Privacy and Technology in Your Practice: Why it Matters & Where is the Risk


This presentation was given during the 2019 DBA Technology Summit

Published in: Law

  1. 1. Privacy and Technology in Your Practice: Written and Presented By: Craig C. Carpenter Thompson & Knight LLP Charles M. Hosch Hosch & Morris PLLC T. Hunter Lewis Duffee + Eitzen LLP Honorable Emily Miskel District Judge, 470th Judicial District Court Collin County Additional Research and Compilation: George Shake Joshua Dossey Duffee + Eitzen LLP Why it matters and where is the risk
  2. 2. Data Breaches for Law Firms Craig C. Carpenter, Thompson & Knight, LLP
  3. 3. What’s a breach? Breaches are a Privacy and Security Issue • Privacy: • Duty to maintain confidentiality • “We will keep your information secure and make sure it is not accessed by unauthorized parties.” • Cyber Security: • Physical, technical, administrative safeguards • Criminal act • 18 U.S. Code § 1030 – Computer Fraud and Abuse Act • Tex. Penal Code § 33.02 – Texas Breach of Computer Security
  4. 4. Law Firms are Not Immune • Mandiant reported that at least 80 of the top 100 law firms in the country, by revenue, had been hacked by 2011. • Logicforce has reported that about 2/3 of law firms have experienced some sort of data breach. “law firm”
  5. 5. In Fact, Law Firms are Lucrative Targets • Corporate Deals • Trade Secrets • Financial Data • Privileged Communications/Information • Personal Data • Health Data • Export-Controlled Technology
  6. 6. Types of Attacks • Insider Threat • Vendor Threat • Phishing • Spear Phishing • Ransomware • Wire transfer fraud
  7. 7. Compliance • Rules of Professional Responsibility • State notification regulations • Data subject • AGs • Credit Agencies • International notification regulations • Industry-specific data
  8. 8. Compliance Issues for Law Firms • Is it a “breach”? • Who owns the data? • Law firm? • Client? • Other law firm? • Other law firm’s client? • Is it subject to a protective order? • Privileged information How does it impact your practice?
  9. 9. Costs What are the practical implications? • Breach investigation • Breach mitigation • Regulatory responses • Breach notification • Customer Relations • Reputational damage • Down time
  10. 10. Initial Takeaways from the Recent Capital One Breach 1. Having a plan and contacts in place makes a huge difference 2. Know what data you have and where it is located 3. Understand your vendor/third party vulnerabilities 4. “Hacking” has been a crime for a while now 5. Post-breach communication is critical 6. Lawsuits quick to follow
  11. 11. Capital One Breach Lawsuit 1. Negligence 2. Negligence Per Se 3. Breach of Implied Contract
  12. 12. Privacy & Technology Questions? Craig C. Carpenter Thompson & Knight, LLP O: 214-969-1154
  13. 13. Cybersecurity vs. Privacy Charles M. Hosch, Hosch & Morris, PLLC
  14. 14. What’s the difference? “Cybersecurity” and “Privacy” Of course you can’t have privacy without security. But what’s the difference?
  15. 15. At a Glance: Cybersecurity • Asks, “How do I secure my data and keep it from being ‘hacked,’ ‘breached,’ stolen, lost, or fumbled?” • Applies to: All data, including both commercial and personal information. Privacy • Asks, “Assuming I can keep my data secure (a huge ‘if’), how can I use the “personal information” within my data?” Applies to: “Personal” or “personally identifiable” information. (Definitions vary. May extend to data that can be linked to households, and/or include inferences you draw from raw data.)
