Cloud 9 Talks Professionalism and Ethics in the Virtual World

OCBA Professionalism and Technology Committees

February 13, 2014 •11:30 a.m. - 3:50 p.m.

Lunch sponsored by:

Program Faculty:Daniel D. Whitehouse · Joan Bullock · Patti Savitz · Nancy Stuparich · C. Todd Smith · Ryan Colbert · Mark Miller · Michael Kest ·

Tom Young

Agenda (Destination: Cloud 9)

• 11:30 p.m. - 12:00 p.m. Registration and Lunch• 12:00 p.m. - 12:10 p.m. Introductions• 12:10 p.m. - 1:00 p.m. Tech Overview and Fl. Ethics Opinion 12-3

– Decide to get away (i.e., change the way we conduct business)

• 1:00 p.m. – 1:50 p.m. Comparing and Contrasting– Make our itinerary (the tools of the trade)

• 1:50 p.m. – 2:00 p.m. BREAK• 2:00 p.m. - 2:50 p.m. Best Practices and Gotchas

– Avoid the geese during takeoff (traps for the unwary)

• 3:00 p.m. - 3:50 p.m. Panel Discussion– Speak with friends who have returned safely (the panel)

• Enjoy the endeavor!

Introductions

• C. Todd Smith • Daniel D. Whitehouse • Tom Young

To be introduced later:• Joan Bullock • Ryan Colbert • Mark Miller • Patti Savitz• Nancy Stuparich

Everybody Else Is Doing It

So Why Can’t We?

Ethical Concerns:• Connectivity alternatives • Data Centers: owned or rented; security; physical location and governing laws• Vendor’s ability and policies to assure confidentiality and security• Unclear policies about data ownership• Policies for data breach notice• Assurance of data destruction upon termination• Vendor’s process for complying with litigation hold• Failure to adequately back up data; location of backups• Encryption: in transit, during storage, controlled access, verification of data integrity• Vendor bankruptcy• What happens for nonpayment for services• Disgruntled/dishonest insiders• Hackers• Server crashes, technical failures, uptime guarantee. and damages• Viruses• Data corruption or destruction• Business interruption • Absolute loss •Change of cloud providers• Exit Strategy

PREAMBLE: A LAWYER'S RESPONSIBILITIES

“Informed consent” denotes the agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.

PREAMBLE: A LAWYER'S RESPONSIBILITIES

“The communication necessary to obtain such consent will vary according to the rule involved and the circumstances giving rise to the need to obtain informed consent. The lawyer must make reasonable efforts to ensure that the client or other person possesses information reasonably adequate to make an informed decision. Ordinarily, this will require communication that includes a disclosure of the facts and circumstances giving rise to the situation, any explanation reasonably necessary to inform the client or other person of the material advantages and disadvantages of the proposed course of conduct and a discussion of the client's or other person’s options and alternatives.”

PREAMBLE: A LAWYER'S RESPONSIBILITIES

“Obtaining informed consent will usually require an affirmative response by the client or other person. In general, a lawyer may not assume consent from a client's or other person's silence. Consent may be inferred, however, from the conduct of a client or other person who has reasonably adequate information about the matter.”

COMPETENCE

FLORIDA MODEL RULE

4-1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.

Comments “Competent handling of a particular

matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners.”

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.

1.1

Comments

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” Compare Fla. Ethics Op. 12-3.

4-1.4(a) Informing Client of Status of Representation. A lawyer shall:

(2) reasonably consult with the client about the means by which the client’s objectives are to be accomplished;

(b) Duty to Explain Matters to Client. A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

COMMUNICATION

CONFIDENTIALITY

FLORIDA MODEL RULE

4-1.6 (a) Consent Required to Reveal

Information. A lawyer shall not reveal information relating to representation of a client except as stated in subdivisions (b), (c), and (d), unless the client gives informed consent.

(c) When Lawyer May Reveal Information. A lawyer may reveal such information to the extent the lawyer reasonably believes necessary:

(1) to serve the client's interest unless it is information the client specifically requires not to be disclosed. . . .

1.6 (a) A lawyer shall not reveal

information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

Amended to add (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

4-5.1 Responsibilities of Partners, Managers, and Supervisory Lawyers

(a) Duties Concerning Adherence to Rules of Professional Conduct. A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers therein conform to the Rules of Professional Conduct.

