Today: 1) why CC and mobile tech matters 2) what CC is 3) ethical and security issues.

Bottom line--CC is the future. For some firms, the current tech and security may be insufficient, but that will change quickly. Learn about it, understand it and position your firm for the future.
Information is changing--we must rethink “information”--be curious
Explore the benefits. Balance the risks. Be curious.
Simple definition of CC: data/software stored on someone else’s server.
Mobile tech in the legal field is a given--after all lawyers were crackberry addicts before anyone else. So let’s talk about cloud computing.
Legal-specific apps (practice management, billing, document management) and general apps (Google Apps, Dropbox).
Ethics and security seem to be a thorny maze of issues.
ABA Ethics 20/20--my take--can’t be tasked with supervising them re: their tech skills.
Note: Gmail language re: free email. Option is to use Google Apps--$50 per user per month.
Electronic Communications Privacy Act (ECPA)--no significant revisions since 1986
Smart, Ethical Use of Mobile, Tablet, & Cloud Computing Nicole Black Attorney, author and founder of lawtechTalk www.nicoleblackesq.com
What is cloud computing and why should you care?
A fundamentalist is a person who considers whether a fact is acceptable to their faith before they explore it. As opposed to a curious person who explores first and then considers whether or not they want to accept the ramifications. --Seth Godin
Cloud and Mobile Computing: Not a Trend
• Cloud computing is the top technology trend for 2010
• By 2012, 20% of businesses will own no IT assets and will conduct business solely in the Cloud
• By 2013, mobile phones will overtake PCs as the most common Web access device worldwide
• By 2014, over 3 billion of the world’s adult population will be able to transact electronically via mobile or Internet technology
* Gartner’s Top Predictions for IT Organizations and Users, 2010 and Beyond: A New Balance
• Nearly 98% of respondents incorporated virtualization technologies into their law firms. Some used virtual servers, while others brought virtualization to their desktop computers.
• Nearly 84% of responding firms reported using SaaS-based products as well. Typically, however, cloud computing products were used for secondary functions like eDiscovery or human resources.
* Am Law 2009 Tech Survey
• 80% of firms use cloud computing--mostly for non-critical tasks like e-discovery and HR
• 60% of firms use cloud-based services for e-discovery or litigation support features, and many use it for important (but not bread-and-butter) tasks like benefits or expense management
• 5% use cloud services for document management
• 6% use it for storage
* Am Law 2010 Tech Survey
“14% of law firms plan to invest in some type of cloud computing or software-as-a-service solution. However, it must be noted that lack of familiarity with cloud computing and related emerging technologies may be inhibiting adoption. Among attorneys, only 30% rate themselves as familiar with the concept of cloud computing, while only 45% claim knowledge of the concept of managed services.”
* CompTIA 2010 survey (a non-profit trade association for the IT industry)
Cloud computing is a “type of computing that is comparable to grid computing, relies on sharing computing resources rather than having local servers or personal devices to handle applications. The goal of cloud computing is to apply traditional supercomputing power (normally used by military and research facilities) to perform tens of trillions of computations per second.”
Software as a service —or SaaS —is “[a] software delivery model in which a software firm provides daily technical operation, maintenance, and support for the software provided to their client.”
For summaries of a few ethics decisions: http://bit.ly/81K2jZ
Ethical issues to consider:
A. Attorney client confidentiality
B. Compare/contrast to traditional outsourcing relationships
C. Transborder data flow
D. Meeting obligations of “reasonable” security
E. Electronic evidence/e-discovery
QUESTION: What are the ethical obligations of lawyers in regard to data stored on the hard drives of “storage media”.
Florida Bar Ethics Opinion 10-12 (September 2010)
ANSWER: Lawyers who use devices that contain storage media such as computers, printers, copiers, scanners, cellular phones, personal digital assistants, flash drives, memory sticks, facsimile machines and other electronic or digital devices must take reasonable steps to ensure that client confidentiality is maintained and that the device is sanitized before disposition, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.
Lawyers using these devices must familiarize themselves with new technologies and “have a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality.” Also, lawyers must take reasonable steps to ensure that client confidentiality is maintained. One important part of this duty includes the obligation to identify any “potential threat(s) to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality.” The Committee noted that lawyers who use mobile devices also have a supervisory responsibility that extends not only to the lawyer’s own employees but to “entities outside the lawyer’s firm with whom the lawyer contracts to assist in the care and maintenance of the Devices in the lawyer’s control.” Part of the lawyer’s supervisory duty requires that the lawyer obtain assurances from any nonlawyers who will have access to confidential information that confidentiality of the information will be maintained.
