Privacy and Technology
in Your Practice:
Written and Presented By:
Craig C. Carpenter
Thompson & Knight LLP
Charles M. Hosch
Hosch & Morris PLLC
T. Hunter Lewis
Duffee + Eitzen LLP
Honorable Emily Miskel
District Judge, 470th Judicial District Court
Collin County
Additional Research and Compilation:
George Shake
Joshua Dossey
Duffee + Eitzen LLP
Why it matters and where is the
risk
Data Breaches for
Law Firms
Craig C. Carpenter, Thompson & Knight, LLP
Privacy and Technology in Your Practice: Why it Matters & Where is the Risk
What’s a
breach?
Breaches are a Privacy and Security
Issue
• Privacy:
• Duty to maintain confidentiality
• “We will keep your information secure and make
sure it is not accessed by unauthorized parties.”
• Cyber Security:
• Physical, technical, administrative safeguards
• Criminal act
• 18 U.S. Code § 1030 – Computer Fraud and Abuse Act
• Tex. Penal Code § 33.02 – Texas Breach of Computer
Security
Law Firms are Not Immune
• Mandiant reported that at least
80 of the top 100 law firms in
the country, by revenue, had
been hacked by 2011.
• Logicforce has reported that
about 2/3 of law firms have
experienced some sort of data
breach.
“law
firm”
In Fact, Law Firms are Lucrative Targets
• Corporate Deals
• Trade Secrets
• Financial Data
• Privileged
Communications/Information
• Personal Data
• Health Data
• Export-Controlled Technology
Types of Attacks
• Insider Threat
• Vendor Threat
• Phishing
• Spear Phishing
• Ransomware
• Wire transfer fraud
Compliance
• Rules of Professional Responsibility
• State notification regulations
• Data subject
• AGs
• Credit Agencies
• International notification regulations
• Industry-specific data
Compliance Issues for Law Firms
• Is it a “breach”?
• Who owns the data?
• Law firm?
• Client?
• Other law firm?
• Other law firm’s client?
• Is it subject to a protective order?
• Privileged information
How does it
impact your
practice?
Costs
What are the
practical
implications?
• Breach investigation
• Breach mitigation
• Regulatory responses
• Breach notification
• Customer Relations
• Reputational damage
• Down time
Initial Takeaways from the Recent Capital One
Breach
1. Having a plan and contacts in place makes a huge
difference
2. Know what data you have and where it is located
3. Understand your vendor/third party vulnerabilities
4. “Hacking” has been a crime for a while now
5. Post-breach communication is critical
6. Lawsuits quick to follow
Capital One Breach Lawsuit
1. Negligence
2. Negligence Per Se
3. Breach of Implied Contract
Privacy &
Technology
Questions?
Craig C. Carpenter
Thompson & Knight, LLP
O: 214-969-1154
Craig.Carpenter@tklaw.com
Cybersecurity vs.
Privacy
Charles M. Hosch, Hosch & Morris, PLLC
What’s the
difference?
“Cybersecurity” and “Privacy”
Of course you can’t have privacy
without security.
But what’s the difference?
At a Glance:
Cybersecurity
• Asks, “How do I secure
my data and keep it
from being ‘hacked,’
‘breached,’ stolen, lost,
or fumbled?”
• Applies to: All data,
including both
commercial and
personal information.
Privacy
• Asks, “Assuming I can keep
my data secure (a huge ‘if’),
how can I use the “personal
information” within my
data?”
• Applies to: “Personal” or
“personally identifiable”
information. (Definitions
vary. May extend to data that
can be linked to households,
and/or include inferences you
draw from raw data.)
Sources of
Law:
Cybersecurity
• Trade Secret Law: Uniform Trade
Secrets Act, Tex. Civ. Prac. & Rem.
Code, Ch. 134A; Defend Trade Secrets
Act, 18 U.S.C. §1836, et seq.;
• State-based “Breach Response”
statutes – All 50 States – e.g. Tex.
