Cloud Computing for Attorneys

2017 Herbert W. Walton Bench Bar Conference

Peter C. Simonsen, Presenter

1. What is “the Cloud”.

2. Contractual concerns with Cloud computing.

3. Pitfalls and security concerns with Cloud computing.

4. Advising clients on cyber liability issues.

Law Firms Must Manage Cybersecurity Risks

March, 2017 Edition of the ABA Journal

• 30% of all law firms reported that current or potential

clients had security requirements.

3 Men Made Millions by Hacking Merger Lawyers, U.S.

Says

December 27, 2016 New York Times.

• Top M&A firms in New York

were hacked by Chinese men,

who then used the information

to make $4 million on insider

trading.

The Security Flaws at the Heart of the Panama Papers

April 6, 2016 Wired.

• Security experts found that Mossack Fonseca’s

webmail system hadn’t been

updated since 2009 and its

client portal hadn’t been updated

since 2013.

Chicago Law Firm Accused of Lax Data Security in Lawsuit

December 9, 2016 Bloomberg.

• Chicago law firm was sued in a class action for failing to

take adequate steps to protect the data on its servers.

• Complaint alleged law firm “was a data breach waiting to

happen.”

• Firm was using systems that had not been updated or

maintained.

• Personal Information• Social Security numbers

• Birthdates

• Financial Information• Bank account numbers

• Credit card numbers

• Tax returns

• Corporate Information• Stock purchase agreements

• Confidential information

• Mergers and acquisitions

• Health Information• Medical records

• Mental health assessments

• Medications

• Personal Information

• Financial Information

• Corporate Information

• Health Information

• PCI Compliance

• HIPPA Compliance

• Regulatory oversight

In traditional software licensing, the customer goes to the

store and purchases a physical copy

of software, which is installed locally

on your computer or network.

• You purchase the software up front.

• You pay for however many copies (licenses) you need.

• You own the software. Forever.

• The software is installed on your network or server.

• You do not normally need an internet connection to use the software.

• Any DATA is stored locally on your computer or network.

Example: Microsoft products.

• If you purchased Office 2004, you own Office 2004 forever, even after Microsoft stopped releasing updates.

• If you had 20 computers in your firm, you paid for 20 licenses, up front - maybe with some sort of extended warranty or service plan.

• Office was installed on each computer or on your firm server.

• You could not access it on any other device.

• Your Word documents were stored on your network.

This is traditional software licensing. Many companies still use this model.

Pros:

• You own product.

• You store your data.

Cons:

• Typically higher up front costs.

• Less accessibility and efficiency.

• Data security is your responsibility.

In the late 2000’s, a new model of software use and purchasingbegan to take hold: Software as a service (SAAS). The SAASmodel is subscription based and is centrally hosted by theprovider. This model is now being adopted across the industry.

• You pay a subscription fee.

• You have access to the software over the internet.

• There is little to no software installed on your computer or server.

• There is no limit on how many devices you can use access the software.

• You need access to the internet to access the software.

• Any DATA is stored on the provider’s server.

• Traditional Software is about USE.

• SAAS is about DATA.

• With SAAS – the software is hosted on the provider’s servers. They store your data for you. IN THE CLOUD.

Example: MyCase

• You pay a monthly subscription fee per user.

• If you have an tablet, a smartphone, and a computer, you only pay one fee.

• You access MyCase through the internet.

• All data is stored on MyCase servers.

• If you stop paying the subscription fee, you lose access to the software.

Examples:

• Gmail

• iCloud

• Dropbox

• Evernote

• ADP

• Microsoft Office 365

• Facebook

• Twitter

• DocuSign

• Clio

• Rocket Matter

• MyCase

More and more companies are transiting to this model:

Pros:

• Lower up front costs.

• Access across different platforms.

• Data security provided by vendor.

Cons:

• Data hosted offsite.

• Typically higher costs over time.

From Dropbox’s Standard Terms of Service:

We'll provide you with reasonable advance notice via the email

address associated with your account to remedy the activity that

prompted us to contact you and give you the opportunity to

export Your Stuff from our Services. If after such notice you fail

to take the steps we ask of you, we'll terminate or suspend your

access to the Services.

We won't provide notice before termination where you're in

material breach of these Terms.

From Dropbox’s Standard Terms of Service:

OTHER THAN FOR THE TYPES OF LIABILITY WE CANNOT

LIMIT BY LAW (AS DESCRIBED IN THIS SECTION), WE

LIMIT OUR LIABILITY TO YOU TO THE GREATER OF $20

USD OR 100% OF ANY AMOUNT YOU'VE PAID UNDER

YOUR CURRENT SERVICE PLAN WITH DROPBOX.

