6. A fundamentalist is a person
who considers whether a fact is
acceptable to their faith before
they explore it. As opposed to
a curious person who explores
first and then considers
whether or not they want to
accept the ramifications.
--Seth Godin
12. Cloud and Mobile Computing: Not
a Trend
• Cloud computing is the top technology trend for
2010
• By 2012, 20% of businesses will own no IT assets
and will conduct business solely in the Cloud
• By 2013, mobile phones will overtake PCs as the
most common Web access device worldwide
• By 2014, over 3 billion of the world’s adult
population will be able to transact electronically via
mobile or Internet technology
* Gartner’s Top Predictions for IT Organizations and Users, 2010 and
Beyond: A New Balance
14. • Nearly 98% of respondents
incorporated virtualization
technologies into their law firms.
Some used virtual servers, while
others brought virtualization to
their desktop computers.
• Nearly 84% of responding firms
reported using SaaS-based
products as well. Typically,
however, cloud computing
products were used for secondary
functions like eDiscovery or
human resources.
*Am Law 2009 Tech Survey
15. • 80% of firms use cloud
computing--mostly for non-critical
tasks like e-discovery and HR
• 60% of firms use cloud-based
services for e-discovery or
litigation support features, and
many use it for important (but not
bread-and-butter) tasks like
benefits or expense management
• 5% use cloud services for
document management
• 6% use it for storage
*Am Law 2010 Tech Survey
16. “14% of law firms plan to invest in
some type of cloud computing or
software-as-a-service solution.
However, it must be noted that
lack of familiarity with cloud
computing and related emerging
technologies may be inhibiting
adoption. Among attorneys, only
30% rate themselves as familiar
with the concept of cloud
computing, while only 45% claim
knowledge of the concept of
managed services.”
* CompTIA 2010 survey (a non-profit trade association for
the IT industry)
18. Cloud computing is a “type of computing that is comparable to grid
computing, relies on sharing computing resources rather than having local
servers or personal devices to handle applications. The goal of cloud
computing is to apply traditional supercomputing power (normally used by
military and research facilities) to perform tens of trillions of computations per
second.”
19. Software as a service —or SaaS —is “[a] software delivery
model in which a software firm provides daily technical
operation, maintenance, and support for the software
provided to their client.”
21. Ethical issues to consider:
A. Attorney client confidentiality
B. Compare/contrast to traditional outsourcing relationships
C. Transborder data flow
D. Meeting obligations of “reasonable” security
E. Electronic evidence/e-discovery
22. QUESTION:
What are the ethical obligations of
lawyers in regard to data stored on the
hard drives of “storage media”?
Florida Bar Ethics Opinion 10-12 (September 2010)
23. ANSWER:
Lawyers who use devices that contain storage media such as
computers, printers, copiers, scanners, cellular phones, personal
digital assistants, flash drives, memory sticks, facsimile machines and
other electronic or digital devices must take reasonable steps to
ensure that client confidentiality is maintained and that the device
is sanitized before disposition, including: (1) identification of the
potential threat to confidentiality along with the development and
implementation of policies to address the potential threat to
confidentiality; (2) inventory of the Devices that contain Hard
Drives or other Storage Media; (3) supervision of nonlawyers to
obtain adequate assurances that confidentiality will be maintained;
and (4) responsibility for sanitization of the Device by requiring
meaningful assurances from the vendor at the intake of the Device
and confirmation or certification of the sanitization at the
disposition of the Device.
24. Lawyers using these devices must familiarize themselves with new technologies and
“have a duty to keep abreast of changes in technology to the extent that the lawyer
can identify potential threats to maintaining confidentiality.”
Also, lawyers must take reasonable steps to ensure that client confidentiality is
maintained. One important part of this duty includes the obligation to identify any
“potential threat(s) to confidentiality along with the development and
implementation of policies to address the potential threat to confidentiality.”
The Committee noted that lawyers who use mobile devices also have a supervisory
responsibility that extends not only to the lawyer’s own employees but to
“entities outside the lawyer’s firm with whom the lawyer contracts to assist in the
care and maintenance of the Devices in the lawyer’s control.” Part of the lawyer’s
supervisory duty requires that the lawyer obtain assurances from any nonlawyers
who will have access to confidential information that confidentiality of the
information will be maintained.
