A Discussion of ETHICS AND TECHNOLOGY
MAY 7, 2015
MANAGEMENT TEAM
GARY ALLEN: FOUNDER / CEO - ATTORNEY
• 25+ year practicing attorney.
• Idaho native.
• Always wanted better software and technology services for attorneys.
JONATHON FISHMAN: FOUNDER / CHIEF SERVICE OFFICER
• 25 years of tech experience.
• 15 years of small business technical consulting.
• Passionate about creating trusted relationships with clients.
HELPING THE LEGAL COMMUNITY PRACTICE LEAN
ABOUT US
SOFTWARE
• Cloud-based
• Easy-to-use
• Low cost
• In your workflow
CONCIERGE SERVICE
• User focused
• Trusted relationships
• Empowers change
LEAN METHODOLOGIES + TECH BEST PRACTICES = ETHICS COMPLIANCE
YOUR MOTIVATION
FOCUS ON PRACTICING LAW
· Time Efficiencies
· Cost Savings
· Data Security
· Peace of Mind
OVERVIEW
PART 1: What is safe and what isn’t?
PART 2: What Are the Rules?
PART 3: Action Items… the things you can do today.
LEANLAW PERSPECTIVE
CYBERSECURITY IS NECESSARY.
1. Ethical Reasons. It matters to your clients.
2. Business Motivations. It matters to your practice.
3. This is a board room discussion! It isn’t about anti-virus and firewalls or some other tool. It is about how you run and operate your practice.
4. It needs to carry the same importance as you would apply to accounting or new business development.
THE CLOUD IS THE SAFEST PLACE TO STORE YOUR DATA!
LET’S LOOK AT PHYSICAL STORAGE
HERE’S WHAT CLOUD STORAGE LOOKS LIKE
THE CLOUD IS SAFE AND HERE IS WHY
1. Cloud companies have a culture of security.
2. Cloud companies will always outperform your IT best practices.
 · Better server architecture.
 · Better security and IT best practices.
 · More know-how.
 · They have a built-in incentive not to mess this up and always get better.
3. The cloud architecture is built to be secure, with less user control and management and data transferred via secure APIs.
4. Newer authentication and infrastructure models.
CHANGES TO IRPC REGARDING TECHNOLOGY
THE RULES
· Rule 1.1 – Competency
· Rule 1.6 – Confidentiality
· Rule 5.3 – Supervision of Nonlawyers Outside the Firm
COMPLIANCE DETERMINED AFTER SOMETHING BAD HAS HAPPENED
This is true both if you use technology, e.g. your DropBox account is hacked
Or if you do not, e.g. you fail to check your e-mail and miss an important message
RULE 1.1 - COMPETENCE
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Comment ... Maintaining Competence
[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
…keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology,
SO, WHAT DOES THIS MEAN TO YOU?
RULE 1.1 - COMPETENCE
• Take ownership of the topic.
 • You or a delegate must make it a part of their job to understand the technology used within your firm’s practice.
 • Think workflows such as email or document management.
• Align yourself with someone in the know.
 • An IT firm or tech-savvy lawyer. You need a go-to person or company.
 • ABA Tech section: http://www.americanbar.org/groups/departments_offices/legal_technology_resources.html
• Make sure your technology is documented.
CYBERSECURITY CONCEPTS YOU SHOULD KNOW
1. Physical and Environmental Controls.
 · Who has access to where the data is stored? How is this managed?
2. Least Privilege.
 · Limit data access to only those for whom it is essential to their work.
 · Think Snowden.
3. Encryption at Rest and in Transit.
 · Is the data so critical that it should stay in an encrypted state even when stored in your local environment? (Encryption at rest)
4. User Access Control and Logs.
 · Ensure you have a process in place to know who touched the data, where and when.
 · Is there a company policy or at least a known best practice?
RULE 1.6 - CONFIDENTIALITY
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Comment ... Acting Competently to Preserve Confidentiality
[16] …The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). . . .
The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
…sensitivity of the information
…the likelihood of disclosure if additional safeguards are not employed
…the cost of employing additional safeguards
…the difficulty of implementing the safeguards
…the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)
RULE 1.6 - CONFIDENTIALITY
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Comment ...
Acting Competently to Preserve Confidentiality
[16] …A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.
…A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.
