Monthly Archives: November 2014

Ethical Compliance and Cloud Services for Law Firms


Chances are, if you haven’t heard of the cloud, your head is probably in it! Today, cloud computing is becoming an essential element of personal and professional technology use. Our smartphones and computers alike are increasingly synchronized with cloud backup systems. From solo attorneys to big-box law firms, many are embracing cloud-based applications and backup options as a way of doing business. Here, we’ll discuss ethical compliance and cloud services for law firms.

You should be aware that there are different platforms of cloud computing. Specifically, cloud computing is characterized as “large groups of remote servers networked to allow centralized data storage and online access to computer services or resources.”[1] The two main components of cloud-based services boil down to data storage and applications that run locally but are processed in the cloud. These are what those in the business refer to as Infrastructure as a Service (IaaS) and Software as a Service (SaaS), respectively. The history of cloud computing dates back to 1969, but “since the internet only started to offer significant bandwidth in the nineties, cloud computing for the masses has been something of a late developer.”[2] The concept gained industry notoriety in 2006 when Amazon first developed its Elastic Compute Cloud (EC2) model as the first commercial internet service allowing small businesses and individuals alike the ability to rent computers to run their own computer applications.[3]

Cloud Computing for Law Firms

For the most part, cloud-based application services offered to solo and small firms fall in the SaaS category.[4] Think of Clio, Rocket Matter, My Case, and Amicus cloud-based case management platforms. However, many law firms and solos alike who don’t use SaaS-based platforms have begun to use IaaS-based platforms whether they know it or not. For instance, most iPhone users use iCloud to back up their devices even if not specifically intending to do so. Oftentimes, when setting up a newly purchased iDevice, the setup steps require iTunes log-in information. By providing it, iUsers inadvertently agree to have their digital content backed up to Apple’s cloud-based storage. Don’t get me wrong, having a backup of your device’s content can be a godsend if your device is lost or stolen. However, if you’re a lawyer who receives client-related email or text messages on your phone, you just put confidential client information in a medium you are neither aware of nor have control over.

Ethics Rules Possibly Affected by Cloud Computing

Under Rule 1.1 of the Model Rules of Professional Conduct, the duty to “provide competent representation to a client” includes the duty to comprehend the cloud-based technology services being used, along with the duty to obtain client consent and, in some cases, the duty to counsel the client with regard to the use of cloud services in connection with the representation.[5] Many state bar ethics committees have released opinions which generally permit attorneys to use “web-based storage services (like Google Docs and Dropbox) provided that the attorneys take reasonable steps to ensure their information is secure and not shared with third-parties.”[6] Given recent data breaches involving celebrity photos, cloud data security vulnerability is a very real possibility and deserves close attention. Moreover, if you aren’t even aware your client’s confidential information is being stored in the cloud, you certainly cannot claim to have taken reasonable steps to ensure their information is secure. To avoid any uncertainty, attorneys should be cognizant of what data is being backed up and where. Reasonable steps would include routinely monitoring End User License Agreements, ascertaining where cloud providers store data, and keeping abreast of their retention policies.

Under Rule 1.6, which includes an attorney’s duty to “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client,”[7] comes another set of cloud-related responsibilities. Though some disclosure is permitted under RPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted, these rules were designed to regulate traditional vendors such as storage facilities or copy services, but they are relevant to cloud computing as well.[8] Bottom line, cloud data storage is ethical so long as attorneys take “reasonable care to ensure the system is secure and the client confidentiality is maintained.”[9]

Under Rule 1.15, a lawyer has a duty to maintain and preserve client records and deliver them promptly upon request. This applies to digital records kept locally and to those maintained in the cloud, and it includes making sure those files aren’t lost, stolen, or destroyed. Presumably, by using cloud-based backup services, you’re more than likely exercising the requisite reasonable efforts to maintain and preserve client records. Delivering client records upon request may be a sticking point for lawyers who use cloud-based storage providers, as we’ll get into next.

Pursuant to Rule 1.16, a lawyer has the “duty, upon termination of representation, to promptly deliver all papers and property to which the client is entitled,” which includes the work of cloud service providers.[10] Simply put, you must give the client all their files back after representation. However, if the cloud provider now legally owns the client’s digital content you uploaded, you can be in ethical violation of this rule. For instance, Google Docs has a provision in its terms of service that states “when you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” To a layman it may appear that Google is seeking an ownership interest in the information you upload; however, such licensing rights allow Google the ability to store, transfer, and rewrite the data between multitudes of servers for backup purposes. To avoid RPC 1.16 pitfalls, I suggest understanding the terms of service between you and cloud providers.

Reasonable Precautions Attorneys Can Take to Ensure Client Info is Protected

There is a general consensus among ethics committees around the country that lawyers are ethically permitted to use cloud computing; however, it should be noted that certain cases involving HIPAA, GLBA or FCRA may have additional restrictions. Overall, the general requirement is that lawyers take “reasonable precautions to ensure client information is protected from disclosure.”[11] Furthermore, the opinions all generally conclude that attorneys will not be held as the guarantors of cloud-based services.[12] As the New York State Bar Association put it, “the applicable standard is reasonable care, not strict liability,” and it provided the following relevant guidelines attorneys should follow in exercising reasonable precautions.[13]

  1. Stay on top of emerging technologies to ensure client information is safeguarded.

  2. Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.

  3. Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.

  4. Review all contracts and terms of service to ensure they comply with all ethical requirements.

  5. Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.

  6. Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.

  7. Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.

  8. Protect against “end-user” vulnerabilities, such as the failure to use strong passwords or the use of unsecured Internet connections.

  9. Notify clients in the event of a significant data security breach.[14]

Conclusion

If ever unclear about a potential ethical dilemma involving client data or otherwise, simply pick up the phone and call your state bar for guidance. After all, it’s what you pay yearly membership fees for. For those who lack the time to scour end user license agreements, the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which binds users to unfair terms. Bottom line, if you can document that you’ve taken reasonable steps to safeguard your clients’ data, you should be fine.

 

[1] Cloud computing – Wikipedia, the free encyclopedia, http://en.wikipedia.org/wiki/Cloud_computing (last visited Nov 18, 2014).

[2] A history of cloud computing, http://www.computerweekly.com/feature/A-history-of-cloud-computing (last visited Nov 18, 2014).

[3] Id.

[4] New York City Bar Association – Ethics Overview – Ethics Panel, http://www.nycbar.org/ethics/ethics-overview (last visited Nov 18, 2014).

[5] Id.

[6] The Best Law Firm Case Management Software – An In-Depth Comparison, https://jurispage.com/2013/law-practice-management/the-best-law-firm-case-management-software-an-in-depth-comparison/ (last visited Nov 18, 2014).

[7] New York City Bar Association – Ethics Overview – Ethics Panel, supra note 4.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

Law Firm Information Rights Management & Electronic Signatures


Can my email signature be forged? How about using an electronic signature on legally recognized documents? Both issues were recently presented to me by our senior equity partner at the law firm. My answers, yes & yes, but let me explain. It boils down to understanding Information Rights Management (IRM) and meeting the statutory requirements for using a legally recognized electronic signature.

Issue #1 Information Rights Management

When it comes to preventing email signatures from being altered, copied, or forwarded without authorization, an IRM policy must be implemented. Assuming we’re using an email client such as Outlook 2010 or newer, additional third party Microsoft credentials are required. Here’s how it works.

Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. After permission for a message is restricted by using IRM, the access and usage restrictions are enforced regardless of where the message goes, because the permissions to access an email message are stored in the message file itself.

IRM is generally implemented at the server level using Microsoft Exchange software. Alternatively, IRM is hosted on Microsoft servers by Microsoft for free, but requires a Microsoft Live ID (@hotmail.com email) to use. In order to utilize IRM internally, for example, a law firm would need to do one of the following: (1) run its own Microsoft Exchange server and manage it in-house, or (2) use a new or existing Microsoft Live ID (@hotmail.com ID) in conjunction with the firm’s existing hosted email to take advantage of IRM hosted for free on Microsoft servers. Clearly the latter is the most cost effective; however, it would require several additional steps in sending an IRM-equipped email.


Issue #2 Using Electronic Signature

Here in Arizona, under Arizona Revised Statutes, an electronic signature is defined as an electronic process that is attached to or logically associated with a record that is executed or adopted by an individual with the intent to sign the record. A.R.S. § 44-7002.
Furthermore, a signature is considered secure if, through the application of a security procedure, at the time it was made it is: (1) unique to the person using it, (2) capable of verification, (3) under the sole control of the person using it, and (4) linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated. A.R.S. § 44-7003.

Generally speaking, an electronic signature can be any electronic means of indicating that a person adopts the contents of an electronic message. However, under A.R.S. § 44-7003, to qualify as a secure electronic signature, the operative requirement is element (4), the necessity to have one’s identity validated through a third-party security certificate service. Such services are seemingly analogous to credit reporting agencies, but solely for electronic identity. Currently, there are seven credentialing services customarily used throughout the industry: ARX CoSign, Avoco secure2trust, ChosenSecurity, Comodo, GlobalSign, My Credential, and VeriSign.
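The record-linkage property in the definition above (a change to the record invalidates the signature) is what a digital signature provides. The following is an added example, not code from the original post or from any of the services named: it uses a Lamport one-time signature built only on SHA-256 as a stand-in for the RSA or ECDSA keys a commercial digital ID would carry, it does not model the third-party certificate step, and all function names and the sample record are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # one secret pair per bit of the SHA-256 digest of the record


def _h(data):
    return hashlib.sha256(data).digest()


def _digest_bits(record):
    """Return the SHA-256 digest of the record as a list of 256 bits."""
    d = _h(record)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def generate_keypair():
    """Private key: 256 pairs of random secrets, held only by the signer.
    Public key: the hashes of those secrets, given to anyone who verifies."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(BITS)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public


def sign(private, record):
    """Reveal one secret per digest bit. A Lamport key must sign only ONE
    record; signing a second record with it leaks enough to allow forgery."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(record))]


def verify(public, record, signature):
    """Check every revealed secret against the public hash selected by the
    record's own digest, so any change to the record breaks the match."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(record)):
        ok &= secrets.compare_digest(_h(signature[i]), public[i][bit])
    return ok


def demo():
    signer_private, signer_public = generate_keypair()
    _, other_public = generate_keypair()  # a different person's public key
    # Constructed sample records: the second differs by one character.
    record = b"Engagement letter: flat fee of $5,000."
    altered = b"Engagement letter: flat fee of $50,000."
    signature = sign(signer_private, record)
    return {
        "original_verifies": verify(signer_public, record, signature),
        "altered_verifies": verify(signer_public, altered, signature),
        "wrong_signer_verifies": verify(other_public, record, signature),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the unmodified record checked against the signer's own public key verifies; a typed name or a pasted signature image has no such binding to the record's contents.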

If your firm decides to implement a secure electronic signature digital ID, it is recommended you use a platform you may already be using. For instance, at our firm, we use Norton for anti-virus protection. It just so happens Norton is who issues VeriSign electronic signatures. A yearly subscription is required; however, with a digital ID, a possessor would not only be able to securely sign electronic documents, but also send digitally signed emails, each of which, in and of itself, constitutes a secure verified document. The process is fairly simple; a YouTube video explaining the process can be viewed here.

Conclusion

In conclusion, to protect email signatures from alteration, unauthorized copying and forwarding, a law firm has the option to implement Microsoft IRM services through the use of Microsoft Live ID accounts in lieu of costly in-house Exchange server management. Furthermore, secure electronic signatures pursuant to A.R.S. § 44-7031 can be achieved through the use of digital IDs validated through third-party security certificate services.

 

Understanding Civil Forfeiture Laws


Has your personal property been naughty lately? If so, it could be sued by federal, state, and municipal governments, resulting in a good ole bona fide Fourth Amendment seizure. Also known as civil forfeiture, the practice has been around for decades. Although once generally limited to suspected drug dealers, with increasing bureaucratic budget shortfalls, it’s becoming widely used by government agencies as a source of department revenue across the nation.

Civil Forfeiture on the Federal Level

Civil forfeiture is codified on the federal level by 18 U.S.C. § 981 (paralleling 18 U.S.C. § 982) and 21 U.S.C. § 881.[1] Essentially, the government initiates civil actions against the property itself, not the owner, to remedy a harm, through the fiction of the property’s “guilt.”[2] The result: if your property has been naughty – i.e., involved in or an instrumentality to a crime – it may be seized by the government without its owner (you) ever being charged or convicted of a crime. With regard to the guilt or lack thereof of the property’s owner, the Supreme Court ruled that Due Process does not require pre-seizure notice or hearing, and that the innocence of the owner is not a general defense.[3] What’s worse, state and local governments have since jumped on the bandwagon, implementing their own form of civil forfeiture laws punishing naughty property by seizing it, selling it for 100% profit, and then incorporating the funds into their general operating budget.


Civil Forfeiture on State and Local Levels

Originally the law was designed to give the federal government the authority to seize drug kingpin property used in illegal drug trafficking. For instance, if a drug trafficker was using his private plane or boat to transport narcotics, under the RICO, Criminal and Drug Forfeiture Acts, the Feds could legally confiscate those items in order to prevent further trafficking. Recently, however, state and local level civil forfeiture laws have given local police departments the authority to forfeit personal items such as jewelry, cash, homes and essentially anything else that can be sold. As noted, though the property owners are never charged, local & state agencies can bring action against the item itself, leading to nonsensical forfeiture case names such as State of Texas vs. One Gold Crucifix or South Dakota v. Fifteen Impounded Cats.[4]

Here, in State of Texas vs. One Gold Crucifix, the “police confiscated a simple gold cross that a woman wore around her neck after pulling her over for a minor traffic violation.”[5] Since the defendant in civil forfeiture cases is the property itself, the rights of the owner have no bearing on the outcome. As a result, many individuals whose property is confiscated simply choose not to fight due to the high costs of legal fees.

Further, one jurisdiction in particular, Philadelphia, PA, engages in the most notorious and aggressive civil forfeiture tactics in the country. Specifically, in a recent case involving a couple whose son was caught selling $40 worth of narcotics outside their family home, Philadelphia authorities sought to confiscate the couple’s entire home, sell it at auction, then retain the profits. As a result, The Institute for Justice has taken on the couple’s case, and those of others similarly situated, filing a class action lawsuit seeking an injunction against the City of Philadelphia to halt what it refers to as “violations of rights guaranteed by the Due Process Clause of the Fourteenth Amendment.”

Defenses to Civil Forfeitures

As noted, unless provided by statute, the innocence of the owner is generally not a defense to a civil forfeiture. Even where statutory defenses are available, they are narrowly construed by the courts. [6] For example, “courts may apply an objective standard to determine if the owner should have had knowledge of the property’s illegal use, rather than require proof of actual knowledge.”[7]

In certain situations, owners may be able to argue that if no crime occurred, the government lacks probable cause, “or that the property is not closely enough connected to the crime to be considered an instrumentality or proceeds.”[8] Even where the government is required to return the property seized, it is not liable for any further damages resulting from its confiscation, nor any interest ordinarily accrued on actual forfeited funds.

Proposed changes

On the national level there has been chatter on reforming federal civil forfeiture statutes; however, not much has been done. There is bi-partisan support for the Civil Asset Forfeiture Reform Act proposed by Tim Walberg (R-Mich); however, it faces an uphill battle in the Judiciary Committee.

Currently, North Carolina is the only state in the country that prohibits civil forfeiture unless the owner of the property has been convicted of a crime. A state lawmaker in Virginia, Delegate Mark Cole, is proposing legislation in the 2015 general assembly to curtail current civil forfeiture statutes.[9] Hopefully other lawmakers will catch on as this little-known, seemingly secret process is being brought to light.


Conclusion

If your property has been naughty or even has the inclination of naughtiness, have a sit-down with it and explain the ramifications of its behavior. If that sounds ludicrous, so does the government’s rationale for seizing it! My theory is that since this practice was primarily directed at inner-city “drug dealers,” many Americans simply didn’t care. Once its pervasiveness started sprawling into suburban America, it became a problem that needs reform. It’ll be interesting to see how much government the limited government folks will tolerate once their loved ones and neighbors are affected.

 

 

[1] Forfeiture | Wex Legal Dictionary / Encyclopedia | LII / Legal Information Institute, http://www.law.cornell.edu/wex/forfeiture (last visited Nov 6, 2014).

[2] Id.

[3] Calero Toledo v. Pearson Yacht Leasing Co., 416 U.S. 663 (1974).

[4] Civil forfeiture perverts justice – Technician: Opinion, http://www.technicianonline.com/opinion/article_f07018ae-5a60-11e4-a320-0017a43b2370.html (last visited Nov 6, 2014).

[5] Id.

[6] Forfeiture | Wex Legal Dictionary / Encyclopedia | LII / Legal Information Institute, supra note 1.

[7] Id.

[8] Id.

[9] State lawmaker targets civil forfeiture | Alexandria Times, http://alextimes.com/2014/10/state-lawmaker-targets-civil-forfeiture/ (last visited Nov 6, 2014).