QUESTION: Whether an attorney can use an online system to store confidential client data and, if so, what steps must be taken to ensure the data are secure?
New York State Bar Association’s Committee on Professional Ethics, Opinion 842 (September 2010)
ANSWER: It is permissible for attorneys to store confidential client data in the cloud, but only if reasonable steps are taken to ensure the data would be adequately protected from unauthorized disclosure: “A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client’s information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.” Importantly, the committee noted that “exercising ‘reasonable care’ under Rule 1.6 does not mean that a lawyer guarantees that the information is secure from any unauthorized access.”
QUESTION: “May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?”
The New York State Bar Association Committee on Professional Ethics, Opinion 820-2/08/08
ANSWER: “Unless the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that, unlike computer-generated advertising, puts confidentiality at risk, the use of such e-mail services comports with DR 4-101…A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.”
QUESTION: The question addressed in this opinion is whether a lawyer violates SCR 156 by storing confidential client information and/or communications, without client consent, in an electronic format on a server or other device that is not exclusively in the lawyer’s control.
State Bar of Nevada Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 33
ANSWER: In order to comply with the rule, the lawyer must act competently and reasonably to safeguard confidential client information and communications from inadvertent and unauthorized disclosure. This may be accomplished while storing client information electronically with a third party to the same extent and subject to the same standards as with storing confidential paper files in a third party warehouse. If the lawyer acts competently and reasonably to ensure the confidentiality of the information, then he or she does not violate SCR 156 simply by contracting with a third party to store the information, even if an unauthorized or inadvertent disclosure should occur... The ABA Committee addressed an issue much closer to that discussed here in Formal Opinion number 95-398, and concluded that a lawyer may give a computer maintenance company access to confidential information in client files, but that in order to comply with the obligation of client confidentiality, he or she “must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”
4th Amendment issues
In a decision issued by the United States District Court, District of Oregon Opinion and Order in In re: US, Nos. 08-9131-MC, 08-9147-MC, (2009), the government successfully argued that it need not notify the account holder regarding a warrant that is served upon the ISP holder of the email account (gmail). In reaching its decision, the court gave lip service to the concept that emails are entitled to Fourth Amendment protection, but then stated: “Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.”
In comparison, however, see footnote 7 from the October 2009 Memorandum and Order issued by the United States District Court, Eastern District of New York, in US v. Cioffi, Case No. 08-CR-415 (FB): One preliminary matter is not in question: The government does not dispute that Tannin has a reasonable expectation of privacy in the contents of his personal email account. See United States v. Zavala, 541 F.3d 562, 577 (5th Cir. 2008) ("[C]ell phones contain a wealth of private information, including emails, text messages, call histories, address books, and subscriber numbers. [The defendant] had a reasonable expectation of privacy regarding this information."); United States v. Forrester, 512 F.3d 500, 511 (9th Cir. 2008) ("E-mail, like physical mail, has an outside address visible to the third-party carriers that transmit it to its intended location, and also a package of content that the sender presumes will be read only by the intended recipient. The privacy interests in these two forms of communication are identical. The contents may deserve Fourth Amendment protection, but the address and size of the package do not.").
Security issues to consider:
1. Encryption
2. Geo-redundancy
3. Data back ups
4. Extraction of data
What questions should you ask cloud providers?
• What type of facility will host the data?
• Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees?
• Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance?
For full list see: http://bit.ly/hyFBxo
• Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?
• How frequently are back-ups performed? How are you able to verify that backups are being performed as promised?
• Is data backed up to more than one server? Where are the respective servers located? Will your data, and any back up copies of it, always stay within the boundaries of the United States?
• How secure are the data centers where the servers are housed?
• What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?
• Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?
• Are there redundant power supplies for the servers?
• Does the contract include a guarantee of uptime? How much uptime? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?
• If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back ups?
• What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited?
• Does the agreement contain a forum selection clause? How about a mandatory arbitration clause?
• If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
• What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another?
• What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you back up your data locally so that it is accessible to you should you need it?
• Does the provider carry cyber insurance? If so, what does it cover? What are the coverage limits?
Thanks for listening!
Nicole Black
Of Counsel, Fiandach & Fiandach
Founder of lawtechTalk
www.nicoleblackesq.com
Social Media for Lawyers: the Next Frontier published by the ABA in July 2010 (http://bit.ly/socmed4lawyersbook)
Cloud Computing for Lawyers to be published by the ABA in May 2011