Catherine Sanders Reach - Competence and Confidentiality: Practice in the Post-Information Age
•Download as PPTX, PDF•
0 likes•635 views
The ABA Model Rules have changed, and there’s no escaping it—because state bar associations are adopting these changes. Providing competent representation now means having not only legal knowledge, but also technological skills in safeguarding electronic information. It shouldn’t be that difficult. Except lawyers (and clients) are glued to their smartphone and laptop screens. We’ll look at some of the ways that you and your firm can guard client confidentiality (and provide excellent service) while you’re at it.
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (15)
Similar to Catherine Sanders Reach - Competence and Confidentiality: Practice in the Post-Information Age
Similar to Catherine Sanders Reach - Competence and Confidentiality: Practice in the Post-Information Age (20)
More from Clio - Cloud-Based Legal Technology
More from Clio - Cloud-Based Legal Technology (20)
Recently uploaded
Recently uploaded (20)
Catherine Sanders Reach - Competence and Confidentiality: Practice in the Post-Information Age
- 1. Clio Cloud Conference 2014 SEPTEMBER 22 – 23, 2014 · CHICAGO, ILLINOIS
- 2. Clio Cloud Conference 2014 #ClioCloud9
- 3. Clio Cloud Conference 2014 #ClioCloud9
- 4. Rule 1.1 Lawyer’s Duty of Competence Rule 1.6 Confidentiality of Information Rule 5.3 Responsibilities Regarding Nonlawyer Assistance Rule Clio Cloud Conference 2014 #ClioCloud9
- 5. Clio Cloud Conference 2014 #ClioCloud9
- 6. “…including the benefits and risks of technology” Bd. Of Bar Overseers Office of the Bar Counsel, Public Reprimand No. 2013-21 (Oct. 9, 2013) Iowa Supreme Court Atty. Disciplinary Bd. v. Wright, 840 N.W.2d 295, 301-04 (Iowa 2013) In re Anonymous, 6 N.E.3d 903, 907 (Ind. 2014) In re John A. Goudge, 12PR0085 In the Matter of Cynthia E. Collie, Appellate Case No. 2012- 213164 (South Carolina (Oct. 17, 2013) Clio Cloud Conference 2014 #ClioCloud9
- 7. DEFINING “REASONABLE” Clio Cloud Conference 2014 #ClioCloud9
- 8. Clio Cloud Conference 2014 #ClioCloud9
- 9. Clio Cloud Conference 2014 #ClioCloud9
- 10. The States Weigh In On Cloud Computing • 18 states – so far as we know • Cropping up since 2006 • Topics include 3rd party access to electronic data, safekeeping property in electronic format, extranets, web-based email, SaaS, and “the Cloud” Clio Cloud Conference 2014 #ClioCloud9
- 11. Clio Cloud Conference 2014 #ClioCloud9
- 12. Clio Cloud Conference 2014 #ClioCloud9
- 13. Clio Cloud Conference 2014 #ClioCloud9
- 14. Clio Cloud Conference 2014 #ClioCloud9
- 15. Clio Cloud Conference 2014 #ClioCloud9
- 16. Clio Cloud Conference 2014 #ClioCloud9
- 17. Clio Cloud Conference 2014 #ClioCloud9
- 18. Catherine Sanders Reach, Director Chicago Bar Association Law Practice Management & Technology Phone: 312-554-2070 Csandersreach@chicagobar.org www.chicagobar.org/lpmt Follow me @catherinereach www.linkedin.com/in/catherinereach Clio Cloud Conference 2014 #ClioCloud9
- 19. Thank you for listening! Clio Cloud Conference 2014 #ClioCloud9
Editor's Notes
- Rule 1.1 – emphasize that a lawyer has a duty to keep abreast of changes in technology, including risks and benefits Rule 1.6 – address protecting client confidences from inadvertent and unauthorized disclosure, as well as unauthorized access Rule 5.3 – underscores lawyers should ensure nonlawyers outside the firm provide services compatible with the lawyer’s own obligation to protect client information. Change “Assistants” to “Assistance”.
- Rule 1.1 – emphasize that a lawyer has a duty to keep abreast of changes in technology, including risks and benefits Rule 1.6 – address protecting client confidences from inadvertent and unauthorized disclosure, as well as unauthorized access Rule 5.3 – underscores lawyers should ensure nonlawyers outside the firm provide services compatible with the lawyer’s own obligation to protect client information. Change “Assistants” to “Assistance”.