Bus. Comm. Code §§ 521.002,
521.053;
• Regulatory requirements in specific
industries, e.g. NYS DFS; HIPAA
Security Rule; GLBA; FTC Safeguards
Rule; MA and CA Information Security
Laws; UCC Article 4A; NAIC Insurance
Data Security Model Law; City of
Chicago (Ordinance, MCC § 2-25-090);
PCI-DSS;
• Requirements in privacy statutes,
e.g. CCPA;
• FTC Act, 15 U.S.C. Sec. 5.
Privacy
• In US, mostly “sector-specific,” e.g.
HIPAA for healthcare; Gramm-Leach-
Bliley for financial institutions; FERPA for
education; FCRA for credit reports and
background checks, etc.;
• Most privacy statutes are not
preemptive, so states and state industry
regulators can overlap;
• For Europe (including tracking Europeans
from US), comprehensive privacy
regulation under GDPR;
• Movement toward comprehensive state
statutes, e.g. California Consumer
Privacy Act (“CCPA”) taking effect in
2020
• FTC Act, 15 U.S.C. Sec. 5.
• Key Regulators:
• Federal: FTC, OCR, and SEC
• State: State AGs
• Individual: Class Action Lawyers
General
Principles
and
Standards
Cybersecurity
• Use reasonable measures
to protect the
confidentiality, security,
and integrity of data;
• Note that what is enough
to be “reasonable” varies
according to how sensitive
the particular data is;
• What is “reasonable”
evolves over time;
• There is no such thing as
perfect security – good
information security
program documentation is
critical.
Privacy
FTC Fair Information Principles:
• Notice/Awareness: Tell people
what data you’re going to collect,
and why;
• Choice/Consent: Get their
consent;
• Access/Participation: Let people
see their data, correct mistakes in
it, have it back or move it if they
wish;
• Integrity/Security: You and your
vendors use it only for the
consented purpose, keep it secure,
dispose of it responsibly;
• Enforcement/Redress: (Think $5
Cloud
Computing
and Legal
Technology
Q: What are cloud services?
A: Third-party services to which you can outsource some or all of your
IT requirements.
Q: What types of requirements can you outsource (partial list)?
A: Top-level “Infrastructure” (e.g. to AWS or Microsoft);
Middle-level “Platforms” (e.g. SalesForce or SQL Server);
and/or
User-friendly “Applications” (e.g. Abacus, Practice Panther,
Clio).
*You’ll have different responsibilities, and different contracts, for
each “layer.”
Q: What do I most need to know about Legal Tech?
A: Most legal-tech services:
(i) Are running on a cloud platform hosted by a third-party,
(ii) Present their own security and privacy risks, and are
(iii) probably relying on other vendors to provide aspects of their
services to your firm.
Contracting
Key Topics (partial list)
PRIVACY | PERFORMANCE | Automatic Renewal?
SECURITY | Confidentiality | Copyright Infringement
Cost | Third-Party Issues | Inappropriate/Illegal Use
Scalability | Data Ownership | Modifications/Changes
Accessibility | Geolocation | Governing Law/Venue
Data Recovery | WARRANTIES | SERVICE LEVEL AGREEMENTS
Storage | Term | TERMINATION RIGHTS
Compliance | Training | Breach Notification
Audits | VENDOR CONTROL | SCOPE OF RIGHTS
Vendor
Control
Q: What does “vendor control” mean?
A: Prudent Selection – Contracting – Monitoring – Management of vendors
and service providers.
Q: What are the keys to selecting and contracting with a
vendor?
A: Ethics/reputation; functionality; performance/service commitment;
confidentiality; security; data control; and ownership.
Q: Is this required, or just best practice?
A: Increasingly required. GDPR and CCPA effectively require Data
Processing and Security Addenda, where your vendors pledge to require
their vendors not to use personal data for anything except the purpose
for which they’re hired; to require the same of their vendors; to keep
personal information secure; etc.
(TRANSLATION: don’t let your vendors’ vendors do a side hustle with
your clients’ data – or with yours.)
Privacy &
Technology
Questions?
