MAINTAINING CLIENT CONFIDENTIALITY IN THE DIGITAL ERA

Written & Presented by:
HON. REBECCA SIMMONS
Associate General Counsel, Acelity
12930 IH 10 West
San Antonio, Texas 78249
[email protected]

Co-Presented by:
MARK I. UNGER
The Unger Law Firm, PC
Muse Legal Technology Consulting, LLC
San Antonio, Texas
[email protected]

State Bar of Texas
29TH ANNUAL ADVANCED CIVIL APPELLATE PRACTICE
September 10-11, 2015
Austin

CHAPTER 21

Honorable Rebecca Simmons
Associate General Counsel, Acelity
12930 IH 10 West
San Antonio, Texas 78249

Education
Austin College, B.A. 1978
Baylor University School of Law, J.D. 1980
Durham University, England, post-graduate study 1981

Current Professional Activities
Associate General Counsel, litigation, Acelity, 2013 – present
Visiting Judge sitting by special assignment

Former Employment
Briefing Attorney, Texas Supreme Court, 1980 - 81
Cox & Smith Incorporated, 1983 - 1992
Akin Gump Strauss Hauer & Feld LLP, 1992-2003
Adjunct Professor, St. Mary’s Law School, 1994 - present
Judge, 408th District Court of Bexar County, Texas, 2003 - 2005
Justice, Fourth Court of Appeals, 2005 - 2012
Specially Commissioned as Texas Supreme Court Justice to hear a designated case in 2005

Awards and Recognition
Notes & Comments Editor, Baylor Law Journal
Recipient of Rotary International Fellowship
Pro-Bono Lawyer of the Year 1987
State Bar of Texas Presidential Citation 2004
Austin College Alumni of the Year 2006
Honorary San Antonio Young Lawyer of the Year 2008
Interfaith Dialogue Community Justice Award 2010
Texas Lawyer: 2014 Winning Women of Texas

Activities
Chair, Texas Judicial Committee on Information and Technology, 2009 - present
Member, State Bar of Texas Pattern Jury Charge Committee, 2005 - present
Former Chair, Texas Bar Foundation, with an endowment of over $20,000,000
Former President, San Antonio Bar Association, 2013-2014
Former President of the Bexar County Women’s Bar Association, 2006
Former Chair of the William S. Sessions American Inns of Court, 2008
Nominations Committee, State Bar of Texas Judicial Section, 2010 - 2012
Curriculum Committee, Texas Center for the Judiciary, 2008-2010
Co-Director, State Bar of Texas Advanced Personal Injury CLE course, 2012
Committee member, State Bar of Texas Advanced Civil Trial CLE course, 2013, 2014
Trustee, Austin College, 2012 - present

Speaker and Author
Speaker on numerous subjects; recent topics include:
Vanishing Documents and Emerging Law: Spoliation in Texas; UTCLE State and Federal Appeals 2013
Tech Tips for Real Estate Practitioners; Advanced Real Estate Course 2013
E-Filing Update; Advanced Civil Trial 2013
Traveling in the Cloud; Advanced Personal Injury Course 2012
Plea to the Jurisdiction; Advanced Personal Injury Course 2011
Judicial Recusal; Advanced Personal Injury Course 2010
E-Filing and Technology; Bexar County Women’s Bar Association 2011
E-Filing and Apps for the I-Pad; Winter Judicial Conference 2012
Cloud Security; San Antonio Appellate Section 2012
Panel Discussion on Appellate Practice; Advanced Appellate Conference 2010 and 2012

Author of several articles in the San Antonio Lawyer magazine, various papers for continuing legal education seminars and the following law journal articles:
Section 3 and Liability for the Condition and Use of Real Property Under the Texas Tort Claims Act, 31 Baylor Law Review 506 (1979).
The Enhancement of Anticompetitive Activity through Group Purchasing Organizations: A Case Study, 17 Antitrust Healthcare Chronicle 1 (Spring 2003).
Exploring Grounds for Attorney Disqualification and Deciphering Exacting Standards, 37 ST. MARY’S L.J. 1009 (Spring 2006).
Plea to the Jurisdiction: Defining the Undefined, 40 St. Mary’s L.J. 627 (Spring 2009).
Texas’s Spoliation “Presumption”, 43 ST. MARY’S L.J. 691 (Spring 2012).

Personal
Teacher of 6th grade CCD at Our Lady of Grace Parish
Married to Richard Clemons and mother of 3 children
Hobbies include: running, gardening and cooking

Mark I. Unger
The Unger Law Firm, PC
Muse Legal Technology Consulting, LLC
San Antonio, Texas
[email protected]
www.unger-law.com
www.muselegal.com
twitter: @miunger
T: 210.323.2341

Mark I. Unger is a divorce lawyer, mediator and consultant in San Antonio, Texas. He has been practicing family law almost exclusively since 1996. He has been highly involved with technology and the integration of technology and law since approximately 1998. After having practiced in a firm for ten years, he has practiced family law almost exclusively since 2007, and recently launched Muse Law (technology consulting) to help solos and small firms increase efficiency in their practices. He has been recognized as one of San Antonio’s Best Lawyers (peer review) regularly since 2007.

Education:
St. Mary’s University School of Law, San Antonio, Texas, JD 1995
Universitat Innsbruck, Innsbruck, Austria, summer 1993
University of Texas, Austin, Texas, BA 1991
Austin Dispute Resolution Center, Austin, Texas, General and Family Law, 2009 (Credentialed as Mediator under Texas Civil Practice and Remedies Code, section 154.052)

Recognition:
* San Antonio's Best Lawyers (Family Law) 2015, Peer Nominated, SA Scene Magazine Annual Poll
* 2007, 2009, 2010, 2011, 2012, 2013, 2014, 2015 (Family Law) (SA Scene Magazine)
* Texas Bar Award, Publication Award / Series of Articles – Substantive Law, Technology & Law: MoneyBall Law for the iPad Litigator (September-October 2013 and January-February 2014 San Antonio Lawyer), 2014
* State Bar of Texas Presidents/Directors Certificate of Merit, State Bar of Texas Annual Meeting, June 24, 2011
* Computer & Technology Section, State Bar of Texas Award of Merit, June 23, 2011
* State Bar of Texas Directors' Pro Bono Resolution award, State Bar of Texas, January 2010
* Texas eFiling Pioneer Award, TexasOnline-BearingPoint, September 2005
* First-filed Electronic Filing in Bexar County State District Courts; San Antonio Express News, June 11, 2003
* President’s Award, San Antonio Bar Association, 2002
* First-filed CD-ROM appellate brief in State of Texas; See Texas Lawyer, March 30, 1998

Professional Associations:
Computer Council of the State Bar of Texas, 2001-present
• Chair, 2007-2008
• Judicial Committee on Information Technology (JCIT), 2007-present
State Bar Web Services Committee, 2007-2015
• Chair, 2010-2012
Texas Family Law Foundation, 2007-present
College of the State Bar of Texas, 1998-present
Pro Bono College of the State Bar of Texas
San Antonio Bar Association
• Chair, Technology Committee, 2000-2015
• Chair, Technology Section, 2015-present
• Family Law Section, Board of Directors, 2008-present, President, 2012-13
• Community Justice Program (CJP) Mentor, 2004-present
• Member, Lawyer2Lawyer/Mentor committee, 2000-2001

Recent Presentations/Publications
Trial Demos--Utilizing Tools for Smart Presentations, State Bar of Texas, Advanced Family Law Seminar, August 5, 2015
Courtroom Technology: How to Use Your Tablet to Win! (Webinar/Panel Presentation) (Link), State Bar of Texas, June 24, 2015
Moneyball Law: How to Play Big Law Ball on a Small Law Budget - Adaptable Lawyer Track (Presentation), State Bar of Texas (Annual Meeting), June 18, 2015
60 Sites in 60 Minutes (Link), American Bar Association Techshow 2015, Chicago, Illinois, April 18, 2015
Turbulence-Free Collaboration – Sharing Documents in the Cloud without E-mail, American Bar Association Techshow 2015, Chicago, Illinois, April 16, 2015
How To Train Your Dragon Lawyer With Technology, South Texas Organization of Paralegals, March 5, 2015
The Massive Legal Tech & Practice Management Brain Dump (& SABA Technology Section Launch), San Antonio Bar Association, January 30, 2015
Family Law Technology 360: Everything You Need To Know For Your 21st Century (Link), State Bar of Texas, Course Director and Presenter, December 4-5, 2014, Austin, Texas
Serving Your Clients Better With Technology (Link), ABA Law Practice Division-ALI CLE, November 3, 2014
MoneyBall Law: Technology for Litigators, ABA 9th Annual GPSolo National Solo & Small Firm Conference, October 24, 2014

Maintaining Client Confidentiality in the Digital Era Chapter 21

TABLE OF CONTENTS

I. ABSTRACT .......................................................................................................................................................... 1

II. INTRODUCTION ................................................................................................................................................... 1

III. LAWYERS ETHICAL DUTY OF TECHNOLOGY COMPETENCE ................................................................. 2

IV. OVERVIEW OF CONFIDENTIALITY IN THE DIGITAL AGE ........................................................................ 3

V. THE DEVICES ....................................................................................................................................................... 7

VI. SECURE THE COMMUNICATION ..................................................................................................................... 9

VII. SECURITY IN THE CLOUD ............................................................................................................................... 18

VIII. ETHICAL IMPLICATIONS OF CLOUD COMPUTING .............................................................................. 24

IX. DISPOSAL OF CONFIDENTIAL INFORMATION .......................................................................................... 27

CONCLUSION ............................................................................................................................................................. 28

APPENDIX A: ADDITIONAL RESOURCES ............................................................................................................ 29

Table of Authorities

CASES

Int’l Bus. Machs. Corp. v. Visentin, No. 11 Civ. 399 (LAP), 2011 WL 672025, at *5 (S.D.N.Y. Feb. 16, 2011), aff’d, 437 Fed. App’x 53 (2d Cir.) ... 5

STATUTES

TEX. BUS. & COM. CODE ANN. § 521.053 (West Supp. 2011) ... 21

OTHER AUTHORITIES

ABA Comm’n on Ethics 20/20, Revised Draft Resolutions for Comment—Technology and Confidentiality, Feb. 21, 2012 ... 3
Alberto G. Araiza, Comment, Electronic Discovery in the Cloud, 2011 DUKE L. & TECH. REV. 8 (2011) ... 19
Amazon Web Services Customer Agreement, AMAZON WEB SERVICES, http://aws.amazon.com/agreement/ (last updated Mar. 15, 2012) ... 22
C. Williams, Cloud Computing and HIPAA Privacy and Computing (2013), Perkins Coie LLP, at http://www.perkinscoie.com/files/upload/PL_13_01_C.A.WilliamsHIPAAarticle.pdf ... 6
C. Hoffman, How to Keep Your PC Secure When Microsoft Ends Windows XP Support, PC World (Feb. 28, 2014) ... 23
Christopher Soghoian, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era, 8 J. TELECOMM. & HIGH TECH. L. 359, 424 & n.3 (2010) ... 19
David Chernicoff, Will Your Cloud Be HIPAA Compliant?, ZDNET 2012 ... 21
David S. Barnhill, Cloud Computing and Stored Communications: Another Look at Quon v. Arch Wireless, 25 BERKELEY TECH. L.J. 621, 638 (2010) ... 4
J. McKendrick, Cloud Computing Improving But Still A Work In Progress Study Says, Forbes Tech, May 12, 2014, http://www.forbes.com/sites/joemckendrick/2014/05/12/cloud-security-improving-but-still-a-work-in-progress-study-says/ ... 22
Janna Quitney Anderson & Lee Rainie, The Future of Cloud Computing, PEW RESEARCH CTR. (2010) ... 19
Lorraine Mullings Campos et al., Cloud Computing—The Key Risks and Rewards for Federal Government Contractors, TRANSCENDING THE CLOUD—A LEGAL GUIDE TO THE RISKS AND REWARDS OF CLOUD COMPUTING, 1055 PLI/Pat 119, 131 (2011) ... 20
Michael Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, UNIV. OF CAL. BERKELEY, TECH. REPORT NO. UCB/EECS-2009-28, 1, 2–3 (2009) ... 19
Mick Seals, HIPAA in the Cloud: Technical Architectures that Render PHI As “Secured,” SOGETI USA, INC. (October 2011), http://www.us.sogeti.com/what-we-do/PDF/HIPAA-in-the-Cloud-Whitepaper-Sogeti-v1.2.pdf ... 21
Pa. Bar Ass’n Comm. on Legal Ethics & Prof’l Responsibility, Formal Op. 2011-200 (2011) ... 5, 26
Peter Mell & Tim Grance, The NIST Definition of Cloud Computing, NAT’L INST. OF STANDARDS & TECH. (Oct. 7, 2009) ... 20
Quinn Norton, “Byte Rights,” Maximum PC, September 2010, at 12 ... 5
R. Abrahams, Mobile Security vs. Blackphone Marketing and Sales Hype, HUFF POST TECH (August 12, 2014), http://www.huffingtonpost.com/rebecca-abrahams/mobile-security-vs-blackp_b_5672960.html (pointing out security issues with the Blackphone) ... 23
Roland L. Trope & Sarah Jane Hughes, Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing, 38 WM. MITCHELL L. REV. 111, 181 (2011) ... 22
Room at the Top, ABA Journal, November 2013, at p. 28 ... 5
Standards for Safeguarding Customer Information, 16 C.F.R. section 314 ... 5
Tex. Comm. on Prof’l Ethics, Op. 572, 69 TEX. B.J. 793, 794 (2006) ... 25
William Jeremy Robison, Note, Free At What Cost?: Cloud Computing Privacy Under the Stored Communications Act, 98 GEO. L.J. 1195, 1209–12 (2010) ... 19
Yanpei Chen et al., What’s New About Cloud Computing Security?, UNIV. OF CAL. BERKELEY, TECH. REPORT NO. UCB/EECS-2010-5 (2010) ... 19

RULES

Tex. Disciplinary Rules Prof’l Conduct R. 1.01 ... 26
Tex. Disciplinary Rules Prof’l Conduct R. 1.05 ... 26
Tex. Disciplinary Rules Prof’l Conduct R. 1.14 ... 26

MAINTAINING CLIENT CONFIDENTIALITY IN THE DIGITAL ERA

I. ABSTRACT

The advent of technology has provided remarkable convenience and efficiency in the practice of law. The use of portable devices, e-filing and file share applications has created the opportunity to practice appellate law outside the confines of a brick and mortar law office. But relying on technology without understanding the attendant security issues is dangerous and in some cases unethical. Email and information stored in the cloud are common sources of security breaches. Attorneys have an ethical duty to be knowledgeable about technology and behavior that puts their client confidences at risk. This Article provides a brief introduction to security issues that may arise in the legal office. In addition to offering suggestions on securing client information, we will address the increasing ethical obligations of lawyers to understand technology and plan accordingly.

II. INTRODUCTION

Technology is advancing at a rapid pace, but so are the cyberspies and hackers. Billions of records containing sensitive personal information have been involved in security breaches since early 2005. In 2013 hackers accessed the debit and credit card information of 110 million customers. In 2014 Home Depot’s payment security system was breached and 56 million debit and credit cards may have been compromised. Later that year, on August 31, 2014, a collection of almost 500 private pictures of several nude celebrities, including Jennifer Lawrence, was posted on the imageboard 4chan, and later posted on websites and social networks such as Reddit and Tumblr. Apple later confirmed that the hackers had obtained the images using a "very targeted attack" on account information, such as passwords, rather than any specific security vulnerability in the iCloud service itself.1 This year the Internal Revenue Service reported in May that hackers may have stolen data from 100,000 taxpayer accounts. Unfortunately, in August the IRS announced that the hackers may have stolen from as many as 334,000 taxpayer accounts.2 But hacking is not limited to credit cards and personal identification information. In August 2015, the Securities and Exchange Commission announced fraud charges against two hackers who hacked into newswire services to obtain nonpublic information about corporate earnings announcements and then provided that information to traders who profited from the information.3 The use of the non-public information garnered the traders over $100 million in profits. It is clear hackers are seeking to profit from non-public information, and law firms that have a merger and acquisition practice are prime targets.

Law firms are increasingly being targeted not only by hackers but by foreign governments. Puckett & Faraj, a Washington-area firm, was hacked in 2012 by activists associated with the group Anonymous, who were angered by the firm’s representation of a United States soldier involved in the death of 24 Iraqi civilians. Gipson, Hoffman & Pancione, based in Los Angeles, announced it was hacked in 2010 because of a software piracy lawsuit it filed against the Chinese government.4 While the risk of cybercriminals and hackers has increased, some of the most common threats to law firm data security come from firm attorneys who are sloppy or simply unaware of the correct way to handle and store digital media. A firm's records room was once a major source of vulnerability, but technology like smart phones, tablets, laptops and cloud storage has essentially created mini and mobile records rooms that have exponentially increased points of access into a firm's confidential information, plus opportunities for the data to be lost. Attorneys must learn how to secure (1) the devices they use, (2) the electronic communications they have, and (3) the storage they employ.

1 Apple – Press Info – Apple Media Advisory, Apple Inc., September 2, 2014.
2 http://www.irs.gov/uac/Newsroom/Additional-IRS-Statement-on-the-Get-Transcript-Incident
3 SEC Charges 32 Defendants in Scheme to Trade on Hacked News Releases, 2015-163, http://www.sec.gov/news/pressrelease/2015-163.html.

III. LAWYERS ETHICAL DUTY OF TECHNOLOGY COMPETENCE

In addition to the motivation provided by the onslaught of hackers identified in the media, the American Bar Association’s Model Rules of Professional Conduct were updated in 2012 to address the effect of technology upon the legal profession. Model Rule 1.1 Comment [8] provides that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”5 (Emphasis added).

In addition to the ABA model rules, several states have imposed the duty of technology competence on lawyers. As the Arizona Bar stated in Opinion 09-04 (Dec. 2009), “[i]t is important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field”. Approximately 13 states have formally adopted the revised comment to Rule 1.1.

• Arizona, effective Jan. 1, 2015.
• Arkansas, approved June 26, 2014, effective immediately.
• Connecticut, approved June 14, 2013, effective Jan. 1, 2014.
• Delaware, approved Jan. 15, 2013, effective March 1, 2013.
• Idaho, approved March 17, 2014, effective July 1, 2014.
• Kansas, approved Jan. 29, 2014, effective March 1, 2014.
• Minnesota, approved Feb. 24, 2015.
• New Mexico, approved Nov. 1, 2013 (text of approved rules), effective Dec. 31, 2013.
• North Carolina, approved July 25, 2014. Note that the phrase adopted by N.C. varies slightly from the Model Rule: “… including the benefits and risks associated with the technology relevant to the lawyer’s practice.”
• Ohio, approved Feb. 14, 2015, effective April 1, 2015.
• Pennsylvania, approved Oct. 22, 2013 (text of approved rules), effective 30 days later.
• West Virginia, approved Sept. 29, 2014, effective Jan. 1, 2015.
• Wyoming, approved Aug. 5, 2014, effective Oct. 6, 2014.

4 http://www.nytimes.com/2015/03/27/business/dealbook/citigroup-report-chides-law-firms-for-silence-on-hackings.html.
5 Additional ethical obligations relating to the duty to secure confidential information, transmit information securely, to outsource securely and to dispose of securely will be discussed below.

On Feb. 28, 2015, the Virginia State Bar Council voted to adopt the Rule 1.1 change. However, the change does not take effect unless and until it is approved by the Virginia Supreme Court. In Massachusetts the Supreme Judicial Court has issued a notice stating that it will adopt a package of proposed rule changes that includes Comment 8.

IV. OVERVIEW OF CONFIDENTIALITY IN THE DIGITAL AGE

Lawyers clearly can no longer ignore technology and its attendant security issues. The duty of confidentiality is one of the foundations of the attorney-client relationship. Changes to ABA Model Rule 1.6 and accompanying Comment [18] make it clear that the lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. The Comment identifies a safe harbor for unauthorized disclosure of confidential information if the lawyer has made reasonable efforts to prevent the access or disclosure. A number of factors are listed for consideration in determining the lawyer’s reasonableness including:

• sensitivity of the information;
• likelihood of disclosure if additional safeguards are not employed;
• cost of employing additional safeguards;
• difficulty of implementing the safeguards;
• and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.6

The Commission examined the possibility of offering more guidance about specific measures lawyers should use, but decided technology changes rapidly and the corresponding measures lawyers should take will change with the advances in technology. According to the Commission, its “proposals are designed to help lawyers understand these risks so that they can take appropriate and reasonable measures when taking advantage of technology’s many benefits.”7

In addition, Comment 19 to Rule 1.6 specifically relates to electronic communications with clients stating: “When transmitting communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”8 It also has a safe harbor provision: “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.”9 Unfortunately, there is no specific explanation of what is reasonable but Comment 19 specifically notes two factors to consider when determining reasonableness: (1) the sensitivity of the data itself and (2) the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.10 A client may also give consent to a method of communication not otherwise permitted, but that is problematic if the client changes his or her mind later.

6 ABA Model Rules at www.americanbar.org/contentdam/aba/administrative/ethics_2020/20120808_house_action_compilation_redline_105a-f.authcheckdam.pdf.
7 ABA Comm’n on Ethics 20/20, Revised Draft Resolutions for Comment—Technology and Confidentiality, Feb. 21, 2012, available at http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120508_ethics_20_20_final_resolution_and_report_technology_and_confidentiality_posting.authcheckdam.pdf.
8 Model Rules of Professional Conduct, rule 1.6, cmt. 19 (2014).

Attorneys must be knowledgeable enough about their digital communications and storage to reasonably assess the risk of certain technologies. Attorneys cannot guarantee electronic security any more than they can guarantee physical security of documents stored in a file cabinet, but they should be aware of any relevant ethics opinions and know the basic issues. The source of most security breaches involves the mobility of our devices or the transmission and storage of our digital information online on remote servers. We often refer to this off-device storage as the cloud. Some knowledge of the cloud is necessary in order to understand how breaches occur and how best to avoid them.

A. The Cloud

Cloud computing is still evolving, and experts are not in agreement over the definition of “Cloud Computing.”11 The National Institute of Standards and Technology has defined cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”12 Put in simpler terms, cloud computing is a broad term that describes any technology that allows end users to store data and applications in shared data centers so that clients can access their data or run applications from any location with an Internet connection. The use of a smart phone or an iPad often involves “cloud computing” through products and services such as Google Drive, Facebook, or Dropbox. A simple way of describing cloud computing is: “a fancy way of saying stuff’s not on your computer.”13 In a more technical sense: “[C]loud computing allows businesses and individuals to use the Internet to access software programs, applications, and data from computer data centers managed by providers . . . .”14 If you use Facebook, Yahoo, Gmail or WestLaw you are using the Cloud, and your emails and information are stored on remote servers rather than on your computer hard drive. Approximately 54.4% of lawyers use online services for removable or external storage.15 Because the storage is in the “cloud” and off-site, there are some concerns and ethical obligations that arise.

9 Id.
10 Id.
11 Armbrust, supra note 5 at 3 (noting the industry-wide disagreement about the exact meaning of Cloud computing); Cloud Computing: Clash of the Clouds, ECONOMIST, Oct. 17, 2009 at 80, 80–82, available at http://www.economist.com/node/14637206.
12 David S. Barnhill, Cloud Computing and Stored Communications: Another Look at Quon v. Arch Wireless, 25 BERKELEY TECH. L.J. 621, 638 (2010) (quoting Peter Mell & Tim Grance, The NIST Definition of Cloud Computing, NAT’L INST. OF STANDARDS & TECH. (Oct. 7, 2009)).
13 See Pa. Bar Ass’n Comm. on Legal Ethics & Prof’l Responsibility, Formal Op. 2011-200 (2011) (“Ethical Obligations for Attorneys Using Cloud Computing/Software As a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”), 1093 PLI/Pat 325, 327 (quoting Quinn Norton, “Byte Rights,” Maximum PC, September 2010, at 12).

B. Regulatory Schemes Affecting Confidentiality and Privacy on the Cloud

The increasing interconnectedness of things was reported on by the FTC in its report The Internet of Things – Privacy and Security in a Connected World, which discussed the privacy and security implications of internet-connected cars, appliances, health monitors, cameras, and other devices.16 It noted there are 25 billion objects connected to the internet that can impact both security and privacy. Notably, there is no single, comprehensive federal law regulating the collection and use of personal data. Rather, there is a mix of state and federal laws and regulations that often overlap and even contradict each other. The proliferation of security breaches in recent years has led to an expansion of privacy laws and data protection across the nation. States have taken the lead in implementing laws relating to data breach disclosure. To date 47 states have passed some form of data breach notification law. But a proposed Data Security and Breach Notification Act bill would preempt state data breach notification and security laws.17 If your practice extends to multiple states, it is important to determine any additional requirements relating to security.

There are several existing federal privacy-related laws that regulate the collection and use of personal data. Certain regulations affect the financial industry, the healthcare industry and others.18 However, these regulations are not directed to cloud computing issues but to the security of the underlying data. For example, encryption of protected healthcare information and policies for authorizing access to protected healthcare information are encouraged by HIPAA. Data centers fall within the purview of “business associates” and also bear responsibility for maintaining the confidentiality of protected healthcare information. While the business associate might be liable under HIPAA, covered entities are also held directly responsible for the actions of their business associates. Counsel may need to do more investigation to determine whether a cloud provider that claims its cloud computing infrastructure is compliant with HIPAA is truly compliant.19 Attorneys that work in the banking industry are increasingly being asked to become compliant with requirements under the Gramm-Leach-Bliley Act (GLBA) to implement a security process and ensure information security.

14 Int’l Bus. Machs. Corp. v. Visentin, No. 11 Civ. 399 (LAP), 2011 WL 672025, at *5 (S.D.N.Y. Feb. 16, 2011), aff’d, 437 Fed. App’x 53 (2d Cir.).

15 Room at the Top, ABA Journal, November 2013, at p. 28.

16 FTC Report, Internet of Things, www.ftc.gov/files/documents/reports/federaltrade-commision-staff-rep., January 2015.

17 It is unknown whether the federal bill will pre-empt state laws. Data Security and Breach Notification Act, H.R. ___, 114th Cong. Sec. 6(a) (2015).

18 See e.g. Standards for Safeguarding Customer Information, 16 C.F.R. section 314 (2012); OCR HIPAA Security and Privacy Rules, 45 C.F.R. section 164 (2012).

The FTC has launched a new initiative to provide guidance on data security practices called Start with Security: A Guide for Business.20 It includes 10 lessons, 9 of which are applicable to lawyers, that assist companies in learning about data vulnerabilities and how to reduce the risks they pose.

• Collect only what is Necessary. Companies should not collect data that is not needed, and should hold on to it only as long as there is a legitimate interest in doing so.

• Control Access to Data Sensibly. Put limits on who can access sensitive information. Not everyone needs unrestricted access to the entire network and all the information in it.

• Require Secure Passwords and Authentication. Companies should require strong password practices among their employees. Passwords should be stored securely and not in clear text. Be mindful of backdoors and other means of bypassing password authentication.

• Store Sensitive Personal Information Securely and Protect it During Transmission. Companies should protect sensitive information throughout its life cycle, including when the information is transmitted to others, downloaded to a laptop or other device, or destroyed.

• Segment Your Network and Monitor Who’s Trying to Get In and Out. Use firewalls to segment networks and limit access between devices on the network and between the network and the Internet. Implement intrusion detection and prevention tools to monitor networks.

• Secure Remote Access to Your Network. Employees with remote access rights need antivirus and firewall protection, and their access should be limited to the information and resources necessary.

• Make Sure Your Service Providers Implement Reasonable Security Measures. Your security protection obligations extend to the vendors to whom you provide sensitive information. Make sure the providers have implemented appropriate security measures, include your security requirements in their contracts, and monitor providers for compliance.

• Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities That May Arise. Security is not a one-time analysis, and companies should be sure to apply security updates to third-party products on their networks and in their products and constantly monitor for new vulnerabilities to existing products.

• Secure Paper, Physical Media and Devices. Store and control access to paper files and devices. Laptops that contain sensitive information are vulnerable to theft or loss. Secure destruction of sensitive information is important and requires shredding and appropriate wipe technology.

19 See C. Williams, Cloud Computing and HIPAA Privacy and Computing (2013), Perkins Coie LLP, at http://www.perkinscoie.com/files/upload/PL_13_01_C.A.WilliamsHIPAAarticle.pdf
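The FTC lesson on passwords above says they should be stored securely and not in clear text. The following is an added example, not part of the paper or of the FTC guide, showing what that looks like in code: the password itself is never written down, only a salted, deliberately slow hash of it, so a copied user table does not hand over the passwords. It uses only Python’s standard library; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the paper). PBKDF2-HMAC-SHA256 from the standard
# library turns a password into a slow, salted hash; only that hash is stored.
ITERATIONS = 210_000   # deliberately slow so that guessing is expensive
SALT_BYTES = 16        # a fresh random salt per user defeats precomputed tables


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record in the form algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare it in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_sample_table() -> dict:
    """Constructed sample users: what the stored 'user table' should contain."""
    users = {"jdoe": "correct horse battery staple", "asmith": "Tr0ub4dor&3"}
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    table = build_sample_table()
    for name, record in table.items():
        print(name, record)          # no password appears in any record
    print(verify_password("Tr0ub4dor&3", table["asmith"]))   # True
    print(verify_password("wrong", table["asmith"]))         # False
```

Two properties are worth noticing when you run it: the same password hashed twice produces two different records, because each gets its own salt, and a stolen record can only be tested by repeating the slow computation once per guess.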

With some knowledge of the cloud and the regulatory environment, we turn to the three points of security risk: the device, the communication, and the digital storage.

V. THE DEVICES

Mobile devices have proliferated and more information is stored on them. The cell phones of the 1990s bear little resemblance to the phones we use today. Common devices that travel with us include phones, tablets, e-readers, laptops and jump drives that all may contain confidential information. The capabilities of these devices are growing, and it is possible to conduct an entire trial using only a tablet. Despite the media attention directed to the hacking of retail operations, perhaps the most widely experienced security breach is caused by owner error: the loss of a mobile device.

A. Protect Against Loss

The single most stolen items in airports are laptops and tablets. Roughly 10 percent of all cell phones (some 30 million) go missing each year. A full 40% of armed robberies include smartphones.21 Keep your eyes on your devices at all times. Do not leave your device charging outside of your view.

B. Encryption

Encryption garbles your data into unreadable nonsense (ciphertext). If your data is stolen, the thief cannot read the information without the key. All mobile devices (the hardware) should be encrypted. Once the device is encrypted, all user-created data is automatically encrypted before it is committed to disk. Encryption is enabled on any Apple iOS device (iPad, iPhone) merely by configuring a lock code: the iOS operating system provides full device encryption once a PIN or password is set. Android devices need to have encryption enabled through the settings menu. There are a variety of specialty thumb drives, like IronKey, which come preloaded with encryption software. External drives such as Maxtor, WD and Seagate come with disk encryption.

• Do not let your device out of your sight

• Do not loan your device to others (including the kids)

• Install a password

• Use the lockout feature

• Enable Remote Wipe

20 Start With Security: A Guide for Business, www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.

21 11 Tips to Safeguard Clients’ Digital Information, Jill Fernandez, coloradosupremecourt.com, Winter 2014.

C. Encrypting Your Laptop – Full Disk Encryption

Attorneys’ laptops often contain confidential and privileged information of their clients. Encrypting your disk will protect you and the information if your laptop falls into the wrong hands, because without the encryption key the information on the disk is unreadable. If someone steals your laptop and your disk is not encrypted, your files can be easily viewed. It doesn’t matter that your computer is password-protected; the thief can simply boot to a new operating system or remove the disk and put it in a different computer. Bear in mind, however, that disk encryption only secures your computer from attackers that have physical access to it. It does not make your computer free from attack over a network. Malicious websites and hackers can still attack you through your web browser.

In general, when you encrypt your disk you must unlock it when you first power up your computer by supplying the correct encryption key. Your operating system can’t even boot up without the key to unlock the disk. The encryption key must be strong and secure.

1. Windows Encryption22

BitLocker is Microsoft’s disk encryption technology. It is only included in the Ultimate and Enterprise editions of Windows Vista and Windows 7, and the Enterprise and Pro editions of Windows 8 and 8.1, but not the home editions. To see if BitLocker is supported on your version of Windows, open up Windows Explorer, right-click on the C drive, and see if you have a “Turn on BitLocker” option (if you see a “Manage BitLocker” option, then your disk is already encrypted). If BitLocker is not supported in your version of Windows then you can upgrade to a supported version of Windows by buying a license. BitLocker is designed to be used with a Trusted Platform Module (TPM), a tamper-resistant chip built into new PCs that can store your disk encryption key; with a TPM it doesn’t require users to enter a passphrase when booting up. If your computer doesn’t have a TPM it’s possible to use BitLocker with a passphrase or USB stick instead. Detailed instructions on how to activate BitLocker are available in the Micah Lee article.23

2. Mac Encryption24

FileVault, Apple’s disk encryption technology for Macs, is simple to enable. Open System Preferences, click on the Security & Privacy icon, and switch to the FileVault tab. If you see a button that says “Turn Off FileVault…”, then congratulations, your disk is already encrypted. Otherwise, click the lock icon in the bottom left so you can make changes, and click “Turn On FileVault…”. With FileVault, Mac OS X user passwords double as passphrases to unlock your encrypted disk.

22 Micah Lee, Encrypting Your Laptop Like You Mean It, April 27, 2015, https://firstlook.org/theintercept/2015/04/27/encrypting-laptop-like-mean/

23 Id.

24 Id.

C. Tips for securing Mobile Phones and Tablets

• Label your device with your name and a phone number to make it easy to return.

• Configure a passcode to access and use the device.

• Set an idle timeout that will automatically lock the phone when not in use.

• Keep all software up to date, including the operating system and installed “Apps”.

• Do not “jailbreak” or “root” your device. These activities remove the manufacturer’s protection against malware.

• Obtain your apps only from trusted sources like the Apple iTunes store, Google Play or the Amazon App Store for Android.

• Enroll your device in a managed environment if permitted.

• Enroll your device in Find My iPhone or an equivalent service.

D. How to Strengthen Your iPad’s Security25

iPads are increasingly being used in place of the laptop. But their hybrid use as an entertainment device and professional tool creates issues with security. Attorneys often store and communicate confidential information using their iPads. You may also access your law firm network using the iPad. But if you use your iPad as a law practice tool, you must keep kids, spouse and neighbors from using it for entertainment. The following are 5 tips to secure the iPad.

• Set a strong passcode. The 4-digit code is inadequate if you use the iPad out of the office. To change the passcode, go to Settings and on the Passcode Lock page turn off the Simple Passcode setting; you can then set a stronger passcode using any combination of numbers, letters and symbols, with no limit on length.

• Activate the Find My iPad and Remote Wipe features.

• Set a time for your iPad to lock if not used.

• Regularly back up data on iCloud.

• Individually password protect client information with an application password.

• Do not let your spouse or your children or others play with your work iPad.

VI. SECURE THE COMMUNICATION

New forms of electronic communications such as texting, tweeting, social networking through a myriad of sites, and instant messaging are creating additional challenges beyond the existing issues with email communications. Not only is it becoming difficult to keep information confidential, there is increasing risk of waiver of attorney-client privileged matter. Clients have new expectations regarding communications with their counsel, and attorneys must keep abreast of and manage those expectations. If attorneys don’t understand the new modes of communication it will be difficult for them to take the necessary precautions to make sure their communications remain confidential.

25 Five Ways to Strengthen Your iPad’s Security, taken from “Can A Tablet Replace the Attorney’s PC,” ABA Techshow 2014, Catherine Sanders Reach and Bill Latham.

A. Email and How it Works

Email is not a very secure way to share information. When you send an email it goes from your device to a server and then passes through a number of servers on its way to the recipient’s computer or mobile device. As the email passes through each server a copy of the email is deposited, and anyone with access to one of the servers can read it unless the email is encrypted. Email can be intercepted by sniffers or read while saved on remote servers. “Sending highly confidential or personal information via unencrypted email is like sending a postcard. There are many places that postcard goes before it reaches its recipient – and can be read by anyone along the way.”26 Not surprisingly, law firms rely on email more than any other tool to collaborate with clients and third parties.27 According to a 2014 survey, 89% of law firms use email to communicate and 74% say they use it daily.28 Only 22% encrypt their email. Most rely on confidentiality statements located at the bottom of their emails. Because of the lack of security, the ABA and other jurisdictions are beginning to question the wisdom of sending confidential information by unencrypted email.
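The hop-by-hop copying described above is visible in a message’s own headers: every server that relays an email prepends a Received line naming itself. The following is an added example, not from the paper, that parses a constructed sample message (the hosts, addresses and times are invented) and lists each relay that held a copy. It also reads the protocol word in each Received line, since mail servers record ESMTPS or ESMTPSA when the link into them was protected by TLS and plain ESMTP when it was not, which shows on which legs the “postcard” travelled in the clear.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Each relay prepends its own
# Received line, so the newest hop is on top and the first hop is at the bottom.
RAW_MESSAGE = """\
Received: from mx1.client.example (mx1.client.example [203.0.113.20])
\tby mail.client.example with ESMTP id 3D7F;
\tMon, 31 Aug 2015 14:05:11 -0500
Received: from smtp-out.lawfirm.example (smtp-out.lawfirm.example [198.51.100.7])
\tby mx1.client.example with ESMTP id A1B2;
\tMon, 31 Aug 2015 14:05:09 -0500
Received: from laptop.lawfirm.example ([192.0.2.44])
\tby smtp-out.lawfirm.example with ESMTPSA id 9C0D;
\tMon, 31 Aug 2015 14:05:03 -0500
From: counsel@lawfirm.example
To: client@client.example
Subject: Draft settlement memo
Content-Type: text/plain; charset="utf-8"

The draft memo is attached separately. Please do not forward.
"""

# A Received line reads "from <sender> by <this host> with <protocol> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)(?:.*?\bwith\s+(?P<proto>\S+))?",
    re.S,
)


def relay_hops(raw_message: str) -> list:
    """Return the relay hops of a message, oldest first, parsed from its Received headers."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        value = " ".join(header.split())           # unfold the continuation lines
        body, _, stamp = value.rpartition(";")     # the timestamp follows the last ';'
        match = HOP_RE.search(body)
        if not match:
            continue
        proto = (match.group("proto") or "").upper()
        hops.append({
            "from": match.group("src"),
            "by": match.group("dst"),
            "protocol": proto,
            # RFC 3848: ESMTPS / ESMTPSA record that TLS protected the link into this host
            "tls": proto.rstrip("A").endswith("S"),
            "when": parsedate_to_datetime(stamp.strip()),
        })
    hops.reverse()   # headers are prepended, so the last one is the first hop
    return hops


def cleartext_hops(raw_message: str) -> list:
    """Hosts that received the message over a link not marked as TLS in the headers."""
    return [hop["by"] for hop in relay_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in relay_hops(RAW_MESSAGE):
        link = "TLS" if hop["tls"] else "clear"
        print(f'{hop["when"]:%H:%M:%S}  {hop["from"]} -> {hop["by"]}  ({hop["protocol"]}, {link})')
    print("copies readable in transit at:", cleartext_hops(RAW_MESSAGE))
```

In the sample, only the first leg (the lawyer’s laptop to the firm’s outbound server) used TLS; the two later legs were plain ESMTP. Note that even when every leg is TLS-protected, each relay still holds a readable copy of the message body, which is why the paper separately discusses encrypting the messages themselves.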

1. ABA Opinion on Email

In 1999, a good 5 years before the rise of the smart phone, the ABA issued Formal Opinion 99-413, which permitted a lawyer to transmit information relating to the representation of a client by unencrypted e-mail without violating the Model Rules of Professional Conduct because that mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. But the opinion also concluded that when a lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client on whether another mode of transmission would be better. Much has changed since that opinion issued, including the recent ABA opinion on the Duty to Protect the Confidentiality of Email Communication with One’s Client, and State Bars are increasingly giving guidance on “cloud” computing. Now that we know that emails are being intercepted by our government, can we rely on unencrypted email?

2. Texas Ethics Opinion on Email

Recently the Texas Center for Legal Ethics issued Opinion 648 (2015), which addressed whether a lawyer may communicate confidential information by email.29 The question arose from lawyers that used unencrypted Gmail to communicate confidential information and who were concerned about hackers and the National Security Agency obtaining their transmissions without a search warrant. In response the Center referenced Rule 1.05(a) of the Texas Disciplinary Rules of Professional Conduct, which provides:

“a lawyer shall not knowingly: (1) Reveal confidential information of a client or former client to: (i) a person that the client has instructed is not to receive the information; or (ii) anyone else, other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s law firm.”

26 Catherine Reach, Easy Encryption for Email – Not an Oxymoron.

27 LexisNexis, Law Firm File Sharing in 2014.

28 Id.

29 http://www.legalethicstexas.com/Ethics-Resources/Opinion/opinion-648.aspx

According to the Center, whether a lawyer violates the Disciplinary Rules by sending an email with confidential information requires a case-by-case evaluation. The Center also noted that the concern about sending confidential information by email has been addressed by several ethics committees that have concluded that, in general and except in certain special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information.30 Notably, the Center further notes that “In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication.”31

The examples given by the Center include:

1. communicating highly sensitive or confidential information via email or unencrypted email connections;

2. sending an email to or from an account that the email sender or recipient shares with others;

3. sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to a client’s employment dispute with his employer (see ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 11-459 (2011));

4. sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;

5. sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password; or

6. sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.

Under the foregoing circumstances it may be appropriate for the attorney to caution a client as to the dangers inherent in sending or accessing emails from computers accessible to persons other than the client. “Additionally, a lawyer’s evaluation of the lawyer’s email technology and practices should be ongoing as there may be changes in the risk of interception of email communication over time that would indicate that certain or perhaps all communications should be sent by other means.”32

30 See, e.g., ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 99-413 (1999); ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 11-459 (2011); State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2010-179 (2010); Prof’l Ethics Comm. of the Maine Bd. of Overseers of the Bar, Op. No. 195 (2008); N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 820 (2008); Alaska Bar Ass’n Ethics Comm., Op. 98-2 (1998); D.C. Bar Legal Ethics Comm., Op. 281 (1998); Ill. State Bar Ass’n Advisory Opinion on Prof’l Conduct, Op. 96-10 (1997); State Bar Ass’n of N.D. Ethics Comm., Op. No. 97-09 (1997); S.C. Bar Ethics Advisory Comm., Ethics Advisory Op. 97-08 (1997); Vt. Bar Ass’n, Advisory Ethics Op. No 97-05 (1997).

31 Id.

The Center’s answer on whether you can use unencrypted email to transmit confidential information is “it depends”. The answer depends on the facts of each case because a “knowing” disclosure can be based on actual or inferred knowledge. Thus “each lawyer must decide whether he or she has a reasonable expectation that the confidential character of the information will be maintained if the lawyer transmits the information by email”.

Based on Ethics Opinion No. 648 it should be standard for attorneys to advise clients on the risks attendant with communication by unencrypted email. Furthermore, as encryption and file sharing become easier, alternatives to using web-based email become much more appealing and efficient.

B. Unencrypted Email

If you decide to use public email sites such as Gmail there are some security measures you can take. For instance, set up two-step verification for your Gmail account. Passwords are easy to steal, and two-step verification is relatively simple: first you enter your password to sign in, and then a code is sent to your phone for you to input, or if you have a security key you can insert it into your computer’s USB port.33 Another option is to upgrade to Google Apps for Business. Other online service providers also have this type of security service.

C. Encrypting Email

To secure your email effectively, you should encrypt three things: the connection to your email provider, your actual email messages, and your stored, cached, or archived email messages.34 We have already discussed encryption in the context of the physical device, but encryption is also necessary for the data transmitted and stored on the device. The encryption of data involves the use of an algorithm to scramble the data into ciphertext. An encryption key is used to scramble the data. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used by the recipient.35 End-to-end encryption means that your data stays encrypted from the time it leaves your device, through the various servers it passes, until it reaches your intended recipient. Traditional email encryption often requires a public/private key setup. The recipient must be a party to this system and install software or meet other requirements. For large firms this is not an unusual step. For smaller firms cheaper alternatives may be necessary. Email can be encrypted on a case-by-case basis by using some of the email encryption options available. Encrypting email is relatively easy with MS Outlook 2010 and 2013, which let you encrypt a single message or all your messages. MS Office 365 has a number of tools built in to protect emails stored and in transit. Facebook gives its users the option to encrypt notifications sent from the site to their email addresses. Other tools36 include:

32 Id.

33 https://www.google.com/landing/2step/#tab=how-it-works.

34 Eric Geier, PC World, How to Encrypt Your Email, April 25, 2012.

35 Scott Aurnou, Lawyers and Email: Ethical & Security Considerations, The Security Advocate, July 8, 2014.

a. Send (www.sendinc.com). Email sent via Send is encrypted in transit and in storage, and can only be decrypted by the recipient once she has a (free) Send account. You can use it in conjunction with MS Outlook. The product is free for senders and recipients for limited use (20 recipients per day). The email expires in 7 days, so the recipient would need to save it as a PDF to keep a copy. The Pro account, at a minimal monthly cost, has increased message size, unlimited message retention and other options.

b. Enlocked (www.enlocked.com).37 Enlocked has more options than Send, with extensions for Chrome, Firefox and Safari for web-based email like Gmail or Yahoo, an Outlook plugin, and apps for your Android or iPhone. The free plan permits only a limited number of messages, but with a monthly fee you can send more. The recipient will need to create a username and password to access the message. Those using Outlook 2010 or later can install the Outlook plugin, and when you receive an Enlocked message the content appears in a special window.
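The description above of an algorithm, a key, ciphertext and symmetric (same-key) encryption can be made concrete. The following is an added illustration, not the paper’s and not the inner working of any product it names: a small symmetric scheme built only from Python’s standard library, in which one passphrase both scrambles and unscrambles the data, and an authentication tag rejects a wrong key or an altered message instead of silently returning nonsense. The passphrases and the note are constructed sample data. Production tools use vetted ciphers such as AES, but the pieces (key, nonce, ciphertext, tag) are the same.

```python
import hashlib
import hmac
import os

# Added illustrative construction (not the paper's and not a production cipher).
# A keystream is generated with HMAC-SHA256 over (nonce, counter) and XORed into
# the data; a second HMAC over the ciphertext (encrypt-then-MAC) lets the
# recipient detect tampering or a wrong key before any plaintext is produced.
SALT_BYTES = 16
NONCE_BYTES = 16
TAG_BYTES = 32
ITERATIONS = 100_000


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch one passphrase into separate encryption and authentication keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Without the passphrase the output is noise."""
    salt = os.urandom(SALT_BYTES)
    nonce = os.urandom(NONCE_BYTES)          # fresh per message so the keystream never repeats
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Check the tag first, then undo the XOR. Raises ValueError on a wrong key or altered data."""
    salt = blob[:SALT_BYTES]
    nonce = blob[SALT_BYTES:SALT_BYTES + NONCE_BYTES]
    ciphertext, tag = blob[SALT_BYTES + NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def roundtrip_demo() -> dict:
    """Constructed sample: encrypt a note, then try the right key, a wrong key and a flipped byte."""
    note = b"Draft settlement memo: privileged and confidential."
    key = "correct horse battery staple"
    blob = encrypt(key, note)
    results = {"recovered": decrypt(key, blob) == note,
               "ciphertext_hides_text": b"privileged" not in blob}
    try:
        decrypt("wrong passphrase", blob)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    tampered = blob[:40] + bytes([blob[40] ^ 0x01]) + blob[41:]   # flip one ciphertext bit
    try:
        decrypt(key, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(roundtrip_demo())   # all four checks should be True
```

The asymmetric case the paper mentions differs only in the key handling: the sender encrypts with the recipient’s public key and only the matching private key decrypts, which is why recipients of traditionally encrypted email must first set up keys and software.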

Many attorneys complain about the number of passwords that they must recall. There are other, more secure methods of authentication such as security tokens or USB tokens. If you insist on using a password, get serious and create different passwords for each application. A password manager like LastPass that creates a complicated password and keeps track of it may be useful. Need an NSA-resistant phone? Spanish smart phone company GeeksPhone and software company Silent Circle have launched Blackphone, an encrypted smart phone that allegedly protects phone calls, text messages, emails and Internet browsing.38

D. Using a Secure Client Portal

If encrypting your email is too cumbersome, a less difficult alternative to communicate with your client is through a secure client portal. These are becoming more common in both large and small firms, particularly those that deal with HIPAA and GLBA security requirements. The portal is an encrypted location where all communication takes place, rather than using email to send documents and information back and forth. The client portal also eliminates the size limitation inherent in some email systems. To access the portal clients generally must create a user name and password that will allow them access to all the information relating to their matter.39 Several case management software applications, including Clio and MyCase, already have portals built into the application. Alternatively, the firm could partition a secure portion of its network that permits access to your client. The benefit is that the server is located in your office and not in the cloud. From the client’s perspective a portal is easier to navigate and ensures the communication is secure and available 24/7.

36 Catherine Sanders Reach, Easy Encryption for Email – Not an Oxymoron, Slaw, August 12, 2013, http://www.slaw.ca/2013/08/12/2easy-encryption-for-email -not-an oxymoron/.

37 N

38 But see R. Abrahams, Mobile Security vs. Blackphone Marketing and Sales Hype, HUFF POST TECH (August 12, 2014) at http://www.huffingtonpost.com/rebecca-abrahams/mobile-security-vs-blackp_b_5672960.html, which points out security issues with the Blackphone.

39 Donna Seyle, Expand Your Solo or Small Firm Practice Using Client Portals, Law Practice Today, December 2011, http://www.americanbar.org/content/dam/aba/publications/law_practice_today/expand-your-solo-or-small-firm-practice-using-client-portals.authcheckdam.pdf.

E. File Sharing

File sharing services allow you to store information on remote servers and access it through the Internet. The communication and files are placed in encrypted cloud storage, and that allows third parties or the client to have password-protected access to them. Rather than emailing attachments, the client receives a link to the securely stored data. File sync and share (“FSS”) is shorthand for sharing files among multiple users and devices, and synchronizing the shared files to retain file integrity. File sharing is gaining importance in law firms. Approximately 50% of law firms have used free commercial file sharing services to transmit privileged information.40 One of the most popular services is DropBox,41 which is free, simple and easy to use. However, free, consumer-based file sharing services should be avoided as they are not focused on security. There are a number of file sharing services that offer more secure and robust services, including Citrix, Box, EMC and Accellion.

F. HTTP vs. HTTPS

HTTP (hypertext transfer protocol) is the way a Web server communicates with browsers like Internet Explorer. HTTP lets visitors view a site and send information back to the Web server. HTTPS (hypertext transfer protocol secure) is HTTP through a secured connection. Communications with an HTTPS server are encrypted using a secure certificate, known as an SSL certificate. The encryption prevents third parties from eavesdropping on communications to and from the server. It does not guarantee the website is safe to use; it only assures you of the identity of the website based on information provided by the certifying organization. Most organizations are moving to HTTPS in their transactions. You should too.

40 LexisNexis, Law Firm File Sharing in 2014.

41 DropBox Business has more robust security but there is a charge for the service.

G. Texting

Although the ABA and other state ethics commissions have not objected to attorneys text messaging clients, attorneys should consider carefully whether to use texts to communicate privileged information to clients. The concerns include the ownership of the cell phone to which you are communicating and access by third parties. Does your client have a reasonable expectation of privacy? Although texting can be fast and easy, the most common form of texting, SMS, is not sufficiently secure to use to transmit personal information in the healthcare environment.42 SMS text messages are sent and stored on servers in plain text and can be intercepted during transit.43 Because of the number of texts sent, there is a move to encrypt and secure smartphone text messaging. Apple encrypts all iMessage communications. Secure text messaging apps like TextSecure for Android and now Signal for iOS are private messaging apps that sidestep SMS completely.44

H. Wireless Communications

Wireless networks have become ubiquitous. Coffee shops, airports, homes and businesses all use wireless (Wi-Fi) networks to enable their laptops and other devices to access the Internet. If the network doesn’t have a password, don’t use it unless you have a secure VPN (virtual private network). Otherwise, use your cellular data to communicate, or use Skype.

Wi-Fi networks generally include a wireless “router” connected to a broadband Internet service via a modem that is attached to the cable or telephone network. While Wi-Fi provides many benefits, unprotected networks can result in unauthorized use and theft of information. Unauthorized users may be able to access your private information, view the transmissions, download your content and infect your devices. There are steps you can take to secure your wireless transmissions.45 The FCC has published the following guidelines:

42 The Joint Commission forbids the use of SMS for the transmission of electronic protected health information under HIPAA regulations.
43 Nathan Collier, Keep Text Messaging Secure, For the Record Vol. 27 No. 3, p. 25, March 2015.
44 Molly Wood, Can You Trust Secure Messaging Apps, New York Times, March 19, 2014, http://www.bits.blogs.nytimes.com.
45 FCC Guide, Protecting Your Wireless Network, Benefits and Risks of a Wireless Network.

Reasons not to text with clients:

• Short messages are misconstrued
• Text messages are not secure
• Text messages are not easily preserved
• Text messages may encourage constant contact and access to the attorney


1. Turn Encryption On

Turn your wireless router’s encryption setting on and use WPA2 encryption. Use a strong wireless network password.

2. Turn the Firewall On

Wireless routers generally contain built-in firewalls, but are sometimes shipped with the firewall turned off. Make sure the firewall is turned on.

3. Change the Default Passwords

Most wireless routers come with preset passwords for administering the device’s settings. Change the router device’s password as soon as it is installed.

4. Change the Default Name of the Network

A network’s name is known as its SSID (service set identifier). When a computer searches for a wireless network, the SSIDs of nearby networks are displayed. Manufacturers usually give the router a default SSID, so it is a good practice to change it.

5. Turn Network Name Broadcasting Off

Wireless routers may broadcast the SSID to the general public. This might be useful for commercial operations that want to offer wireless access to customers, but it is unnecessary for a private network. Turn this feature off.

6. Use the MAC Address Filter

Every device that can connect to a Wi-Fi network has a unique ID called the MAC (media access control) address. You can set your wireless network to accept connections only from devices with MAC addresses that the router is set to recognize. Make sure the router activates its MAC address filter to include only your devices.

In addition to securing home and office networks, remember to turn off “share.” Many of us share files, printers, music and data when we are at home. When you are on a public wireless service you must turn off sharing or anyone can access your data.

Tips

• Use HTTPS for secure browsing. If you have sensitive data, wait until you are at a secure site.
• Use a VPN (virtual private network) if you have one.
• Turn off Wi-Fi when you are not using it.
• Use cellular data or Skype to transmit your information.
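As an added example (not part of this paper or of the FCC guide), the following Python script audits a hostapd-style access-point configuration against FCC steps 1, 4, 5 and 6 above; hostapd is the Linux access-point daemon, used here as a concrete stand-in for a router's admin page. The two configurations, the default-SSID list and the 12-character passphrase threshold are constructed for illustration; steps 2 (firewall) and 3 (admin password) are not radio settings and must be verified on the router itself.

```python
"""Audit a hostapd.conf against FCC wireless guidelines 1, 4, 5 and 6.

Constructed example; the configurations below are not real deployments.
"""
from typing import Dict, List

# Constructed sample: roughly what a router ships with before anyone touches it.
WEAK_CONFIG = """\
interface=wlan0
driver=nl80211
ssid=linksys
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed sample: the same access point after applying the guidelines.
HARDENED_CONFIG = """\
interface=wlan0
driver=nl80211
ssid=simmons-law-office
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Barton Springs at dawn, 2015!
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
"""

# Vendor-looking SSID fragments; a constructed, deliberately short list.
DEFAULT_SSID_MARKERS = ("linksys", "netgear", "dlink", "default", "xfinity", "tp-link")

MIN_PASSPHRASE_LEN = 12  # hostapd accepts 8..63 characters; the guide asks for "strong"


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd key=value lines, skipping blanks and '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per violated guideline, prefixed with its FCC step number."""
    findings: List[str] = []

    # Step 1: encryption on and WPA2 only (hostapd: wpa=1 is WPA, 2 is WPA2, 3 is mixed),
    # AES-CCMP rather than the deprecated TKIP cipher, and a strong passphrase.
    wpa = conf.get("wpa", "<unset>")
    if wpa != "2":
        findings.append(f"1: wpa={wpa}; set wpa=2 so only WPA2 is offered")
    if "TKIP" in conf.get("wpa_pairwise", "") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("1: TKIP cipher enabled; use rsn_pairwise=CCMP")
    if len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append(f"1: wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters")

    # Step 4: the SSID should not look like a vendor default.
    ssid = conf.get("ssid", "")
    if not ssid or any(marker in ssid.lower() for marker in DEFAULT_SSID_MARKERS):
        findings.append(f"4: ssid {ssid!r} looks like a vendor default; rename it")

    # Step 5: ignore_broadcast_ssid=1 (or 2) keeps the beacon from advertising the name.
    if conf.get("ignore_broadcast_ssid", "0") not in ("1", "2"):
        findings.append("5: SSID is broadcast; set ignore_broadcast_ssid=1")

    # Step 6: macaddr_acl=1 means deny unless the device is listed in accept_mac_file.
    # Steps 5 and 6 are modest obstacles only; they do not replace the encryption in step 1.
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("6: MAC filter off; set macaddr_acl=1 and list devices in accept_mac_file")
    elif not conf.get("accept_mac_file"):
        findings.append("6: macaddr_acl=1 but no accept_mac_file given")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding in audit(parse_hostapd(text)) or ["no findings"]:
            print("  " + finding)
```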


I. Legal Issues and Concerns with Email and Social Media

1. Emails sent to or from a client’s work account

Given the proliferation of recorded communications and ease of dissemination, waiver of attorney-client privilege is an increasing concern. The definition of the attorney-client privilege has not changed in the digital age. Confidential information between attorney and client for the purpose of seeking or giving legal advice is generally privileged. In cases involving technology the issue is disclosure of otherwise privileged information and whether there was a reasonable expectation of privacy.

Case law addressing whether an employee destroys or waives any attorney-client privilege he may have in personal communications transmitted or located on company property has been developing among the courts. Several courts have held that there is no reasonable expectation of privacy in emails and downloads on company equipment when the employer has a policy of monitoring employee emails and its guidelines confirm that the employee has no right of privacy. United States v. Simons, 206 F.3d 392, 398 & 399 n.8 (4th Cir. 2000); Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002); In re Royce Homes LP, 449 B.R. 709 (Bkr. Ct., S.D. Tx. 2011). The Royce court adopted the four-factor test first outlined in In re Asia Global Crossing, 322 B.R. 247 (Bkr. Ct., S.D. New York 2005) to determine whether an employee waived attorney-client privilege. The four factors include:

1. does the corporation maintain a policy banning personal or other objectionable use,
2. does the company monitor the use of the employee’s computer or e-mail,
3. do third parties have a right to access the computer or emails, and
4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?

Under a similar analysis, the attorney who communicates with a client over the client’s work email likewise has no expectation of privacy when the email address puts the attorney on notice that the client is using a work email address. Employer monitoring of work-based e-mails is so ubiquitous that attorneys must be aware that a client’s employer would be monitoring, accessing and retrieving emails. See Alamar Ranch, LLC v. County of Boise, No. CV-09-004-S-BLW, 2009 WL 3669741, at *4 (D. Idaho Nov. 2, 2009).

There is a distinction, however, among courts over communications by a client using her personal password-protected Web-based email account even if transmitted over a work computer. In Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010), Loving Care Agency employee Stengart used her company-issued laptop to communicate with her lawyer through her personal email account. The company used a forensic expert to hack her email account and locate the attorney communications. The court held that Stengart had a reasonable expectation of privacy by virtue of her use of a password-protected email service, and the company policy did not specifically address personal email accounts. But see, e.g., Long v. Marubeni Am. Corp., No. 05-Civ.-639, 2006 WL 2998671 (S.D.N.Y. Oct. 19, 2006) (employees did not have a reasonable expectation of privacy in personal email account in light of employer's policy); National Econ. Research Assoc. v. Evans, No. 04-2618-BLS2, 2006 WL 2440008 (Mass. Super. Aug. 3, 2006) (determining that, based on the warnings furnished in the employer's manual, employee would have no reasonable expectation of privacy in his work email, but would have a reasonable expectation of privacy with respect to his password-protected Yahoo email account).46

2. Disclosures in Blogs and Social Media

The threat arising from disclosure on multiple media outlets is illustrated by Lenz v. Universal Music Corporation, No. C 07-03783 JF (PVT), 2010 WL 4286329 (N.D. Cal. Oct. 22, 2010), obj. overr. by 2010 WL 4789099 (N.D. Cal. Nov. 17, 2010). Stephanie Lenz hired counsel to represent her in a lawsuit against Universal Music Corporation. Ms. Lenz posted to YouTube a short video of her toddler dancing to Prince's song Let's Go Crazy. Universal, as the copyright administrator for Let's Go Crazy, sent YouTube a notice that Ms. Lenz's use of the song was unauthorized. Following the notice, YouTube removed the video from its website. After successfully seeking to have the video restored to YouTube, Ms. Lenz filed suit alleging that Universal knew or should have known the video was a “self-evident, non-infringing fair use,” and that Universal's actions caused “harm to her free speech rights” and to her “sense of freedom to express herself.” Lenz emailed privileged information to her mother and a friend. She also posted attorney communications on trial strategy in Gmail chats and on her blog. The court found Ms. Lenz voluntarily waived the privilege as to her communications with counsel. Id.

3. Recommendations to Avoid Attorney-Client Privilege Waiver

1. Attorneys must explain the risk of disclosing privileged information to their clients, particularly as it relates to email, blogs and social media.
2. Attorneys should understand the modern communication landscape to manage the flow of attorney-client communications during the course of representation.
3. Attorneys should understand metadata and communicate that knowledge to their client.

VII. SECURITY IN THE CLOUD

We have previously addressed security related to our electronic devices and our electronic communications; we now turn to storage of electronic data. Data is stored on our computers, mobile devices, cars, home surveillance systems and a myriad of other objects. But increasingly data is being stored in the cloud. The growth of cloud computing is explosive. Some estimates predict the total spending for cloud computing in 2017 at $235 billion, and predict that the demand for cloud services will continue to grow at a brisk pace.47 A recent report from the University of California at Berkeley predicted that “Cloud computing is likely to have the same impact on software that foundries have had on the hardware industry.”48 Along those same lines, the Pew Research Center recently published a report that found that most people will access software applications online and share and access information through the use of remote server networks by 2020.49

46 See Paula Schaefer, Technology's Triple Threat to the Attorney-Client Privilege, Prof. Law., 2013, at 171, 194.

The increasing functionality of the Internet is reducing the role of the personal computer. Cloud providers increasingly offer access to more applications, operating systems and hardware as services.50 Instead of using a personal computer to create documents and spreadsheets that are saved to the user’s hard drive, an Internet user can access a word processing application such as Google Docs and save the completed product on Google’s server to access later. Most social media are based on Cloud technology. One of the most controversial aspects of Cloud computing is that the data may be stored anywhere in the world under the control and administration of a vendor. Data is created, edited, and shared entirely off-site.51

A. Cloud Services

Cloud computing offers many advantages such as cost-efficiency, flexibility and scalability. Despite the numerous benefits that can be realized from migrating “into the cloud,” many companies remain reluctant to do so. Security, reliability, availability, and control over their own data are major concerns.52 Lawyers must be particularly aware of the ramifications of “off-site” storage of a client’s data, and take appropriate precautions to prevent compromising client confidentiality. Security is the top consideration in choosing whether to move any data or productivity to the cloud. Electronic information storage and dissemination are covered by a myriad of laws and regulations that the attorney must understand before placing client information on the cloud.

Most cloud services fall into one of three main categories, based on the specific services provided:53

47 See Christopher Soghoian, Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era, 8 J. TELECOMM. & HIGH TECH. L. 359, 424 & n.3 (2010) (citing various estimates, including Merrill Lynch’s $160 billion estimate); C. Columbus, Roundup of Cloud Computing Forecasts and Market Estimates, 2014, http://www.forbes.com/sites/louiscolumbus/2014/03/14/roundup-of-cloud-computing-forecasts-and-market-estimates-2014/
48 Michael Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, UNIV. OF CAL. BERKELEY, TECH. REPORT NO. UCB/EECS-2009-28, 1, 2–3 (2009), available at http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf.
49 Janna Quitney Anderson & Lee Rainie, The Future of Cloud Computing, PEW RESEARCH CTR., (2010), http://pewresearch.org/pubs/1623/future-cloud-computing.
50 Alberto G. Araiza, Comment, Electronic Discovery in the Cloud, 2011 DUKE L. & TECH. REV. 8 (2011).
51 See William Jeremy Robison, Note, Free At What Cost?: Cloud Computing Privacy Under the Stored Communications Act, 98 GEO. L.J. 1195, 1209–12 (2010).
52 See Yanpei Chen et al., What’s New About Cloud Computing Security?, UNIV. OF CAL. BERKELEY, TECH. REPORT NO. UCB/EECS-2010-5 (2010), http://www.utdallas.edu/~mxk055100/courses/cloud11f_files/what-is-new-in-cloud-security.pdf.
53 Peter Mell & Tim Grance, The NIST Definition of Cloud Computing, NAT’L INST. OF STANDARDS & TECH., (Oct. 7, 2009); see also Lorraine Mullings Campos et al., Cloud Computing—The Key Risks and Rewards for Federal

• Infrastructure-as-a-Service (“IaaS”): Provides computing capacity (servers, storage space, network devices) on which the customer can perform its computing functions using its own software. Instead of purchasing servers, software, datacenter space or network equipment, clients buy those resources as a fully outsourced service on demand.
• Platform-as-a-Service (“PaaS”): Provides hardware which the customer can operate as a “virtual machine” for building and operating its own software applications.
• Software-as-a-Service (“SaaS”): Provides fully functional software applications that reside on the provider’s infrastructure, and are accessed through the Internet. This service model is by far the most common, encompassing virtually all of the consumer cloud services, such as Gmail, Shutterfly, evite and Facebook. This is the new software model that beckons the practitioner. Rather than buying/licensing software that you install on your computer or the firm’s server, SaaS is accessed through the web over the Internet. Under the traditional software model the data created and used by the software existed on the user’s computer and was often backed up to a firm’s central file server. The data created and used by SaaS is stored in the vendor’s data center. Upgrades and updates are rolled out continuously and the payment model is usually a subscription fee.

Cloud computing also involves different types of delivery models, which are based on the location and degree of control over the infrastructure:54

• Private Cloud: The physical infrastructure is dedicated to a single customer—whether located on the customer’s premises or at the cloud provider’s datacenter. No other customers share the infrastructure, which is usually protected behind a dedicated firewall.
• Public Cloud: The infrastructure is housed in the cloud provider’s facility and is shared amongst multiple customers—often through virtualization technology which slices a single server into several segregated “virtual” servers which are then assigned to individual customers. Gmail and Office 365 are public clouds. Dropbox is a public cloud service. Amazon Web Services (AWS) is a series of public cloud services. Anyone can sign up and use these services if they are willing to pay. With the public cloud you do not control the servers or have access to them and must rely on the security utilized by the vendor.
• Hybrid Cloud: As you might be able to guess from the name, this term refers to a mix of both public and private cloud services. Some companies view certain categories of data and/or applications as more sensitive or mission-critical than others. This type of cloud service allows them to utilize a private cloud for the more sensitive computing tasks, and a public cloud for the rest.

Government Contractors, TRANSCENDING THE CLOUD—A LEGAL GUIDE TO THE RISKS AND REWARDS OF CLOUD COMPUTING, 1055 PLI/Pat 119, 131 (2011).
54 Peter Mell & Tim Grance, The NIST Definition of Cloud Computing, NAT’L INST. OF STANDARDS & TECH., (Oct. 7, 2009).

• Community Cloud: The infrastructure is shared by several organizations with a common interest (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, on or off site.

Although service and access are important considerations, the first step in evaluating whether cloud computing is the right choice for you or your client is to understand the exact nature of all the data that is being considered for storage in the cloud, including its proprietary or confidential nature, and whether it contains personally identifiable information. Care must be taken in choosing the cloud vendor because cloud providers can go bankrupt, be seized as part of a criminal investigation, or be acquired, which may affect the continued maintenance of their servers.

Certain categories of information (financial data, health-related information, etc.) are subject to specific laws and regulations which may dictate how and to what extent that information can be stored in the cloud. For example, HIPAA contains very explicit requirements for the storage of health-related personal information. Many of these legal obligations are non-delegable, meaning that even if the storage of the data is entrusted to a cloud services provider, the ultimate responsibility for compliance with the law rests with the company that “owns” the data.55 Several states including Texas have additional requirements regarding information stored on the Cloud, including breach notification laws.56 Some cloud service providers have begun to specialize in storage of data that is covered by HIPAA, and have received certification of HIPAA compliance as further assurance to their customers that storage of health-related information in their cloud environment is a safe alternative to local storage.57 As the cloud industry matures, more providers will become specialized in storage of other specific categories of information that are subject to legal or regulatory oversight.

Cloud computing often offers security levels that are superior to those employed by most law firms, but because the data being stored may be highly sensitive client information, attorneys must be particularly alert to the security protection offered by prospective cloud providers.

B. Responsibility for Data Security

55 Mick Seals, HIPAA in the Cloud: Technical Architectures that Render PHI As “Secured,” SOGETI USA, INC. (October 2011), http://www.us.sogeti.com/what-we-do/PDF/HIPAA-in-the-Cloud-Whitepaper-Sogeti-v1.2.pdf.
56 The Texas Business & Commerce Code provides:

Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

TEX. BUS. & COM. CODE ANN. § 521.053 (West Supp. 2011).
57 See David Chernicoff, Will Your Cloud Be HIPAA Compliant?, ZDNET 2012, http://www.zdnet.com/blog/datacenter/will-your-cloud-be-hipaa-compliant/1212?tag=search-results-rivers;item2.

Companies from Amazon to Sony have learned the hard way that a breach in the security of sensitive customer information can have serious repercussions in areas of legal exposure and public relations.58 The data breach at Target resulting in the loss of personal and credit card information of up to 110 million individuals occurred during the normal processing and storage of data. The first question you should ask yourself—and the cloud provider you’re considering—is: Who is responsible for which aspects of the security of your data? The perceived responsibility for protecting data in the cloud depends greatly on the type of cloud service you are using. In SaaS environments users believe that the cloud provider is primarily responsible for security, while in IaaS and PaaS environments security is a shared responsibility.59

If your firm is considering offloading its storage to remote servers handled by vendors like Amazon or Rackspace, there are a number of considerations to keep in mind. Although the vendor’s website often promotes the security of data stored on its servers, the vendor’s standard service level agreement usually reveals that the vendor disclaims responsibility and declares security the customer’s responsibility.60 Generally speaking, the cloud service provider is responsible for only the physical security of the datacenter and the server. The customer, on the other hand, is typically responsible for the security of the data stored on the server by, for example, maintaining adequate firewalls, data encryption software, and internal company controls to prevent data breaches from within. While some cloud companies may offer enhanced security services, you should assume that you, the customer, are responsible for all aspects of security other than the datacenter itself.

If the cloud services provider is responsible for data security, you should make sure the service level agreement provides you (or your client) with plenty of opportunity to verify the efficacy of the provider’s security measures. You can also request the right to conduct your own inspection and audit of the provider’s security measures—including both data security (where this is the provider’s responsibility) and physical security of the facilities that house your company’s data. Make sure that your agreement provides you the right to immediate termination in the event that the cloud provider’s security measures are found to be materially deficient as a result of one of these audit procedures. You can also attempt to negotiate an indemnification from the provider for any losses or damage to your firm or clients as a result of the security of your data being compromised, as well as a corresponding carve-out from the section of the agreement that limits the cloud provider’s liability under the agreement. However, again, this would only apply if the provider is responsible for the security of the data itself. Even where you, the customer, are responsible for the electronic security of your data, you can still ask the cloud provider to take responsibility for any breach of the physical security of the facility where your data is stored. As a practical matter, however, unless you have large storage needs it may be unrealistic to expect major cloud providers such as Amazon or Rackspace to negotiate terms beyond their standard agreements without an increase in cost.

58 See Roland L. Trope & Sarah Jane Hughes, Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing, 38 WM. MITCHELL L. REV. 111, 181 (2011).
59 See J. McKendrick, Cloud Computing Improving But Still A Work In Progress, Study Says, Forbes Tech, May 12, 2014, http://www.forbes.com/sites/joemckendrick/2014/05/12/cloud-security-improving-but-still-a-work-in-progress-study-says/
60 See id. at 194–95 & n.248 (quoting the “Amazon Services Customer Agreement” and noting that the ultimate responsibility for security rests with the data customer). The Amazon Services Customer Agreement provides that Amazon “will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.” Amazon Web Services Customer Agreement, AMAZON WEB SERVICES, http://aws.amazon.com/agreement/ (last updated August 20, 2014). The agreement further provides, “You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection and backup of Your Content . . . .” Id.

There are some cloud services that provide encryption and decryption of your files in addition to storage and backup, so that no one, including service providers or server administrators, will have access to your files. Such services include SpiderOak and Wuala.

Finally, in terms of security, the end of the road for Microsoft’s Windows XP spells opportunity for hackers. Microsoft has stopped providing security patches for WinXP.61 Without those patches WinXP PCs will be increasingly full of security holes. Nearly 30 percent of Internet-connected PCs still run Windows XP.62 If you are using WinXP you should upgrade. If you can’t, you should stop using Microsoft’s Internet Explorer 8, which will no longer receive security patches. Move to Google Chrome or Mozilla Firefox to have a secure, modern browser. Most antivirus solutions will continue to support Windows XP.

C. Other Important Issues

Relative to data security, other areas of concern for anyone considering cloud storage:

• Geographic Location of Data Storage. Where in the world is your data and what are the privacy and security rules that apply? There are numerous rules and statutes that relate to storing financial, health and education information that require additional security levels. In addition, the European Union Data Protection Directive and implementing statutes prohibit the disclosure of personally identifiable information to jurisdictions that do not meet minimum standards, including the United States, unless certain safeguards are in place.
• Service Quality and Availability. How frequently can you get to your data and, more importantly, what happens if you cannot? Does the Service Level Agreement contain minimum uptime levels?
• Data Retention and Destruction. Will your data be backed up? When you delete your data is it “really” gone?
• Indemnification. If the provider makes a mistake, what is the liability?
• Contract Termination. How do you end the agreement? How do you migrate your data from the provider at the end of the contract?

61 Note that Microsoft continues to support “Windows Embedded Industry,” which will last until 2019. The Embedded Industry operating system is based on Windows XP Service Pack 3. Consequently the security updates released for Windows Embedded Industry are essentially what would have been provided for XP3. However, you have to develop a hack as explained in G. Kelly, Simple Hack Gives Windows XP Users 5 More Years of Support, www.forbes.com/sites/gordonkelly/2014/05/27/simple-hack-gives-windows-xp-users-5-more-years-of-support.

The reality is, however, that cloud computing contracts are often non-negotiable except for the largest customers.

VIII. ETHICAL IMPLICATIONS OF CLOUD COMPUTING

Having briefly examined the operation of the cloud and issues relating to security, we turn to some of the relevant ethical considerations. The advent of cloud computing, as well as the use of electronic devices such as cell phones that take advantage of cloud services, has raised serious questions concerning the manner in which lawyers and law firms handle client information, and this has been the subject of numerous ethical inquiries throughout the country.63 Recently, the Pennsylvania Bar Association’s Legal Ethics and Professional Responsibility Committee has released Formal Opinion 2011-200, North Carolina has adopted Formal Ethics Opinion 2011-06, the New York State Bar Association has adopted Opinion 842, and California has adopted Ethics Opinion 2010-179. Alabama, Arizona, Florida, Illinois, Maine, Massachusetts, Nevada, New Hampshire, New Jersey, North Dakota, Vermont, and Virginia have also issued opinions related to cloud computing in the last few years.

All of the foregoing opinions deem the storage of confidential client information in the cloud to be ethical so long as proper precautions are taken by the attorney to assure that the materials remain confidential and they are protected from breaches, loss and other risks.64 Interestingly, there were a number of requirements that differed among the jurisdictions. Nevada likened storage in the cloud to storage of paper documents in a warehouse, and thus a client’s consent to such storage was preferable but not required. New Hampshire seems to require consent to storage in the cloud based on the sensitivity of the documents, while Massachusetts requires a client’s express consent to cloud storage. Alabama requires the attorney to know how the provider will handle security of the stored information, including confidentiality, and the attorney should stay abreast of pertinent safeguards to be employed in cloud storage. California has a list of factors for an attorney to consider before using a particular form of technology, based in part on the attorney’s own competence.

62 C. Hoffman, How to Keep Your PC Secure When Microsoft Ends Windows XP Support, PC World (Feb. 28, 2014).
63 See Roland L. Trope & Sarah Jane Hughes, Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing, 38 WM. MITCHELL L. REV. 111, 144, 161–63 (2011) (reviewing ethics opinions from the New York State Bar, California State Bar, and the American Bar Association).

TIPS

• Select a suitable provider
• Ensure the provider has technology to withstand any attempt to infiltrate
• Limit data to U.S. or understand consequences
• Take reasonable precautions to back up data and ensure its accessibility
• Implement electronic audit trail procedures to monitor who is accessing the data
• Create a plan to address security breaches
• Retain ownership of the data
• Require notification if the provider is requested to produce data to a third party
• Know the exit strategy if you terminate the agreement so you can obtain your data.

Texas has not yet released a formal ethics opinion on the Cloud, but its recent Opinion 648 (2015), which addresses email, provides some insight. Opinion 648 references with approval Opinion 572 (2006), which provides:

Under the Texas Disciplinary Rules of Professional Conduct, unless the client has instructed otherwise, a lawyer may deliver materials containing privileged information to an independent contractor, such as a copy service, hired by the lawyer in the furtherance of the lawyer’s representation of the client if the lawyer reasonably expects that the confidential character of the information will be respected by the independent contractor.65

Thus, by implication, just as a lawyer can hire a copy service to hold client confidential information, the attorney may select a cloud vendor, but only if she does due diligence to determine that the vendor has adequate security.

An attorney using cloud computing is under the same obligation to maintain client confidentiality as is the attorney who uses on-site document management. While no Texas Disciplinary Rule of Professional Conduct specifically addresses cloud computing, the following, inter alia, may be implicated: Rule 1.01 (Competent and Diligent Representation); Rule 1.05 (Confidentiality of Information); Rule 1.14 (Safekeeping Property); and Rule 5.03 (Responsibilities Regarding Non-lawyer Assistants).66

Rule 1.01 requires that “[i]n representing a client, a lawyer shall not . . . neglect a legal matter entrusted to the lawyer. . . . ‘[N]eglect’ signifies inattentiveness involving a conscious disregard for the responsibilities owed to a client or clients.”67 Failing to ensure that a cloud services provider has implemented adequate safeguards to maintain confidentiality may implicate Rule 1.01. Likewise, under Comment 8 to the Rule, a lawyer “should strive to become and remain proficient and competent in the practice of law.” As the use of technology increases in the practice of law, lawyers must become knowledgeable about the technology that they and their clients use.

64 For an interactive map of cloud ethics opinions go to: www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.
65 Tex. Comm. on Prof’l Ethics, Op. 572, 69 TEX. B.J. 793, 794 (2006).
66 Texas Disciplinary Rules of Professional Conduct (reprinted, Tex. Gov’t Code Ann., tit. 2, subtit. G, app. A-1 (Tex. State Bar R. art. X, § 9) (West)).

Rule 1.05 states that “a lawyer shall not knowingly . . . reveal confidential information of a client or former client to [anyone] other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s firm.”68 However, “A lawyer may reveal confidential information . . . when the lawyer has been expressly authorized to do so in order to carry out the representation [or when] the client consents after consultation.”69 Comments [1]–[5] to Rule 1.05 explain the importance of the confidential relationship. It is vital that a client’s personal information or information related to a case is kept private and protected. Comment [1] explains the reasoning behind the confidential attorney-client relationship: “The ethical obligation of the lawyer to protect the confidential information of the client not only facilitates the proper representation of the client but also encourages potential clients to seek early legal assistance.”70

Concerns regarding the security of confidential client information may be raised when confidential information is kept on servers in another country. An attorney should ensure that the country has privacy laws similar to those in the United States that will protect the data on the server.71 In the event the server’s protection of confidential data is compromised (e.g., through hacking, technical failures, or other situations), an attorney using cloud computing services may need to take special steps to satisfy his or her obligations under Rules 1.05 and 1.14.72

Rule 1.14 requires that client property should be “appropriately safeguarded.” Client property generally includes files, information, and documents, including those existing electronically. Appropriate safeguards will vary depending on the nature and sensitivity of the property.73 Rule 1.14 provides in relevant part: “A lawyer shall hold . . . property belonging in whole or in part to clients . . . separate from the lawyer’s own property.” In the days of paper discovery and tangible property, assuring this level of protection for the client’s property was a straightforward process. File cabinets and folders maintained the separation among clients and the attorney’s personal information. With the move to electronic rather than paper documents and the switch from boxes to the cloud, the separation of attorney and client materials becomes less clear.

Rule 5.03 provides:

With respect to a nonlawyer employed or retained by or associated with a lawyer: (a) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer; and (b) a lawyer shall be subject to discipline for the conduct of such a person that would be a violation of these rules if engaged in by a lawyer if: (1) the lawyer orders, encourages, or permits the conduct involved; or (2) the lawyer: (i) is a partner in the law firm in which the person is employed, retained by, or associated with; or is the general counsel of a government agency’s legal department in which the person is employed, retained by or associated with; or has direct supervisory authority over such person; and (ii) with knowledge of such misconduct by the nonlawyer knowingly fails to take reasonable remedial action to avoid or mitigate the consequences of that person’s misconduct.

67 Tex. Disciplinary Rules Prof’l Conduct R. 1.01(b), reprinted in TEX. GOV’T CODE ANN., tit. 2, subtit. G, app. A (West 2005) (Tex. State Bar R. art. X, § 9).
68 Tex. Disciplinary Rules Prof’l Conduct R. 1.05(b)(1).
69 Id. R. 1.05(c)(1)–(2).
70 Id. R. 1.05 cmt. 1.
71 Pa. Bar Ass’n Comm. on Legal Ethics & Prof’l Resp., Formal Op. 2011-200.
72 Id.; see also Tex. Disciplinary Rules Prof’l Conduct R. 1.05, 1.14.
73 See Tex. Disciplinary Rules Prof’l Conduct R. 1.14.

At its essence, cloud computing can be seen as an online form of outsourcing subject to Rule 5.03’s governance of the supervision of those who are associated with an attorney. Therefore, a lawyer must make reasonable efforts to ensure that the cloud provider entrusted with confidential client information is competent and trustworthy. To meet this standard the attorney may want to investigate the provider’s security measures, policies and recovery methods as well as the financial viability of the company. There are many important factors to consider when examining potential vendors of cloud services.74

Suggested Guidelines for traveling in the Cloud:
• Only Use Reliable Providers
• Document Due Diligence
• Read the Contract
• Agree on Key Terms:
  o Ownership of Data
  o Frequent Backups
  o Data Storage Location
  o Unfettered Access
  o State of the Art Security
  o Timely Breach Notice
  o Timely Subpoena Notice
  o Access Without Internet Connection
  o Meaningful Support
• Get Client Consent
• Understand the Technology or Engage an Expert
• Encrypt Sensitive Data

IX. DISPOSAL OF CONFIDENTIAL INFORMATION

Once you upgrade to the next smart phone or tablet, be careful how you dispose of your older version. In a recent study by Deloitte,75 researchers were able to recover personal email content (30%) and corporate email content (15%) from factory-wiped phones. On encrypted devices, recovery was not possible. The lesson: encrypt your device. Do not rely on the factory wipe.

CONCLUSION

Recent security breaches show an escalation in attacks as well as a corresponding escalation in security measures. Lawyers must learn the basics relating to technology and then apply the appropriate measures to ensure confidential client information remains confidential.

74 See generally Roland L. Trope & Sarah Jane Hughes, Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing, 38 WM. MITCHELL L. REV. 111 (2011) (reviewing ethics opinions and practical considerations in choosing a Cloud provider).
75 www.2.deloitte.com/content/dam/Deloitte/Risk/mobile_device_security_risk.pdf.

APPENDIX A:

ADDITIONAL RESOURCES

Cloud Storage

www.Dropbox.com

www.Box.com

www.Evernote.com

www.filetransporter.com – “Your own personal cloud”

Security Tools to Use in Conjunction with Cloud Storage

Viivo – www.viivo.com

Boxcryptor – www.boxcryptor.com

Mobile Document Management

PDF Pen for iPad – www.SmileSoftware.com

Documents to Go – www.dataviz.com – view, edit, and create Microsoft Office documents on your mobile device

Notability – www.gingerlabs.com – note-taking app with integrated recorder (iOS only)

Encryption

ZixCorp – www.Zixcorp.com – encrypt and decrypt email and attachments.

SpiderOak – www.spideroak.com – privately store, sync, share and access data with encryption.

Wuala – www.wuala.com – secure cloud storage from Switzerland

Seagate Secure – www.seagate.com – self-encrypting hard drives

IronKey – www.ironkey.com – security policies for USB devices

Password Managers

1Password – www.agilebits.com/onepassword

LastPass – www.lastpass.com

Roboform – www.roboform.com/

Dashlane – https://www.dashlane.com/

Additional Information

“Law Firm Management in the Cloud – Leveling the Playing Field for Law Firms,” a white paper by Andrew Z. Adkins III, President, Legal Technology Institute, Fall 2011.

“Green-minded law firms try to reduce paper waste,” Randy Roguski, July 28, 2008, Cleveland.com; http://blog.cleveland.com/business/2008/07/greenminded_law_firms_try_to_r.html

“The Office of the Future,” Business Week, June 30, 1975, now available at http://www.businessweek.com/stories/1975-06-30/the-office-of-the-futurebusinessweek-business-news-stock-market-and-financial-advice

“The Best Password Managers,” by Neil J. Rubenking, PC Magazine (online), April 11, 2014; http://www.pcmag.com/article2/0,2817,2407168,00.asp

“2014 Best Online Password Manager Reviews,” TopTenReviews.com http://online-password-manager-review.toptenreviews.com/

“Ethics 20/20, Security, and Cloud Computing,” webinar presented 6/19/2014 by the American Bar Association Legal Technology Resource Center, Center for Professional Responsibility, and Center for Professional Development. http://shop.americanbar.org/ebus/store/productdetails.aspx?productid=128090546 or http://westlegaledcentrecarswell.com/program_guide/course_detail.jsf?courseId=100027043

“Hackers, Spies, and Stolen Secrets: Protecting Law Firms from Data Theft,” Alan W. Ezekiel, Harvard Journal of Law & Technology, Volume 26, Number 2, Spring 2013.

“Going Paperless for the Law Office: A Practical Guide,” Michael J. Morse, Law Practice Today, September 2009, http://apps.americanbar.org/lpm/lpt/articles/ftr09095.shtml.

“Record Retention and Destruction Current Best Practices,” ABA August 8, 2003; http://apps.americanbar.org/buslaw/newsletter/0019/materials/recordretention.pdf .

Information and resources available at the ABA’s Legal Technology Resource Center: http://www.americanbar.org/groups/departments_offices/legal_technology_resources.html.

Laura L. McClellan
Partner, Thompson & Knight LLP
1722 Routh Street, Suite 1500
Dallas, TX 75201
Phone: 214.969.1358
Email: [email protected]