SlideShare una empresa de Scribd logo
1 de 96
Descargar para leer sin conexión
Cloud 9 Talks Professionalism
and Ethics in the Virtual World
OCBA Professionalism and Technology
Committees
February 13, 2014 •11:30 a.m. - 3:50 p.m.
Program Faculty:
Daniel D. Whitehouse · Joan Bullock · Patti
Savitz · Nancy Stuparich · C. Todd Smith ·
Ryan Colbert · Mark Miller · Michael Kest ·
Tom Young

Lunch sponsored by:
Agenda (Destination: Cloud 9)
• 11:30 p.m. - 12:00 p.m. Registration and Lunch
• 12:00 p.m. - 12:10 p.m. Introductions
• 12:10 p.m. - 1:00 p.m. Tech Overview and Fl. Ethics Opinion 12-3
– Decide to get away (i.e., change the way we conduct business)

• 1:00 p.m. – 1:50 p.m. Comparing and Contrasting
–

Make our itinerary (the tools of the trade)

• 1:50 p.m. – 2:00 p.m. BREAK
• 2:00 p.m. - 2:50 p.m. Best Practices and Gotchas
– Avoid the geese during takeoff (traps for the unwary)

• 3:00 p.m. - 3:50 p.m. Panel Discussion
– Speak with friends who have returned safely (the panel)

• Enjoy the endeavor!
Introductions
• C. Todd Smith
• Daniel D. Whitehouse
• Tom Young
To be introduced later:
• Joan Bullock
• Ryan Colbert
• Mark Miller
• Patti Savitz
• Nancy Stuparich
So Why Can’t We?
Ethical Concerns:
• Connectivity alternatives
• Data Centers: owned or rented; security; physical location and governing laws
• Vendor’s ability and policies to assure confidentiality and security
• Unclear policies about data ownership
• Policies for data breach notice
• Assurance of data destruction upon termination
• Vendor’s process for complying with litigation hold
• Failure to adequately back up data; location of backups
• Encryption: in transit, during storage, controlled access, verification of data integrity
• Vendor bankruptcy
• What happens for nonpayment for services
• Disgruntled/dishonest insiders
• Hackers
• Server crashes, technical failures, uptime guarantee. and damages
• Viruses
• Data corruption or destruction
• Business interruption
• Absolute loss
•Change of cloud providers
• Exit Strategy


“Informed consent” denotes the agreement by
a person to a proposed course of conduct
after the lawyer has communicated adequate
information and explanation about the
material risks of and reasonably available
alternatives to the proposed course of
conduct.


“The communication necessary to obtain such
consent will vary according to the rule involved and
the circumstances giving rise to the need to obtain
informed consent. The lawyer must make reasonable
efforts to ensure that the client or other person
possesses information reasonably adequate to make
an informed decision. Ordinarily, this will require
communication that includes a disclosure of the facts
and circumstances giving rise to the situation, any
explanation reasonably necessary to inform the client
or other person of the material advantages and
disadvantages of the proposed course of conduct and
a discussion of the client's or other person’s options
and alternatives.”


“Obtaining informed consent will usually require an
affirmative response by the client or other person. In
general, a lawyer may not assume consent from a
client's or other person's silence. Consent may be
inferred, however, from the conduct of a client or other
person who has reasonably adequate information about
the matter.”






4-1.1: A lawyer shall provide
competent representation to a client.
Competent representation requires
the legal knowledge, skill,
thoroughness, and preparation
reasonably necessary for the
representation.
Comments
“Competent handling of a particular
matter includes inquiry into and
analysis of the factual and legal
elements of the problem, and use of
methods and procedures meeting the
standards of competent
practitioners.”
“To maintain the requisite knowledge
and skill, a lawyer should keep
abreast of changes in the law and its
practice, engage in continuing study
and education, and comply with all
continuing legal education
requirements to which the lawyer is
subject.

FLORIDA



1.1
Comments



“To maintain the requisite knowledge
and skill, a lawyer should keep
abreast of changes in the law and its
practice, including the benefits and
risks associated with relevant
technology, engage in continuing
study and education and comply with
all continuing legal education
requirements to which the lawyer is
subject.” Compare Fla. Ethics Op. 123.

MODEL RULE
4-1.4
(a) Informing Client of Status of
Representation. A lawyer shall:
(2) reasonably consult with the client about
the means by which the client’s objectives
are to be accomplished;
(b) Duty to Explain Matters to Client. A lawyer
shall explain a matter to the extent
reasonably necessary to permit the client to
make informed decisions regarding the
representation.
4-1.6
 (a) Consent Required to Reveal
Information. A lawyer shall not reveal
information relating to
representation of a client except as
stated in subdivisions (b), (c), and (d),
unless the client gives informed
consent.


(c) When Lawyer May Reveal
Information. A lawyer may reveal
such information to the extent the
lawyer reasonably believes necessary:
(1) to serve the client's interest
unless it is information the client
specifically requires not to be
disclosed. . . .

FLORIDA





1.6
(a) A lawyer shall not reveal
information relating to the
representation of a client unless the
client gives informed consent, the
disclosure is impliedly authorized in
order to carry out the representation
or the disclosure is permitted by
paragraph (b).
Amended to add (c): “A lawyer shall
make reasonable efforts to prevent
the inadvertent or unauthorized
disclosure of, or unauthorized access
to, information relating to the
representation of a client.”

MODEL RULE
4-5.1 Responsibilities of Partners, Managers,
and Supervisory Lawyers
(a) Duties Concerning Adherence to Rules of
Professional Conduct. A partner in a law firm,
and a lawyer who individually or together with
other lawyers possesses comparable
managerial authority in a law firm, shall make
reasonable efforts to ensure that the firm has
in effect measures giving reasonable
assurance that all lawyers therein conform to
the Rules of Professional Conduct.


Cloud computing is a form of nonlawyer assistance. See
ABA Formal Op. 08-451.

4-5.3 Responsibilities Regarding Nonlawyer Assistants
(b) Supervisory Responsibility. With respect to a nonlawyer
employed or retained by or associated with a lawyer or an
authorized business entity as defined elsewhere in these
Rules Regulating The Florida Bar:
(1) a partner, and a lawyer who individually or together
with other lawyers possesses comparable managerial
authority in a law firm, shall make reasonable efforts to
ensure that the firm has in effect measures giving
reasonable assurance that the person’s conduct is
compatible with the professional obligations of the
lawyer. . . .
Cloud and Tech Overview
Daniel D. Whitehouse, Esq.
• What is the cloud?
– It’s the Internet!

• How do we access the cloud?
–
–
–
–

Desktop/laptop
Smartphone
Tablets
ISP
•

How much bandwidth do I need? And what is bandwidth??

– Wi-Fi

• How do we secure the cloud (if that’s even possible)?
– Encryption
•

What can I encrypt?

