The ABA Model Rules have changed, and there’s no escaping it—because state bar associations are adopting these changes. Providing competent representation now means having not only legal knowledge, but also technological skills in safeguarding electronic information. It shouldn’t be that difficult. Except lawyers (and clients) are glued to their smartphone and laptop screens. We’ll look at some of the ways that you and your firm can guard client confidentiality (and provide excellent service) while you’re at it.
6. “…including the benefits and risks of technology”
Bd. of Bar Overseers, Office of the Bar Counsel, Public Reprimand No. 2013-21 (Oct. 9, 2013)
Iowa Supreme Court Atty. Disciplinary Bd. v. Wright, 840 N.W.2d 295, 301-04 (Iowa 2013)
In re Anonymous, 6 N.E.3d 903, 907 (Ind. 2014)
In re John A. Goudge, 12PR0085
In the Matter of Cynthia E. Collie, Appellate Case No. 2012-213164 (South Carolina, Oct. 17, 2013)
Clio Cloud Conference 2014 #ClioCloud9
10. The States Weigh In On Cloud Computing
• 18 states – so far as we know
• Cropping up since 2006
• Topics include 3rd party access to electronic data, safekeeping property in electronic format, extranets, web-based email, SaaS, and “the Cloud”
18. Catherine Sanders Reach, Director
Chicago Bar Association
Law Practice Management & Technology
Phone: 312-554-2070
Csandersreach@chicagobar.org
www.chicagobar.org/lpmt
Follow me @catherinereach
www.linkedin.com/in/catherinereach
19. Thank you for listening!
Editor's Notes
Rule 1.1 – emphasize that a lawyer has a duty to keep abreast of changes in technology, including risks and benefits
Rule 1.6 – address protecting client confidences from inadvertent and unauthorized disclosure, as well as unauthorized access
Rule 5.3 – underscores that lawyers should ensure nonlawyers outside the firm provide services compatible with the lawyer’s own obligation to protect client information. The rule’s heading changes from “Assistants” to “Assistance”.
The standard of care for confidentiality has long been determined by what is reasonable; however, it was left to the discretion of attorneys to define “reasonable”. In the updated Comment [16] to Rule 1.6 the Commission proposed and the House approved a five-point “checklist” for determining the reasonableness of a lawyer’s efforts to maintain confidentiality:
Sensitivity of information
Likelihood of disclosure without safeguards
Cost of additional safeguards
Difficulty of implementing safeguards
Extent to which the safeguards adversely affect lawyer’s ability to represent clients
Mere disclosure, by itself, does not trigger discipline. In discussing the duties under Rule 1.6 the Commission made it clear that they understand that lawyers can’t guarantee electronic security any more than they can guarantee the physical security of documents stored in a file cabinet or offsite storage facility. Just like fires and floods, computer systems can suffer catastrophic events or they can be hacked. The new Rule does not impose a duty on lawyers to achieve the unattainable.
Importantly, mere inadvertent or unauthorized disclosure of, or unauthorized access to this information does not, by itself, constitute a violation of the Rule. As we’ve seen recently, even the most security conscious entities can be hacked.
24 states studying the adoption, 10 states adopted
Stay up to date
Know what you don’t know
You aren’t guaranteeing that information is secure from any unauthorized access
Lawyer should periodically review vendor’s security measures
Special circumstances warrant special precautions
Business stability – how long has vendor been in business, funding, operating record, client recommendations, reviews, etc.
Examine vendor’s policies and procedures for handling confidential information
Review of Terms of Use, license agreement, privacy policy, service level agreement, et al
Evaluate vendor’s security, including firewalls, encryption techniques, SSL, and intrusion detection systems
Electronic records containing confidential data, including backups, are protected with encryption
If vendor has security breach will lawyer be notified?
Provide the firm with the right to audit the provider’s security procedures and to obtain copies of any security audits performed
Vendor has enforceable obligation to preserve security
Basecamp was down on Monday because of a DDoS tied to a hacker’s demand for money (a twist on ransomware?). Meetup, Fotolia, GitHub and others were also affected.
Clients are deemed to have impliedly authorized the lawyer to make confidential data accessible to the vendor pursuant to Rule 1.6(a)
Client may need to be informed about the nature of cloud based services used, and the impact on the client’s matter
TOS, SLA, or separate agreement that states vendor will keep firm information confidential and inaccessible, in compliance with ethics rules
Cloud provider acknowledges enforceable obligation to preserve confidentiality
Lawyer is notified if cloud provider is served with process requiring the production of law firm data
Guaranteed uptime with failure resulting in service credits/$$
Ensure the provider agrees it has no ownership or security interest in the data
Employs proper security protocols: firewalls, password protection, encryption, anti-virus, etc.
Employees must receive training on and abide by end user security measures, including strong passwords and regular replacement of passwords
Have secondary way to access the internet
Provide availability of unrestricted access to data, ability to access the data through alternate means
What is the vendor’s process for handling data that is subject to a litigation hold?
If vendor is breached lawyer should tell client if client data affected
How does vendor back up data?
