Category Archives: Ethical Compliance

Data Network Security Breaches and Notification Laws

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws

Ever gotten a notice in the mail that read, something to the effect of, “by law, we’re required to inform you that since our infrastructure passwords were extremely weak, such as “password” and “123456,” a data breach has occurred and your personal information may or may not be in the hands of Russian hackers for sale somewhere in the deep web?”

Well, maybe not that forthcoming, but you know what I’m talking about. When it comes to data network security breaches, there are laws which specifically require an organization to disclose to its customers whenever there has been such a data breach. These laws go  far beyond the ubiquitous Health Insurance Portability and Accountability Act, better known as HIPPA.

For instance, here in Arizona, under Revised Statute § 44-7501, (Conditionally Rpld.) it requires a person that conducts business in this state who becomes aware of a data breach shall conduct a reasonable investigation and after determining a breach in the security system shall notify all individuals affected.[1] Simply put, organizations are required, by law, to disclose the breach, make remedies to resolve it, and can be held responsible for any damages thereof.

Oftentimes, these data network security breaches and subsequent notifications will be accompanied with a free offer for credit monitoring. As a consumer, you should absolutely take it, if you aren’t’ already monitoring your credit through some other third party.

First and foremost, if you discover a data network security breach within your firm, promptly notify your clients and provide measures to protect their interests. More importantly, as an organization, there are several steps you can take to avoid such data network security breaches. Some are as simple as requiring strong password policy. Others include keeping your data stored in a secured, locked environment with very restricted access.

Password Policies

As both an end-user and as an administrator, I know how frustrating complex password policies can be. Yes it’s pain to have a password that must contain 1 uppercase letter, 1 lowercase letter, 1 symbol, 1 number, that cannot be anything you’ve ever used before and cannot have successive numerical values. However, that complexity exists for a reason. Hackers are well aware of the most commonly used password, such as “123456” followed by “password.”[2]

The folks at Microsoft recommend you “set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.”[3]

However, consequently, when employees are required to change passwords often, meet minimum complexity requirements, and not repeat a password for a minimum amount of time, they may begin to break the rules and start writing passwords down simply because they cannot remember passwords that change so often.[4] Bottom line, design a password policy that is secure but doesn’t comprise functionality.

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws

End-User Training

Many folks within an organization, while balking at having to change passwords regularly, simply do not understand the reasons behind it or the risks they attempt to advert. To that end, it would be wise for your IT staff to train end-users on why and how to keep their passwords unique and safe. Once employees discover their organization can be levied a hefty fine which may result in cutbacks as a consequence thereof, I’m sure the loudest of the balkers will begin to change their tune.

End-user training can be as simple as memo sent to employees requiring  them to read, sign, and return to management. Alternatively, a once a year run-down presented by IT staff during a mandatory meeting should suffice for larger organizations.

Restricting Access

Your organizations most sensitive client data should be restricted to a need-to-know basis. If there is no need for the receptionist to access client information, then by all means create a security clearance group policy that only allows access to sensitive drives to those who truly require it.

Is your server room open to anyone at the firm? If so, quite frankly, you’re doing it wrong! I don’t care if there are 2 people in your firm, if one doesn’t need access to drives containing sensitive data, then by all means keep that access restricted. Unfortunately, many organizations have the “it’ll never happen to us” mentality that ultimately comes back to bite them in the end. Remember Target? Ever heard of the Panama papers?

Data Network Security Breaches and Notification Laws
Data Network Security Breaches and Notification Laws

Conclusion

Data security is your responsibility. Be not only aware of the legal obligations for your firm’s clients, but for anyone who does business with your organization. Develop corresponding IT policies and procedures to avoid liability that can possibly be the death knell of your organization.

[1] Arizona Revised Statutes, , http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS (last visited May 16, 2016).

[2] The 25 Most Popular Passwords of 2015: We’re All Such Idiots, , http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 (last visited May 16, 2016).