RULE 1.6 - CONFIDENTIALITY
[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
RULE 1.6 – STATE AND FEDERAL RULES THAT GOVERN DATA PRIVACY
1. Health Care
 • HIPAA 45 CFR Part 160, Part 164 (Subparts A & E)
 • Administrative Safeguards.
 • Physical Safeguards.
 • Technical Safeguards.
2. Banking/Consumer Finance
 • Fair Credit Reporting Act, 15 USC 1681 et seq.
 • Gramm-Leach-Bliley - 15 USC 6802.
 • FTC 16 CFR Part 313.
 • SEC 17 CFR Part 248.
3. California Online Privacy Act of 2003
 • Cal. Bus. & Prof. Code §§ 22575-22579.
4. Massachusetts 940 CMR 27
5. Canada
 • PIPEDA S.C. 2000, c. 5
 • British Columbia – FOIPA RSBC 1996, Ch.165
6. European Union
 • Data Protection Directive 95/46/EC
7. Insurance
 • Best practices required for cyber coverage
HOW TO THINK ABOUT CONFIDENTIALITY?
RULE 1.6 - CONFIDENTIALITY
1. Client Requirements Trump the Rule
 • Extra security measures.
 • Waiver.
2. Workflows
 • Client engagement.
 • Document execution.
 • Data discovery.
 • Trial preparation.
3. Where You Work
 • Home / Office / Vacation home.
4. Think About Who You Work With
EXAMPLE: DOCUMENT MANAGEMENT
RULE 1.6 - CONFIDENTIALITY
[Chart: storage options placed on two axes, HARD TO USE to EASY TO USE and LESS SECURE to MORE SECURE. Options shown: LOCAL SERVER STORAGE, FLASH DRIVE STORAGE, STORAGE PROVIDERS, REMOTE ACCESS.]
SUPERVISION OF NON-LAWYERS OUTSIDE THE FIRM
RULE 5.3
Nonlawyers Outside the Firm
When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law).
. . . reasonable efforts . . .
. . . the education, experience and reputation of the nonlawyer
. . . the nature of the services involved
. . . the terms of any arrangements concerning the protection of client information
. . . the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
SUPERVISION OF NON-LAWYERS OUTSIDE THE FIRM
RULE 5.3
• Expert Witnesses/eDiscovery Vendors
• Confidentiality agreements
• Some understanding of practices
• Opinions on cloud computing: http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html#OR
ACTION ITEM 1:
NEXT STEPS
Define accountability and “reasonable steps” for you and your firm.
What is your firm doing to manage this topic?
ACTION ITEM 2
NEXT STEPS
Client / Vendor Engagement & Management.
You set the terms with the client, your staff and your vendors.
ACTION ITEM 3
NEXT STEPS
Get mobile right…or at least not wrong.
• Make sure your mobile device is secure.
 • Strong login password / PIN.
 • Secure key apps.
 • As needed, encrypt data on your mobile device.
• Use a secure password management tool like Dashlane or LastPass.
• Use a secure document storage tool like Box.com when accessing mobile documents.
• Know how to “find your phone” and “remote wipe” your device if lost.
ACTION ITEM 3: Mobile Management
NEXT STEPS
Professional Consumer
ACTION ITEM 4
NEXT STEPS
Assess Insurance Coverage.
• Examine your current professional liability policies and understand any “exceptions” or specific adherence needed related to cybersecurity.
• Consider purchasing a specific policy for cybersecurity.
ACTION ITEM 5
NEXT STEPS
Manage Your Own Behavior
• Own this topic. Even delegation or the presence of in-house IT doesn’t rid you of your personal responsibility. You don’t have to know all the details, but you are ultimately responsible for yourself.
• Make it a continued conversation. Institutionalize the know-how and the need for vigilance.
• Don’t be freaked out about security.
 • Use common sense. Ignorance isn’t an excuse.
 • Don’t allow it to hold you and your team hostage.
 • Most of the mania related to security is derived from tech marketing companies and 24/7 news cycles.
LEAN METHODOLOGIES + TECH BEST PRACTICES = ETHICS COMPLIANCE
YOUR MOTIVATION
FOCUS ON PRACTICING LAW
· Time Efficiencies
· Cost Savings
· Data Security
· Peace of Mind
Questions & Next Steps
GARY [email protected]
208-388-1257
JONATHON FISHMAN
1. A copy of the slide deck and audio.
2. Access CLE submission form on our website.
 • http://www.leanlaw.co/CLE-AttendanceForm/
3. Free LeanLaw Small Practice Security Assessment.