  16. 16. Sources of Law: Cybersecurity • Trade Secret Law: Uniform Trade Secrets Act, Tex. Civ. Prac. & Rem. Code, Ch. 134A; Defend Trade Secrets Act, 18 U.S.C. §1836, et seq.; • State-based “Breach Response” statutes – All 50 States – e.g. Tex. Bus. Comm. Code §§ 521.002, 521.053; • Regulatory requirements in specific industries, e.g. NYS DFS; HIPAA Security Rule; GLBA; FTC Safeguards Rule; MA and CA Information Security Laws; UCC Article 4A; NAIC Insurance Data Security Model Law; City of Chicago (Ordinance, MCC § 2-25-090); PCI-DSS; • Requirements in privacy statutes, e.g. CCPA; • FTC Act, 15 U.S.C. Sec. 5. Privacy • In US, mostly “sector-specific,” e.g. HIPAA for healthcare; Gramm-Leach-Bliley for financial institutions; FERPA for education; FCRA for credit reports and background checks, etc.; • Most privacy statutes are not preemptive, so states and state industry regulators can overlap; • For Europe (including tracking Europeans from US), comprehensive privacy regulation under GDPR; • Movement toward comprehensive state statutes, e.g. California Consumer Privacy Act (“CCPA”) taking effect in 2020 • FTC Act, 15 U.S.C. Sec. 5. • Key Regulators: • Federal: FTC, OCR, and SEC • State: State AGs • Individual: Class Action Lawyers
  17. 17. General Principles and Standards Cybersecurity • Use reasonable measures to protect the confidentiality, security, and integrity of data; • Note that what is enough to be “reasonable” varies according to how sensitive the particular data is; • What is “reasonable” evolves over time; • There is no such thing as perfect security – good information security program documentation is critical. Privacy FTC Fair Information Principles: • Notice/Awareness: Tell people what data you’re going to collect, and why; • Choice/Consent: Get their consent; • Access/Participation: Let people see their data, correct mistakes in it, have it back or move it if they wish; • Integrity/Security: You and your vendors use it only for the consented purpose, keep it secure, dispose of it responsibly; • Enforcement/Redress: (Think $5
  18. 18. Cloud Computing and Legal Technology Q: What are cloud services? A: Third-party services to which you can outsource some or all of your IT requirements. Q: What types of requirements can you outsource (partial list)? A: Top-level “Infrastructure” (e.g. to AWS or Microsoft); Middle-level “Platforms” (e.g. SalesForce or SQL Server); and/or User-friendly “Applications” (e.g. Abacus, Practice Panther, Clio). *You’ll have different responsibilities, and different contracts, for each “layer.” Q: What do I most need to know about Legal Tech? A: Most legal-tech services: (i) Are running on a cloud platform hosted by a third-party, (ii) Present their own security and privacy risks, and are (iii) probably relying on other vendors to provide aspects of their services to your firm.
  19. 19. Contracting Key Topics (partial list) PRIVACY PERFORMANCE Automatic Renewal? SECURITY Confidentiality Copyright Infringement Cost Third-Party Issues Inappropriate/Illegal Use Scalability Data Ownership Modifications/Changes Accessibility Geolocation Governing Law/Venue Data Recovery WARRANTIES SERVICE LEVEL AGREEMENTS Storage Term TERMINATION RIGHTS Compliance Training Breach Notification Audits VENDOR CONTROL SCOPE OF RIGHTS
  20. 20. Vendor Control Q: What does “vendor control” mean? A: Prudent Selection – Contracting – Monitoring – Management of vendors and service providers. Q: What are the keys to selecting and contracting with a vendor? A: Ethics/reputation; functionality; performance/service commitment; confidentiality; security; data control; and ownership. Q: Is this required, or just best practice? A: Increasingly required. GDPR and CCPA effectively require Data Processing and Security Addenda, where your vendors pledge to require their vendors not to use personal data for anything except the purpose for which they’re hired; to require the same of their vendors; to keep personal information secure; etc. (TRANSLATION: don’t let your vendors’ vendors do a side hustle with your clients’ data – or with yours.)