MANAGEMENT RESPONSIBILITIES

Cloud computing is a form of nonlawyer assistance. See ABA Formal Op. 08-451.

4-5.3 Responsibilities Regarding Nonlawyer Assistants(b) Supervisory Responsibility. With respect to a nonlawyer employed or retained by or associated with a lawyer or an authorized business entity as defined elsewhere in these Rules Regulating The Florida Bar:

(1) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person’s conduct is compatible with the professional obligations of the lawyer. . . .

NONLAWYER ASSISTANCE

Cloud and Tech OverviewDaniel D. Whitehouse, Esq.

• What is the cloud?– It’s the Internet!

• How do we access the cloud?– Desktop/laptop– Smartphone– Tablets– ISP

• How much bandwidth do I need? And what is bandwidth??

– Wi-Fi

• How do we secure the cloud (if that’s even possible)?– Encryption

• What can I encrypt?

• Where do I buy the cloud?– In the cloud, of course!– SaaS– Managed Service Provider

Cloud and Tech Overview Daniel D. Whitehouse, Esq.

• Are there alternatives to the cloud?– On-premise solutions

• What are the benefits of the cloud?– Access from anywhere with an Internet connection– Reduced costs

• Op-Ex versus Cap-Ex• Support staff

– Enhanced security• Wait, what???

• What are the risks of the cloud?– Loss of Internet access– Potential target for large-scale security breaches

• But isn’t it more secure?

– Employee burnout (always connected)

Cloud and Tech OverviewDaniel D. Whitehouse, Esq.

• What else is in the cloud?– Phone service (Voice over IP, or VoIP)– Sending faxes (eFax.com and others)– Postage (Stamps.com)– Thank You cards (Postable, Shutterfly, etc.)– Photos (Snapfish, Flickr, Facebook, etc.)

• Law firms are in the cloud!– Virtual Offices

• What is a virtual law firm?– Representing clients without the need to see them face to face

• Where do I sign??

Virtual Law OfficeDaniel D. Whitehouse, Esq.

• How does a virtual law office work?– Attorneys work wherever the cloud is available– Meet with clients via video or voice conferencing– Have calls forwarded to their cell phone (or cloud VoIP)– Transfer documents back and forth (email, document storage, or another portal)

• What about checking the mail?– You don’t want mail!– Be as paperless as possible and encourage your clients to do the same

• Who else can be virtual?– Receptionists– Paralegals– Bookkeepers

Virtual Law OfficeDaniel D. Whitehouse, Esq.

• Will clients utilize the services of a virtual law office?– It depends– Some need to “tell their story” and want to do it in person

• Push for video conferencing

– Many appreciate the flexibility (and don’t like downtown)

• Are there ethical issues with operating a virtual law office?– Of course!– We’ll discuss them at 2 p.m.

• How do we start?

Segue to Cloud 9Daniel D. Whitehouse, Esq.

• "[T]he use of cloud computing raises ethics concerns of confidentiality, competence, and proper supervision of nonlawyers."

• LOMAS says many lawyers are already using cloud computing

• “72 percent of practicing attorneys at independent law firms in the U.S. are more likely to use cloud tools in 2014 than the previous year.” (Inside Counsel)

• Recent Florida Bar survey: 63% of Florida lawyers surveyed carry an iPhone; 14% carry an Android phone

Ethics Opinion 12-3Daniel D. Whitehouse, Esq.

• "Lawyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely. The lawyer should research the service provider to be used."

• “[L]awyers have an obligation to remain current not only in developments in the law, but also developments in technology that affect the practice of law.”

• “Lawyers who use cloud computing therefore have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.”

Ethics Opinion 12-3Daniel D. Whitehouse, Esq.

• "[L]awyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s).“

• “[L]awyers must be able to access the lawyer’s own information without limit”

• “[C]onsider whether the information stored via cloud computing is also stored elsewhere by the lawyer in the event the lawyer cannot access the information via ‘the cloud.’”

Extracting the GuidelinesDaniel D. Whitehouse, Esq.

• We need to obtain advice about cloud security

• We need to read terms of service

• We need terms that acknowledge the law firm owns the data

• We need the provider to preserve confidentiality

• We need to know that data is destroyed when we wish it to be destroyed

How can we Comply?Daniel D. Whitehouse, Esq.

• Advice about cloud security– Use reputable vendors (Is “Joe’s Cloud Computing and Waffles” reputable?)– What standards does the vendor follow and have they been audited?

