Cloud Computing for Attorneys
2017 Herbert W. Walton Bench Bar Conference
Peter C. Simonsen, Presenter
1. What is “the Cloud”?
2. Contractual concerns with Cloud computing.
3. Pitfalls and security concerns with Cloud computing.
4. Advising clients on cyber liability issues.
Law Firms Must Manage Cybersecurity Risks
March, 2017 Edition of the ABA Journal
• 30% of all law firms reported that current or potential
clients had security requirements.
3 Men Made Millions by Hacking Merger Lawyers, U.S. Says
December 27, 2016 New York Times.
• Top M&A firms in New York were hacked by Chinese men, who then used the information to make $4 million on insider trading.
The Security Flaws at the Heart of the Panama Papers
April 6, 2016 Wired.
• Security experts found that Mossack Fonseca’s webmail system hadn’t been updated since 2009 and its client portal hadn’t been updated since 2013.
Chicago Law Firm Accused of Lax Data Security in Lawsuit
December 9, 2016 Bloomberg.
• Chicago law firm was sued in a class action for failing to
take adequate steps to protect the data on its servers.
• Complaint alleged law firm “was a data breach waiting to
happen.”
• Firm was using systems that had not been updated or
maintained.
• Personal Information
  • Social Security numbers
  • Birthdates
• Financial Information
  • Bank account numbers
  • Credit card numbers
  • Tax returns
• Corporate Information
  • Stock purchase agreements
  • Confidential information
  • Mergers and acquisitions
• Health Information
  • Medical records
  • Mental health assessments
  • Medications
• Personal Information
• Financial Information
• Corporate Information
• Health Information
• PCI Compliance
• HIPAA Compliance
• Regulatory oversight
In traditional software licensing, the customer goes to the store and purchases a physical copy of software, which is installed locally on the customer’s computer or network.
• You purchase the software up front.
• You pay for however many copies (licenses) you need.
• You own the software. Forever.
• The software is installed on your network or server.
• You do not normally need an internet connection to use the software.
• Any DATA is stored locally on your computer or network.
Example: Microsoft products.
• If you purchased Office 2004, you own Office 2004 forever, even after Microsoft stopped releasing updates.
• If you had 20 computers in your firm, you paid for 20 licenses, up front - maybe with some sort of extended warranty or service plan.
• Office was installed on each computer or on your firm server.
• You could not access it on any other device.
• Your Word documents were stored on your network.
This is traditional software licensing. Many companies still use this model.
Pros:
• You own product.
• You store your data.
Cons:
• Typically higher up front costs.
• Less accessibility and efficiency.
• Data security is your responsibility.
In the late 2000s, a new model of software use and purchasing began to take hold: Software as a Service (SAAS). The SAAS model is subscription based and is centrally hosted by the provider. This model is now being adopted across the industry.
• You pay a subscription fee.
• You have access to the software over the internet.
• There is little to no software installed on your computer or server.
• There is no limit on how many devices you can use to access the software.
• You need access to the internet to access the software.
• Any DATA is stored on the provider’s server.
• Traditional Software is about USE.
• SAAS is about DATA.
• With SAAS – the software is hosted on the provider’s servers. They store your data for you. IN THE CLOUD.
Example: MyCase
• You pay a monthly subscription fee per user.
• If you have a tablet, a smartphone, and a computer, you only pay one fee.
• You access MyCase through the internet.
• All data is stored on MyCase servers.
• If you stop paying the subscription fee, you lose access to the software.
Examples:
• Gmail
• iCloud
• Dropbox
• Evernote
• ADP
• Microsoft Office 365
• DocuSign
• Clio
• Rocket Matter
• MyCase
More and more companies are transitioning to this model:
Pros:
• Lower up front costs.
• Access across different platforms.
• Security of the servers and infrastructure is provided by the vendor (securing your own accounts, passwords and user access remains your responsibility).
Cons:
• Data hosted offsite.
• Typically higher costs over time.
From Dropbox’s Standard Terms of Service:
We'll provide you with reasonable advance notice via the email
address associated with your account to remedy the activity that
prompted us to contact you and give you the opportunity to
export Your Stuff from our Services. If after such notice you fail
to take the steps we ask of you, we'll terminate or suspend your
access to the Services.
We won't provide notice before termination where you're in
material breach of these Terms.