• Where do I buy the cloud?
– In the cloud, of course!
– SaaS
– Managed Service Provider
Cloud and Tech Overview
Daniel D. Whitehouse, Esq.
• Are there alternatives to the cloud?
– On-premise solutions

• What are the benefits of the cloud?
– Access from anywhere with an Internet connection
– Reduced costs
•
•

Op-Ex versus Cap-Ex
Support staff

– Enhanced security
•

Wait, what???

• What are the risks of the cloud?
– Loss of Internet access
– Potential target for large-scale security breaches
•

But isn’t it more secure?

– Employee burnout (always connected)
Cloud and Tech Overview
Daniel D. Whitehouse, Esq.
• What else is in the cloud?
–
–
–
–
–

Phone service (Voice over IP, or VoIP)
Sending faxes (eFax.com and others)
Postage (Stamps.com)
Thank You cards (Postable, Shutterfly, etc.)
Photos (Snapfish, Flickr, Facebook, etc.)

• Law firms are in the cloud!
– Virtual Offices

• What is a virtual law firm?
– Representing clients without the need to see them face to face
•

Where do I sign??
Virtual Law Office
Daniel D. Whitehouse, Esq.
• How does a virtual law office work?
–
–
–
–

Attorneys work wherever the cloud is available
Meet with clients via video or voice conferencing
Have calls forwarded to their cell phone (or cloud VoIP)
Transfer documents back and forth (email, document storage, or another portal)

• What about checking the mail?
– You don’t want mail!
– Be as paperless as possible and encourage your clients to do the same

• Who else can be virtual?
– Receptionists
– Paralegals
– Bookkeepers
Virtual Law Office
Daniel D. Whitehouse, Esq.
• Will clients utilize the services of a virtual law office?
– It depends
– Some need to “tell their story” and want to do it in person
•

Push for video conferencing

– Many appreciate the flexibility (and don’t like downtown)

• Are there ethical issues with operating a virtual law office?
– Of course!
– We’ll discuss them at 2 p.m.

• How do we start?
Segue to Cloud 9
Daniel D. Whitehouse, Esq.
• "[T]he use of cloud computing raises ethics concerns of
confidentiality, competence, and proper supervision of nonlawyers."
• LOMAS says many lawyers are already using cloud computing

• “72 percent of practicing attorneys at independent law firms in the
U.S. are more likely to use cloud tools in 2014 than the previous
year.” (Inside Counsel)
• Recent Florida Bar survey: 63% of Florida lawyers surveyed carry
an iPhone; 14% carry an Android phone
Ethics Opinion 12-3
Daniel D. Whitehouse, Esq.
• "Lawyers may use cloud computing if they take reasonable
precautions to ensure that confidentiality of client information is
maintained, that the service provider maintains adequate security,
and that the lawyer has adequate access to the information stored
remotely. The lawyer should research the service provider to be
used."
• “[L]awyers have an obligation to remain current not only in
developments in the law, but also developments in technology that
affect the practice of law.”
• “Lawyers who use cloud computing therefore have an ethical
obligation to understand the technology they are using and how it
potentially impacts confidentiality of information relating to client
matters, so that the lawyers may take appropriate steps to comply
with their ethical obligations.”
Ethics Opinion 12-3
Daniel D. Whitehouse, Esq.
• "[L]awyers must perform due diligence in researching the outside
service provider(s) to ensure that adequate safeguards exist to
protect information stored by the service provider(s).“
• “[L]awyers must be able to access the lawyer’s own information
without limit”
• “[C]onsider whether the information stored via cloud computing is
also stored elsewhere by the lawyer in the event the lawyer cannot
access the information via ‘the cloud.’”
Extracting the Guidelines
Daniel D. Whitehouse, Esq.
• We need to obtain advice about cloud security
• We need to read terms of service
• We need terms that acknowledge the law firm owns the data
• We need the provider to preserve confidentiality
• We need to know that data is destroyed when we wish it to be
destroyed
How can we Comply?
Daniel D. Whitehouse, Esq.
• Advice about cloud security
– Use reputable vendors (Is “Joe’s Cloud Computing and Waffles” reputable?)
– What standards does the vendor follow and have they been audited?
•
•

SSAE 16 is the standard for datacenters
PCI is the standard for credit card processing

– How often is your data backed up?
– Where is it located?
– Is the provider’s infrastructure redundant (or is the data redundant)

• Read terms of service for:
–
–
–
–

Data ownership
Confidentiality
Info sharing with third parties (likely in the privacy policy)
Data destruction policies
The Fear of the Cloud
Daniel D. Whitehouse, Esq.
• LOMAS’ Tips
– Look like they contain checklists
– If read literally, no one would ever use the cloud

• Remember the language of 12-3: “reasonable precautions”
CLOUD 9 TALKS PROFESSIONALISM
AND ETHICS IN THE VIRTUAL WORLD

Comparing and Contrasting
Cloud Case Management Tools
C. Todd Smith & Daniel Whitehouse
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
PROGRESS
Why go to
the cloud?
Your entire
practice in
the palm of
your hand
• NetDocs
• Office 365
• Google Apps for
Business (Gmail)
• Amicus
• RocketMatter
• Clio
• MyCase
• Total Attorney
• Dropbox
• Evernote

Frequently
Used
Cloudbased
Products
Cloud Case
Management (today):
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
Features and Functions
Case Management
Time Tracking & Billing
Document Assembly
Contact Management
Calendar & Docketing
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
So, is this
cloud stuff
secure?
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
Price Comparison:
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
Fine Print: For users 2-6 the monthly fees start at $49.99
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys
These links and more at:

http://bit.ly/CloudEthics
http://bit.ly/CloudCaseMgt
So, is this
cloud stuff
secure
(and ethical)?
Products’ Terms of Service
Daniel D. Whitehouse, Esq.
•
•
•
•
•
•
•

Clio
Dropbox
Google
Google Business
Net Documents
Office 365
Rocket Matter
Clio’s Terms of Service
Daniel D. Whitehouse, Esq.
•
•
•
•
•
•

http://www.goclio.com/legal/tos/
Claims no intellectual property rights with respect to content
Can immediately disable your subscription if you exceed bandwidth
Can discontinue any feature without notice
Stores content on redundant servers
Odd provision about escrow data agents.
– User must request this
– Do they not perform regular backups on their own?

• Company located in Canada
• Data deleted immediately upon cancellation
– Escrowed data will be stored for six months

• Transmission and processing may be unencrypted
• Disclaims: everything
Dropbox’s Terms of Service
Daniel D. Whitehouse, Esq.
• https://www.dropbox.com/privacy#terms
• “You retain full ownership to your stuff”
• Data is stored on Amazon’s S3 servers
– Sent to Amazon’s site to learn about their security

• Claim they won’t share your content
• Not responsible for loss or corruption of data, nor for any costs of
backing up or restoring it
• Can terminate service at any point without notice, but will “try” to let
you know in advance
• Disclaims: everything
• Venue: San Francisco County, CA
• Checks all files uploaded for duplicates by other users
• Can use geo-location info to “optimize your experience”
More Dropbox Terms of Service
Daniel D. Whitehouse, Esq.
• Data stored online is encrypted
• Can decrypt before providing to law enforcement
• Will “try” to delete your information quickly upon request
– Could be latency in doing so, and backed-up versions “might” exist after deletion
– Files in common with other users are not deleted

• Cannot guarantee absolute security
• Dropbox employees are prohibited from viewing your content but are
permitted to view metadata
• Oh, but a small number of employees must be able to access your
data
– Huh?