- The standard of care for confidentiality has long been determined by what is reasonable, however it was left to the discretion of attorneys to determine the definition of “reasonable”. In the updated Comment [16] to Rule 1.6 the Commission proposed and the House approved a five point “checklist” for determining reasonableness of lawyer efforts to maintain confidentiality: Sensitivity of information Likelihood of disclosure without safeguards Cost of additional safeguards Difficulty of implementing safeguards Extent to which the safeguards adversely affect lawyer’s ability to represent clients Mere disclosure, by itself, does not trigger discipline. In discussing the duties under Rule 1.6 the Commission made it clear that they understand that lawyers can’t guarantee electronic security any more than they can guarantee the physical security of documents stored in a file cabinet or offsite storage facility. Just like fires and floods, computer systems can suffer catastrophic events or they can be hacked. The new Rule does not impose a duty on lawyers to achieve the unattainable. Importantly, mere inadvertent or unauthorized disclosure of, or unauthorized access to this information does not, by itself, constitute a violation of the Rule. As we’ve seen recently, even the most security conscious entities can be hacked.
- 24 states studying the adoption, 10 states adopted
- Stay up to date Know what you don’t know You aren’t guaranteeing that information is secure from any unauthorized access Lawyer should periodically review vendor’s security measures Special circumstances warrant special precautions
- Business stability – how long has vendor been in business, funding, operating record, client recommendations, reviews, etc. Examine vendor’s policies and procedures for handling confidential information Review of Terms of Use, license agreement, privacy policy, service level agreement, et al Evaluate vendor’s security including firewalls, encryption techniques, SSL, intrusion detections systems Electronic records containing confidential data, including backups, are protected with encryption If vendor has security breach will lawyer be notified? Provide the firm with the right to audit the providers security procedures and obtain copies of any security audits performed Vendor has enforceable obligation to preserve security Basecamp down on Monday because of a DDoS due to a hacker demands for money or a DDoS (twist on ransomeware?) Also affected Meetup, Fotolia, GitHub and others Clients deemed to have impliedly authorized to make confidential data accessible to vendor pursuant to Rule 1.6a Client may need to be informed about the nature of cloud based services used, and the impact on the client’s matter TOS, SLA, or separate agreement that states vendor will keep firm information confidential and inaccessible, in compliance with ethics rules Cloud provider acknowledges enforceable obligation to preserve confidentiality Lawyer is notified if cloud provider is served with process requiring the production of law firm data Guaranteed uptime with failure resulting in service credits/$$ Ensure the provider agrees it has no ownership or security interest in the data Employs proper security protocols: firewalls, password protection, encryption, anti-virus, etc. Employees must receive training on and abide by end user security measures, including strong passwords and regular replacement of passwords Have secondary way to access the internet Provide availability of unrestricted access to data, ability to access the data through alternate means What is vendor’s process to comply with data that is subject to a litigation hold If vendor is breached lawyer should tell client if client data affected How does vendor back up data? Vendor must protect data from loss due to destruction, degradation, or loss Investigate vendor’s business continuity plan, including server locations Determine location of servers specified geographic area, and if outside the US the firm must first determine the hosting jurisdiction’s privacy and data security laws, as well as protections against unlawful search and seizure Implement electronic audit trail to monitor who is accessing the data Law firm will have a method of retrieving data in a non proprietary format if law firm terminates use of product, vendor dissolves, or otherwise has a break in continuity If law firm terminates or discontinues use of product, vendor is contractually obligated to return or destroy hosted data
- Before identifying some of the myriad ways in which lawyers can get into trouble with technology (as well as offering a few practical suggestions), let’s first scope the opportunity. As of 2012, every day, people create 2.5 quintillion (yes, that’s a word — just add 18 zeroes) bytes of data;1 It is estimated that 90 percent of the data in the world today has been created in the last two years; Collectively, each day, people send approximately 145 billion email messages; and A great deal of this data either is stored on a mobile device or may be accessed remotely. In short, there is a lot of electronic information out there that lawyers, along with almost everyone else on the planet, store, access, and use. Of course, that also means there is no shortage of opportunities for things to go horribly wrong. For example: Companies’ IT systems are attacked an average of two million times . . . per week;2 Annually, travelers lose thousands of mobile devices at U.S. airports, including laptops, mobile phones, and portable data drives;3 and According to a recent study by a mobile security company, every 3.5 seconds, someone in America loses a cellphone.4 Usually, it occurs in a coffee shop. And if you live in Seattle, well, it stands to reason that it’s the number-two city for lost cellphones.
