Lawyer must ensure “that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.” -NYSBA Ethics Opinion 842
  17. 6. Data Encryption
  18. SSL = encryption in transit
  19. Encryption at rest
  20. 7. Data back-up
     • Data backed up at least daily.
     • Back-ups to multiple locations.
  21. 8. Network security
     • Firewalls.
     • Intrusion detection.
     • Virus detection.
     • Network usage.
     • Application usage.
     • Port scanning.
  22. 9. Physical security of data centers
     • Building access and security: 24x7 on-site security. Multi-level access verification. Video monitoring of entrances and internal.
     • Uninterruptible, redundant power: At least two power grid connections. Battery banks. N+1 on-site generators.
     • Cooling system: HVAC systems with N+1 redundancy to keep climate at the optimum temperature and humidity levels.
     • Fire detection and suppression: Automatic, multi-zoned detection and suppression. Off-site alarm monitoring and dispatch.
     • System monitoring: Real-time monitoring of all systems.
  23. Data Center Seals of Approval
     SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
     • Auditing standards verifying that controls are in place to protect financial information.
     • Can apply to:
       • Data centers and colocation facilities.
       • SaaS providers.
       • Payroll processing companies.
       • Loan servicing companies.
       • Medical claims processors.
     SOC 2
     • Reporting option specifically designed for data centers, SaaS vendors, and cloud-based businesses.
     • Evaluates:
       • System security.
       • System availability.
       • System processing integrity.
       • Confidentiality of information.
       • Privacy of personal information.
  24. 10. Get Extra Security
     Viivo, www.viivo.com
     • Client-side encryption for Mac, Windows, iOS and Android.
     • Works with Dropbox, Box, Google Drive and Skydrive.
     • Can share with others, but they must also install Viivo.
     TrueCrypt, www.truecrypt.org
     • Free, geeky disk encryption software for Windows, Mac and Linux.
     • Can be used to encrypt files before sending to Dropbox.
     Safebox, www.safeboxapp.com
     • Client-side encryption for Dropbox and other systems.
     Enlocked, www.enlocked.com
     • Easy email encryption, works with webmail services such as Gmail as well as with Outlook.
  25. You need only be reasonable … not paranoid
  26. www.lawsitesblog.com, @bobambrogi, ambrogi@legaline.com