• You can use your own encryption method
Dropbox in the News
Daniel D. Whitehouse, Esq.
Dropbox in the News
Daniel D. Whitehouse, Esq.
Dropbox in the News
Daniel D. Whitehouse, Esq.
Google’s Terms of Service
Daniel D. Whitehouse, Esq.
• https://www.google.com/intl/en/policies/terms/
• “[W]hat belongs to you stays yours.”
• “When you upload or otherwise submit content to our Services, you
give Google (and those we work with) a worldwide license to use,
host, store, reproduce, modify, create derivative works (such as
those resulting from translations, adaptations or other changes we
make so that your content works better with our Services),
communicate, publish, publicly perform, publicly display and
distribute such content.”
– Does this sound like confidentiality to you?

• We need not review Google’s terms any further
• To be clear, this is the consumer version, NOT Business
Google Business’ Terms of Service
Daniel D. Whitehouse, Esq.
•
•
•
•
•
•
•

http://www.google.com/apps/intl/en/terms/premier_terms.html
Adheres to reasonable security standards
Will notify customer of third-party requests for information
Each party will protect its confidential information
Can use your name and brand features in a list of customers
Disclaims: everything
Termination after 30 days’ notice
– Will provide access to and ability to export data for a commercially reasonable
period of time
– Reasonable efforts to delete pointers to active data
– Actual data will be overwritten over time

• Liability capped at the amount paid for service
• Venue: Santa Clara County, CA
Net Documents’ Terms of Service
Daniel D. Whitehouse, Esq.
•
•
•
•
•
•

http://www.netdocuments.com/en-us/TermsConditions/TermsOfUse
Your responsibility to have backups before terminating
Cannot use an automatic device to make copies of data
They disclaim any interest in your data
Will notify you if they receive a request for your data
Information posted on website is for general info purposes and you
rely on it at your own risk
– Interesting that the policy is posted on the website

• Disclaims: everything
– Including that the files are free of viruses or other destructive code
– Along with security and reliability

• Venue: Salt Lake City and Salt Lake County, UT
• Other registered users can view your name, email, phone,
organization, etc.
Office 365’sTerms of Service
Daniel D. Whitehouse, Esq.
• Terms of Service are tricky due to Home and Business versions
• http://office.microsoft.com/en-us/business/office-365-trust-centercloud-computing-security-FX103030390.aspx
• You own and retain all rights to your data
• Will use commercially reasonable efforts to notify if request to
produce
• Says data can be transferred anywhere MS maintains facilities
– But provides a regional map to narrow the scope

• Access to data is only for troubleshooting or processing
– And they can produce audit logs
– The environment operates like an office, so certain internal users can be granted
access to internal data

• Will notify customer if MS becomes aware of unlawful access
Rocket Matter's Terms of Service
Daniel D. Whitehouse, Esq.
•
•
•
•
•
•

http://www.rocketmatter.com/pages/subscription_agreement.html
Agrees to keep all data confidential
But notes that they have access to the data
Reserve the right to terminate your account at any time
After termination, data deleted within approximately 100 days
Can attempt to “restore” data within 90 days of cancellation, which
consists of reactivating the account
• Disclaims: everything
• The service is not fault tolerant
• Explicit that the data is stored in the U.S.
Summary of Terms of Service
Daniel D. Whitehouse, Esq.
• Read them!
• Ask clarifying questions (if you can get them on the phone)
• Read them again!
• Some technical terms are terms of art
– Ask a technical person (or technical attorney) to interpret them

• Keep your eyes and ears open for security concerns
Break Time

We will reconvene in 10 minutes
Best Practices and Gotchas
• Introductions:
– Joan Bullock
– Ryan Colbert
– Mark Miller
Operating in the Cloud
• Joan R. M. Bullock, JD, MBA, CPA
Operating in the Cloud
• Opinion 12-3: Lawyers may use cloud computing if they take
reasonable steps to ensure
• Confidentiality of client information maintained
• Service provider maintains adequate security
• Lawyer has adequate access to information stored remotely
Confidentiality of Client Information Maintained

• All information related to client’s representation

• Data Security and Confidentiality
• Bring your own device (BYOD) policy
• Policy regarding non-business use on firm’s network?

• Device protection from malware
• Should you limit the types of devices that are able to access
information?

• Obligation to proactively monitor against risks?
• Incidence Response Plan
• Cybersecurity Insurance Policy
Service Provider Maintains Adequate Security
• Due Diligence
• Are you paying for the service or getting it for free?
• Is information encrypted—in storage and in transmission?
•

•
•
•
•

Does service provider have all your encryption keys?

Who owns your data?
How and when will you be notified in the event of a data breach?
What are the security and privacy controls in place with the service provider?
What happens if contract terminated?
•
•
•

What is procedure for revoking access rights assigned to the service provider?
Will data be returned in a format accessible by you?
What assurances are there that your data will be properly expunged from their system?

• What is the service provider’s business continuity and disaster recovery plan?
• Data redundancy across multiple data centers?
Janet A. Stiven, Technology: A Lack of Due Diligence Still a Top Threat in the Cloud, INSIDE COUNSEL,Dec.
6, 2013.
Lawyer has adequate access to information stored remotely

• Anytime/anywhere?

• Competence: obligation to understand technology and how it
potentially impacts confidentiality of client information
• Update to ensure protection against new threats
Take-aways
• Develop due diligence checklist
• Cloud service providers
• Third-party technology

• Proactively monitor risks
• Consider limiting number and types of devices that can access
your firm’s information
• Develop a plan for data loss or other security breach
• Build in redundancy for system interruption
• Stay current; what you don’t know CAN hurt you
Questions?

Joan R. M. Bullock, JD, MBA, CPA - “THE REFORMED LAW PROF”
Associate Dean for Teaching and Faculty Development
and Professor of Law
Florida A&M University College of Law
joan.bullock@famu.edu
Moving to the Cloud
Daniel D. Whitehouse, Esq., Ryan Colbert & Mark Miller

• Three common approaches:
– Move all existing documents
•
•

Advantage: one place to manage everything
Disadvantage: could be time-consuming and costly

– Move “active” documents
•

Advantage: staff go to one place for active documents

– Place new documents in the cloud
•
•

Disadvantage: multiple places for documents
Could delay full adoption
Training and Policies
• Training has two forms:
– Vendor training
• How to use our product

– In-house training
• How to use their product for our firm

– Both are needed
• Consider necessary policies before training internal staff
• Takes more time up front but reduces overall implementation time
BP&G: Device Security
• Secure your smartphone
– Make sure it’s password protected!
– Consider auto erase after X invalid login attempts
– Enable remote wipe abilities

• LoJack®-type software for laptops
• Consider encryption (more on this in a moment)
BP&G: Password Policies
• Use secure passwords
– “password” is no longer first! (“123456” is)
– TimPws0! (This is my password stay out!)