[3] Creating a Strong Password Policy: Logon and Authentication, , https://technet.microsoft.com/en-us/library/cc736605%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396 (last visited May 16, 2016).

[4] Password Policy, , http://www.comptechdoc.org/independent/security/policies/password-policy.html (last visited May 16, 2016).

Windows 10 vs. Rule 1.6

2015-05-13_02-07-12
Is Windows 10 Ethically Compliant?

Is Windows 10 MRPC Compatible?

Apparently, from the feedback I’m getting, Microsoft® finally got it right with Windows 10! As a legal technology professional I have been inundated with inquiries from attorneys on whether Windows 10 is worth the upgrade (even though it’s free), and if they should think about making the switch. My response has consistently been to wait.

First, like any new product I always suggest letting the manufacturer work out the kinks before jumping aboard. Similarly, like purchasing a new model year car, you never really want the first batch rolling off the assembly line. That said, after digging further under the hood, it appears there are other potential pitfalls with Windows 10 that could specifically leave attorneys on the wrong side of the rules of professional conduct!

EULA

What Windows 10 End User License Agreement Says

Apparently, Microsoft is following the footsteps of other “Big Data” mining companies and has gotten creative in their user terms and conditions. How creative you ask, well apparently creative enough to give Microsoft ingress to virtually any and all data you may have or had access to while using their operating system! This ingress gives Microsoft permission to track your location, activities, browser history, and more importantly, READ YOUR EMAILS! Further, there does not appear to be a way for less sophisticated users to disable these settings. This is why it’s so important to be aware of what’s in that End User License Agreement.

Moreover, as pointed out by Daily Kos, Microsoft’s privacy policy specifically states the following:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

  1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

  2. protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

  3. operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

  4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.[1]

Model-Rules-of-Professional-Conduct

What the Model Rules of Professional Conduct Say

Generally, under Model Rules of Professional Conduct (MRPC) Rule 1.6, a lawyer is prohibited from revealing any information related to the representation of a client. Either voluntarily or involuntarily, unless informed consent is given by his/her client.[2] Recently, the New York State Bar specifically addressed this very conceivable dilemma in its Opinion 782, which addressed inadvertent confidential data disclosures through email, opining in part that, “a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.”[3]

Though some disclosures are unavoidable, under MRPC 1.6, where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” is permitted, however an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to any form of data transmission. One could arguably say that since there is little control over the settings that control the data sharing in Windows 10, or since the data mining is customary a lawyer should be in the clear, right? Wrong. The model rules consistently say attorneys should take reasonable steps to protect a client’s data at all times. This includes everything from choosing to forgo using Windows 10 all together, to familiarizing yourself with ways to prevent data ingress.

What Can You Do About It?

By now, I’m sure you’re thinking, it’s probably just not worth using Window’s 10 if you want to remain MRPC 1.6 compliant. I would tend to agree, especially at this stage when little is known about the vastness of Microsoft’s data mining. However, for those who have already made the switch, there are some options. As Jacob Siegal noted, a simple program called “The Windows Club” allows users to tweak Windows 10 in order to disable some pervasive features such as user tracking, telemetry, and hiding your network from others.[4] Additionally, I would not recommend integrating the same email address used for client data with the operating systems if prompted. Simply put, keep your business email separate from Windows 10 operating system. Of course, if you use an email client such as Outlook, this may be unavoidable. However, I’m specifically referring to the prompt for your email address when initially setting up the operating system. Either avoid supplying an email address all together, or if unavoidable, use an email address not associated with clients. Alternatively, to completely protect your neck, consider weaving in the possibility of ostensible third party data disclosures through the use of operating systems or cloud based data into your fee agreement.

