If You're a Lawyer Headed to the Cloud, Read This First
By Reid F. Trautz, Director, AILA Practice & Professionalism Center




Not since the terms "cyberspace" and "Y2K" has there been an inexact technology term so bandied about as "cloud computing." We hear it more and more, but what does it mean? More importantly, what does it mean for lawyers?

Cloud computing is the use of software and storage of information, documents, and other electronic files in an off-site computer server (or servers) outside of the physical space of the law office and beyond the normal control of the lawyer or law firm. Examples of cloud computing include webmail services such as Gmail, on-line file back-up services, web-based immigration case management services, and hosted email services, among others.

Cloud computing is really a form of outsourcing functions normally done within the confines of an office. Outsourcing technology functions is growing rapidly across all businesses. Rather than have network servers, software applications, or data reside exclusively within the walls of a law firm, these functions can now be managed off-site by third parties at a lower cost than traditional IT. The data is connected to the business by the Internet (and vice versa).

Here is a real-world analogy of cloud computing (courtesy of the Wall Street Journal): Imagine a large law firm that, instead of using a commercial service like FedEx, decided to create its own worldwide parcel delivery system. The company would buy warehouses, delivery trucks and airplanes. It would hire package handlers, mechanics and logistical experts. All this would require an enormous investment and would be quite impossible for any law firm to do efficiently, cost-effectively or well. Cloud computing is the equivalent of hiring FedEx. It is a way to outsource the service of providing the hardware, software, and human resources required to deliver, store and manage digital data. The outside service providers in turn achieve economies of scale, lowering the cost to all their customers.

It is up to the individual business to decide how much of their technology to outsource. Cloud computing services can include complete data center infrastructure including networking, electronic file storage, operating systems, application servers, e-mail servers, security, update and user management, file backup services, and disaster recovery.

The most common use of technology outsourcing is on-line data storage, but a growing trend, especially in smaller firms, is a form of cloud computing known as Software as a Service, or SaaS. SaaS is software that is not installed on your computer but instead is hosted remotely. Users access the software over the internet and the data is hosted remotely along with the software. Another way to think of SaaS is that it uses the web as a platform: your operating system becomes, de facto, your web browser.

Options for implementing SaaS in your office are multiplying rapidly. There are SaaS solutions for on-line backup and data storage, such as ibackup, Carbonite, or Mozy. There are case management programs, such as Clio or RocketMatter. There are office suites, such as GoogleDocs and Microsoft Office 365. There are document management services such as NetDocuments and Worldox. Even old stalwarts of installed software are moving toward SaaS, such as Intuit's QuickBooks and Quicken.

SaaS does not require the user to download, patch, update or otherwise maintain the software; it is all done at the host site. This creates an uptick in ease of use for users, but as usual, along with that improvement comes a potential disadvantage too: SaaS products are usually billed in monthly or annual subscriptions; i.e., you stop paying for the service and you stop receiving it altogether.

Cloud computing (aka outsourcing) is an unbeatable market force, but it is also an ethical minefield for lawyers. That said, it is not an impossible minefield to navigate, so here are some issues to consider and questions to ask before you outsource into the cloud.

Ethical Rules and Legal Responsibilities

Attorneys have ethical, contractual, common law, and regulatory duties to safeguard client information. Ethical obligations are imposed by your state Rules of Professional Conduct. Legal responsibilities come from state and federal laws addressing data security and consumer protection. Since 2004, 45 states have enacted data security laws that protect consumers if personal information in the possession of a business is lost or stolen.

The most common obligations involving client confidences and information stem from these rules:

A. Rule 1.1: Competence
B. Rule 1.3: Diligence
C. Rule 1.4: Communication
D. Rule 1.6: Confidentiality of Information (See also Rules 1.9(c) and 1.18(b))
F. Rules 5.1, 5.2 and 5.3: Duties of Supervising and Subordinate Attorneys, and Supervision of Non-lawyer Assistants

Rule 1.1 covers competence. It is not just competence in law, but in using the technology to practice law and service clients. Comment 16 to this rule states: A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.

A number of state ethics opinions address professional responsibility issues related to attorneys' use of various technologies. In 2009, Arizona issued LEO 09-04 in response to an inquiry about on-line file storage that is securely accessible by the firm and authorized clients.

Other bar associations have recognized that the duty to take reasonable precautions does not require a guarantee that the system will be invulnerable to unauthorized access. [Citation omitted] Instead, the lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer's legal skills, but also generally to those matters reasonably necessary for the representation. Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security.

The opinion provided further guidance for lawyers:

[T]he Committee also recognizes that technology advances may make certain protective measures obsolete over time. Therefore, the Committee does not suggest that the protective measures at issue in Ethics Op. 05-04 or in this opinion necessarily satisfy ER 1.6's requirements indefinitely. Instead, whether a particular system provides reasonable protective measures must be informed by the technology reasonably available at the time to secure data against unintentional disclosure. N.J. Ethics Op. 701. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients' documents and information.

