Cloud and mobile computing for lawyers
1 like693 views
The document discusses several issues related to lawyers' use of cloud computing and mobile devices: 1) It addresses ethical obligations around maintaining client confidentiality when storing data on devices' hard drives or using cloud services. Lawyers must take reasonable steps to ensure data is protected and sanitized before disposal. 2) It examines opinions on permissibility of storing confidential client data in the cloud if reasonable security measures are taken, and on using email services that scan for keywords to display ads. 3) It summarizes an opinion that lawyers do not violate ethics rules by storing client information electronically with a third party, if they act competently to ensure confidentiality, even if an inadvertent disclosure occurs.
![Cloud computing is a “type of computing that is comparable to grid
computing, relies on sharing computing resources rather than having local
servers or personal devices to handle applications. The goal of cloud
computing is to apply traditional supercomputing power (normally used by
military and research facilities) to perform tens of trillions of computations per
second.”
Software as a service —or SaaS —is “[a] software delivery
model in which a software firm provides daily technical
operation, maintenance, and support for the software
provided to their client.”](https://image.slidesharecdn.com/floridacloud-mobile-110504132841-phpapp02/85/Cloud-and-mobile-computing-for-lawyers-19-320.jpg)
![In comparison, however, see footnote 7 from the October 2009 Memorandum and
Order issued by the United States District Court, Eastern District of New York, in
US v. Cioffi, Case No. 08-CR-415 (FB):
One preliminary matter is not in question: The government does not dispute that
Tannin has a reasonable expectation of privacy in the contents of his personal email
account. See United States v. Zavala, 541 F.3d 562,577 (5th Cir. 2008) ("[C]ell
phones contain a wealth of private information, including emails, text messages, call
histories, address books, and subscriber numbers. [The defendant] had a reasonable
expectation of privacy regarding this information."); United States v. Forrester, 512
F.3d 500, 511 (9th Cir. 2008) ("E-mail, like physical mail, has an outside address
'visible' to the third-party carriers that transmit it to its intended location, and also
a package of content that the sender presumes will be read only by the intended
recipient. The privacy interests in these two forms of communication are identical.
The contents may deserve Fourth Amendment protection, but the address and size
of the package do not.").](https://image.slidesharecdn.com/floridacloud-mobile-110504132841-phpapp02/85/Cloud-and-mobile-computing-for-lawyers-32-320.jpg)
Cloud and mobile computing for lawyers
- 1. Smart, Ethical Use of Mobile, Tablet, & Cloud Computing Nicole Black Attorney, author and founder of lawtechTalk www.nicoleblackesq.com
- 3. What is cloud computing and why should you care?
- 6. A fundamentalist is a person who considers whether a fact is acceptable to their faith before they explore it. As opposed to a curious person who explores first and then considers whether or not they want to accept the ramifications. --Seth Godin
- 8. Do you or your clients use gmail?
- 9. Do you use Lexis or Westlaw?
- 10. Do you use Wikipedia?
- 11. Do you use flickr or snapfish?
- 12. Cloud and Mobile Computing: Not a Trend • Cloud computing is the top technology trend for 2010 • By 2012, 20% of businesses will own no IT assets and will conduct business solely in the Cloud • By 2013, mobile phones will overtake PCs as the most common Web access device worldwide • By 2014, over 3 billion of the world’s adult population will be able to transact electronically via mobile or Internet technology * Gartner’s Top Predictions for IT Organizations and Users, 2010 and Beyond: A New Balance
- 13. But what about lawyers and cloud computing?
- 14. • Nearly 98% of respondents incorporated virtualization technologies into their law firms. Some used virtual servers, while others brought virtualization to their desktop computers. • Nearly 84% of responding firms reported using SaaS-based products as well. Typically, however, cloud computing products were used for secondary functions like eDiscovery or human resources. *Am Law 2009 Tech Survey
- 15. • 80% of firms use cloud computing--mostly for non-critical tasks like e-discovery and HR • 60% of firms use cloud-based services for e-discovery or litigation support features, and many use it for important (but not bread-and-butter) tasks like benefits or expense management •5% use cloud services for document management • 6% use it for storage *Am Law 2010 Tech Survey
- 16. “14% of law firms plan to invest in some type of cloud computing or software-as-a-service solution. However, it must be noted that lack of familiarity with cloud computing and related emerging technologies may be inhibiting adoption. Among attorneys, only 30% rate themselves as familiar with the concept of cloud computing, while only 45% claim knowledge of the concept of managed services.” * Comp TIA 2010 survey (a non-profit trade association for the IT industry)
- 18. Cloud computing is a “type of computing that is comparable to grid computing, relies on sharing computing resources rather than having local servers or personal devices to handle applications. The goal of cloud computing is to apply traditional supercomputing power (normally used by military and research facilities) to perform tens of trillions of computations per second.”