Vendor must protect data from destruction, degradation, or loss
Investigate vendor’s business continuity plan, including server locations
Determine whether servers are located in a specified geographic area; if they are outside the US, the firm must first determine the hosting jurisdiction’s privacy and data security laws, as well as its protections against unlawful search and seizure
Implement electronic audit trail to monitor who is accessing the data
Law firm will have a method of retrieving data in a non-proprietary format if the law firm terminates use of the product, the vendor dissolves, or there is otherwise a break in continuity
If law firm terminates or discontinues use of product, vendor is contractually obligated to return or destroy hosted data
Before identifying some of the myriad ways in which lawyers can get into trouble with technology (as well as offering a few practical suggestions), let’s first scope the opportunity.
As of 2012, every day, people create 2.5 quintillion (yes, that’s a word — just add 18 zeroes) bytes of data;1
It is estimated that 90 percent of the data in the world today has been created in the last two years;
Collectively, each day, people send approximately 145 billion email messages; and
A great deal of this data either is stored on a mobile device or may be accessed remotely.
In short, there is a lot of electronic information out there that lawyers, along with almost everyone else on the planet, store, access, and use. Of course, that also means there is no shortage of opportunities for things to go horribly wrong. For example:
Companies’ IT systems are attacked an average of two million times . . . per week;2
Annually, travelers lose thousands of mobile devices at U.S. airports, including laptops, mobile phones, and portable data drives;3 and
According to a recent study by a mobile security company, every 3.5 seconds, someone in America loses a cellphone.4 Usually, it occurs in a coffee shop. And if you live in Seattle, well, it stands to reason that it’s the number-two city for lost cellphones.
Computer Use Policies & Training
Make sure you, and your staff, follow best practices online.
Records Retention, squirreling away data
Data Breach Response Plan
Start (and End) at the Top
SANS policy bank
Revoke Power
Don’t ignore patches and updates. Recently the SANS Ouch Newsletter was distributed as a compromised PDF.
XP, Office 2003 buh bye
Lookout: SECURITY & ANTIVIRUS
Backed by the Mobile Threat Network, Lookout protects you from bad stuff that can slow down your phone or make unauthorized charges to your wireless bill with over-the-air, real-time updates.
• Detect and remove viruses and spyware that can hide in apps, email attachments, or phone files.
• Scan every number you click to call from your mobile browser and we’ll alert you if dialing the number might have unintended consequences, like wiping your phone.
• Schedule antivirus scans for when it makes sense for you with weekly/daily options.
• **Block dangerous URLs that can steal your private information like logins and passwords - 40% of people will click an unsafe URL from their smartphone this year!
• **See the data that each of your apps can access with Privacy Advisor.
FIND MY PHONE
Ever lose your phone or have it stolen? It’s a horrible feeling and it happens to most people at least once a year. But not all hope is lost. Lookout gives you the best chance at finding your lost phone or tablet.
• Find your phone on a Google Map instantly from Lookout.com. (simply log-in!)
• Sound a loud alarm or make your phone SCREAM to find it even if it’s on silent!
• Locate your phone, even if your battery is dying. Automatically see its last known location at Lookout.com to give you the best chance at finding your missing phone.
• **Remotely lock your phone from Lookout.com to prevent unauthorized use.
• **Wipe the data from Lookout.com to rest assured that no one will have access to your info.
BACKUP & RESTORE
We all have things that we cherish on our phones. Save an extra copy of the personal data on your phone for those “just in case” moments. Access all your data online, quickly and easily, at Lookout.com.
• Back up your precious contacts automatically.
• Restore all your contacts to your existing phone or tablet from your Lookout.com account
• **Protect your valuable pictures and call history automatically.
• **Transfer your contacts, pictures, and call history to a new device from Lookout.com
Security is paramount and the big question people ask vendors.
Because so many companies are using The Cloud, they want easy ways to express that they are compliant with security standards. However, the standards are still very much in development.
In fact, certain catch phrases such as “SAS 70 Type 2 Certification” are misleading. If you see “SAS 70 Type 2 Certification”, know that SAS 70 has been superseded and it was never a certification. It is an audit report (Statement on Auditing Standards) developed by the American Institute of Certified Public Accountants (AICPA), and it was superseded by SSAE 16, with the SOC 2 report generated by the auditor. Further, it is highly unlikely that the vendor would share the results of the report, and there is no pass/fail per se.
Other standards being developed include ISO 27000 series (ISO 27001 (information security management) – 27006) and some others such as those being developed by the National Institute of Standards and Technology Computer Security Division from the federal government, as well as regulations requiring compliance such as HIPAA and HITECH.
There are also third-party certifications from providers like TRUSTe and Verisign, but ultimately there is not currently one single seal of approval that would put a law firm at ease about using a particular product. There are, however, a number of efforts to create complete standards. One entity that is coming close to an overall standard for cloud computing is the Cloud Security Alliance, which currently has a self-assessment, a certification and attestation, and the STAR registry of entities that have agreed to offer transparency and assurance by posting the results of their self-assessment and certifications.
In some cases lawyers will not be able to get all the answers they want, especially from mega corps. Levels of sensitivity in the reasonableness standard:
The five-point “checklist” for determining the reasonableness of a lawyer’s efforts to maintain confidentiality:
Sensitivity of information
Likelihood of disclosure without safeguards
Cost of additional safeguards
Difficulty of implementing safeguards
Extent to which the safeguards adversely affect lawyer’s ability to represent clients