• Change passwords often
– No more than every 90 days; 60 is preferred

• Don’t use the same password everywhere
• What about password vault software?
BP&G: Encryption
• Encrypt what?
– Hard drives (whole-disk encryption)
– Files

– Removable media (thumb drives)
– Smartphones and tablets?
– Communications, such as Wi-Fi
BP&G: Wi-Fi
• What does the “lock” mean?
– Password to gain access, NOT that the connection is secure!
– Data can still be spoofed

– Verify individual connections, such as HTTPS
BP&G: File Sharing
• Convenient, but has risks
• Scenario 1:
– You grant your client rights to folder
– Client adds a third person (or even a spouse)
– What happens to privilege?

• Scenario 2:
– You mean to grant access to CasesClient X
– Instead, you grant access to “Cases”
– Whoops

• Case management portals can help avoid the issues above
• Consider posting only publically accessible documents
BP&G: Erasing Data
• Equipment Disposal
– Use DoD erasure algorithms for devices
– Phones as well!
– “Brute force” method if all else fails

• Speaking of printers… they need to be erased as well!
– And fax machines

• What about VoIP voicemails?
• **Don’t forget about legal holds and other requirements**
BP&G: BYOD Issues
• You can bring it to a party, but it’s not what you think it is
• BYOD = Bring Your Own Device
• Convenient, but carries risk
• What happens if employee leaves?
– You want company data erased, right?

• What if device needs to be produced?
• Have a policy that outlines requirements
BP&G: Misc. Items
• If something happens to a solo, how do others gain access to cloud
material?
• Do any regulatory requirements have stricter standards than the
Bar?
– HIPPA
– FINRA
– PCI, etc.

• Smartphone apps and other general security
– Phishing expeditions for privileged info

• What about remote access to on-premise computers?
– Is that really “cloud computing”?
– If using a service, go through the same process of reviewing their ToS
•
•
•

Security standards
Data collection
Breach notifications, etc.
BP&G: Virtual Office Perils
• Advertising rules in Florida
– Bona fide office requirement
– City or County
– “Available for consultation”

•
•
•
•

Unauthorized Practice of Law
Duty to supervise
Conflicts of interest
Business registrations
– Home address?
– “Virtual” office providers
BP&G: Client Consent
• Is client consent required?
• 12-3: “A lawyer may not voluntarily disclose any information relating
to a client’s representation without either application of an exception
to the confidentiality rule or the client’s informed consent.”
• “A lawyer has the obligation to ensure that confidentiality of
information is maintained by nonlawyers under the lawyer’s
supervision, including nonlawyers that are third parties used by the
lawyer in the provision of legal services.”
• 07-02: “the attorney make reasonable efforts to ensure that the
nonlawyers’ conduct is consistent with the ethics rules.”
• 10-2: “If a nonlawyer will have access to confidential information, the
lawyer must obtain adequate assurances from the nonlawyer that
confidentiality of the information will be maintained.“
BP&G: Client Consent
• Is client consent required?
• Not if the lawyer takes reasonable precautions and obtains
adequate assurances to protect confidential information
• But just in case:

• “The firm reserves the right to utilize Internet-based, “cloud
computing” services to store its communications and files, including
confidential client information.”
BP&G: Client Consent
•

Another option:

•

Client understands and agrees that Counsel uses a variety of technology, including the
Internet and secure computer servers of one or more third-party vendors, to communicate
with clients, to store documents, and to perform other activities. The practice of using third
party software and servers to transmit and store data over the Internet is known as “cloud
computing.” The type of technology Counsel uses is substantially similar to the technology
used by online applications such as online banking, Facebook, PayPal, Twitter, ebay,
Dropbox, Gmail, iCloud Mail, Yahoo! Mail, Outlook.com, and many other “software as a
service” applications that utilize the cloud with encryption technology. Counsel believes
Google and other vendors used have security and management practices that meet or
exceed applicable ethics requirements and, therefore, that the “cloud” is a secure method
of communication and operation.

•

Client represents and affirms that Client understands the risks and benefits of cloud
computing. Further, Client represents and affirms that Client expects Counsel to use
elements of “cloud computing” to facilitate timely communication and to facilitate less
expensive and more efficient legal representation. Finally, Client expressly authorizes
Counsel to use those cloud-based applications and services that Counsel believes are
appropriate for communicating with Client, storing documents, and carrying out other
necessary tasks in the course of representing Client.
BP&G: In Case of Breach
•
•
•
•
•

Fla. Stat. § 817.5681: Breach of security concerning PI
Requires notice to compromised residents within 45 days
Fines up to $500,000
Vendors must notify their clients within 10 days
What is PI?
– First name, first initial of last name, or any middle name and last name, AND:
•
•
•

Social security number;
Driver’s license or Florida ID number; or
Account number, credit card number, or debit card number, combined with some code that would
permit access to a financial account

• How many of us store client SSNs?
• Does this apply only to cloud computing?
Summary of Policies
• Device security policies
– Do the policies require encryption where available?

• Password policies

• Device disposal policies
• BYOD policy
• Breach notifications
• Engagement letter verbiage
Panel Discussion
• Introductions:
– Patti Savitz
– Nancy Stuparich
Panel Discussion

Más contenido relacionado

Similar a OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys

Understanding Legal Technology Competence with Bob Ambrogi and Joshua Lenon
Understanding Legal Technology Competence with Bob Ambrogi and Joshua LenonUnderstanding Legal Technology Competence with Bob Ambrogi and Joshua Lenon
Understanding Legal Technology Competence with Bob Ambrogi and Joshua LenonClio - Cloud-Based Legal Technology
 
Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar AssociationCloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar AssociationAmy Larrimore
 
Ethical Dangers of Technology in the Law Practice
Ethical Dangers of Technology in the Law PracticeEthical Dangers of Technology in the Law Practice
Ethical Dangers of Technology in the Law PracticeRobert Ambrogi
 
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Ontario Cloud SIG
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitKevin Duffey
 
Trends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the RisksTrends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the RisksNicole Garton
 
Cloud and mobile computing for lawyers
Cloud and mobile computing for lawyersCloud and mobile computing for lawyers
Cloud and mobile computing for lawyersNicole Black
 
Moving to the Cloud: Client Communication Best Practices for Law Firms
Moving to the Cloud: Client Communication Best Practices for Law FirmsMoving to the Cloud: Client Communication Best Practices for Law Firms
Moving to the Cloud: Client Communication Best Practices for Law FirmsClio - Cloud-Based Legal Technology
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rulessaurnou
 