  21. 21. Privacy & Technology Questions? Charles M. Hosch Hosch & Morris, PLLC O: 214-306-8980, ext. 102
  22. 22. Competent Representation T. Hunter Lewis, Duffee + Eitzen LLP Duffee + Eitzen LLP
  23. 23. Special Thanks: George Shake Joshua Dossey Duffee + Eitzen LLP
  24. 24. Technological Competence Requirements In The Beginning…. • In 2012 ABA revised Model Rules of Professional Conduct, Rule 1.1, comment 8 to include the requirement for attorneys to maintain technological competence. • The ABA issues advisory opinions on ethics questions and can be cited as persuasive authority – these opinions and rules are not binding on state disciplinary authorities
  25. 25. ABA Model Rules of Professional Conduct Rule 1.1, comment 8 - Maintaining Competence [8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
  26. 26. Texas Implementation In The Beginning…. • At the state level, many states began passing legislation concerning technical updates to their statutory authority concerning process of service (to include electronic service), electronic signatures, electronic communication/notice, and electronic filing • In 2013, The Texas Supreme Court mandated electronic filing in civil cases to begin January 1, 2014, with full implementation by July, 2016.
  27. 27. Texas Key Rule Changes • Texas Rule of Civil Procedure 21 • Filing and Serving Pleadings and Motions • Texas Rule of Civil Procedure 21a • Methods of Service • Texas Rule of Civil Procedure 21c • Privacy Protection for Filed Documents
  28. 28. Texas Ethics Opinion Concerning then Current Rules 2016 – Texas Ethics Opinion 665 • In December, 2016 The Professional Ethics Committee For the State Bar of Texas issued Opinion No. 665. • This opinion addresses attorney’s responsibilities related to metadata. • The opinion reviewed the competency requirements of the previous version of Rule 1.01, Texas Disciplinary Rules of Professional Conduct. • Although this opinion addresses an attorney’s duty of competence related to technology, this opinion narrowly deals with metadata.
  29. 29. Texas Ethics Opinion Concerning then Current Rules 2016 – Texas Ethics Opinion 665 The opinion states: • [A] lawyer’s duty of competence requires that lawyers who use electronic documents understand that metadata is created in the generation of electronic documents, that transmission of electronic documents will include transmission of metadata, that the transmitted metadata may include confidential information, that recipients of the documents can access metadata, and that actions can be taken to prevent or minimize the transmission of metadata.
  30. 30. Florida became the first state to require lawyers to include Technology in their CLE 2017 – The First CLE Requirement in Florida RULE 6-10.3 MINIMUM CONTINUING LEGAL EDUCATION STANDARDS (b) Minimum Hourly Continuing Legal Education Requirements. Each member must complete a minimum of 33 credit hours of approved continuing legal education activity every 3 years. At least 5 of the 33 credit hours must be in approved legal ethics, professionalism, bias elimination, substance abuse, or mental illness awareness programs, with at least 1 of the 5 hours in an approved professionalism program, and at least 3 of the 33 credit hours must be in approved technology programs. If a member completes more than 33 credit hours during any reporting cycle, the excess credits cannot be carried over to the next reporting cycle.
  31. 31. Texas Ethics Opinion Concerning then Current Rules 2018 – Texas Ethics Opinion 680 • In September 2018 The Professional Ethics Committee For the State Bar of Texas issues Opinion No. 680. • The opinion states: Rule 1.01(a) requires that lawyers exhibit “competence” in representing clients. In Opinion 665 (December 2016), the Committee applied Rule 1.01 to a question involving a lawyer’s inadvertent transmission to third parties of electronic metadata within client documents and concluded that the Rule’s “competency” requirement was applicable to a lawyer’s technological competence in preserving client confidential information. The Committee reiterates here the necessity of competence by lawyers and their staff regarding data protection considerations of cloud-based systems. • Again, the opinion addresses an attorney’s duty of competence related to technology, this opinion focuses on cloud-based systems, not technology as a broad issue.