Charles M. Hosch
Hosch & Morris, PLLC
O: 214-306-8980, ext. 102
charles@hoschmorris.com
Competent
Representation
T. Hunter Lewis, Duffee + Eitzen LLP
Duffee + Eitzen
LLP
Special Thanks:
George Shake
Joshua Dossey
Duffee + Eitzen
LLP
Technological
Competence
Requirements
In The Beginning….
• In 2012 ABA revised Model Rules of Professional
Conduct, Rule 1.1, comment 8 to include the
requirement for attorneys to maintain
technological competence.
• The ABA issues advisory opinions on ethics
questions, which can be cited as persuasive
authority – these opinions and rules are not
binding on state disciplinary authorities
ABA Model Rules of Professional Conduct
Rule 1.1, comment 8
-Maintaining Competence
[8] To maintain the requisite knowledge and skill, a
lawyer should keep abreast of changes in the law and
its practice, including the benefits and risks associated
with relevant technology, engage in continuing study
and education and comply with all continuing legal
education requirements to which the lawyer is
subject.
Texas
Implementation
In The Beginning….
• At the state level, many states began passing
legislation concerning technical updates to
their statutory authority concerning process of
service (to include electronic service),
electronic signatures, electronic
communication/notice, and electronic filing
• In 2013, The Texas Supreme Court mandated
electronic filing in civil cases to begin January
1, 2014, with full implementation by July, 2016.
Texas Key Rule Changes
• Texas Rule of Civil Procedure 21
• Filing and Serving Pleadings and Motions
• Texas Rule of Civil Procedure 21a
• Methods of Service
• Texas Rule of Civil Procedure 21c
• Privacy Protection for Filed Documents
Texas
Ethics Opinion
Concerning
then Current
Rules
2016 – Texas Ethics Opinion 665
• In December, 2016 The Professional Ethics
Committee For the State Bar of Texas issued
Opinion No. 665.
• This opinion addresses attorneys’ responsibilities
related to metadata.
• The opinion reviewed the competency
requirements of the previous version of Rule 1.01,
Texas Disciplinary Rules of Professional Conduct.
• Although this opinion addresses an attorney’s duty
of competence related to technology, this opinion
narrowly deals with metadata.
Texas
Ethics Opinion
Concerning
then Current
Rules
2016 – Texas Ethics Opinion 665
The opinion states:
• [A] lawyer’s duty of competence requires
that lawyers who use electronic documents
understand that metadata is created in the
generation of electronic documents, that
transmission of electronic documents will
include transmission of metadata, that the
transmitted metadata may include confidential
information, that recipients of the documents
can access metadata, and that actions can be
taken to prevent or minimize the transmission
of metadata.
Florida became
the first state
to require
lawyers to
include
Technology in
their CLE
2017 – The First CLE Requirement in Florida
RULE 6-10.3 MINIMUM CONTINUING LEGAL
EDUCATION STANDARDS
(b) Minimum Hourly Continuing Legal
Education Requirements. Each member must
complete a minimum of 33 credit hours of approved
continuing legal education activity every 3 years. At
least 5 of the 33 credit hours must be in approved
legal ethics, professionalism, bias elimination,
substance abuse, or mental illness awareness
programs, with at least 1 of the 5 hours in an
approved professionalism program, and at least 3 of
the 33 credit hours must be in approved
technology programs. If a member completes more
than 33 credit hours during any reporting cycle, the
excess credits cannot be carried over to the next
reporting cycle.
Texas
Ethics Opinion
Concerning
then Current
Rules
2018 – Texas Ethics Opinion 680
• In September 2018, The Professional Ethics Committee
For the State Bar of Texas issued Opinion No. 680.
• The opinion states:
Rule 1.01(a) requires that lawyers exhibit
“competence” in representing clients. In Opinion 665
(December 2016), the Committee applied Rule 1.01 to a
question involving a lawyer’s inadvertent transmission to
third parties of electronic metadata within client
documents and concluded that the Rule’s “competency”
requirement was applicable to a lawyer’s technological
competence in preserving client confidential information.
The Committee reiterates here the necessity of
competence by lawyers and their staff regarding data
protection considerations of cloud-based systems.
