legal issues in cloud computing,cloud computing and law,cyberlaw and cloud computing in india,prashant mali,cloud computing issues,cloud computing security
This presentation identifies and discusses certain ethical rules and opinions that apply to an Arizona lawyer's use of cloud computing in his or her practice. The concepts are generally applicable to lawyers in many other states as well.
Raising the Bar for Email Security: Confidentiality and Privacy Standards tha... - Jim Brashear
Presentation for the North Carolina State Bar seminar on Real Estate Hot Topics on February 20, 2015. This presentation focuses on email security and its role in complying with the ALTA Best Practice on Privacy and Protection of Non-Public Personal Information.
What I learned at the Infosecurity ISACA North America Conference 2019 - Ulf Mattsson
The 2019 Infosecurity ISACA North America Expo and Conference was held in New York City’s Javits Convention Center on November 20-21. With more than 50 sessions spanning 5 tracks, this conference offered the best-in-class educational content ISACA members and certification holders depend on, plus unprecedented access to leaders in the security industry.
Join Ulf Mattsson, Head of Innovation at TokenX for a conference recap webinar on the biggest takeaways
OSCON 2012 US Patriot Act Implications for Cloud Computing - Diane Mueller, A... - OSCON Byrum
Presented by Diane Mueller, ActiveState @pythondj
Are you unsure what the security and privacy implications are for sensitive corporate data? US Patriot Act is causing many of us to hesitate on leveraging the cloud.
Organizations are thinking long and hard about the legal and regulatory implications of cloud computing. When it comes to actual corporate data, no matter what the efficiency gains are, legal departments are often directing IT departments to steer clear of any service that eliminates their ability to keep potential sensitive information out of the hands of Federal prosecutors.
Despite all the hype about every application moving into the cloud, some practical patterns are starting to emerge in the types of data corporations are willing to move to the cloud.
Covered in this session:
(a) Introduction to the US Patriot Act and Data Privacy issues; Implications for Cloud Computing; Jurisdictional Issues
(b) Best Practices & Practical Patterns; Classes of applications that best leverage the cloud
(c) What types of applications should stay on-premise; Private Cloud Model(s); Building a Compliant Cloud Strategy
For more information:
email me at dianem {at} activestate {period} com
or ping me on twitter at @pythondj
visit http://activestate.com/stackato
In this work we highlighted some of the concepts of data privacy, techniques used in data privacy, and some techniques used in data privacy in the cloud plus some new research trends.
Protecting Data Privacy in Analytics and Machine Learning - Ulf Mattsson
In this session, we will discuss a range of new emerging technologies for privacy and confidentiality in machine learning and data analytics. We will discuss how to use open source tools to put these technologies to work for databases and other data sources.
When we think about developing AI responsibly, there’s many different activities that we need to think about. In this session, we will discuss technologies that help protect people, preserve privacy, and enable you to do machine learning confidentially.
This session discusses industry standards and emerging privacy-enhanced computation techniques, secure multiparty computation, and trusted execution environments. We will discuss how the Zero Trust philosophy fundamentally changes the way we approach security, since trust is a vulnerability that can be exploited, particularly when working remotely and increasingly using cloud models. We will also discuss the “why, what, and how” of techniques for privacy preserving computing.
We will review how different industries are taking advantage of these privacy preserving techniques. A retail company used secure multi-party computation to be able to respect user privacy and specific regulations and allow the retailer to gain insights while protecting the organization’s IP. Secure data-sharing is used by a healthcare organization to protect the privacy of individuals, and they also store and search on encrypted medical data in the cloud.
We will also review the benefits of secure data-sharing for financial institutions including a large bank that wanted to broaden access to its data lake without compromising data privacy but preserving the data’s analytical quality for machine learning purposes.
Bridging the gap between privacy and big data Ulf Mattsson - Protegrity Sep 10 - Ulf Mattsson
Big Data systems like Hadoop provide analysis of massive amounts of data to open up “Big Answers”, identifying trends and new business opportunities. The massive scalability and economical storage also provides the opportunity to monetize collected data by selling it to a third party.
However, the biggest issue with Big Data remains security. Like any other system, the data must be protected according to regulatory mandates, such as PCI, HIPAA and Privacy laws; from both external and internal threats – including privileged users.
So how can we bridge the gap between access to vast amounts of data, and security of more and more types of data, in this rapidly evolving new environment?
In this webinar, Ulf Mattsson explores the issues and provides solutions to bring together data insight and security in Big Data. With deep knowledge in advanced data security technologies, Ulf explains the best practices in order to safely unlock the power of Big Data.
How cybersecurity changes with the European privacy regulation - Giulio Coraggio
The European privacy regulation (GDPR) requires adopting a new approach to cyber security because of the risk of sanctions and the applicable regulatory obligations.
Unlock the potential of data security 2020 - Ulf Mattsson
Explore challenges of managing and protecting data. We'll share best practices on establishing the right balance between privacy, security, and compliance
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian - PECB
Short description:
In this webinar, we will be exploring the current trends, predictions and other things of relevance to GDPR enforcement. Further, we will touch on the big fines such as Facebook, Google, Experian as well as guide you how to stay out of trouble with the regulation.
Main points covered:
• A summary of ICO enforcement action in the UK over the past 12 months
• What organizations got wrong?
• The big fines – Facebook and Experian
• Trends and predictions
• How to keep out of trouble with the regulator
Presenter:
Our presenter for this webinar, James Castro-Edwards is a partner and Head of Data Protection at Wedlake Bell LLP. James advises domestic and multinational organizations on data protection issues. His experience includes managing global data protection compliance projects for multinationals and advising domestic companies on complex data protection issues. He has also developed and delivered innovative data protection training programs for multinational clients, including a data protection officers’ training course which was accredited by a European government. James leads the firm’s outsourced data protection officer service, ProDPO.
James frequently speaks on data protection and cybersecurity issues and is widely published, having written articles for a wide variety of titles including The Times and The Guardian, and wrote The Law Society textbook on the General Data Protection Regulation (GDPR).
Recorded Webinar: https://youtu.be/QAF1XXTBFyg
SOLIXCloud Consumer Data Privacy is a suite of integrated solutions to help SOLIXCloud Common Data Platform (CDP) customers meet the growing requirements for consumer data protection. The "privacy by design" suite of solutions includes end-to-end encryption, metadata management, data profiling, data governance rules, sensitive data discovery, data masking, and data compliance to ensure all personally identifiable information (PII) is properly identified, classified, masked, and able to meet regulatory requirements including GDPR, CCPA, NYDFS, LGPD, PII, PHI and PCI.
Advanced PII / PI data discovery and data protection - Ulf Mattsson
We will discuss using Advanced PII/PI Discovery to Find & Inventory All Personal Data at an Enterprise Scale.
Learn about new machine learning & identity intelligence technology.
You will learn how to:
• Identify all PII across structured, unstructured, cloud & Big Data.
• Inventory PII by data subject & residency for GDPR.
• Measure data re-identifiability for pseudonymization.
• Uncover dark or uncatalogued data.
• Fix data quality, visualize PII data relationships
• Apply data protection to discovered sensitive data.
Privacy preserving computing and secure multi-party computation ISACA Atlanta - Ulf Mattsson
A major challenge that many organizations face is how to address data privacy regulations such as CCPA, GDPR and other emerging regulations around the world, including data residency controls, as well as enable data sharing in a secure and private fashion. We will present solutions that can reduce and remove the legal, risk and compliance processes normally associated with data sharing projects by allowing organizations to collaborate across divisions, with other organizations and across jurisdictions where data cannot be relocated or shared.
We will discuss secure multi-party computation where organizations want to securely share sensitive data without revealing their private inputs. We will review solutions that are driving faster time to insight by the use of different techniques for privacy-preserving computing including homomorphic encryption, k-anonymity and differential privacy. We will present best practices and how to control privacy and security throughout the data life cycle. We will also review industry standards, implementations, policy management and case studies for hybrid cloud and on-premises.
Securing data in the cloud: A challenge for UK Law Firms - CloudMask inc.
Authorities including the UK Information Commissioner, the Solicitors Regulation Authority
(SRA) and the Council of Bars and Law Societies of Europe (CCBE) are establishing
requirements which are conflicting with the main foundation of cloud computing and in
many cases making it impossible to implement
GDPR and NIS Compliance - How HyTrust Can Help - Jason Lackey
GDPR (EU 2016/679) and NIS are intended to strengthen data protection for people in the EU, replacing Directive 95/46/EC. Learn how HyTrust can help with compliance.
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. This paper discusses security issues, requirements and challenges that cloud service providers (CSP) face during cloud engineering. Recommended security standards and management models to address these are suggested for technical and business community.
Dcg cba legal ethics and the cloud final 06.20.17 - DENNIS GARCIA ☁
This is a copy of a presentation I delivered at the Chicago Bar Association on June 20, 2017 about Legal Ethics Considerations with using Cloud Computing solutions in the United States.
Cloud computing: 'everything you always wanted to know (but were afraid to ask)' - DLA Piper Nederland N.V.
This workshop has been held at Legal Business Day on 8 September 2011.
Across the globe organisations are contending with this latest technology panacea - cloud computing. The multijurisdictional nature of the internet - which cares not for geographical boundaries - creates a variety of challenges and opportunities for businesses, regardless of the country in which they are based and are transferable to any industry in the private or public sector.
What key considerations should your organisation be aware of? In this workshop we share our opinions on how to handle the legal challenges surrounding cloud computing such as data protection and security, the importance of getting the contract right and on the current lack of consistent, international legal protection.
In 2020, the Ministry of Home Affairs established a committee led by Prof. (Dr.) Ranbir Singh, former Vice Chancellor of National Law University (NLU), Delhi. This committee was tasked with reviewing the three codes of criminal law. The primary objective of the committee was to propose comprehensive reforms to the country’s criminal laws in a manner that is both principled and effective.
The committee’s focus was on ensuring the safety and security of individuals, communities, and the nation as a whole. Throughout its deliberations, the committee aimed to uphold constitutional values such as justice, dignity, and the intrinsic value of each individual. Their goal was to recommend amendments to the criminal laws that align with these values and priorities.
Subsequently, in February, the committee successfully submitted its recommendations regarding amendments to the criminal law. These recommendations are intended to serve as a foundation for enhancing the current legal framework, promoting safety and security, and upholding the constitutional principles of justice, dignity, and the inherent worth of every individual.
WINDING UP of COMPANY, Modes of Dissolution - KHURRAMWALI
Winding up, also known as liquidation, refers to the legal and financial process of dissolving a company. It involves ceasing operations, selling assets, settling debts, and ultimately removing the company from the official business registry.
Here's a breakdown of the key aspects of winding up:
Reasons for Winding Up:
Insolvency: This is the most common reason, where the company cannot pay its debts. Creditors may initiate a compulsory winding up to recover their dues.
Voluntary Closure: The owners may decide to close the company due to reasons like reaching business goals, facing losses, or merging with another company.
Deadlock: If shareholders or directors cannot agree on how to run the company, a court may order a winding up.
Types of Winding Up:
Voluntary Winding Up: This is initiated by the company's shareholders through a resolution passed by a majority vote. There are two main types:
Members' Voluntary Winding Up: The company is solvent (has enough assets to pay off its debts) and shareholders will receive any remaining assets after debts are settled.
Creditors' Voluntary Winding Up: The company is insolvent and creditors will be prioritized in receiving payment from the sale of assets.
Compulsory Winding Up: This is initiated by a court order, typically at the request of creditors, government agencies, or even by the company itself if it's insolvent.
Process of Winding Up:
Appointment of Liquidator: A qualified professional is appointed to oversee the winding-up process. They are responsible for selling assets, paying off debts, and distributing any remaining funds.
Cease Trading: The company stops its regular business operations.
Notification of Creditors: Creditors are informed about the winding up and invited to submit their claims.
Sale of Assets: The company's assets are sold to generate cash to pay off creditors.
Payment of Debts: Creditors are paid according to a set order of priority, with secured creditors receiving payment before unsecured creditors.
Distribution to Shareholders: If there are any remaining funds after all debts are settled, they are distributed to shareholders according to their ownership stake.
Dissolution: Once all claims are settled and distributions made, the company is officially dissolved and removed from the business register.
Impact of Winding Up:
Employees: Employees will likely lose their jobs during the winding-up process.
Creditors: Creditors may not recover their debts in full, especially if the company is insolvent.
Shareholders: Shareholders may not receive any payout if the company's debts exceed its assets.
Winding up is a complex legal and financial process that can have significant consequences for all parties involved. It's important to seek professional legal and financial advice when considering winding up a company.
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx - anvithaav
These slides help students of international law understand the nature of international law and how international law originated and developed.
The slides are well structured, with highlighted points for better understanding.
How to Obtain Permanent Residency in the Netherlands - BridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
Responsibilities of the office bearers while registering multi-state cooperat... - Finlaw Consultancy Pvt Ltd
Introduction:
The process of registering a multi-state cooperative society in India is governed by the Multi-State Co-operative Societies Act, 2002. This process requires the office bearers to undertake several crucial responsibilities to ensure compliance with legal and regulatory frameworks. The key office bearers typically include the President, Secretary, and Treasurer, along with other elected members of the managing committee. Their responsibilities encompass administrative, legal, and financial duties essential for the successful registration and operation of the society.
Car Accident Injury Do I Have a Case.... - Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
Hi, thanks for having me. So today’s presentation is Email and Cloud Ethics – Maintaining competence and confidence without being a luddite. For those who don’t know, the Luddites were 19th century textile workers that destroyed machinery they thought was threatening their job. But the term is now commonly used to refer to people who have a fear or distrust of new technology, or technophobes, if you will.
So I hope this presentation will help alleviate some of the fears and doubts and show you that using email and cloud technologies without violating your ethical obligations is not that daunting of a task.
My name is Chad Gilles, my current role with mailcontrol.net is a bit of a mixed bag. I do some marketing, some legal, and some product.
Before coming to MailControl I spent 9 years prosecuting patents
And before that I was an electrical engineer for 3 years.
Okay, so what are we going to talk about today. Well, as the to-do list says, we are going to talk about being ethical. Specifically we are going to talk about ethical use of email and “The Cloud.” The roadmap looks like this:
First we are going to review the two most-applicable rules, which are 1.1, competence, and 1.6, confidentiality of information. In both cases the Illinois rules are largely identical to the Model Rules.
Then, to make sure we are all on the same page, we are going to briefly go over what the heck is “The Cloud.” People throw that term around a lot, sometimes meaning different things and a lot of times meaning nothing because they don’t really know what it means. So we are just going to establish a basic working definition that will allow us to then
Apply rules 1.1 and 1.6 to use of the cloud.
Then we’ll talk about how email works and apply rules 1.1 and 1.6 to email in general
and then to a specific type of email which has actually become pervasive, yet most people do not know about. We call it spymail.
Okay, so rule 1.1 – competence. Now I know everyone watching can recite all the rules of professional conduct by heart, but if you can just humor me for a second, rule 1.1 says [read rule]. So, on its face, this rule doesn’t seem to say a whole lot about the use of email or the cloud, but if we look at comment 8,
then we see a lot of the motivation for why I am here today. It says [read]. This emphasized portion was added in IL 2010 and the same language was added to the ABA model rules in 2012.
And then the other rule that is very important for purposes of our discussion today is rule 1.6: Confidentiality of Information. Specifically paragraph (c) (as noted at the bottom it is paragraph (e) in IL), which reads: [read rule]. So this obviously raises the question of what are reasonable efforts.
Comment 18 offers some guidance on that. [read]
And it goes on to provide a non-exhaustive list of factors to be considered.
Likelihood of disclosure.
Sensitivity of information. So, for example, are we talking about the recipe to Coca-Cola or just marketing materials that will soon be public anyways could make a difference.
Cost of employing additional safeguards
Difficulty of implementing the safeguards
Extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use) – so this one is interesting because it accounts for a lot of the reason that, as we will see, use of unencrypted email is considered consistent with our ethical obligations. That is, email has improved attorney-client communications so much (it’s fast, it provides a written record, it’s accessible to all, etc.) that the little bit of additional risk it involved was deemed reasonable.
Finally, the comment notes that, regardless of these factors, if your client instructs you otherwise, you need to listen to your client.
Okay, so as we just saw, Rule 1.1 requires understanding the benefits and risks associated with any technology that we use. In 2016 this means understanding the benefits and risks of “The Cloud.”
So what is “The Cloud”? Don’t worry – for our purposes of meeting your ethical obligations we can keep it at a very basic level.
So let’s start by pretending we are back in the pre-Internet days. For the younger associates, try to remember back to before your kindergarten got that AOL subscription.
Back then you had a computer; it sat next to you on your desk or on the floor and it was not connected to any network or anything. You pretty much used it for typing. If you wanted to exchange files with someone else, you put them on a floppy disk and then transferred that floppy disk.
Now let’s just imagine we take that computer, and put it in a data center somewhere – data center is just a fancy word for a place that holds a bunch of servers. And now we access that computer over a network and we share it with other people who are also accessing it over a network. For our purposes, that is pretty much cloud computing. So then just a little bit of terminology that you might come across:
Public Cloud means that that computer right there is owned by a third-party (Amazon, for example) and in public cloud typically that computer is going to be shared among you and other customers of the cloud provider. Public cloud is really what has the ethical implications and references to cloud in this presentation generally mean public cloud.
Private cloud, on the other hand, means that you own that computer. So, for example, that data center is a closet down the hall. So since you have full control over the computer in this case, it doesn’t really have the same ethical implications as public cloud does.
Hybrid cloud is just a combination of public and private
Remote / hosted private cloud is private cloud but you rent space in a third-party’s data center as opposed to housing the computers in your own building.
Virtual Private Cloud is a marketing term that is a bit confusing because it is essentially public cloud in that the hardware is shared among multiple organizations – albeit with some enforced isolation between the different organizations (typically each getting its own VPN / encrypted channels)
Since we are talking ethics, it makes sense to look at the definition that the ABA uses when discussing cloud ethics opinions. The ABA’s definition, which you can find at the link shown here, says [read]. So aside from the fact that the access is often not via a web browser – and certainly not Internet Explorer, the first sentence here is basically what we just went over. And the second sentence – the benefits of the cloud – is what we will go over next.
Okay, so now we know what cloud computing is. Next we are going to take that knowledge and apply it to the rules 1.1 and 1.6. In other words, the ethics of cloud computing.
Okay, so it seems all we hear about these days is the cloud -- everybody is moving to the cloud, hey man, you gotta get in the cloud. I mean just look at the smiles on these faces! What about the cloud is making these guys so happy?
One benefit is Mobility and device independence. You can work from anywhere you want on any device you want and always have access to your programs and your files.
Easy updates/upgrades. With cloud computing, the hardware becomes someone else’s problem. As servers become outdated, that’s on the Cloud provider to fix or replace it. Your costs remain fixed and generally there is little or no downtime for upgrades.
Scalability – Cloud allows you to very rapidly increase or decrease resources as needed. And you generally only pay for what you use, so it can be very cost-effective.
Disaster recovery – In the cloud everything is virtualized, which means it can very rapidly be moved to different physical servers. Combine that with the fact that cloud providers are automatically providing redundancy and backup for you and that means that (a) disasters are less likely to occur in the first place and (b) even if something does happen to one of their data centers, recovery will typically be faster and cheaper than recovering from a disaster at your own data center.
Environmentally friendly. At some level the cloud is basically time sharing. This means fewer servers overall, fewer servers burning power while being underused, and fewer servers running inefficient, outdated software and/or hardware.
Cost savings – all of these benefits and others often add up to significant cost savings over hosting your own servers.
Ultimately, moving to the cloud is basically outsourcing a lot of the mundane and commoditized aspects of running a data center and this frees up your IT staff to really focus on more high leverage tasks.
Those were the benefits; what are the risks? A good first place to turn is again the ABA. [read]
So reading between the lines here, the ABA is calling out at least two risks: (1) the cloud provider may have access to your client data; (2) there may be a question of who owns or controls the data.
So, both of these are valid concerns – especially if you are using free tiers of service from companies such as Google or Dropbox or whatever. But if you are using paid tiers of service, then all good cloud providers’ terms of service will eliminate these concerns because they will include a confidentiality agreement and they will include very clear language
that you retain ownership of any data
that you will be given the opportunity to take your data with you if you cancel your service, and
They will include well-defined procedures that they will follow for who is allowed to access the data under what circumstances.
Another concern some have had about the use of the cloud is that they will not have access to their data when they have no Internet connection. On one hand, this concern is perhaps trickier than the previous two because it is not something that can be solved through terms of service, but on the other hand (a) there is Wi-Fi and LTE pretty much everywhere now and (b) most providers will provide seamless syncing of recent files to local drives. So you simultaneously have the most-recent version both in the Cloud and on each of your devices.
Finally, some people feel like big cloud providers are higher profile and thus more likely to be targeted by hackers. This is probably more perception than reality because (1) there has been a major rise in attempts to hack law firms, which we will also discuss, and (2) these cloud providers have a lot of people focused exclusively on security, they are constantly being audited, etc. So in all likelihood a cloud provider is going to be as secure, if not more secure, than the average self-hosted data center.
So in light of all these benefits and risks, what are ethics bodies saying about the use of cloud computing? Well the ABA actually has a really nice web-page summarizing the cloud ethics opinions from various states. This map is from that page and the states which have issued opinions are shown in blue.
The takeaway is that all states that have weighed in have adopted a “reasonable care” standard. The various jurisdictions identify a variety of factors to look at to determine what is reasonable - and I would encourage everyone to visit that webpage and review the various opinions – but what I have tried to do here is synthesize them into some generally-applicable recommendations.
First, you – and by you I mean a responsible attorney and a security expert either from your IT team or an outside consultant – need to carefully review the terms of service offered by the cloud services provider. Some things to look for in the agreement are:
The provider agrees to treat all your data as confidential
You retain ownership of all data and can delete it / take it with you if you cancel your service
The agreement clearly spells out who has access to the data and under what conditions
Make sure they are using industry-standard best-practices for encryption both for data in transit and at rest
They should have sufficient uptime guarantees
They should have defined procedures for reporting breaches or requests for access
They should agree that the data will be housed only in the U.S.
They should have appropriate certifications: Health Insurance Portability and Accountability Act, Federal Information Security Management Act,
In addition to making sure the terms of service are in order, you probably want to
include some explicit language in your client retainer agreements that they agree to your use of cloud services. Explicit consent is not required, but it certainly won’t hurt.
For very sensitive information, consider encrypting the data before uploading it to the cloud. So maybe that requires a bit of explanation. So let’s say we have the recipe for Coca-Cola in a PDF and we want to store it to our cloud account. Well, if we upload it directly and rely on the encryption provided by the cloud provider, that means the cloud provider technically could access that PDF. But what we can do is encrypt the file first on our local machine and then upload it to the Cloud. Then the cloud provider has no access. This is essentially end-to-end encryption, which we will discuss in reference to email in a little bit.
Just as one example, Microsoft Office 365 is one of the most popular cloud-based services and they have gone to great lengths to assuage attorneys’ fears of the cloud. Here are the links to their service level agreement, their privacy policy, and information about the security that they have in place.
Next up is a brief overview of how email works.
First we’ll talk about traditional self-hosted email.
Company A’s email server is sitting in some closet at Company A’s office and Company B’s server is sitting in a closet at company B’s office.
So a user at company A using Microsoft Outlook, for example, types an email to a user at company B and clicks send. The email goes through Company A’s local network and arrives at Company A’s email server. A’s email server connects to B’s server over the Internet and sends the message over the Internet. B’s server then delivers it to the recipient’s email client, again Outlook in this example.
One thing to point out is that, historically, these connections were all unencrypted. That meant anyone with access to any of the routers or servers along the way could read the email. Nowadays most - but still not all - such traffic is encrypted. But the encryption is still generally only per-hop. That is, different encryption keys are used for each of the three segments of this journey. This is certainly a step up from unencrypted email, but it still leaves the message exposed in each of the email servers – in other words, the email message could be read by authorized users of those servers or hackers that have breached those servers. End-to-end encryption is where the message is encrypted in the sender’s client and not decrypted until it reaches the recipient’s client. End-to-end encryption has been very slow to catch on due to usability / customer experience issues.
Final thing to note is that even with end-to-end encryption, the to and from is going to be exposed.
So now here is cloud-based email. The difference is that mail servers are now in third-party data centers. In this case Company A uses Office 365 and Company B uses Google. This means that, for per-hop encryption, Microsoft and Google could theoretically read the email.
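To make the per-hop point concrete, here is an added example (not part of the original presentation) that reads a message's `Received` headers and reports which server-to-server hops claim TLS. The sample headers and host names are constructed, and `Received` lines are self-reported by each server, so treat the result as a hint rather than proof.

```python
import re
from email import message_from_string

# Constructed sample headers (not from a real message). Each server prepends
# its own Received line, so the newest hop is at the top. The final delivery
# from the recipient's server to the mail client adds no Received header.
RAW = (
    "Received: from mx.company-b.example (mx.company-b.example [198.51.100.7])\n"
    " by store.company-b.example with Microsoft SMTP Server (version=TLS1_2,\n"
    " cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1; Mon, 3 Oct 2016 10:00:03 -0500\n"
    "Received: from mail.company-a.example (mail.company-a.example [203.0.113.10])\n"
    " by mx.company-b.example with ESMTP id q2si9; Mon, 3 Oct 2016 10:00:02 -0500\n"
    "Received: from desktop-7 (unknown [10.0.0.23])\n"
    " by mail.company-a.example with ESMTPSA id x1sm4; Mon, 3 Oct 2016 10:00:01 -0500\n"
    "From: alice@company-a.example\n"
    "To: bob@company-b.example\n"
    "Subject: Settlement draft\n"
    "\n"
    "Body text.\n"
)

# "with" protocol keywords that indicate TLS on the hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def hop_report(raw):
    """Return the hops in travel order with a per-hop 'encrypted' flag."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        sender = re.search(r"\bfrom\s+(\S+)", flat, re.I)
        receiver = re.search(r"\bby\s+(\S+)", flat, re.I)
        proto = re.search(r"\bwith\s+(\S+)", flat, re.I)
        keyword = proto.group(1).upper() if proto else ""
        # Some servers record TLS in a comment instead of the keyword.
        encrypted = keyword in TLS_PROTOCOLS or bool(re.search(r"\bTLS", flat))
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "with": keyword,
            "encrypted": encrypted,
        })
    return hops


def servers_holding_plaintext(raw):
    """With per-hop encryption every receiving server sees the decrypted message."""
    return [hop["by"] for hop in hop_report(raw)]


if __name__ == "__main__":
    for hop in hop_report(RAW):
        state = "TLS" if hop["encrypted"] else "NOT ENCRYPTED"
        print(f'{hop["from"]} -> {hop["by"]} ({hop["with"]}): {state}')
    print("Readable on:", ", ".join(servers_holding_plaintext(RAW)))
```

Even when every hop reports TLS, the second function still lists every server, which is the gap that end-to-end encryption closes.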
Now let’s look at rules 1.1 and 1.6 as they relate to email.
We’ll start with a sort of history lesson.
As I mentioned, email was historically unencrypted. Pre-1997, when email was just gaining widespread adoption, this led a lot of jurisdictions to conclude that informed consent was required before using unencrypted email.
But then in 1997 it really became clear that email was not just a fad and that it was in fact incredibly beneficial and thus the tide turned and a bunch of states, including IL, decided that just because there is some theoretical chance that someone might read the email does not mean there was not a reasonable expectation of privacy. Many of these ethics bodies reasoned that it really wasn’t much different than regular mail where there was the theoretical chance that the mailman or somebody in-between could open your letter and read it. Some would argue that this analogy is flawed because paper mail is not easily searchable etc., but nevertheless as you can see here, a bunch of states said unencrypted email is fine even without explicit consent from the client.
They did leave a little wiggle room but only for “extraordinarily sensitive matters”
Fast forward to 1999 and the ABA chimed in basically reiterating what IL said.
So good news…no need to keep everything in padlocked three-ring binders.
So that’s where it stood for a while until a lot of cases started arising where courts were finding that it was okay for employers to monitor employee email. So usually the context was an employee suing his or her employer and the employer would pull up the employee’s emails in building its defense. Courts were generally saying this was fine – especially where it was in the employment contract.
As we can see from this Dilbert, the issue really came to a head around 2010 and 2011 which then prompted the ABA to chime in and refine its stance on email.
Formal Opinion 11-459 says [read]. So they basically said, look, email – even unencrypted email – can provide a reasonable expectation of privacy, but not in all cases. You have to consider the particular circumstances.
But the ultimate question still remains: is there a reasonable expectation of privacy.
And that’s pretty much where it stands today. And, so in light of that guidance, here are some suggestions to reduce your risk of violating your ethical obligations.
In your client retainer agreements put (1) an express consent to use of unencrypted email and (2) a warning not to communicate with you using employer email accounts, or employer-owned devices, or email accounts that are shared with non-privileged parties. They should also be instructed not to cc or forward the communications to parties that would destroy privilege.
Also, consider using encrypted communications, particularly for very high sensitivity stuff.
Encrypted email is an option but it hasn’t really caught on because historically it has not been user friendly
Another option is to use a secure client portal. Many practice management software suites have these built in.
Okay, so finally we are going to talk about the ethics of spymail, which begs the question
What is spymail?
Well I will actually start with what spymail is NOT. Spymail is not simply spam or marketing emails and it is not a virus or any other type of malware in the traditional sense. Spymail is legitimate email that your spam filter and anti-virus tools are not doing anything to stop. Which is probably good because a lot of spymail is email that you want to receive - this could be email from clients, vendors, opposing parties, etc. – so you want to receive it, you just don’t want to give up a bunch of sensitive information when you do receive it.
As another point of clarification, Spymail is not a read receipt as you may be familiar with in Microsoft Outlook.
Who here requests read receipts? Do you ever get any? No, right? First of all, it generally only works for intra-office emails. And second, everybody checks this box that says don’t ask me about sending receipts again and clicks No. Well, spymail is like a read receipt, but you don’t get the option of saying No. Because…
Spymail relies on hidden tracking code to reveal information about you and your interactions with the email without you knowing it is happening. What information does it reveal?
Comment on the confidential witness
The prevalence of spymail is actually skyrocketing. This report from July said spymail was up over 280% since 2013. So we actually built a tool to scan existing email and I scanned 10 years of my Gmail account; prior to 2010 I had a handful, and this year I already have over 300. The reason it’s so popular is that there has been an explosion of off-the-shelf tools for doing this. They cost basically nothing and install in minutes.
Okay, so that’s what spymail can do. Now let’s talk about how this creates legal and ethical risk.
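The talk does not say how the hidden tracking code works; the most common mechanism for open tracking is a remote image the mail client fetches when the message is displayed. The following added example (not the speaker's scanning tool) flags hidden or 1-pixel remote images in a message's HTML part; the sample message and all host names are constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body; every host below is a placeholder.
SAMPLE_HTML = """\
<html><body>
<p>Hi, please see the attached draft.</p>
<img src="https://cdn.vendor.example/logo.png" width="120" height="40" alt="logo">
<img src="https://track.mailtool.example/o/9f3c2a.gif?rcpt=jdoe" width="1" height="1" alt="">
<img src="https://t.other.example/px?id=77" style="display: none">
<img src="cid:sig123" width="1" height="1">
</body></html>
"""


def build_sample():
    """Build a constructed multipart message carrying SAMPLE_HTML."""
    msg = EmailMessage()
    msg["From"] = "sender@vendor.example"
    msg["To"] = "attorney@firm.example"
    msg["Subject"] = "Draft agreement"
    msg.set_content("Hi, please see the attached draft.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_string()


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _px(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _hidden_reason(img):
    """Return why an image is invisible to the reader, or None if it is not."""
    style = img.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden by CSS"
    dims = [_px(img.get("width")), _px(img.get("height"))]
    for prop in ("width", "height"):
        m = re.search(rf"(?:^|;){prop}:(\d+)", style)
        if m:
            dims.append(int(m.group(1)))
    if any(d is not None and d <= 1 for d in dims):
        return "0/1-pixel image"
    return None


def scan_message(raw):
    """Count remote images and list those that look like open trackers."""
    msg = message_from_string(raw, policy=policy.default)
    remote, flagged = 0, []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlsplit(img.get("src", "").strip())
            if url.scheme not in ("http", "https"):
                continue  # embedded (cid:) or data: images make no network request
            remote += 1
            reason = _hidden_reason(img)
            if reason:
                flagged.append({"host": url.hostname, "reason": reason,
                                "has_query": bool(url.query)})
    return {"remote_images": remote, "suspected_trackers": flagged}


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Any remote image reveals the time and IP address of the open, so turning off automatic image loading in the mail client prevents the request from ever reaching the sender's server.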
So the first risk is that spymail compromises privacy and safety of firm clients and employees
As I mentioned, when a spymail is opened, the location of that open is reported to the sender.
2. The same goes for any spymail you forward to a client or witness. As in the example I showed a few slides ago, when your client or witness opens that spymail, the original sender can see where they are.
3. Information exposed by spymail is reported immediately. But then the tools also aggregate it over time to reveal historical patterns.
We attorneys, as much as anyone, are “always connected.” All of us are checking our email on our mobile devices and at home. This means where we and our clients are now, where we were, where we live, where we go after work . . . all that can be exposed simply by opening and forwarding totally normal looking emails. And since the tools are so cheap and easy to use, spymail can be from anyone.
4. And, this is sort of a fun fact, but it helps drive the point home - someone used exactly this technique to stalk Jay-Z across the world.
The second risk of spymail is that it makes firms and clients more susceptible to phishing and other cyber attacks
How does it do that? It does it by being a fantastic social engineering tool.
Does everybody know what social engineering is? It’s basically learning as much as you can about a person or company so that you can then use that information to trick them into doing something such as wiring them money, sending them sensitive documents, etc. As we’ve seen, spymail allows them to learn all sorts of stuff about you, your firm, and your clients such as
Physical locations. Where people are and where they’ve been is very helpful for scams. The travel reimbursement scam has recently been a very popular one.
Security vulnerabilities. Spymail is revealing what emails are making it through existing corporate spam filters, firewalls, etc. So this helps them tailor future emails for future phishing attacks.
Employees opening various spymails is telling attackers who is interested in what and who are your weak links. Who in your firm is most likely to open a phishing email with pictures of kittens or whatever.
Spymail can reveal identities of forward recipients, we already talked about that one
So take all of this information, put it together with other publicly available information and it becomes pretty easy to draft a very convincing phishing email or phone call.
And the number of phishing attempts being launched at firms is exploding.
I think we all remember the Mossack Fonseca hack – the Panama Papers
Earlier this year a bunch of firms including Cravath and Weil Gotshal were hacked. It’s getting so bad that the FBI issued an alert to law firms to warn them that they are being targeted. Why are firms being targeted? Well, sometimes to rip them off directly, but actually more worrisome is that they are trying to get their hands on all the sensitive client information that can be used for insider trading, bribery, blackmail, etc.
Breaches are already leading to malpractice suits
And there is even one firm that is specifically targeting law firms with class action lawsuits. They are literally probing firms’ cybersecurity to build a case for a class action lawsuit.
Finally on this topic, here is a quote about how spymail was instrumental in the hack that took down the Ukrainian power grid.
The third risk of spymail is that it exposes you and your clients to a bunch of legal pitfalls and puts you at a disadvantage. And one situation in which it does this is in negotiations. Here’s a quote from an attorney talking about how someone was trying to sell him on the idea of using spymail in his practice. The sales pitch was [read]
Spymail also creates pitfalls and disadvantages during pre-suit investigations and in litigation.
Email tracking is being admitted as direct evidence
In Fox v. Leland out of the Eastern District of North Carolina it was admitted to prove time of receipt of an email
In Steward v. Keuttel out of Arkansas email tracking was weighed very heavily by the district court in finding sufficient service of process via email and entering a default judgment. The default judgment was ultimately vacated on appeal, but obviously only after the defendant had to spend a bunch of time and money on the appeal.
Email tracking can also provide direct evidence of knowledge. That is, the sender now knows that you opened the email. Think about this for willful patent infringement, for example. A patent troll emails a patent to your client and someone at your client opens it, the troll now has evidence that your client had knowledge of that patent as of that date.
Still in regards to pre-suit and in litigation, spymail can help opposing parties:
Identify defendants. A troll, for example, could just blast out demand letters and see who opens it, forwards it, etc. – it’s basically a game of whack-a-mole.
Identify your clients and witnesses; we’ve talked about these.
And spymail can help opposing parties identify which employees of your clients or which third parties they should depose
And here is another real-world example: HP was caught using this to identify the confidential source of a journalist.
Okay, so now that we understand what spymail is and what it can do, let’s look at it from an ethical perspective.
Here again is rule 1.1, we need to understand the risks and benefits of email. Well, now we understand that the rise of spymail has introduced new risks. Specifically: the risk that an email sender will see when, where, and how many times we open an email and forward an email.
Okay so last thing I want to talk about is the ethical implications of using a spymail tool in our own practice. Specifically, is it ethical to send spymail to opposing parties in the hopes that it will give you an upper hand in negotiations or litigation?
First before I share my thoughts I wanted to hear if anyone else had any theories as to why this would or would not be ethical.
Okay, so, in general, I do not think it is unethical. The only thing I could come up with was in relation to rule 4.4(b) in the situation that opposing counsel forwards my spymail to its client and I learn who that client is and I see how often they are forwarding the thread back and forth. In this situation, perhaps this is an inadvertent disclosure that I am obligated to notify them about. But on the other hand, they did intentionally send those emails so maybe it’s not inadvertent.
Now this is not to say that sending spymail to opposing parties is necessarily okay – ethics bodies have construed rule 4.4(b) very narrowly and generally defer to rules of evidence, civil procedure, and local rules for issues of inadvertent disclosure. So that is a topic for another day.
Okay, so that’s what spymail can do. Now let’s talk about how this puts us and our clients at risk.