Putting your practice on cloud 9

Putting Your Practice on Cloud 9

2

Cloud Compu*ng

So.ware-‐as-‐a-‐Service

Web Application

ASP

3

4

5

tradi*onal compu*ng model

The Internet Local Area Network

so.ware-‐as-‐a-‐service model

The Internet Local Area Network

typical small law office

tradi/onal so1ware distribu*on

cloud compu/ng

whycloud computing?

You need to delivera better experience to your clients

13

We’re screwed.

14

There is a profound message here for lawyers—when thinking IT and the Internet, the challenge is not to automate current working practices that are not efficient. The challenge is to innovate, to practice law in ways that we could not have done in the past.

It’s not just what you sell

It’s how you sell it

47%53%

Deliver a cloud experience to your clients

inno

vato

rs 2

.5%

early

ado

pter

s 13.

5%

early

maj

ority

34%

late

maj

ority

34%

lagg

ards

16%

21

up and running fast

22

save money

23

cash flow

ethics of cloud computing

North Carolina State Bar Ethics Inquiry

•2011 FEO 6 "Subscribing to So.ware as a Service While Fulfilling Confiden*ality and Preserva*on of Client Property"

•First ethics opinion in North America specifically focused on use of cloud compu*ng in a law firm

Inquiry #1

Is it within the Rules of Professional Conduct for an attorney/law 7irm to use online ("cloud computing")

practice management programs (e.g., the Clio program) as part of the practice of law? These are instances where the software program is accessed online with a password and is not software installed on a computer within the

5irm's of5ice.

North Carolina Proposed Formal Ethics Opinion

Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of con5idential client

information and to protect client property, including 5ile information, from risk of loss.

Other States Following Suit• Pennsylvania Formal Opinion 2011-‐200

• California Formal Opinion No. 2010-‐179

• Alabama State Bar Ethics Opinion 2010-‐02

• Arizona State Bar Formal Opinion 09-‐04

• Nevada State Bar Formal Opinion No. 33

• New York State Bar Associa*on Opinion 842 of 2010

• Iowa Op. 11-‐01

• Oregon Formal Op. 2011-‐188

• Vermont Advisory Ethics Op. 2010-‐6

• Massachuse[s MBA Ethics Opinion 12-‐03

29

ABA 20/20 Ethics Commission

•Examining how a lawyer’s ethical responsibili*es apply to cloud compu*ng

•Recommenda*ons adopted in August 2012

30


•The development of a centralized, user-‐friendly website that contains con*nuously updated and detailed informa*on about confiden*ality-‐related ethics issues arising from lawyer’s use of technology, including the latest data security standards.

•Amendments to several Model Rules of Professional Conduct and their Comments to offer specific guidance and expecta*ons rela*ng to technology.

31


32

The Commission concluded that competent lawyers must have some awareness of basic features of technology. To make this point, the Commission is recommending an amendment to Comment [6] of Model Rule 1.1 (Competence) that would emphasize that, in order to stay abreast

of changes in the law and its practice, lawyers need to have a basic understanding of technology’s bene5its and risks.


33

Proposed new Model Rule 1.6(c) would make clear that a lawyer has an ethical duty to take reasonable measures to protect a client’s con7idential information from inadvertent disclosure and

unauthorized access. This duty is already implicit in Model Rule 1.6 and is described in several existing comments, but the Commission concluded that, in light of the pervasive use of technology to store and transmit con5idential client information, this obligation should be stated explicitly in the black

letter of Model Rule 1.6.

ABA Model Rules of Professional Conduct

34

“ When transmitting a communication that includesinformation relating to the representation of a client, thelawyer must take reasonable precautions to prevent theinformation from coming into the hands of unintendedrecipients. This duty, however, does not require that thelawyer use special security measures if the method ofcommunication affords a reasonable expectation ofprivacy.” (Emphasis added)Comment 17, Rule 1.6

security of cloud computing

36

Security

Encryption

Data Privacy

Data Availability

Terms of Service

encryption

terminology

•Secure Sockets Layer (SSL)ØIndustry standard protocol for securing Internet communica*ons

ØBanks, e-‐commerce sites (Amazon.com, etc.) all use SSL for secure communica*ons

without ssl

Informa*on exchanged is insecure

Please give me my bank account balance

$2,031.34

Your Computer Your Bank’s Server

with ssl

11010001110

01101010001010110101010100101010

Your Computer Your Bank’s Server

Informa*on exchanged is encrypted for security

Firefox:

A sealed lock icon indicates a secure connec*on

Internet Explorer:

verifying ssl connec*ons

Safari:

server security

Are third-‐party audits being performed?

server security

server security

endpoint security

HIPAA

47

password security

[email protected]

passwordsmithlaw07121954

49

50

privacy

privacy

•Does the SaaS provider have a published privacy policy?•Need to ensure you own your data•The private client informa*on stored with your SaaS provider cannot be used for any other purposes

facebook privacy policy You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid,

worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store,

retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame,

translate, excerpt, adapt, create derivative works and distribute (through multiple tiers),

any User Content you (i) Post on or in connection with the Facebook Service or the promotion

thereof subject only to your privacy settings.

You may remove your User Content from the Site at any time. If you choose to remove your User

Content, the license granted above will automatically expire, however you acknowledge that

the Company may retain archived copies of your User Content.

How is sensi*ve informa*on being handled?

TRUSTe

“TRUSTe’s program requirements are based upon the Fair

Informa*on Principles and OCED Guidelines around no*ce,

choice, access, security, and redress -‐ the core founda*ons of

privacy and building trust. Sealholders are required to undergo a

rigorous review process to assess the accuracy of privacy

disclosures and compliance with TRUSTe’s requirements in order

to obtain cer*fica*on.”

data availability

56

57

58

59

Data Loca/on

•Where is main data center(s)•Is data backed up to mul*ple offsite loca*ons?

external backup provisions

•Can you perform an export of your data?

Comma Separated Values (CSV)

Extensible Markup Language (XML)

Microso1 Excel (XLS)

business con*nuity

What if the SaaS provider goes out of business?

op*on 1: data export

Cross your fingers and hope you’re up to date…

Comma Separated Values (CSV)

Extensible Markup Language (XML)

Microso1 Excel (XLS)

If it isn’t automated you’ll forget to do it

op*on 2: data escrow

saas provider escrow provider

saas user

terms of service /service level agreement

terms of service

•Easily accessible, published ToS?•Outlines the condi*ons under which you agree to use the service

•Ensure you’ve reviewed and accepted your provider’s terms of service

service level agreement

•SLA•Outlines guaranteed up*me percentages•E.g. 99.9%•Usually providers for some kind of compensa*on if down*me exceeds SLA guarantee

data center security

70

71

72

Thank You

Technology

Putting your practice on cloud 9