Legal education of the future is information and technology
Legal education of the future is information and technologyLegal education of the future is information and technology
Legal education of the future is information and technologyOmar Ha-Redeye
 
Small and solo in the cloud
Small and solo in the cloudSmall and solo in the cloud
Small and solo in the cloudOmar Ha-Redeye
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotatedwdsnead
 
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...Gary Allen
 
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityCloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityRussell_Kennedy
 
BYOD: Advice for Employers and Employees
BYOD: Advice for Employers and EmployeesBYOD: Advice for Employers and Employees
BYOD: Advice for Employers and EmployeesCassie McGarvey, JD
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 

Similar a OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys (20)

Understanding Legal Technology Competence with Bob Ambrogi and Joshua Lenon
Understanding Legal Technology Competence with Bob Ambrogi and Joshua LenonUnderstanding Legal Technology Competence with Bob Ambrogi and Joshua Lenon
Understanding Legal Technology Competence with Bob Ambrogi and Joshua Lenon
 
Ethics for lawyers in the cloud
Ethics for lawyers in the cloudEthics for lawyers in the cloud
Ethics for lawyers in the cloud
 
Cloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar AssociationCloud Computing Legal for Pennsylvania Bar Association
Cloud Computing Legal for Pennsylvania Bar Association
 
Evaluating Legal Technology for Your Law Firm
Evaluating Legal Technology for Your Law FirmEvaluating Legal Technology for Your Law Firm
Evaluating Legal Technology for Your Law Firm
 
Ethical Dangers of Technology in the Law Practice
Ethical Dangers of Technology in the Law PracticeEthical Dangers of Technology in the Law Practice
Ethical Dangers of Technology in the Law Practice
 
MISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloudMISA Cloud Workshop_ ipc privacy in the cloud
MISA Cloud Workshop_ ipc privacy in the cloud
 
Informed consent and cloud computing
Informed consent and cloud computingInformed consent and cloud computing
Informed consent and cloud computing
 
Cyber Recovery - Legal Toolkit
Cyber Recovery - Legal ToolkitCyber Recovery - Legal Toolkit
Cyber Recovery - Legal Toolkit
 
Trends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the RisksTrends in Law Practice Management – Calculating the Risks
Trends in Law Practice Management – Calculating the Risks
 
Cloud and mobile computing for lawyers
Cloud and mobile computing for lawyersCloud and mobile computing for lawyers
Cloud and mobile computing for lawyers
 
Moving to the Cloud: Client Communication Best Practices for Law Firms
Moving to the Cloud: Client Communication Best Practices for Law FirmsMoving to the Cloud: Client Communication Best Practices for Law Firms
Moving to the Cloud: Client Communication Best Practices for Law Firms
 
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model RulesData Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
 
Legal education of the future is information and technology
Legal education of the future is information and technologyLegal education of the future is information and technology
Legal education of the future is information and technology
 
Small and solo in the cloud
Small and solo in the cloudSmall and solo in the cloud
Small and solo in the cloud
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
 
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...
 
Cloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from realityCloud computing in Australia - Separating hype from reality
Cloud computing in Australia - Separating hype from reality
 
BYOD: Advice for Employers and Employees
BYOD: Advice for Employers and EmployeesBYOD: Advice for Employers and Employees
BYOD: Advice for Employers and Employees
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
How to Choose a Legal Technology Consultant
How to Choose a Legal Technology ConsultantHow to Choose a Legal Technology Consultant
How to Choose a Legal Technology Consultant
 

Último

The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsEugene Lysak
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesCeline George
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxDr. Santhosh Kumar. N
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxheathfieldcps1
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfYu Kanazawa / Osaka University
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxMYDA ANGELICA SUAN
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and stepobaje godwin sunday
 

Último (20)

The Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George WellsThe Stolen Bacillus by Herbert George Wells
The Stolen Bacillus by Herbert George Wells
 
How to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 SalesHow to Manage Cross-Selling in Odoo 17 Sales
How to Manage Cross-Selling in Odoo 17 Sales
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
M-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptxM-2- General Reactions of amino acids.pptx
M-2- General Reactions of amino acids.pptx
 
The basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptxThe basics of sentences session 10pptx.pptx
The basics of sentences session 10pptx.pptx
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdfP4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
P4C x ELT = P4ELT: Its Theoretical Background (Kanazawa, 2024 March).pdf
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Patterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptxPatterns of Written Texts Across Disciplines.pptx
Patterns of Written Texts Across Disciplines.pptx
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
General views of Histopathology and step
General views of Histopathology and stepGeneral views of Histopathology and step
General views of Histopathology and step
 