• Again, although the opinion addresses an attorney’s duty of
competence related to technology, it focuses
on cloud-based systems, not technology as a broad
issue.
2019 Texas Supreme Court Order
On February 26, 2019, the Texas Supreme Court ordered that
paragraph 8 of the comment to Rule 1.01, Texas Disciplinary
Rules of Professional Conduct, be amended to include the
requirement for attorneys to maintain technological
competence. Texas thus became the 36th and most recent state
to do so.
Texas
Ethics Opinion
Concerning
then Current
Rules
2019 Texas Supreme Court Order
Rule 1.01. Competent and Diligent Representation
Comment:
Maintaining Competence
8. Because of the vital role of lawyers in the legal
process, each lawyer should strive to become and remain
proficient and competent in the practice of law,
including the benefits and risks associated with relevant
technology. To maintain the requisite knowledge and skill
of a competent practitioner, a lawyer should engage in
continuing study and education. If a system of peer
review has been established, the lawyer should consider
making use of it in appropriate circumstances. Isolated
instances of faulty conduct or decision should be
identified for purposes of additional study or instruction.
How will Texas
apply this
change?
2019 Texas Supreme Court Order
Rule 1.01. Competent and Diligent
Representation
• As of 9/1/2019, no appellate decisions in Texas
reference the revised comment to the Rule.
• Sister Jurisdictions may give rise to some
guidance for Texas Courts (e.g. Delaware).
The Potential Future of the Competence Requirement
James v. Nat’l Fin. LLC, C.A. No. 8931-VCL, 2014 Del. Ch.
LEXIS 254 (Del. Ch. December 5, 2014).
• The Court of Chancery has jurisdiction to hear all matters
relating to equity, largely dealing with corporate issues, has a
national reputation in the business community and is
responsible for developing the case law in Delaware on
corporate matters. Appeals from the Court of Chancery may
be taken to the Supreme Court.
James v. Nat’l Fin. LLC
• Delaware’s Lawyer’s Rules of Professional Conduct,
Rule 1.1, Comment 8, was amended to include the
language “including the benefits and risks associated
with relevant technology.”
****(This is the Texas Language)****
Case Background
• Class Action unconscionable loan practices civil lawsuit.
• This opinion deals with a discovery dispute and
sanctions.
• The Plaintiffs propounded discovery requests related to
the bank’s loan practices.
James v. Nat’l Fin. LLC
Case Background
• In his deposition, the Defendant bank’s representative
admitted to making errors in exporting data for the
discovery response.
• Court ordered Defendant bank to utilize an IT expert to
respond to specific discovery requests.
• Court ordered that the IT expert provide an affidavit
describing the procedures it followed in extracting the
data.
• Defendant chatted with an IT expert for 20 minutes who
wrote a letter stating that there was no way to properly
and easily convert paper records into an electronic
database.
James v. Nat’l Fin. LLC
Case Background
• Plaintiff’s attorney pressed Defendant’s attorney for the
required affidavit.
Wait for it… Wait for it…
• Defendant’s attorney stated that he did not know
anything about it and tried to stay out of the process!
• During the hearing on motion for sanctions (of course)
Defendant’s attorney said…
James v. Nat’l Fin. LLC
Case Background
“I have to confess to this Court, I am not
computer literate. I have not found
presence in the cybernetic revolution. I
need a secretary to help me turn on the
computer. This was out of my bailiwick.”
James v. Nat’l Fin. LLC
Holding
The Court had some thoughts about this:
• Professed technological incompetence is not an
excuse for discovery misconduct. The Court went on to quote
comment 8 to Rule 1.1 of Delaware’s Lawyer’s Rules of
Professional Conduct with the language “including the
benefits and risks associated with relevant technology.”
• The Court ordered the Defendant to pay Plaintiff’s
attorneys’ fees and costs related to this discovery dispute.
Final Thoughts
• While Texas does not have a specific Technology
requirement for CLE, prioritize at least one CLE or
Lecture concerning technology updates annually.