Conclusion

The bottom line, use caution when implementing a new operating system, and use your best judgment when integrating your firm’s email with your operating system. Even with Windows 8, Microsoft wanted to link your email address to your operating system. Personally, I use Outlook Web App (OWA) for sending/receiving email to avoid using native programs such as Outlook. With today’s web (cloud) based email, virtually all the functionality of an email client is built right in. Of course, Ethical Compliance and Cloud Services for Law Firms is a whole other issue, but this generally means that one has taken reasonable steps to protect client data from being shared. This is really all you can do in order to be MRPC Rule 1.6 compliant.

[1] Windows 10 comes with built-in spyware. If your work requires confidentiality, DO NOT INSTALL., , http://www.dailykos.com/story/2015/08/02/1408113/-Windows-10-comes-with-built-in-spyware-If-your-work-requires-confidentiality-DO-NOT-INSTALL (last visited Aug 31, 2015).

[2] New York City Bar Association – Ethics Overview – Ethics Panel, , http://www.nycbar.org/ethics/ethics-overview (last visited Nov 18, 2014).

[3] Id.

[4] Windows 10: Modify your OS with Ultimate Windows Tweaker 4 | BGR, , http://bgr.com/2015/08/28/windows-10-ultimate-tweaks-download/ (last visited Aug 31, 2015).

Ethical Compliance and Cloud Services for Law Firms

Ethical Compliance and Cloud Services for Law Firms
Photo courtesy of LegalInk Magazine

Chances are, if you haven’t heard of the cloud, your head is probably in it! Today, cloud computing is becoming an essential element of personal and professional technology use. From our smartphones to our computers, both are increasingly becoming synchronized with cloud backup systems. From solo attorneys to big-box law firms, many are embracing cloud-based applications and backup options as a way of doing business. Here, we’ll discuss ethical compliance and cloud services for law firms.

You should be aware there are different platforms of cloud computing. Specifically, cloud computing is characterized as “large groups of remote servers networked to allow centralized data storage and online access to computer services or resources.”[1] The two main components of cloud based services boil down to data storage and applications that run locally but are processed in the cloud. It’s what those in the business refer to as Infrastructure as a Service (IaaS) and Software as a Service (SaaS)respectively . The history of cloud computing dates back to 1969 but “since the internet only started to offer significant bandwidth in the nineties, cloud computing for the masses has been something of a late developer.”[2] The concept gained industry notoriety in 2006 when Amazon first developed its Elastic Compute Cloud (EC2) model as the first commercial internet service allowing small businesses and individuals alike the ability to rent computers to run their own computer applications.[3]

Cloud Computing for Law Firms

For the most part, most cloud based application services offered to solo and small firms fall in the SaaS category. [4] Think of Clio, Rocket Matter, My Case, and Amicus cloud based case management platforms. However, many law firms and solo’s alike who don’t use SaaS based platforms have begun to use IaaS based platforms whether they know it or not. For instance, most iPhone users use iCloud to back up their devices even if not specifically intending to do so. Often times, when setting up a newly purchased iDevice, the setup steps require an iTunes log-in info. By doing so, iUsers inadvertently agree to have their digital content backed-up to Apples Cloud based storage. Don’t get me wrong, having a backup of your device’s content can be a Godsend if your device is lost or stolen. However, if you’re a lawyer who receives client related email or text messages on your phone, you just put confidential client information in a medium you neither are aware of, nor have control over.

Ethics Rules Possibly Affected by Cloud Computing

Under rule 1.1 of the Model Rules of Professional Conduct, the duty to “provide competent representation to a client” includes the duty to comprehend the cloud based technology services being used along with the duty to obtain client consent, and some cases the duty to counsel the client with regards to the use of cloud services in connection to representation. [5] Many states bar ethics committees have released opinions which generally permit attorneys to use “web-based storage services (like Google Docs and Dropbox) provided that the attorneys take reasonable steps to ensure their information is secure and not shared with third-parties.”[6] Given recent data breaches involving celebrity photos, cloud data security vulnerability is a very real possibility and should be paid close attention to. Moreover, if you aren’t even aware your client’s confidential information is being stored in the cloud, you certainly cannot claim to have taken reasonable steps to ensure their information is secure. To avoid any uncertainty, attorneys should be cognizant of what data is being backed up and where. Reasonable steps would include; routinely monitoring End User License Agreements, ascertaining where cloud providers store data, and keeping abreast of their retention policies.