OCBA Cloud 9: Cloud Computing and Ethics for Florida Attorneys

  • 1. Cloud 9 Talks Professionalism and Ethics in the Virtual World OCBA Professionalism and Technology Committees February 13, 2014 •11:30 a.m. - 3:50 p.m. Program Faculty: Daniel D. Whitehouse · Joan Bullock · Patti Savitz · Nancy Stuparich · C. Todd Smith · Ryan Colbert · Mark Miller · Michael Kest · Tom Young Lunch sponsored by:
  • 2. Agenda (Destination: Cloud 9) • 11:30 p.m. - 12:00 p.m. Registration and Lunch • 12:00 p.m. - 12:10 p.m. Introductions • 12:10 p.m. - 1:00 p.m. Tech Overview and Fl. Ethics Opinion 12-3 – Decide to get away (i.e., change the way we conduct business) • 1:00 p.m. – 1:50 p.m. Comparing and Contrasting – Make our itinerary (the tools of the trade) • 1:50 p.m. – 2:00 p.m. BREAK • 2:00 p.m. - 2:50 p.m. Best Practices and Gotchas – Avoid the geese during takeoff (traps for the unwary) • 3:00 p.m. - 3:50 p.m. Panel Discussion – Speak with friends who have returned safely (the panel) • Enjoy the endeavor!
  • 3. Introductions • C. Todd Smith • Daniel D. Whitehouse • Tom Young To be introduced later: • Joan Bullock • Ryan Colbert • Mark Miller • Patti Savitz • Nancy Stuparich
  • 5. Ethical Concerns: • Connectivity alternatives • Data Centers: owned or rented; security; physical location and governing laws • Vendor’s ability and policies to assure confidentiality and security • Unclear policies about data ownership • Policies for data breach notice • Assurance of data destruction upon termination • Vendor’s process for complying with litigation hold • Failure to adequately back up data; location of backups • Encryption: in transit, during storage, controlled access, verification of data integrity • Vendor bankruptcy • What happens for nonpayment for services • Disgruntled/dishonest insiders • Hackers • Server crashes, technical failures, uptime guarantee. and damages • Viruses • Data corruption or destruction • Business interruption • Absolute loss •Change of cloud providers • Exit Strategy
  • 6.  “Informed consent” denotes the agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.
  • 7.  “The communication necessary to obtain such consent will vary according to the rule involved and the circumstances giving rise to the need to obtain informed consent. The lawyer must make reasonable efforts to ensure that the client or other person possesses information reasonably adequate to make an informed decision. Ordinarily, this will require communication that includes a disclosure of the facts and circumstances giving rise to the situation, any explanation reasonably necessary to inform the client or other person of the material advantages and disadvantages of the proposed course of conduct and a discussion of the client's or other person’s options and alternatives.”
  • 8.  “Obtaining informed consent will usually require an affirmative response by the client or other person. In general, a lawyer may not assume consent from a client's or other person's silence. Consent may be inferred, however, from the conduct of a client or other person who has reasonably adequate information about the matter.”
  • 9.    4-1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. Comments “Competent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners.” “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject. FLORIDA  1.1 Comments  “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” Compare Fla. Ethics Op. 123. MODEL RULE
  • 10. 4-1.4 (a) Informing Client of Status of Representation. A lawyer shall: (2) reasonably consult with the client about the means by which the client’s objectives are to be accomplished; (b) Duty to Explain Matters to Client. A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.
  • 11. 4-1.6  (a) Consent Required to Reveal Information. A lawyer shall not reveal information relating to representation of a client except as stated in subdivisions (b), (c), and (d), unless the client gives informed consent.  (c) When Lawyer May Reveal Information. A lawyer may reveal such information to the extent the lawyer reasonably believes necessary: (1) to serve the client's interest unless it is information the client specifically requires not to be disclosed. . . . FLORIDA   1.6 (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). Amended to add (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” MODEL RULE
  • 12. 4-5.1 Responsibilities of Partners, Managers, and Supervisory Lawyers (a) Duties Concerning Adherence to Rules of Professional Conduct. A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers therein conform to the Rules of Professional Conduct.
  • 13.  Cloud computing is a form of nonlawyer assistance. See ABA Formal Op. 08-451. 4-5.3 Responsibilities Regarding Nonlawyer Assistants (b) Supervisory Responsibility. With respect to a nonlawyer employed or retained by or associated with a lawyer or an authorized business entity as defined elsewhere in these Rules Regulating The Florida Bar: (1) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person’s conduct is compatible with the professional obligations of the lawyer. . . .
  • 14. Cloud and Tech Overview Daniel D. Whitehouse, Esq. • What is the cloud? – It’s the Internet! • How do we access the cloud? – – – – Desktop/laptop Smartphone Tablets ISP • How much bandwidth do I need? And what is bandwidth?? – Wi-Fi • How do we secure the cloud (if that’s even possible)? – Encryption • What can I encrypt? • Where do I buy the cloud? – In the cloud, of course! – SaaS – Managed Service Provider
  • 15. Cloud and Tech Overview Daniel D. Whitehouse, Esq. • Are there alternatives to the cloud? – On-premise solutions • What are the benefits of the cloud? – Access from anywhere with an Internet connection – Reduced costs • • Op-Ex versus Cap-Ex Support staff – Enhanced security • Wait, what??? • What are the risks of the cloud? – Loss of Internet access – Potential target for large-scale security breaches • But isn’t it more secure? – Employee burnout (always connected)
  • 16. Cloud and Tech Overview Daniel D. Whitehouse, Esq. • What else is in the cloud? – – – – – Phone service (Voice over IP, or VoIP) Sending faxes (eFax.com and others) Postage (Stamps.com) Thank You cards (Postable, Shutterfly, etc.) Photos (Snapfish, Flickr, Facebook, etc.) • Law firms are in the cloud! – Virtual Offices • What is a virtual law firm? – Representing clients without the need to see them face to face • Where do I sign??
  • 17. Virtual Law Office Daniel D. Whitehouse, Esq. • How does a virtual law office work? – – – – Attorneys work wherever the cloud is available Meet with clients via video or voice conferencing Have calls forwarded to their cell phone (or cloud VoIP) Transfer documents back and forth (email, document storage, or another portal) • What about checking the mail? – You don’t want mail! – Be as paperless as possible and encourage your clients to do the same • Who else can be virtual? – Receptionists – Paralegals – Bookkeepers
  • 18. Virtual Law Office Daniel D. Whitehouse, Esq. • Will clients utilize the services of a virtual law office? – It depends – Some need to “tell their story” and want to do it in person • Push for video conferencing – Many appreciate the flexibility (and don’t like downtown) • Are there ethical issues with operating a virtual law office? – Of course! – We’ll discuss them at 2 p.m. • How do we start?
  • 19. Segue to Cloud 9 Daniel D. Whitehouse, Esq. • "[T]he use of cloud computing raises ethics concerns of confidentiality, competence, and proper supervision of nonlawyers." • LOMAS says many lawyers are already using cloud computing • “72 percent of practicing attorneys at independent law firms in the U.S. are more likely to use cloud tools in 2014 than the previous year.” (Inside Counsel) • Recent Florida Bar survey: 63% of Florida lawyers surveyed carry an iPhone; 14% carry an Android phone
  • 20. Ethics Opinion 12-3 Daniel D. Whitehouse, Esq. • "Lawyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely. The lawyer should research the service provider to be used." • “[L]awyers have an obligation to remain current not only in developments in the law, but also developments in technology that affect the practice of law.” • “Lawyers who use cloud computing therefore have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.”
  • 21. Ethics Opinion 12-3 Daniel D. Whitehouse, Esq. • "[L]awyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s).“ • “[L]awyers must be able to access the lawyer’s own information without limit” • “[C]onsider whether the information stored via cloud computing is also stored elsewhere by the lawyer in the event the lawyer cannot access the information via ‘the cloud.’”