25. QUESTION:
Whether an attorney can use an online system to store
confidential client data and, if so, what steps must be
taken to ensure the data are secure?
New York State Bar Association’s Committee on Professional Ethics, Opinion 842
(September 2010)
26. ANSWER:
It is permissible for attorneys to store confidential client data in the
cloud, but only if reasonable steps are taken to ensure the data would be
adequately protected from unauthorized disclosure: “A lawyer may use
an online data storage system to store and back up client confidential
information provided that the lawyer takes reasonable care to ensure
that confidentiality will be maintained in a manner consistent with the
lawyer’s obligations under Rule 1.6. In addition, the lawyer should stay
abreast of technological advances to ensure that the storage system
remains sufficiently advanced to protect the client’s information, and
should monitor the changing law of privilege to ensure that storing the
information online will not cause loss or waiver of any privilege.”
Importantly, the committee noted that “exercising ‘reasonable care’ under Rule
1.6 does not mean that a lawyer guarantees that the information is secure
from any unauthorized access.”
27. QUESTION:
“May a lawyer use an e-mail service provider that scans
e-mails by computer for keywords and then sends or
displays instantaneously (to the side of the e-mails in
question) computer-generated advertisements to users
of the service based on the e-mail communications?”
The New York State Bar Association Committee on Professional Ethics, Opinion
820 (2/08/08)
28. ANSWER:
“Unless the lawyer learns information suggesting that
the provider is materially departing from conventional
privacy policies or is using the information it obtains by
computer-scanning of e-mails for a purpose that, unlike
computer-generated advertising, puts confidentiality at
risk, the use of such e-mail services comports with DR
4-101…A lawyer may use an e-mail service provider
that conducts computer scans of e-mails to generate
computer advertising, where the e-mails are not
reviewed by or provided to other individuals.”
29. QUESTION:
The question addressed in this opinion is whether a lawyer violates
SCR 156 by storing confidential client information and/or
communications, without client consent, in an electronic format on
a server or other device that is not exclusively in the lawyer’s
control.
State Bar of Nevada Standing Committee on Ethics and Professional Responsibility,
Formal Opinion No. 33
30. ANSWER:
In order to comply with the rule, the lawyer must act competently and
reasonably to safeguard confidential client information and communications
from inadvertent and unauthorized disclosure. This may be accomplished
while storing client information electronically with a third party to the same
extent and subject to the same standards as with storing confidential paper
files in a third party warehouse. If the lawyer acts competently and
reasonably to ensure the confidentiality of the information, then he or she
does not violate SCR 156 simply by contracting with a third party to store the
information, even if an unauthorized or inadvertent disclosure should occur...
The ABA Committee addressed an issue much closer to that discussed here
in Formal Opinion number 95-398, and concluded that a lawyer may give a
computer maintenance company access to confidential information in client
files, but that in order to comply with the obligation of client confidentiality, he
or she “must make reasonable efforts to ensure that the company has in
place, or will establish, reasonable procedures to protect the confidentiality
of client information.”
31. 4th Amendment issues
In an Opinion and Order issued by the United States District Court, District of
Oregon, in In re: US, Nos. 08-9131-MC, 08-9147-MC (2009), the government
successfully argued that it need not notify the account holder of a warrant
served upon the ISP that holds the email account (Gmail). In reaching its
decision, the court gave lip service to the concept that emails are entitled to
Fourth Amendment protection, but then stated:
“Much of the reluctance to apply traditional notions of third party disclosure to the
e-mail context seems to stem from a fundamental misunderstanding of the lack of
privacy we all have in our e-mails. Some people seem to think that they are as
private as letters, phone calls, or journal entries. The blunt fact is, they are not.”