- 19. Cloud computing is a “type of computing that is comparable to grid computing, relies on sharing computing resources rather than having local servers or personal devices to handle applications. The goal of cloud computing is to apply traditional supercomputing power (normally used by military and research facilities) to perform tens of trillions of computations per second.” Software as a service —or SaaS —is “[a] software delivery model in which a software firm provides daily technical operation, maintenance, and support for the software provided to their client.”
- 20. For summaries of a few ethics decisons: http://bit.ly/81K2jZ
- 21. Ethical issues to consider: A. Attorney client confidentiality B. Compare/contrast to traditional outsourcing relationships C. Transborder data flow D. Meeting obligations of “reasonable” security E. Electronic evidence/e-discovery
- 22. QUESTION: What are the ethical obligations of lawyers in regard to data stored on the hard drives of “storage media”. Florida Bar Ethics Opinion 10-12 (September 2010)
- 23. ANSWER: Lawyers who use devices that contain storage media such as computers, printers, copiers, scanners, cellular phones, personal digital assistants, flash drives, memory sticks, facsimile machines and other electronic or digital devices must take reasonable steps to ensure that client confidentiality is maintained and that the device is sanitized before disposition, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.
- 24. Lawyers using these devices must familiarize themselves with new technologies and “have a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality.” Also, lawyers must take reasonable steps to ensure that client confidentiality is maintained. One important part of this duty includes the obligation to identify any “potential threat(s) to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality.” The Committee noted that lawyers who use mobile devices also have a supervisory responsibility that extends to not only to the lawyer’s own employees but to “entities outside the lawyer’s firm with whom the lawyer contracts to assist in the care and maintenance of the Devices in the lawyer’s control.” Part of the lawyer’s supervisory duty requires that the lawyer obtain assurances from any nonlawyers who will have access to confidential information that confidentiality of the information will be maintained.
- 25. QUESTION: Whether an attorney can use an online system to store confidential client data and, if so, what steps must be taken to ensure the data are secure? New York State Bar Association’s Committee on Professional Ethics, Opinion 842 (September 2010)
- 26. ANSWER: It is permissible for attorneys to store confidential client data in the cloud, but only if reasonable steps are taken to ensure the data would be adequately protected from unauthorized disclosure: “A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client’s information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.” Importantly, the committee noted that “exercising ‘reasonable care’ under Rule 1.6 does not mean that a lawyer guarantees that the information is secure from any unauthorized access.”
- 27. QUESTION: “May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?” The New York State Bar Association Committee on Professional Ethics, Opinion 820-2/08/08
- 28. ANSWER: “Unless the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that, unlike computer-generated advertising, puts confidentiality at risk, the use of such e-mail services comports with DR 4-101…A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.”
- 29. QUESTION: The question addressed in this opinion is whether a lawyer violates SCR 156 by storing confidential client information and/or communications, without client consent, in an electronic format on a server or other device that is not exclusively in the lawyer’s control. State Bar of Nevada Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 33
- 30. ANSWER: In order to comply with the rule, the lawyer must act competently and reasonably to safeguard confidential client information and communications from inadvertent and unauthorized disclosure. This may be accomplished while storing client information electronically with a third party to the same extent and subject to the same standards as with storing confidential paper files in a third party warehouse. If the lawyer acts competently and reasonably to ensure the confidentiality of the information, then he or she does not violate SCR 156 simply by contracting with a third party to store the information, even if an unauthorized or inadvertent disclosure should occur... The ABA Committee addressed an issue much closer to that discussed here in Formal Opinion number 95-398, and concluded that a lawyer may give a computer maintenance company access to confidential information in client files, but that in order to comply with the obligation of client confidentiality, he or she “must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”
- 31. 4th Amendment issues In a decision issued by the United States District Court, District of Oregon Opinion and Order in In re: US, Nos. 08-9131-MC, 08-9147-MC, (2009), the government successfully argued that it need not notify the account holder regarding a warrant that is served upon the ISP holder of the email account (gmail). In reaching its decision, the court gave lip service to the concept that emails are entitled to Fourth Amendment protection, but then stated: “Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.”