  • 22. Extracting the Guidelines Daniel D. Whitehouse, Esq. • We need to obtain advice about cloud security • We need to read terms of service • We need terms that acknowledge the law firm owns the data • We need the provider to preserve confidentiality • We need to know that data is destroyed when we wish it to be destroyed
  • 23. How can we Comply? Daniel D. Whitehouse, Esq. • Advice about cloud security – Use reputable vendors (Is “Joe’s Cloud Computing and Waffles” reputable?) – What standards does the vendor follow and have they been audited? • • SSAE 16 is the standard for datacenters PCI is the standard for credit card processing – How often is your data backed up? – Where is it located? – Is the provider’s infrastructure redundant (or is the data redundant) • Read terms of service for: – – – – Data ownership Confidentiality Info sharing with third parties (likely in the privacy policy) Data destruction policies
  • 24. The Fear of the Cloud Daniel D. Whitehouse, Esq. • LOMAS’ Tips – Look like they contain checklists – If read literally, no one would ever use the cloud • Remember the language of 12-3: “reasonable precautions”
  • 25. CLOUD 9 TALKS PROFESSIONALISM AND ETHICS IN THE VIRTUAL WORLD Comparing and Contrasting Cloud Case Management Tools C. Todd Smith & Daniel Whitehouse
  • 32. Why go to the cloud?
  • 33. Your entire practice in the palm of your hand
  • 34. • NetDocs • Office 365 • Google Apps for Business (Gmail) • Amicus • RocketMatter • Clio • MyCase • Total Attorney • Dropbox • Evernote Frequently Used Cloudbased Products
  • 37. Features and Functions Case Management Time Tracking & Billing Document Assembly Contact Management Calendar & Docketing
  • 47. So, is this cloud stuff secure?
  • 52. Fine Print: For users 2-6 the monthly fees start at $49.99
  • 55. These links and more at: http://bit.ly/CloudEthics http://bit.ly/CloudCaseMgt
  • 56. So, is this cloud stuff secure (and ethical)?
  • 57. Products’ Terms of Service Daniel D. Whitehouse, Esq. • • • • • • • Clio Dropbox Google Google Business Net Documents Office 365 Rocket Matter
  • 58. Clio’s Terms of Service Daniel D. Whitehouse, Esq. • • • • • • http://www.goclio.com/legal/tos/ Claims no intellectual property rights with respect to content Can immediately disable your subscription if you exceed bandwidth Can discontinue any feature without notice Stores content on redundant servers Odd provision about escrow data agents. – User must request this – Do they not perform regular backups on their own? • Company located in Canada • Data deleted immediately upon cancellation – Escrowed data will be stored for six months • Transmission and processing may be unencrypted • Disclaims: everything
  • 59. Dropbox’s Terms of Service Daniel D. Whitehouse, Esq. • https://www.dropbox.com/privacy#terms • “You retain full ownership to your stuff” • Data is stored on Amazon’s S3 servers – Sent to Amazon’s site to learn about their security • Claim they won’t share your content • Not responsible for loss or corruption of data, nor for any costs of backing up or restoring it • Can terminate service at any point without notice, but will “try” to let you know in advance • Disclaims: everything • Venue: San Francisco County, CA • Checks all files uploaded for duplicates by other users • Can use geo-location info to “optimize your experience”
  • 60. More Dropbox Terms of Service Daniel D. Whitehouse, Esq. • Data stored online is encrypted • Can decrypt before providing to law enforcement • Will “try” to delete your information quickly upon request – Could be latency in doing so, and backed-up versions “might” exist after deletion – Files in common with other users are not deleted • Cannot guarantee absolute security • Dropbox employees are prohibited from viewing your content but are permitted to view metadata • Oh, but a small number of employees must be able to access your data – Huh? • You can use your own encryption method
  • 61. Dropbox in the News Daniel D. Whitehouse, Esq.
  • 62. Dropbox in the News Daniel D. Whitehouse, Esq.
  • 63. Dropbox in the News Daniel D. Whitehouse, Esq.
  • 64. Google’s Terms of Service Daniel D. Whitehouse, Esq. • https://www.google.com/intl/en/policies/terms/ • “[W]hat belongs to you stays yours.” • “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.” – Does this sound like confidentiality to you? • We need not review Google’s terms any further • To be clear, this is the consumer version, NOT Business
  • 65. Google Business’ Terms of Service Daniel D. Whitehouse, Esq. • • • • • • • http://www.google.com/apps/intl/en/terms/premier_terms.html Adheres to reasonable security standards Will notify customer of third-party requests for information Each party will protect its confidential information Can use your name and brand features in a list of customers Disclaims: everything Termination after 30 days’ notice – Will provide access to and ability to export data for a commercially reasonable period of time – Reasonable efforts to delete pointers to active data – Actual data will be overwritten over time • Liability capped at the amount paid for service • Venue: Santa Clara County, CA
  • 66. Net Documents’ Terms of Service Daniel D. Whitehouse, Esq. • • • • • • http://www.netdocuments.com/en-us/TermsConditions/TermsOfUse Your responsibility to have backups before terminating Cannot use an automatic device to make copies of data They disclaim any interest in your data Will notify you if they receive a request for your data Information posted on website is for general info purposes and you rely on it at your own risk – Interesting that the policy is posted on the website • Disclaims: everything – Including that the files are free of viruses or other destructive code – Along with security and reliability • Venue: Salt Lake City and Salt Lake County, UT • Other registered users can view your name, email, phone, organization, etc.
  • 67. Office 365’sTerms of Service Daniel D. Whitehouse, Esq. • Terms of Service are tricky due to Home and Business versions • http://office.microsoft.com/en-us/business/office-365-trust-centercloud-computing-security-FX103030390.aspx • You own and retain all rights to your data • Will use commercially reasonable efforts to notify if request to produce • Says data can be transferred anywhere MS maintains facilities – But provides a regional map to narrow the scope • Access to data is only for troubleshooting or processing – And they can produce audit logs – The environment operates like an office, so certain internal users can be granted access to internal data • Will notify customer if MS becomes aware of unlawful access
  • 68. Rocket Matter's Terms of Service Daniel D. Whitehouse, Esq. • • • • • • http://www.rocketmatter.com/pages/subscription_agreement.html Agrees to keep all data confidential But notes that they have access to the data Reserve the right to terminate your account at any time After termination, data deleted within approximately 100 days Can attempt to “restore” data within 90 days of cancellation, which consists of reactivating the account • Disclaims: everything • The service is not fault tolerant • Explicit that the data is stored in the U.S.
  • 69. Summary of Terms of Service Daniel D. Whitehouse, Esq. • Read them! • Ask clarifying questions (if you can get them on the phone) • Read them again! • Some technical terms are terms of art – Ask a technical person (or technical attorney) to interpret them • Keep your eyes and ears open for security concerns
  • 70. Break Time We will reconvene in 10 minutes
  • 71. Best Practices and Gotchas • Introductions: – Joan Bullock – Ryan Colbert – Mark Miller
  • 72. Operating in the Cloud • Joan R. M. Bullock, JD, MBA, CPA
  • 73. Operating in the Cloud • Opinion 12-3: Lawyers may use cloud computing if they take reasonable steps to ensure • Confidentiality of client information maintained • Service provider maintains adequate security • Lawyer has adequate access to information stored remotely
  • 74. Confidentiality of Client Information Maintained • All information related to client’s representation • Data Security and Confidentiality • Bring your own device (BYOD) policy • Policy regarding non-business use on firm’s network? • Device protection from malware • Should you limit the types of devices that are able to access information? • Obligation to proactively monitor against risks? • Incidence Response Plan • Cybersecurity Insurance Policy