32. In comparison, however, see footnote 7 from the October 2009 Memorandum and
Order issued by the United States District Court, Eastern District of New York, in
US v. Cioffi, Case No. 08-CR-415 (FB):
One preliminary matter is not in question: The government does not dispute that
Tannin has a reasonable expectation of privacy in the contents of his personal email
account. See United States v. Zavala, 541 F.3d 562, 577 (5th Cir. 2008) ("[C]ell
phones contain a wealth of private information, including emails, text messages, call
histories, address books, and subscriber numbers. [The defendant] had a reasonable
expectation of privacy regarding this information."); United States v. Forrester, 512
F.3d 500, 511 (9th Cir. 2008) ("E-mail, like physical mail, has an outside address
'visible' to the third-party carriers that transmit it to its intended location, and also
a package of content that the sender presumes will be read only by the intended
recipient. The privacy interests in these two forms of communication are identical.
The contents may deserve Fourth Amendment protection, but the address and size
of the package do not.").
33. Security issues to
consider:
1. Encryption
2. Geo-redundancy
3. Data back ups
4. Extraction of data
35. • What type of facility will host the data?
• Who else has access to the cloud facility, the servers and the data and what
mechanisms are in place to ensure that only authorized personnel will be able to
access your data? How does the vendor screen its employees? If the vendor
doesn’t own the data center, how does the data center screen its employees?
• Does the contract include terms that limit data access by the vendor’s employees
to only those situations where you request assistance?
For full list see: http://bit.ly/hyFBxo
36. • Does the contract address confidentiality? If not, is the vendor willing to sign a
confidentiality agreement?
• How frequently are back-ups performed? How are you able to verify that backups
are being performed as promised?
• Is data backed up to more than one server? Where are the respective servers
located? Will your data, and any back up copies of it, always stay within the
boundaries of the United States?
• How secure are the data centers where the servers are housed?
• What types of encryption methods are used and how are passwords stored? Is
your data encrypted while in transit or only when in storage?
37. • Has a third party, such as McAfee, evaluated or tested the vendor’s security
measures to assess the strength of, among other things, firewalls, encryption
techniques, and intrusion detection systems? Are the audits of the security system
available for your review?
• Are there redundant power supplies for the servers?
• Does the contract include a guarantee of uptime? How much uptime? What
happens in the event that the servers are down? Will you be compensated if there
is an unexpected period of downtime that exceeds the amount set forth in the
agreement?
• If a natural disaster strikes one geographic region, would all data be lost? Are
there geo-redundant back ups?
38. • What remedies does the contract provide? Are consequential damages included? Are total
damages capped or are specific remedies limited?
• Does the agreement contain a forum selection clause? How about a mandatory arbitration
clause?
• If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
• What rights do you have upon termination? Does the contract contain terms that require the
vendor to assist you in transitioning from their system to another?
• What rights do you have in the event of a billing or similar dispute with the vendor? Do you have
the option of having your data held in escrow by a third party, so that it is fully accessible in the
event of a dispute? Alternatively can you back up your data locally so that it is accessible to you
should you need it?
• Does the provider carry cyber insurance? If so, what does it cover? What are the coverage
limits?
41. Thanks for listening!
Nicole Black
Of Counsel, Fiandach & Fiandach
Founder of lawtechTalk
www.nicoleblackesq.com
Social Media for Lawyers: the Next Frontier
published by the ABA in July 2010
(http://bit.ly/socmed4lawyersbook)
Cloud Computing for Lawyers to be
published by the ABA in May 2011
Editor's Notes
Today: 1) why CC and mobile tech matters 2) what CC is 3) ethical and security issues.
Bottom line--CC is the future. For some firms, the current tech and security may be insufficient, but that will change quickly. Learn about it, understand it and position your firm for the future.
Information is changing--we must rethink “information”--be curious
Explore the benefits. Balance the risks. Be curious.
Simple definition of CC: data/software stored on someone else’s server.
Mobile tech in the legal field is a given--after all lawyers were crackberry addicts before anyone else. So let’s talk about cloud computing.
Legal specific apps (prac man, billing, doc management) and general apps (Google Apps, Dropbox).
Ethics and security seem to be a thorny maze of issues.
ABA Ethics 20/20--my take--can’t be tasked with supervising them re: their tech skills.
Note: Gmail language re: free email. Option is to use Google Apps--$50 per user per month.
Electronic Communications Privacy Act (ECPA)--no significant revisions since 1986