• Refer to State Bar promulgated seminars concerning
legislative updates and updates concerning e-discovery
and new trends in technology in litigation.
• Know what you don’t know… technology can outpace
even the best of us!
Privacy &
Technology
Questions?
T. Hunter Lewis
Duffee + Eitzen, LLP
O: 214-419-9010
Hunter@D-ELaw.com
The Judicial
Perspective
Hon. Emily Miskel, District Judge
470th Judicial District
Court
Collin County, Texas
Privacy &
Technology
Questions?
Hon. Emily Miskel
District Judge
470th Judicial District Court
Emily@EmilyMiskel.com

Privacy and Technology in Your Practice: Why it Matters & Where is the Risk

  • 1. Privacy andTechnology inYour Practice: Written and Presented By: Craig C. Carpenter Thompson & Knight LLP Charles M. Hosch Hosch & Morris PLLC T. Hunter Lewis Duffee + Eitzen LLP Honorable Emily Miskel District Judge, 470th Judicial District Court Collin County Additional Research and Compilation: George Shake Joshua Dossey Duffee + Eitzen LLP Why it matters and where is the risk
  • 2. Data Breaches for Law Firms Craig C. Carpenter,Thompson & Knight, LLP
  • 5. What’s a breach? Breaches are a Privacy and Security Issue • Privacy: • Duty to maintain confidentiality • “We will keep your information secure and make sure it is not accessed by unauthorized parties.” • Cyber Security: • Physical, technical, administrative safeguards • Criminal act • 18 U.S. Code § 1030 – Computer Fraud and Abuse Act • Tex. Penal Code § 33.02 – Texas Breach of Computer Security
  • 6. Law Firms are Not Immune • Mandiant reported that at least 80 of the top 100 law firms in the country, by revenue, had been hacked by 2011. • Logicforce has reported that about 2/3 of law firms have experienced some sort of data breach. “law firm”
  • 7. In Fact, Law Firms are LucrativeTargets • Corporate Deals • Trade Secrets • Financial Data • Privileged Communications/Information • Personal Data • Health Data • Export-ControlledTechnology
  • 8. Types of Attacks • InsiderThreat • VendorThreat • Phishing • Spear Phishing • Ransomware • Wire transfer fraud
  • 9. Compliance • Rules of Professional Responsibility • State notification regulations • Data subject • AGs • Credit Agencies • International notification regulations • Industry-specific data
  • 10. Compliance Issues for Law Firms • Is it a “breach”? • Who owns the data? • Law firm? • Client? • Other law firm? • Other law firm’s client? • Is it subject to a protective order? • Privileged information How does it impact your practice?
  • 11. Costs What are the practical implications? • Breach investigation • Breach mitigation • Regulatory responses • Breach notification • Customer Relations • Reputational damage • Down time
  • 12. InitialTakeaways from the Recent Capital One Breach 1. Having a plan and contacts in place makes a huge difference 2. Know what data you have and where it is located 3. Understand your vendor/third party vulnerabilities 4. “Hacking” has been a crime for a while now 5. Post-breach communication is critical 6. Lawsuits quick to follow
  • 13. Capital One Breach Lawsuit 1. Negligence 2. Negligence Per Se 3. Breach of Implied Contract
  • 14. Privacy & Technology Questions? Craig C. Carpenter Thompson & Knight, LLP O: 214-969-1154 Craig.Carpenter@tklaw.com
  • 15. Cybersecurity vs. Privacy Charles M. Hosch, Hosch & Morris, PLLC
  • 16. What’s the difference? “Cybersecurity” and “Privacy” Of course you can’t have privacy without security. But what’s the difference?
  • 17. At a Glance: Cybersecurity • Asks, “How do I secure my data and keep it from being ‘hacked,’ breached,’ stolen, lost, or fumbled?” • Applies to: All data, including both commercial and personal information. Privacy • Asks, “Assuming I can keep my data secure (a huge ‘if’), how can I use the “personal information” within my data?” Applies to: “Personal” or “personally identifiable” information. (Definitions vary. May extend to data that can be linked to households, and/or include inferences you draw from raw data.)