  • 75. Service Provider Maintains Adequate Security • Due Diligence • Are you paying for the service or getting it for free? • Is information encrypted—in storage and in transmission? • • • • • Does service provider have all your encryption keys? Who owns your data? How and when will you be notified in the event of a data breach? What are the security and privacy controls in place with the service provider? What happens if contract terminated? • • • What is procedure for revoking access rights assigned to the service provider? Will data be returned in a format accessible by you? What assurances are there that your data will be properly expunged from their system? • What is the service provider’s business continuity and disaster recovery plan? • Data redundancy across multiple data centers? Janet A. Stiven, Technology: A Lack of Due Diligence Still a Top Threat in the Cloud, INSIDE COUNSEL,Dec. 6, 2013.
  • 76. Lawyer has adequate access to information stored remotely • Anytime/anywhere? • Competence: obligation to understand technology and how it potentially impacts confidentiality of client information • Update to ensure protection against new threats
  • 77. Take-aways • Develop due diligence checklist • Cloud service providers • Third-party technology • Proactively monitor risks • Consider limiting number and types of devices that can access your firm’s information • Develop a plan for data loss or other security breach • Build in redundancy for system interruption • Stay current; what you don’t know CAN hurt you
  • 78. Questions? Joan R. M. Bullock, JD, MBA, CPA - “THE REFORMED LAW PROF” Associate Dean for Teaching and Faculty Development and Professor of Law Florida A&M University College of Law joan.bullock@famu.edu
  • 79. Moving to the Cloud Daniel D. Whitehouse, Esq., Ryan Colbert & Mark Miller • Three common approaches: – Move all existing documents • • Advantage: one place to manage everything Disadvantage: could be time-consuming and costly – Move “active” documents • Advantage: staff go to one place for active documents – Place new documents in the cloud • • Disadvantage: multiple places for documents Could delay full adoption
  • 80. Training and Policies • Training has two forms: – Vendor training • How to use our product – In-house training • How to use their product for our firm – Both are needed • Consider necessary policies before training internal staff • Takes more time up front but reduces overall implementation time
  • 81. BP&G: Device Security • Secure your smartphone – Make sure it’s password protected! – Consider auto erase after X invalid login attempts – Enable remote wipe abilities • LoJack®-type software for laptops • Consider encryption (more on this in a moment)
  • 82. BP&G: Password Policies • Use secure passwords – “password” is no longer first! (“123456” is) – TimPws0! (This is my password stay out!) • Change passwords often – No more than every 90 days; 60 is preferred • Don’t use the same password everywhere • What about password vault software?
  • 83. BP&G: Encryption • Encrypt what? – Hard drives (whole-disk encryption) – Files – Removable media (thumb drives) – Smartphones and tablets? – Communications, such as Wi-Fi
  • 84. BP&G: Wi-Fi • What does the “lock” mean? – Password to gain access, NOT that the connection is secure! – Data can still be spoofed – Verify individual connections, such as HTTPS
  • 85. BP&G: File Sharing • Convenient, but has risks • Scenario 1: – You grant your client rights to folder – Client adds a third person (or even a spouse) – What happens to privilege? • Scenario 2: – You mean to grant access to CasesClient X – Instead, you grant access to “Cases” – Whoops • Case management portals can help avoid the issues above • Consider posting only publically accessible documents
  • 86. BP&G: Erasing Data • Equipment Disposal – Use DoD erasure algorithms for devices – Phones as well! – “Brute force” method if all else fails • Speaking of printers… they need to be erased as well! – And fax machines • What about VoIP voicemails? • **Don’t forget about legal holds and other requirements**
  • 87. BP&G: BYOD Issues • You can bring it to a party, but it’s not what you think it is • BYOD = Bring Your Own Device • Convenient, but carries risk • What happens if employee leaves? – You want company data erased, right? • What if device needs to be produced? • Have a policy that outlines requirements
  • 88. BP&G: Misc. Items • If something happens to a solo, how do others gain access to cloud material? • Do any regulatory requirements have stricter standards than the Bar? – HIPPA – FINRA – PCI, etc. • Smartphone apps and other general security – Phishing expeditions for privileged info • What about remote access to on-premise computers? – Is that really “cloud computing”? – If using a service, go through the same process of reviewing their ToS • • • Security standards Data collection Breach notifications, etc.
  • 89. BP&G: Virtual Office Perils • Advertising rules in Florida – Bona fide office requirement – City or County – “Available for consultation” • • • • Unauthorized Practice of Law Duty to supervise Conflicts of interest Business registrations – Home address? – “Virtual” office providers
  • 90. BP&G: Client Consent • Is client consent required? • 12-3: “A lawyer may not voluntarily disclose any information relating to a client’s representation without either application of an exception to the confidentiality rule or the client’s informed consent.” • “A lawyer has the obligation to ensure that confidentiality of information is maintained by nonlawyers under the lawyer’s supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.” • 07-02: “the attorney make reasonable efforts to ensure that the nonlawyers’ conduct is consistent with the ethics rules.” • 10-2: “If a nonlawyer will have access to confidential information, the lawyer must obtain adequate assurances from the nonlawyer that confidentiality of the information will be maintained.“
  • 91. BP&G: Client Consent • Is client consent required? • Not if the lawyer takes reasonable precautions and obtains adequate assurances to protect confidential information • But just in case: • “The firm reserves the right to utilize Internet-based, “cloud computing” services to store its communications and files, including confidential client information.”
  • 92. BP&G: Client Consent • Another option: • Client understands and agrees that Counsel uses a variety of technology, including the Internet and secure computer servers of one or more third-party vendors, to communicate with clients, to store documents, and to perform other activities. The practice of using third party software and servers to transmit and store data over the Internet is known as “cloud computing.” The type of technology Counsel uses is substantially similar to the technology used by online applications such as online banking, Facebook, PayPal, Twitter, ebay, Dropbox, Gmail, iCloud Mail, Yahoo! Mail, Outlook.com, and many other “software as a service” applications that utilize the cloud with encryption technology. Counsel believes Google and other vendors used have security and management practices that meet or exceed applicable ethics requirements and, therefore, that the “cloud” is a secure method of communication and operation. • Client represents and affirms that Client understands the risks and benefits of cloud computing. Further, Client represents and affirms that Client expects Counsel to use elements of “cloud computing” to facilitate timely communication and to facilitate less expensive and more efficient legal representation. Finally, Client expressly authorizes Counsel to use those cloud-based applications and services that Counsel believes are appropriate for communicating with Client, storing documents, and carrying out other necessary tasks in the course of representing Client.
  • 93. BP&G: In Case of Breach • • • • • Fla. Stat. § 817.5681: Breach of security concerning PI Requires notice to compromised residents within 45 days Fines up to $500,000 Vendors must notify their clients within 10 days What is PI? – First name, first initial of last name, or any middle name and last name, AND: • • • Social security number; Driver’s license or Florida ID number; or Account number, credit card number, or debit card number, combined with some code that would permit access to a financial account • How many of us store client SSNs? • Does this apply only to cloud computing?
  • 94. Summary of Policies • Device security policies – Do the policies require encryption where available? • Password policies • Device disposal policies • BYOD policy • Breach notifications • Engagement letter verbiage
  • 95. Panel Discussion • Introductions: – Patti Savitz – Nancy Stuparich