• Save
Ethics and Security of Cloud Computing for Lawyers
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Ethics and Security of Cloud Computing for Lawyers

Uploaded on

Presented at Clio Cloud Conference, Sept. 23, 2013

Presented at Clio Cloud Conference, Sept. 23, 2013

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • This is a comprehensive presentation that highlights compliance with the new HIPAA requirements effective today. However, what steps should be taken within the office to ensure that each firm remains in compliance? I know at MerusCase, we have taken the necessary steps to ensure that PHI is protected while our clients use our cloud-based practice management system. Internally we are ensuring that all data is encrypted and that no PHI is left vulnerable.
    Are you sure you want to
    Your message goes here
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 4,579

http://www.lawsitesblog.com 3,043
http://lawyerist.com 1,306
http://cloud.feedly.com 127
http://newsblur.com 28
https://twitter.com 23
http://www.newsblur.com 17
http://www.feedspot.com 7
http://digg.com 6
http://feedproxy.google.com 3
http://beforeitsnews.com 3
http://www.goldmanslawassociates.com 3
http://translate.googleusercontent.com 2
https://lawyerist.com 1
http://plus.url.google.com 1 1
http://feedly.com 1 1
http://cp.100ws.com 1
http://feed.tswartz.com 1
http://inoreader.com 1 1
http://reader.aol.com 1
http://www.google.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Ethics and Security of Cloud Computing for Lawyers Clio Cloud Conference September 23, 2013 Robert J. Ambrogi, Esq.
  • 2. 17 ethics panels ...
  • 3. The ethical issues at stake Lawyers have duty to safeguard confidential client information. Lawyers have duty to protect client property, including client files, from loss. Lawyers have a duty to be competent in technology.
  • 4. Every ethics panel agrees on two points ... 1. Lawyers may use the cloud. 2. Must take reasonable steps to minimize risk to confidential information and client files.
  • 5. Alabama State Bar Ethics Opinion 2010-02 Arizona State Bar Formal Opinion 09- 04 California Formal Opinion No. 2010- 179 Connecticut Bar Association Informal Opinion 2013-07 Florida Bar Opinion 12-3 Iowa State Bar Ethics Opinion 11- 01 Maine Professional Ethics Commission Opinion 194 Massachusetts Bar Association Opinion 12-03 New Hampshire Bar Association Opinion 2012-13/4 New Jersey Advisory Committee on Professional Ethics Opinion 701 Nevada State Bar Formal Opinion No. 33 New York State Bar Association Opinion 842 of 2010 North Carolina 2011 Formal Ethics Opinion 6 Oregon Formal Opinion No. 2011- 188 Pennsylvania Formal Opinion 2011-200 Vermont Bar Association Opinion 2010-6 Virginia Legal Ethics Opinion 1872
  • 6. North Carolina 2011 “A law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files.” “A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.”
  • 7. “The degree of protection to be afforded client information varies with the client, matter and information involved. But it places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly.” “Whatever form of SaaS is used, the lawyer must ensure that there is unfettered access to the data when it is needed. Likewise the lawyer must be able to determine the nature and degree of protection that will be afforded the data while residing elsewhere.” Iowa State Bar Ethics Opinion 11-01
  • 8. “A competent lawyer using cloud computing must understand and guard against the risks inherent in it.” “There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing.” “Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.” New Hampshire 2012-13/4
  • 9. Florida Bar Opinion 12-3 Lawyers have an obligation to remain current not only in developments in the law, but also developments in technology that affect the practice of law. Lawyers who use cloud computing … have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.
  • 10. Massachusetts Bar Ethics Opinion 12-03 “Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet.” “He should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent.”
  • 11. 1. Company Due Diligence Is this a solid company with a good operating record? Do others recommend the company? What is in the TOS and privacy policy?
  • 12. 2. Unrestricted access to data Can I get my data whenever I want? Is the data stored elsewhere in the event I'm denied access? “Optionally, upon request by the Subscriber, all Content associated with the subscription will be replicated at a regular interval, to an offsite storage server accessible only to a reputable data escrow agent (“Escrow Agent”). The replicated Content (“Escrowed Data”) will be held under the terms of a separate agreement among Themis, the Subscriber, and the Escrow Agent (“Escrow Agreement”).”
  • 13. 3. Termination of relationship If I terminate the service, can I retrieve my data? If the service is terminated due to my non- payment, what happens to my data? If the company shuts down, can I get my data? Will the data be available in a non-proprietary format?
  • 14. “At LexisNexis we believe strongly that the data you place in LexisNexis Firm Manager belongs to you! To provide you with the comfort that you retain control of your critical client-privileged information and work product: • “Your administrator can export your data at any time. • “If you cancel your subscription, we maintain your data online for 6 months. … At any time you can decide to purge your data, removing it from LexisNexis systems. • “If you purge your data, your client privileged work product is removed from our systems … [and] from our backup tapes as well.”
  • 15. 4. Password Protection Passwords required? Is two-step verification available? Automatic log-out? Account monitoring for suspicious activity?
  • 16. 5. Protection of confidentiality Lawyer must ensure “that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.” -NYSBA Ethics Opinion 842
  • 17. 6. Data Encryption
  • 18. SSL = encryption in transit
  • 19. Encryption at rest
  • 20. Data backed up at least daily. Back-ups to multiple locations. 7. Data back-up
  • 21. Firewalls. Intrusion detection. Virus detection. Network usage. Application usage. Port scanning. 8. Network security
  • 22. Building access and security 24x7 on-site security. Multi-level access verification. Video monitoring of entrances and internal. Uninterruptible, redundant power At least two power grid connections. Battery banks. N+1 on-site generators. Cooling system HVAC systems with N+1 redundancy to keep climate at the optimum temperature and humidity levels. Fire detection and suppression Automatic, multi- zoned detection and suppression. Off-site alarm monitoring and dispatch. System monitoring Real-time monitoring of all systems. 9. Physical security of data centers
  • 23. • Auditing standards verifying that controls are in place to protect financial information. • Can apply to: • Data centers and colocation facilities. • SaaS providers. • Payroll processing companies. • Loan servicing companies. • Medical claims processors. SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II). • Reporting option specifically designed for data centers, SaaS vendors, and cloud-based businesses. • Evaluates: • System security. • System availability. • System processing integrity. • Confidentiality of information. • Privacy of personal information. SOC 2 Data Center Seals of Approval
  • 24. 10. Get Extra Security • Client-side encryption for Mac, Windows, iOS and Android. • Works with Dropbox, Box, Google Drive and Skydrive. • Can share with others, but they must also install Viivo. Viivo, www.viivo.com • Free, geeky disk encryption software for Windows, Mac and Linux. • Can be used to encrypt files before sending to Dropbox. TrueCrypt, www.truecrypt.org • Client-side encryption for Dropbox and other systems. Safebox, www.safeboxapp.com • Easy email encryption, works with webmail services such as Gmail as well as with Outlook. Enlocked, www.enlocked.com
  • 25. You need only Be reasonable … not paranoid
  • 26. www.lawsitesblog.com @bobambrogi ambrogi@legaline.com