  • 18. Sources of Law: Cybersecurity • Trade Secret Law: Uniform Trade Secrets Act, Tex. Civ. Prac. & Rem. Code, Ch. 134A; Defend Trade Secrets Act, 18 U.S.C. §1836, et seq.; • State-based “Breach Response” statutes – All 50 States – e.g. Tex. Bus. Comm. Code §§ 521.002, 521.053; • Regulatory requirements in specific industries, e.g. NYS DFS; HIPAA Security Rule; GLBA; FTC Safeguards Rule; MA and CA Information Security Laws; UCC Article 4A; NAIC Insurance Data Security Model Law; City of Chicago (Ordinance, MCC § 2-25-090); PCI-DSS; • Requirements in privacy statutes, e.g. CCPA; • FTC Act, 15 U.S.C. Sec. 5. Privacy • -In US, mostly “sector-specific,” e.g. HIPAA for healthcare; Gramm-Leach- Bliley for financial institutions; FERPA for education; FCRA for credit reports and background checks, etc.; • Most privacy statutes are not preemptive, so states and state industry regulators can overlap; • For Europe (including tracking Europeans from US), comprehensive privacy regulation under GDPR; • Movement toward comprehensive state statutes, e.g. California Consumer Privacy Act (“CCPA”) taking effect in 2020 • FTC Act, 15 U.S.C. Sec. 5. • Key Regulators: • Federal: FTC, OCR, and SEC • State: State AGs • Individual: Class Action Lawyers
  • 19. General Principles and Standards Cybersecurity • Use reasonable measures to protect the confidentiality, security, and integrity of data; • Note that what is enough to be “reasonable” varies according to how sensitive the particular data is; • What is “reasonable” evolves over time; • There is no such thing as perfect security – good information security program documentation is critical. Privacy FTC Fair Information Principles: • Notice/Awareness: Tell people what data you’re going to collect, and why; • Choice/Consent: Get their consent; • Access/Participation: Let people see their data, correct mistakes in it, have it back or move it if they wish; • Integrity/Security: You and your vendors use it only for the consented purpose, keep it secure, dispose of it responsibly; • Enforcement/Redress: (Think $5
  • 20. Cloud Computing and Legal Technology Q: What are cloud services? A: Third-party services to which you can outsource some or all of your IT requirements. Q: What types of requirements can you outsource (partial list)? A: Top-level “Infrastructure” (e.g. to AWS or Microsoft); Middle-level “Platforms” (e.g. SalesForce or SQL Server); and/or User-friendly “Applications” (e.g. Abacus, Practice Panther, Clio). *You’ll have different responsibilities, and different contracts, for each “layer.” ( Q: What do I most need to know about Legal Tech? A: Most legal-tech services: (i) Are running on a cloud platform hosted by a third-party, (ii) Present their own security and privacy risks, and are (iii) probably relying on other vendors to provide aspects of their services to your firm.
  • 21. Contracting Key Topics (partial list) PRIVACY PERFORMANCE Automatic Renewal? SECURITY Confidentiality Copyright Infringement Cost Third-Party Issues Inappropriate/Illegal Use Scalability Data Ownership Modifications/Changes Accessibility Geolocation Governing Law/Venue Data Recovery WARRANTIES SERVICE LEVEL AGREEMENTS Storage Term TERMINATION RIGHTS Compliance Training Breach Notification Audits VENDOR CONTROL SCOPE OF RIGHTS
  • 22. Vendor Control Q: What does “vendor control” mean? A: Prudent Selection – Contracting – Monitoring – Management of vendors and service providers. Q: What are the keys to selecting and contracting with a vendor? A: Ethics/reputation; functionality; performance/service commitment; confidentiality; security; data control; and ownership. Q: Is this required, or just best practice? A: Increasingly required. GDPR and CCPA effectively require Data Processing and Security Addenda, where your vendors pledge to require their vendors not to use personal data for anything except the purpose for which they’re hired; to require the same of their vendors; to keep personal information secure; etc. (TRANSLATION: don’t let your vendors’ vendors do a side hustle with your clients’ data – or with yours.)
