Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing
Fred Wilf, Esq., Baer Crossey
Dina Leytes, Esq., Griesing Law
Amy Larrimore, The Empire Builders Group
Client-Lawyer Relationship
Rule 1.1 Competence
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Client-Lawyer Relationship
Rule 1.6(a) Confidentiality Of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
Client-Lawyer Relationship
Rule 1.6(b) Confidentiality Of Information
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:
(1) to prevent reasonably certain death or substantial bodily harm;
(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer's services;
(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client's commission of a crime or fraud in furtherance of which the client has used the lawyer's services;
(4) to secure legal advice about the lawyer's compliance with these Rules;
(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client; or
(6) to comply with other law or a court order.
Business in the Cloud - Common
• Software as a service
• Web services Social media LinkedIn Wikipedia Google
• Platform Physical Hardware Cloud - Amazon
Security Breach
Generally speaking, it is true that the ease of the cloud increases vulnerability – with significant consequences:
• Adverse legal, regulatory and business consequences
• Sanctions imposed by regulatory agencies
• Loss of business
• Reputational risk
• Cost of complying with statutory notification obligations
• Cost of remediation
Cloud Fear - Mitigation
On Premise
• Fire Employee(s)
• Take the Blame
• Claim against your insurance policy
Off Premise
• Sue them
• Blame them
• Claim against their insurance policy
Due Diligence
• Who at the service provider has access to business records?
• Where is the service provider located?
• Does the service provider comply with all regulatory requirements?
• How is the data stored – what is the data flow?
• Does the provider have a privacy and security policy?
• What type of security is in place to ensure data breaches do not occur?
• Does the provider have a policy to be implemented in the case of a data breach?
• What does that policy provide for with regard to client operations in such a case?
• What insurance or asset levels exist at the provider?
How does IT Bob Stack up? Due diligence process for outside providers tends to be common. Many providers are rejected as part of this process. Rarely would the internal alternatives pass if they were also subjected to the process.
Refusal to Approve
Approval is a point in time, not an ongoing process
• Failure to adequately assess, approve and implement technology (non-action) is a significant exposure
• Exposure is reason new technology is rejected
• Secure products become unsecure in short time frame
• New tech presents the opportunity for more security
• Compliance and legal education and approval cycle process
• No case law
Jurisdiction
What are all the locations in which you do business virtually?
• Courts are willing to recognize personal jurisdiction based on location of cloud computing services. Forward Foods LLC v Next Proteins, Inc., 2008 BL 238516 (N.Y. Sup. 2008)
• In some jurisdictions when weighing convenience of a forum, physical recordkeeping takes precedence. Gemalto S.A. v. HTC Corp., 2011 U.S. Dist. LEXIS 133612 (E.D. Tex. Nov. 18, 2011)
• Compliance department requires instruction on these issues.
The Cloud and The World
• There are no international rules governing cloud related concerns.
• The EU Data Protection Directive provides that transfer of personal data may be made only to member states and to jurisdictions with adequate data security standards.
• The US is NOT currently deemed to have adequate data security standards.
Issues in E-Discovery
• Parties that store third party data should not expect to be shielded from discovery rules. Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007)
• FRCP require production based on “possession, custody or control”
• If responding party has the ability to obtain data, it may be compelled to do so
• Discoverable information is still protected by privilege, wherever it exists. Tomlinson v. El Paso Corp., 245 F.R.D. 474 (D. Colo. 2007)
Protection of Trade Secrets
• CFAA: Computer Fraud and Abuse Act
  • What is unauthorized access?
  • Employees, Third Party Providers, Social Media
• Importance of policy vs. hardware controls. U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011)
• Social media
  • Use or Excessive Use
  • Social Media Policy
Summary
• Ethics: Competence and Confidentiality
• Matters of Business:
  • Cloud Fear vs. Risk “Skeletons” in IT Closet
  • Due Diligence and Point in Time Compliance
• Matters of Law
  • Jurisdiction
  • The Cloud and the World
  • E-Discovery
  • Trade Secrets
Dina Leytes, Esq. firstname.lastname@example.org
Frederic Wilf, Esq., Partner http://email@example.com
Amy H. Larrimore, Chief Strategist, The Empire Builders Group
www.amylarrimore.com
www.empirebuilders.biz
215-645-2691 or firstname.lastname@example.org