In 2010, the State Bar of California issued Formal Opinion No. 2010-179, which focused on the changing standard of care but also provided factors to evaluate before using a particular technology to store or transmit client information. The Digest to this opinion states:

Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate:

1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security;
2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information;
3) the degree of sensitivity of the information;
4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product;
5) the urgency of the situation; and
6) the client's instructions and circumstances, such as access by others to the client's devices and communications.

The ethics opinions that have addressed attorneys' use of cloud technology have focused primarily on the duties of competence and confidentiality. Some have also addressed the duty to supervise. The key issues in all opinions are:

a) Failure to timely service clients because of a temporary or permanent loss of data or connection to cloud service.
b) Lack of control over data.
c) International storage of data beyond the laws, rules, and regulations of the United States.
d) Obligation to obtain client consent about the outsourcing of their personal data storage to a cloud vendor.

Competence & Supervision

You are responsible for supervising the work and assuring the competence of your outsourced service providers. At a bare minimum, check the service provider's references. You may also want to perform a background investigation on all service providers and interview principal lawyers. Finally, consider investigating the security of the provider's premises, computer network, and waste disposal services.

Confidentiality

Model Rule 1.6(a) mandates that a lawyer may not reveal confidential client information without the client's informed consent. This includes client information and data that you entrust to a cloud provider.
Increasingly, state bar associations are tackling the ethical dimensions of electronically stored information, and lawyers using SaaS must exercise professional judgment and caution.

Outsourcing

Cloud computing is a form of outsourcing. We are delegating the maintenance of some or all computing functions to a non-employee outside of our direct control within our office. The ABA has recognized the competing benefits and risks of outsourcing and has provided ethical guidance in ABA Formal Opinion 08-451 (Lawyer's Obligations When Outsourcing Legal and Non-Legal Support Services). Although this opinion is non-binding on lawyers, it is a source of reasoned guidance. It concludes: The challenge for an outsourcing lawyer is, therefore, to ensure that tasks are delegated to individuals who are competent to perform them, and then to oversee the execution of the project adequately and appropriately.

At a minimum, a lawyer must investigate the background of any service provider to make sure they possess the correct skill, competence, and integrity to adequately and appropriately handle the tasks being delegated. An outsourcing lawyer should recognize and minimize the risk that any outside service provider may inadvertently or perhaps even advertently reveal client confidential information to adverse parties or to others who are not entitled to access.

One recommended precaution is to require the third-party provider to sign a confidentiality agreement that provides specific guidance to the provider for maintaining confidentiality. Such language may already be in the proposed services contract, but reasonable modifications may be required for the best reasonable protection under Rule 1.6. The agreement should give specific examples of prohibited conduct and triggers for notification of a breach (unless covered elsewhere in your services contract).

Some legal technology experts opine that the outsourced data may actually be safer under the control of a third-party provider than at a small law firm with a small or no IT staff.

Legal Responsibilities

Legal responsibilities come from state and federal data security laws that are of growing importance in our interconnected world. These laws address what happens if your client information (including that held by a cloud-based service) is breached (lost or stolen). Generally, these state laws require anyone who holds consumers' personal information to take action if the breach exposes consumers to risk of financial fraud. Although each state law defines consumer personal information differently, a social security number or financial institution account number in combination with a name is at the core of most definitions.

If there is a breach of data on your computers or the cloud provider's computers and you possess consumer personal information, data security laws require that your clients be notified of the breach. The same is true if any lawyer's computer or mobile device is lost or stolen and the data is breached. This client notification can be an embarrassing step for lawyers, but it is a necessary one. The purpose of the notice is to allow consumers to protect themselves from possible repercussions of the data breach such as identity theft, so delaying the notice to them could be harmful.

These laws should not scare you away from cloud computing, but you must be prepared to respond to protect your clients' interests if there is a breach of client information.

Potential Questions for Cloud Providers

Here is a list of questions to help you select the right cloud provider, while meeting your ethical and legal obligations. These are aimed particularly at SaaS providers. The list is not exhaustive, just a starting point. Before purchasing a cloud solution:

1. Read the user or license agreement terms.
2. Determine where the data is stored. Is it solely within the United States?
3. Determine who, besides you, has access to the data.
4. Who owns the data residing on the service provider's servers?
5. If you terminate the service, how do you retrieve your data and what happens to the data hosted by the service provider?
6. Examine the service provider's physical and electronic security and confidentiality policies. What layers of protection do they have? Do they provide notice of a breach?
7. What is the history of downtime for the service? What redundancy do they have to avoid downtime?

Potential Questions for Cloud Storage Providers

A separate article, available on InfoNet, addresses the questions to ask a cloud storage/data back-up provider in more depth.

Conclusion

As Internet connection speeds become faster and less costly, as the cost of internal hosting of law firm servers and software becomes more expensive, and as the reliability and functionality of "cloud" options increase, will firms be able to resist the economic forces at play? As this next era in law firm technology begins, firms must ethically balance the needs of the client with the realities of this new technology. However, caution rather than fear should rule the day.