  • 23. Privacy & Technology Questions? Charles M. Hosch Hosch & Morris, PLLC O: 214-306-8980, ext. 102 charles@hoschmorris.com
  • 24. Competent Representation T. Hunter Lewis, Duffee + Eitzen LLP Duffee + Eitzen LLP
  • 26. Technological Competence Requirements In The Beginning… • In 2012 the ABA revised Model Rules of Professional Conduct, Rule 1.1, comment 8 to include the requirement for attorneys to maintain technological competence. • The ABA issues advisory opinions on ethics questions, which can be cited as persuasive authority – these opinions and rules are not binding on state disciplinary authorities.
  • 27. ABA Model Rules of Professional Conduct Rule 1.1, comment 8 - Maintaining Competence [8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
  • 28. Texas Implementation In The Beginning… • At the state level, many states began passing legislation concerning technical updates to their statutory authority concerning process of service (to include electronic service), electronic signatures, electronic communication/notice, and electronic filing. • In 2013, the Texas Supreme Court mandated electronic filing in civil cases to begin January 1, 2014, with full implementation by July, 2016.
  • 29. Texas Key Rule Changes • Texas Rule of Civil Procedure 21 • Filing and Serving Pleadings and Motions • Texas Rule of Civil Procedure 21a • Methods of Service • Texas Rule of Civil Procedure 21c • Privacy Protection for Filed Documents
  • 30. Texas Ethics Opinion Concerning then Current Rules 2016 – Texas Ethics Opinion 665 • In December, 2016 The Professional Ethics Committee For the State Bar of Texas issued Opinion No. 665. • This opinion addresses attorney’s responsibilities related to metadata. • The opinion reviewed the competency requirements of the previous version of Rule 1.01, Texas Disciplinary Rules of Professional Conduct. • Although this opinion addresses an attorney’s duty of competence related to technology, this opinion narrowly deals with metadata.
  • 31. Texas Ethics Opinion Concerning then Current Rules 2016 – Texas Ethics Opinion 665 The opinion states: • [A] lawyer’s duty of competence requires that lawyers who use electronic documents understand that metadata is created in the generation of electronic documents, that transmission of electronic documents will include transmission of metadata, that the transmitted metadata may include confidential information, that recipients of the documents can access metadata, and that actions can be taken to prevent or minimize the transmission of metadata.
  • 32. Florida became the first state to require lawyers to include Technology in their CLE 2017 – The First CLE Requirement in Florida RULE 6-10.3 MINIMUM CONTINUING LEGAL EDUCATION STANDARDS (b) Minimum Hourly Continuing Legal Education Requirements. Each member must complete a minimum of 33 credit hours of approved continuing legal education activity every 3 years. At least 5 of the 33 credit hours must be in approved legal ethics, professionalism, bias elimination, substance abuse, or mental illness awareness programs, with at least 1 of the 5 hours in an approved professionalism program, and at least 3 of the 33 credit hours must be in approved technology programs. If a member completes more than 33 credit hours during any reporting cycle, the excess credits cannot be carried over to the next reporting cycle.
  • 33. Texas Ethics Opinion Concerning then Current Rules 2018 – Texas Ethics Opinion 680 • In September 2018 the Professional Ethics Committee for the State Bar of Texas issued Opinion No. 680. • The opinion states: Rule 1.01(a) requires that lawyers exhibit “competence” in representing clients. In Opinion 665 (December 2016), the Committee applied Rule 1.01 to a question involving a lawyer’s inadvertent transmission to third parties of electronic metadata within client documents and concluded that the Rule’s “competency” requirement was applicable to a lawyer’s technological competence in preserving client confidential information. The Committee reiterates here the necessity of competence by lawyers and their staff regarding data protection considerations of cloud-based systems. • Again, although the opinion addresses an attorney’s duty of competence related to technology, it focuses on cloud-based systems, not technology as a broad issue.