From Dropbox’s Standard Terms of Service:
OTHER THAN FOR THE TYPES OF LIABILITY WE CANNOT
LIMIT BY LAW (AS DESCRIBED IN THIS SECTION), WE
LIMIT OUR LIABILITY TO YOU TO THE GREATER OF $20
USD OR 100% OF ANY AMOUNT YOU'VE PAID UNDER
YOUR CURRENT SERVICE PLAN WITH DROPBOX.
From Dropbox’s Standard Terms of Service:
Judicial forum for disputes. You and Dropbox agree that any
judicial proceeding to resolve claims relating to these Terms or
the Services will be brought in the federal or state courts of San
Francisco County, California, subject to the mandatory
arbitration provisions below. Both you and Dropbox consent to
venue and personal jurisdiction in such courts.
Ask for:
• Removal of Limitation of Liability or carve outs.
• Choice of law and venue in Kansas, or at least defendant’s choice so you don’t get sued in California.
• Termination for convenience by you (typically not standard in paid services).
• No termination of services by them. Do not let them shut you down unilaterally or, worse, destroy your data. Allow them to get an injunction if they really need to stop you from using the service.
Ask for:
• Spelled out procedure for getting your data back.
• Warranty for data security (don’t let them disclaim everything).
• Cyber liability insurance.
• No modification without written agreement signed by both parties.
• Click-to-accept disclaimer.
• Indemnification for data related losses.
• Disaster recovery plan and security certifications or attestations (like PCI compliance).
KRPC 1.1 – Competence
A lawyer has a duty to possess knowledge and keep abreast of
changes in the law and its practice.
Comment 8
To maintain the requisite knowledge and skill, a lawyer should
keep abreast of changes in the law and its practice, including
the benefits and risks associated with relevant technology.
KRPC 1.6(c) – Confidentiality of Information
A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a client.
KRPC 1.6 – Confidentiality of Information
Comment 26
Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against
unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are
participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1, and 5.3. The
unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a
client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access
or disclosure. Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to,
the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing
additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the
lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client
may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo
security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to
safeguard a client's information in order to comply with other law, such as state and federal laws that govern data privacy or that
impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of
these Rules. For a lawyer's duties when sharing information with nonlawyers outside the lawyer's own firm, see Rule 5.3,
Comments [3]-[4].
ABA Cloud Computing Ethics Opinions around the US
• All published ethics opinions have stated that cloud
computing is permitted under the ethical rules.
• Lawyer must use reasonable care.
• No Kansas or Missouri guidance.
Hypothetical 1:
You leave a physical file in your unlocked car and it gets stolen.
Hypothetical 2:
Your law firm burns down.
Hypothetical 3:
Your Dropbox gets hacked because your password was 1234.
Hypothetical 4:
The Russians hack Microsoft’s servers, where your data is
stored.
Malpractice insurance typically covers third party claims. It does not typically cover first party claims. Even as it pertains to third parties, there could be gaps in the coverage such as:
• Privacy notification requirements.
• Crisis management.
• Cyber extortion (ransomware).
• Business interruption.
• Recovery of data.
Commercial General Liability policies, and the Business Owner’s Policies that bundle them, have their own gaps. Many now explicitly exclude data related losses.
Commercial General Liability Exclusion:
Excludes coverage, under Coverages A and B, for injury or
damage arising out of any access to or disclosure of any
person’s or organization’s confidential or personal information,
including patents, trade secrets, processing methods, customer
lists, financial information, credit card information, health
information or any other type of nonpublic information.
CG 21 06 05 14 (Exclusion – Access Or Disclosure Of
Confidential Or Personal Information And Data-Related Liability
– With Bodily Injury Exception)
Cyber Liability Insurance specifically covers these coverage gaps. Coverage oftentimes includes:
• Liability for security or privacy breaches, including loss of confidential information by
allowing, or failing to prevent, unauthorized access to computer systems;
• The costs associated with a privacy breach, such as consumer notification, customer
support, and costs of providing credit monitoring services to affected consumers;
• The costs associated with restoring, updating, or replacing business assets stored
electronically;
• Business interruption and extra expense related to a security or privacy breach;
• Liability associated with libel, slander, copyright infringement, product disparagement,
or reputational damage to others when the allegations involve a business website,
social media, or print media;
• Expenses related to cyber extortion or cyberterrorism; and
• Coverage for expenses related to regulatory compliance for billing errors.
• The biggest concern with Cloud Computing is the location of your
data. Make sure it is secure.
• Review SAAS agreements and make sure you understand what your
rights and remedies are.
• Preserve confidentiality.
• Get cyber liability insurance for your firm and recommend it to your
clients.
• Put good cybersecurity procedures in place.