  32. 32. 2019 Texas Supreme Court Order February 26, 2019 the Texas Supreme Court orders that paragraph 8 of the comment to Rule 1.01, Texas Disciplinary Rules of Professional Conduct, is amended to include the requirement for attorneys to maintain technological competence. Thus, becoming the 36th and most recent state to do so.
  33. 33. Texas Ethics Opinion Concerning then Current Rules 2019 Texas Supreme Court Order Rule 1.01. Competent and Diligent Representation Comment: Maintaining Competence 8. Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. To maintain the requisite knowledge and skill of a competent practitioner, a lawyer should engage in continuing study and education. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. Isolated instances of faulty conduct or decision should be identified for purposes of additional study or instruction.
  34. 34. How will Texas apply this change? 2019 Texas Supreme Court Order Rule 1.01. Competent and Diligent Representation • As of 9/1/2019, no appellate decisions in Texas reference the revised comment to the Rule. • Sister Jurisdictions may give rise to some guidance for Texas Courts (e.g. Delaware).
  35. 35. The Potential Future of the Competence Requirement James v. Nat’l Fin. LLC, C.A. No. 8931-VCL, 2014 Del. Ch. LEXIS 254 (Del. Ch. December 5, 2014). • The Court of Chancery has jurisdiction to hear all matters relating to equity, largely dealing with corporate issues, has a national reputation in the business community and is responsible for developing the case law in Delaware on corporate matters. Appeals from the Court of Chancery may be taken to the Supreme Court.
  36. 36. James v. Nat’l Fin. LLC • Delaware’s Lawyer’s Rules of Professional Conduct, Rule 1.1, Comment 8, was amended to include the language “including the benefits and risks associated with relevant technology.” ****(This is the Texas Language)**** Case Background • Class Action unconscionable loan practices civil lawsuit. • This opinion deals with a discovery dispute and sanctions. • The Plaintiffs propounded discovery requests related to the bank’s loan practices.
  37. 37. James v. Nat’l Fin. LLC Case Background • In the deposition of the Defendant bank’s representative he admitted to making errors in exporting data for the discovery response. • Court ordered Defendant bank to utilize an IT expert to respond to specific discovery requests. • Court ordered that the IT expert provide an affidavit describing the procedures it followed in extracting the data. • Defendant chatted with an IT expert for 20 minutes who wrote a letter stating that there was no way to properly and easily convert paper records into an electronic database.
  38. 38. James v. Nat’l Fin. LLC Case Background • Plaintiff’s attorney pressed Defendant’s attorney for the required affidavit. Wait for it… Wait for it… • Defendant’s attorney stated that he did not know anything about it and tried to stay out of the process! • During the hearing on motion for sanctions (of course) Defendant’s attorney said…
  39. 39. James v. Nat’l Fin. LLC Case Background “I have to confess to this Court, I am not computer literate. I have not found presence in the cybernetic revolution. I need a secretary to help me turn on the computer. This was out of my bailiwick.”
  40. 40. James v. Nat’l Fin. LLC Holding The Court had some thoughts about this: • Professed technological incompetence is not an excuse for discovery misconduct and went on to quote comment 8 to Rule 1.1 of Delaware’s Lawyer’s Rules of Professional Conduct with the language “including the benefits and risks associated with relevant technology.” • The Court ordered the Defendant to pay Plaintiff’s attorneys’ fees and costs related to this discovery dispute.
  41. 41. Final Thoughts • While Texas does not have a specific Technology requirement for CLE, prioritize at least one CLE or Lecture concerning technology updates annually. • Refer to State Bar promulgated seminars concerning legislative updates and updates concerning e-discovery and new trends in technology in litigation. • Know what you don’t know… technology can outpace even the best of us!
  42. 42. Privacy & Technology Questions? T. Hunter Lewis Duffee + Eitzen, LLP O: 214-419-9010
  43. 43. The Judicial Perspective Hon. Emily Miskel, District Judge 470th Judicial District Court Collin County, Texas
  44. 44. Privacy & Technology Questions? Hon. Emily Miskel District Judge 470th Judicial District Court