  • 34. 2019 Texas Supreme Court Order On February 26, 2019, the Texas Supreme Court ordered that paragraph 8 of the comment to Rule 1.01, Texas Disciplinary Rules of Professional Conduct, be amended to include the requirement for attorneys to maintain technological competence, making Texas the 36th and most recent state to do so.
  • 35. Texas Ethics Opinion Concerning then Current Rules 2019 Texas Supreme Court Order Rule 1.01. Competent and Diligent Representation Comment: Maintaining Competence 8. Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. To maintain the requisite knowledge and skill of a competent practitioner, a lawyer should engage in continuing study and education. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. Isolated instances of faulty conduct or decision should be identified for purposes of additional study or instruction.
  • 36. How will Texas apply this change? 2019 Texas Supreme Court Order Rule 1.01. Competent and Diligent Representation • As of 9/1/2019, no appellate decisions in Texas reference the revised comment to the Rule. • Sister Jurisdictions may give rise to some guidance for Texas Courts (e.g. Delaware).
  • 37. The Potential Future of the Competence Requirement James v. Nat’l Fin. LLC, C.A. No. 8931-VCL, 2014 Del. Ch. LEXIS 254 (Del. Ch. December 5, 2014). • The Court of Chancery has jurisdiction to hear all matters relating to equity, largely dealing with corporate issues, has a national reputation in the business community and is responsible for developing the case law in Delaware on corporate matters. Appeals from the Court of Chancery may be taken to the Supreme Court.
  • 38. James v. Nat’l Fin. LLC • Delaware Lawyers’ Rules of Professional Conduct, Rule 1.1, Comment 8, was amended to include the language “including the benefits and risks associated with relevant technology.” ****(This is the Texas Language)**** Case Background • Class action civil lawsuit over unconscionable loan practices. • This opinion deals with a discovery dispute and sanctions. • The Plaintiffs propounded discovery requests related to the bank’s loan practices.
  • 39. James v. Nat’l Fin. LLC Case Background • In his deposition, the Defendant bank’s representative admitted to making errors in exporting data for the discovery response. • Court ordered Defendant bank to utilize an IT expert to respond to specific discovery requests. • Court ordered that the IT expert provide an affidavit describing the procedures it followed in extracting the data. • Defendant chatted with an IT expert for 20 minutes who wrote a letter stating that there was no way to properly and easily convert paper records into an electronic database.
  • 40. James v. Nat’l Fin. LLC Case Background • Plaintiff’s attorney pressed Defendant’s attorney for the required affidavit. Wait for it… Wait for it… • Defendant’s attorney stated that he did not know anything about it and tried to stay out of the process! • During the hearing on motion for sanctions (of course) Defendant’s attorney said…
  • 41. James v. Nat’l Fin. LLC Case Background “I have to confess to this Court, I am not computer literate. I have not found presence in the cybernetic revolution. I need a secretary to help me turn on the computer. This was out of my bailiwick.”
  • 42. James v. Nat’l Fin. LLC Holding The Court had some thoughts about this: • The Court held that professed technological incompetence is not an excuse for discovery misconduct, and went on to quote comment 8 to Rule 1.1 of the Delaware Lawyers’ Rules of Professional Conduct with the language “including the benefits and risks associated with relevant technology.” • The Court ordered the Defendant to pay Plaintiff’s attorneys’ fees and costs related to this discovery dispute.
  • 43. Final Thoughts • While Texas does not have a specific Technology requirement for CLE, prioritize at least one CLE or Lecture concerning technology updates annually. • Refer to State Bar promulgated seminars concerning legislative updates and updates concerning e-discovery and new trends in technology in litigation. • Know what you don’t know… technology can outpace even the best of us!
  • 44. Privacy & Technology Questions? T. Hunter Lewis Duffee + Eitzen, LLP O: 214-419-9010 Hunter@D-ELaw.com
  • 45. The Judicial Perspective Hon. Emily Miskel, District Judge 470th Judicial District Court Collin County, Texas
  • 46. Privacy & Technology Questions? Hon. Emily Miskel District Judge 470th Judicial District Court Emily@EmilyMiskel.com