A Discussion of ETHICS AND TECHNOLOGY MAY 7, 2015

Technology Security & Ethics for Idaho Lawyers

Page 1: Technology Security & Ethics for Idaho Lawyers

A Discussion of ETHICS AND TECHNOLOGY

MAY 7, 2015

Page 2: Technology Security & Ethics for Idaho Lawyers

MANAGEMENT TEAM

GARY ALLEN
FOUNDER / CEO - ATTORNEY

• 25+ year practicing attorney.
• Idaho native.
• Always wanted better software and technology services for attorneys.

JONATHON FISHMAN
FOUNDER / CHIEF SERVICE OFFICER

• 25 years of tech experience.
• 15 years of small business technical consulting.
• Passionate about creating trusted relationships with clients.

Page 3: Technology Security & Ethics for Idaho Lawyers

HELPING THE LEGAL COMMUNITY PRACTICE LEAN

ABOUT US

SOFTWARE
• Cloud-based
• Easy-to-use
• Low cost
• In your workflow

CONCIERGE SERVICE
• User focused
• Trusted relationships
• Empowers change

Page 4: Technology Security & Ethics for Idaho Lawyers

LEAN METHODOLOGIES + TECH BEST PRACTICES = ETHICS COMPLIANCE

YOUR MOTIVATION

FOCUS ON PRACTICING LAW

· Time Efficiencies

· Cost Savings

· Data Security

· Peace of Mind

Page 5: Technology Security & Ethics for Idaho Lawyers

OVERVIEW

PART 1: What is safe and what isn’t?

PART 2: What Are the Rules?

PART 3: Action Items… the things you can do today.

Page 6: Technology Security & Ethics for Idaho Lawyers

LEANLAW PERSPECTIVE

Page 7: Technology Security & Ethics for Idaho Lawyers

CYBERSECURITY IS NECESSARY.

1. Ethical Reasons. It matters to your clients.

2. Business Motivations. It matters to your practice.

3. This is a board room discussion! It isn’t about anti-virus and firewalls or some other tool. It is about how you run and operate your practice.

4. It needs to carry the same importance as you would apply to accounting or new business development.

Page 8: Technology Security & Ethics for Idaho Lawyers

THE CLOUD IS THE SAFEST PLACE TO STORE YOUR DATA!

LET’S LOOK AT PHYSICAL STORAGE

Page 9: Technology Security & Ethics for Idaho Lawyers

HERE’S WHAT CLOUD STORAGE LOOKS LIKE

THE CLOUD IS THE SAFEST PLACE TO STORE YOUR DATA!

Page 10: Technology Security & Ethics for Idaho Lawyers

THE CLOUD IS SAFE AND HERE IS WHY

1. Cloud companies have a culture of security.

2. Cloud companies will always outperform your IT best practices.
   · Better server architecture.
   · Better security and IT best practices.
   · More know-how.
   · They have a built-in incentive not to mess this up and always get better.

3. The cloud architecture is built to be secure, with less user control and management and data transferred via secure APIs.

4. Newer authentication and infrastructure models.

Page 11: Technology Security & Ethics for Idaho Lawyers

CHANGES TO IRPC REGARDING TECHNOLOGY

THE RULES

· Rule 1.1 – Competency

· Rule 1.6 – Confidentiality

· Rule 5.3 – Supervision of Nonlawyers Outside the Firm

Page 12: Technology Security & Ethics for Idaho Lawyers

COMPLIANCE DETERMINED AFTER SOMETHING BAD HAS HAPPENED

This is true both if you use technology, e.g. your DropBox account is hacked,

or if you do not, e.g. you fail to check your e-mail and miss an important message.

Page 13: Technology Security & Ethics for Idaho Lawyers

RULE 1.1 - COMPETENCE

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Comment ... Maintaining Competence

[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

…keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology,

Page 14: Technology Security & Ethics for Idaho Lawyers

SO, WHAT DOES THIS MEAN TO YOU?

RULE 1.1 - COMPETENCE

• Take ownership of the topic.
  • You or a delegate must make it a part of their job to understand the technology used within your firm’s practice.
  • Think workflows such as email or document management.

• Align yourself with someone in the know.
  • An IT firm or tech-savvy lawyer. You need a go-to person or company.
  • ABA Tech section: http://www.americanbar.org/groups/departments_offices/legal_technology_resources.html

• Make sure your technology is documented.

Page 15: Technology Security & Ethics for Idaho Lawyers

CYBERSECURITY CONCEPTS YOU SHOULD KNOW

1. Physical and Environmental Controls.
   · Who has access to where the data is stored? How is this managed?

2. Least Privilege.
   · Limit data access to only those for whom it is essential to their work.
   · Think Snowden.

3. Encryption at Rest and in Transit.
   · Is the data so critical that it should stay in an encrypted state even when stored in your local environment? (Encryption at rest)

4. User Access Control and Logs.
   · Ensure you have a process in place to know who touched the data, where and when.
   · Is there a company policy or at least a known best practice?