- 32. In comparison, however, see footnote 7 from the October 2009 Memorandum and Order issued by the United States District Court, Eastern District of New York, in US v. Cioffi, Case No. 08-CR-415 (FB): One preliminary matter is not in question: The government does not dispute that Tannin has a reasonable expectation of privacy in the contents of his personal email account. See United States v. Zavala, 541 F.3d 562,577 (5th Cir. 2008) ("[C]ell phones contain a wealth of private information, including emails, text messages, call histories, address books, and subscriber numbers. [The defendant] had a reasonable expectation of privacy regarding this information."); United States v. Forrester, 512 F.3d 500, 511 (9th Cir. 2008) ("E-mail, like physical mail, has an outside address 'visible' to the third-party carriers that transmit it to its intended location, and also a package of content that the sender presumes will be read only by the intended recipient. The privacy interests in these two forms of communication are identical. The contents may deserve Fourth Amendment protection, but the address and size of the package do not.").
- 33. Security issues to consider: 1. Encryption 2. Geo-redundancy 3. Data back ups 4. Extraction of data
- 34. What questions should you ask cloud providers?
- 35. • What type of facility will host the data? • Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees? • Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance? For full list see: http://bit.ly/hyFBxo
- 36. • Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement? • How frequently are back-ups performed? How are you able to verify that backups are being performed as promised? • Is data backed up to more than one server? Where are the respective servers located? Will your data, and any back up copies of it, always stay within the boundaries of the United States? • How secure are the data centers where the servers are housed? • What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage? For full list see: http://bit.ly/hyFBxo
- 37. • Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review? • Are there redundant power supplies for the servers? • Does the contract include a guarantee of uptime? How much uptime? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement? • If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back ups? For full list see: http://bit.ly/hyFBxo
- 38. • What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited? • Does the agreement contain a forum selection clause? How about a mandatory arbitration clause? • If there is a data breach, will you be notified? How are costs for remedying the breach allocated? • What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another? • What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you back up your data locally so that it is accessible to you should you need it? • Does the provider carry cyber insurance? If so, what does it cover? What are the coverage limits? For full list see: http://bit.ly/hyFBxo
- 39. Additional cloud computing resources: http://bit.ly/86ILNI
- 41. Thanks for listening! Nicole Black Of Counsel, Fiandach & Fiandach Founder of lawtechTalk www.nicoleblackesq.com Social Media for Lawyers: the Next Frontier published by the ABA in July 2010 (http://bit.ly/socmed4lawyersbook) Cloud Computing for Lawyers to be published by the ABA in May 2011
Editor's Notes
- #2: \n
- #3: Today: 1) why CC and mobile tech matters 2) what CC is 3) ethical and security issues.\n\nBottom line--CC is the future. For some firms, the current tech and security may be insufficient, but that will change quickly. Learn about it, understand it and position your firm for the future. \n
- #4: Information is changing--we must rethink “information”--be curious\n
- #5: Explore the benefits. Balance the risks. Be curious.\n\n
- #6: \n
- #7: \n
- #8: \n
- #9: \nSimple definition of CC: data/software stored on someone else’s server.\n
- #10: \n
- #11: Mobile tech in the legal field is a given--after all lawyers were crackberry addicts before anyone else. So let’s talk about cloud computing.\n
- #12: \n
- #13: \n
- #14: \n
- #15: Legal specific apps (prac man, billing, doc management) and general apps (google apps, dropbox).\n
- #16: Legal specific apps (prac man, billing, doc management) and general apps (google apps, dropbox).\n
- #17: Ethics and security seems to be a thorny maze of issues.\n
- #18: \n
- #19: \n
- #20: \n
- #21: ABA Ethics 20/20--my take--can’t be tasked with supervising them re: their tech skills.\n
- #22: \n
- #23: \n
- #24: \n
- #25: Note: Gmail language re: free email. Option is to use Google Apps--$50 per user per month.\n
- #26: \n
- #27: \n
- #28: Electronic Communications Privacy Act (ECPA)--no significant revisions since 1986\n
- #29: \n
- #30: \n
- #31: \n
- #32: \n
- #33: \n
- #34: \n
- #35: \n
- #36: \n
- #37: \n
- #38: \n