Under, Rule 1.6, which includes an attorney’s duty to “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client, comes another set of cloud related responsibility. “[7] Though some disclosure is permitted under RPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to cloud computing as well.[8] Bottom line, cloud data storage is ethical so long as attorneys take “reasonable care to ensure the system is secure and the client confidentiality is maintained.”[9]

Under Rule 1.15, a lawyer has a duty to maintain and preserve client records and deliver them promptly upon request. Consequently, this applies to digital records kept locally and those maintained in the cloud, and making sure those files aren’t lost, stolen, or destroyed. Presumably, by using cloud-based backup services, you’re more than likely exercising the requisite reasonable efforts to maintain and preserve client records. Delivering client records upon request may be a sticking point for lawyers who use cloud based storage providers as we’ll get into next.

Pursuant to Rule 1.16, a lawyer has the “duty, upon termination of representation, to promptly deliver all papers and property to which the client is entitled,” which includes the work of cloud service providers.[10] Simply put, you must give the client all their files back after representation. However, if the cloud provider now legally owns the client’s digital content you uploaded, you can be in ethical violation of this rule. For instance, Google docs has a provision in their terms of service that states “when you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” To a layman it may appear that Google is seeking an ownership interest in the information you upload, however such licensing rights allow Google the ability store, transfer, and rewrite the data between multitudes of servers for backup purposes. To avoid RPC 1.16 pitfalls, I suggest understanding the terms of service between you and cloud providers.

Reasonable Precautions Attorneys Can Take to Ensure Client Info is Protected

There is a general consensus among ethic committees around the country that lawyers are ethically permitted to use cloud computing, however it should be noted that certain cases involving HIPAA, GLBA or FRCA may have additional restrictions. Overall, the general requirement is that lawyers take “reasonable precautions to ensure client information is protected from disclosure.”[11] Furthermore, the opinions all generally summate that attorneys will not be held as the guarantors of cloud based services. [12] As the New York State Bar Association put it, “the applicable standard is reasonable care, not strict liability,” and provided the following relevant guidelines attorneys should follow in exercising reasonable precautions. [13]

  1. Stay on top of emerging technologies to ensure client information is safeguarded.

  2. Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.

  3. Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.

  4. Review all contracts and terms of service to ensure they comply with all ethical requirements.

  5. Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.

  6. Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.

  7. Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.

  8. Protect against “end -user” vulnerabilities, such as the failure to use strong passwords or the use of unsecured Internet connections.

  9. Notify clients in the event of a significant data security breach.[14]

Conclusion

If ever unclear about a potential ethical dilemma involving client data or otherwise, simply pick up the phone and call your state bar for guidance. After all, it’s what you pay yearly membership fees for. For those who lack the time to scour end user license agreements the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which unfairly binds users to unfair terms. Bottom line, if you can document that you’ve taken reasonable steps to safeguard your clients data you should be fine.

 

[1] Cloud computing – Wikipedia, the free encyclopedia, , http://en.wikipedia.org/wiki/Cloud_computing (last visited Nov 18, 2014).

[2] A history of cloud computing, , http://www.computerweekly.com/feature/A-history-of-cloud-computing (last visited Nov 18, 2014).

[3] Id.

[4] New York City Bar Association – Ethics Overview – Ethics Panel, , http://www.nycbar.org/ethics/ethics-overview (last visited Nov 18, 2014).

[5] Id.

[6] The Best Law Firm Case Management Software – An In-Depth Comparison, , https://jurispage.com/2013/law-practice-management/the-best-law-firm-case-management-software-an-in-depth-comparison/ (last visited Nov 18, 2014).

[7] New York City Bar Association – Ethics Overview – Ethics Panel, supra note4.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.