Page 16: Technology Security & Ethics for Idaho Lawyers

RULE 1.6 - CONFIDENTIALITY

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Comment ...

Acting Competently to Preserve Confidentiality

[16] …The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). . . .

The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.

…sensitivity of the information

…the likelihood of disclosure if additional safeguards are not employed

…the cost of employing additional safeguards

…the difficulty of implementing the safeguards

…the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)

Page 22: Technology Security & Ethics for Idaho Lawyers

RULE 1.6 - CONFIDENTIALITY

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Comment ...

Acting Competently to Preserve Confidentiality 

[16] …A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.

…A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.

Page 23: Technology Security & Ethics for Idaho Lawyers

RULE 1.6 - CONFIDENTIALITY

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

Page 24: Technology Security & Ethics for Idaho Lawyers

RULE 1.6 – STATE AND FEDERAL RULES THAT GOVERN DATA PRIVACY

1. Health Care
   • HIPAA 45 CFR Part 160, Part 164 (Subparts A & E)
   • Administrative Safeguards.
   • Physical Safeguards.
   • Technical Safeguards.

2. Banking/Consumer Finance
   • Fair Credit Reporting Act, 15 USC 1681 et seq.
   • Gramm-Leach-Bliley - 15 USC 6802.
   • FTC 16 CFR Part 313.
   • SEC 17 CFR Part 248.

3. California Online Privacy Act of 2003
   • Cal. Bus. & Prof. Code §§ 22575-22579.

4. Massachusetts 940 CMR 27

5. Canada
   • PIPEDA S.C. 2000, c. 5
   • British Columbia – FOIPA RSBC 1996, Ch.165

6. European Union
   • Data Protection Directive 95/46/EC

7. Insurance
   • Best practices required for cyber coverage

Page 25: Technology Security & Ethics for Idaho Lawyers

HOW TO THINK ABOUT CONFIDENTIALITY?

RULE 1.6 - CONFIDENTIALITY

1. Client Requirements Trump the Rule
   • Extra security measures.
   • Waiver.

2. Workflows
   • Client engagement.
   • Document execution.
   • Data discovery.
   • Trial preparation.

3. Where You Work
   • Home / Office / Vacation home.

4. Think About Who You Work With

Page 26: Technology Security & Ethics for Idaho Lawyers

EXAMPLE: DOCUMENT MANAGEMENT

RULE 1.6 - CONFIDENTIALITY

[Chart: document management options (local server storage, flash drive storage, storage providers, remote access) placed on two axes, HARD TO USE to EASY TO USE and LESS SECURE to MORE SECURE.]

Page 27: Technology Security & Ethics for Idaho Lawyers

SUPERVISION OF NON-LAWYERS OUTSIDE THE FIRM

RULE 5.3

Nonlawyers Outside the Firm

When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law).

. . . reasonable efforts . . .

. . . the education, experience and reputation of the nonlawyer

. . . the nature of the services involved

. . . the terms of any arrangements concerning the protection of client information

. . . the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.

Page 33: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 1:

NEXT STEPS

Define accountability and “reasonable steps” for you and your firm.

What is your firm doing to manage this topic?

Page 34: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 2

NEXT STEPS

Client / Vendor Engagement & Management.

You set the terms with the client, your staff and your vendors.

Page 35: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 3

NEXT STEPS

Get mobile right…or at least not wrong.

• Make sure your mobile device is secure.
  • Strong login password / PIN.
  • Secure key apps.
  • As needed, encrypt data on your mobile device.

• Use a secure password management tool like Dashlane or LastPass.

• Use a secure document storage tool like Box.com when accessing mobile documents.

• Know how to “find your phone” and “remote wipe” your device if lost.

Page 36: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 3: Mobile Management

NEXT STEPS

[Figure with two panels labelled: Professional, Consumer]

Page 37: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 4

NEXT STEPS

Assess Insurance Coverage.

• Examine your current professional liability policies and understand any “exceptions” or specific adherence needed related to cybersecurity.
• Consider purchasing a specific policy for cybersecurity.

Page 38: Technology Security & Ethics for Idaho Lawyers

ACTION ITEM 5

NEXT STEPS

Manage Your Own Behavior

• Own this topic. Even delegation or the presence of in-house IT doesn’t remove your personal responsibility. You don’t have to know all the details, but you are ultimately responsible for yourself.

• Make it a continued conversation. Institutionalize the know-how and the need for vigilance.

• Don’t be freaked out about security.
  • Use common sense. Ignorance isn’t an excuse.
  • Don’t allow it to hold you and your team hostage.
  • Most of the mania related to security is derived from tech marketing companies and 24/7 news cycles.

Page 40: Technology Security & Ethics for Idaho Lawyers

Questions & Next Steps

GARY ALLEN
[email protected]

208-388-1257

[email protected]

JONATHON FISHMAN

1. A copy of the slide deck and audio.
2. Access CLE submission form on our website.
   • http://www.leanlaw.co/CLE-AttendanceForm/
3. Free LeanLaw Small Practice Security Assessment.