- Computer Use Policies & Training Make sure you, and your staff, follow best practices online. Records Retention, squirreling away data Data Breach Response Plan Start (and End) at the Top Sans Policy bank Revoke Power Don’t ignore patches and updates. Recently the SANS Ouch Newsletter was distributed as a compromised PDF. XP, Office 2003 buh bye Records Retention, squirreling away data Lookout: SECURITY & ANTIVIRUS Backed by the Mobile Threat Network, Lookout protects you from bad stuff that can slow down your phone or make unauthorized charges to your wireless bill with over-the-air, real-time updates. • Detect and remove viruses and spyware that can hide in apps, email attachments, or phone files. • Scan every number you click to call from your mobile browser and we’ll alert you if dialing the number might have unintended consequences, like wiping your phone. • Schedule antivirus scans for when it makes sense for you with weekly/daily options. • **Block dangerous URLs that can steal your private information like logins and passwords - 40% of people will click an unsafe URL from their smartphone this year! • **See the data that each of your apps can access with Privacy Advisor. FIND MY PHONE Ever lose your phone or have it stolen? It’s a horrible feeling and it happens to most people at least once a year. But not all hope is lost. Lookout gives you the best chance at finding your lost phone or tablet. • Find your phone on a Google Map instantly from Lookout.com. (simply log-in!) • Sound a loud alarm or make your phone SCREAM to find it even if it’s on silent! • Locate your phone, even if your battery is dying. Automatically see its last known location at Lookout.com to give you the best chance at finding your missing phone. • **Remotely lock your phone from Lookout.com to prevent unauthorized use. • **Wipe the data from Lookout.com to rest assured that no one will have access to your info. BACKUP & RESTORE We all have things that we cherish on our phones. Save an extra copy of the personal data on your phone for those “just in case” moments. Access all your data online, quickly and easily, at Lookout.com. • Back up your precious contacts automatically. • Restore all your contacts to your existing phone or tablet from your Lookout.com account • **Protect your valuable pictures and call history automatically. • **Transfer your contacts, pictures, and call history to a new device from Lookout.com
- Security is paramount and the big question people ask vendors. Because so many companies are using The Cloud they want easy ways to express that they are compliant with security standards. However, the standards are still vey much in development. In fact, certain catch phrases such as “SAS 70 Type 2 Certification” are misleading. If you see “SAS 70 Type 2 Certification” know that SAS 70 has been superseded and it was never a certification. It is an audit report (Statement on Auditing Standards) developed by the American Institute of Certified Public Accountants (AICPA) and was superseded by SSAE16, with the SOC2sm report generated by the auditor. Further it is highly unlikely that the vendor would share the results of the report and there is no pass/fail per se. Other standards being developed include ISO 27000 series (ISO 27001 (information security management) – 27006) and some others such as those being developed by the National Institute of Standards and Technology Computer Security Division from the federal government, as well as regulations requiring compliance such as HIPAA and HITECH. There are also third party certifications from providers like Trust – E and Verisign, but ultimately there is not currently one single seal of approval that would put a law firm at ease for using a particular product. There are, however, a number of efforts to create complete standards. One entity that is coming close to an overall standard for cloud computing is the Cloud Security Alliance, which currently has a self-assessment, a certification and attestation, and the STAR registry of entities that have agreed to offer transparency and assurance by posting results of their self-assessment and certifications.
- Security is paramount and the big question people ask vendors. Because so many companies are using The Cloud they want easy ways to express that they are compliant with security standards. However, the standards are still vey much in development. In fact, certain catch phrases such as “SAS 70 Type 2 Certification” are misleading. If you see “SAS 70 Type 2 Certification” know that SAS 70 has been superseded and it was never a certification. It is an audit report (Statement on Auditing Standards) developed by the American Institute of Certified Public Accountants (AICPA) and was superseded by SSAE16, with the SOC2sm report generated by the auditor. Further it is highly unlikely that the vendor would share the results of the report and there is no pass/fail per se. Other standards being developed include ISO 27000 series (ISO 27001 (information security management) – 27006) and some others such as those being developed by the National Institute of Standards and Technology Computer Security Division from the federal government, as well as regulations requiring compliance such as HIPAA and HITECH. There are also third party certifications from providers like Trust – E and Verisign, but ultimately there is not currently one single seal of approval that would put a law firm at ease for using a particular product. There are, however, a number of efforts to create complete standards. One entity that is coming close to an overall standard for cloud computing is the Cloud Security Alliance, which currently has a self-assessment, a certification and attestation, and the STAR registry of entities that have agreed to offer transparency and assurance by posting results of their self-assessment and certifications.
- In some cases lawyers will not be able to get all the answers they want, especially with mega corps. Levels of sensitiviy in the reasonableness standard: five point “checklist” for determining reasonableness of lawyer efforts to maintain confidentiality: Sensitivity of information Likelihood of disclosure without safeguards Cost of additional safeguards Difficulty of implementing safeguards Extent to which the safeguards adversely affect lawyer’s ability to represent clients