From Dropbox’s Standard Terms of Service:

Judicial forum for disputes. You and Dropbox agree that any

judicial proceeding to resolve claims relating to these Terms or

the Services will be brought in the federal or state courts of San

Francisco County, California, subject to the mandatory

arbitration provisions below. Both you and Dropbox consent to

venue and personal jurisdiction in such courts.

Ask for:

• Removal of Limitation of Liability or carve outs

• Choice of law and venue in Kansas, or at least defendant’s

choice so you don’t get sued in California.

• Termination for convenience by you (Typically not standard in

paid services).

• No termination of services by them. Do not let them shut you

down unilaterally or worse destroy your data. Allow them to

get an injunction if they really need to stop you from using the

service.

Ask for:

• Spelled out procedure for getting your data back.

• Warranty for data security (Don’t let them disclaim everything)

• Cyber liability insurance.

• No modification without written agreement signed by both

parties.

• Click-to-accept disclaimer.

• Indemnification for data related losses.

• Disaster recovery plan and security credentials (Like PCI

compliance)

KRPC 1.1 – Competence

A lawyer has a duty to possess knowledge and keep abreast of

changes in the law and its practice.

Comment 8

To maintain the requisite knowledge and skill, a lawyer should

keep abreast of changes in the law and its practice, including

the benefits and risks associated with relevant technology.

KRPC 1.6(c) – Confidentiality of Information

A lawyer shall make reasonable efforts to prevent the

inadvertent or unauthorized disclosure of, or unauthorized

access to, information relating to the representation of a client.

KRPC 1.6 – Confidentiality of Information

Comment 26

Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against

unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are

participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1, and 5.3. The

unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a

client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access

or disclosure. Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to,

the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing

additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the

lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client

may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo

security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to

safeguard a client's information in order to comply with other law, such as state and federal laws that govern data privacy or that

impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of

these Rules. For a lawyer's duties when sharing information with nonlawyers outside the lawyer's own firm, see Rule 5.3,

Comments [3]-[4].

ABA Cloud Computing Ethics Opinions around the US

ABA Cloud Computing Ethics Opinions around the US

• All published ethics opinions have stated that cloud

computing is permitted under the ethical rules.

• Lawyer must use reasonable care.

• No Kansas or Missouri guidance.

Hypothetical 1:

You leave a physical file in your unlocked car and it gets stolen.

Hypothetical 2:

Your law firm burns down.

Hypothetical 3:

Your Dropbox gets hacked because your password was 1234.

Hypothetical 4:

The Russians hack Microsoft’s servers, where your data is

stored.

Malpractice insurance typically covers third party claims. It doesnot typically cover first party claims. Even as it pertains to thirdparties, there could be gaps in the coverage such as:

• Privacy notification requirements.

• Crisis management.

• Cyber extortion (ransomware).

• Business interruption.

• Recovery of data.

Commercial General Liability policies, also known as BusinessOwner’s Policies have their own gaps. Many now explicitlyexclude data related losses.

Commercial General Liability Exclusion:

Excludes coverage, under Coverages A and B, for injury or

damage arising out of any access to or disclosure of any

person’s or organization’s confidential or personal information,

including patents, trade secrets, processing methods, customer

lists, financial information, credit card information, health

information or any other type of nonpublic information.

CG 21 06 05 14 (Exclusion – Access Or Disclosure Of

Confidential Or Personal Information And Data-Related Liability

– With Bodily Injury Exception)

Cyber Liability Insurance specifically covers these coverage gaps. Oftentimes include:

• Liability for security or privacy breaches, including loss of confidential information by

allowing, or failing to prevent, unauthorized access to computer systems;

• The costs associated with a privacy breach, such as consumer notification, customer

support, and costs of providing credit monitoring services to affected consumers;

• The costs associated with restoring, updating, or replacing business assets stored

electronically;

• Business interruption and extra expense related to a security or privacy breach;

• Liability associated with libel, slander, copyright infringement, product disparagement,

or reputational damage to others when the allegations involve a business website,

social media, or print media;

• Expenses related to cyber extortion or cyberterrorism; and

• Coverage for expenses related to regulatory compliance for billing errors.

• The biggest concern with Cloud Computing is the location of your

data. Make sure it is secure.

• Review SAAS agreements and make sure you understand what your

rights and remedies are.

• Preserve confidentially.

• Get cyber liability insurance for your firm and recommend it to your

clients.

• Put good cybersecurity procedures in place.