• SSAE 16 is the standard for datacenters• PCI is the standard for credit card processing

– How often is your data backed up?– Where is it located?– Is the provider’s infrastructure redundant (or is the data redundant)

• Read terms of service for:– Data ownership– Confidentiality– Info sharing with third parties (likely in the privacy policy)– Data destruction policies

The Fear of the CloudDaniel D. Whitehouse, Esq.

• LOMAS’ Tips– Look like they contain checklists– If read literally, no one would ever use the cloud

• Remember the language of 12-3: “reasonable precautions”

CLOUD 9 TALKS PROFESSIONALISM AND ETHICS IN THE VIRTUAL WORLD

Comparing and Contrasting Cloud Case Management Tools

C. Todd Smith & Daniel Whitehouse

PROGRESS

Why go to the cloud?

Your entire practice in the palm of your hand

Frequently Used Cloud-based Products

• NetDocs • Office 365 • Google Apps for

Business (Gmail)• Amicus• RocketMatter • Clio• MyCase• Total Attorney• Dropbox• Evernote

Cloud Case Management (today):

Features and FunctionsCase Management

Time Tracking & Billing

Document Assembly

Contact Management

Calendar & Docketing

So, is this cloud stuffsecure?

Price Comparison:

Fine Print: For users 2-6 the monthly fees start at $49.99

These links and more at:

http://bit.ly/CloudEthics

http://bit.ly/CloudCaseMgt

So, is this cloud stuffsecure (and ethical)?

Products’ Terms of ServiceDaniel D. Whitehouse, Esq.

• Clio• Dropbox• Google• Google Business• Net Documents• Office 365• Rocket Matter

Clio’s Terms of ServiceDaniel D. Whitehouse, Esq.

• http://www.goclio.com/legal/tos/ • Claims no intellectual property rights with respect to content• Can immediately disable your subscription if you exceed bandwidth• Can discontinue any feature without notice• Stores content on redundant servers• Odd provision about escrow data agents.

– User must request this– Do they not perform regular backups on their own?

• Company located in Canada• Data deleted immediately upon cancellation

– Escrowed data will be stored for six months

• Transmission and processing may be unencrypted• Disclaims: everything

Dropbox’s Terms of ServiceDaniel D. Whitehouse, Esq.

• https://www.dropbox.com/privacy#terms• “You retain full ownership to your stuff”• Data is stored on Amazon’s S3 servers

– Sent to Amazon’s site to learn about their security

• Claim they won’t share your content• Not responsible for loss or corruption of data, nor for any costs of

backing up or restoring it• Can terminate service at any point without notice, but will “try” to let

you know in advance• Disclaims: everything• Venue: San Francisco County, CA• Checks all files uploaded for duplicates by other users• Can use geo-location info to “optimize your experience”

More Dropbox Terms of ServiceDaniel D. Whitehouse, Esq.

• Data stored online is encrypted• Can decrypt before providing to law enforcement• Will “try” to delete your information quickly upon request

– Could be latency in doing so, and backed-up versions “might” exist after deletion– Files in common with other users are not deleted

• Cannot guarantee absolute security• Dropbox employees are prohibited from viewing your content but

are permitted to view metadata• Oh, but a small number of employees must be able to access your

data– Huh?

• You can use your own encryption method

Dropbox in the NewsDaniel D. Whitehouse, Esq.

Dropbox in the NewsDaniel D. Whitehouse, Esq.

Dropbox in the NewsDaniel D. Whitehouse, Esq.

Google’s Terms of ServiceDaniel D. Whitehouse, Esq.

• https://www.google.com/intl/en/policies/terms/• “[W]hat belongs to you stays yours.”• “When you upload or otherwise submit content to our Services, you

give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

– Does this sound like confidentiality to you?

• We need not review Google’s terms any further• To be clear, this is the consumer version, NOT Business

Google Business’ Terms of ServiceDaniel D. Whitehouse, Esq.

• http://www.google.com/apps/intl/en/terms/premier_terms.html• Adheres to reasonable security standards• Will notify customer of third-party requests for information• Each party will protect its confidential information• Can use your name and brand features in a list of customers• Disclaims: everything• Termination after 30 days’ notice

– Will provide access to and ability to export data for a commercially reasonable period of time

– Reasonable efforts to delete pointers to active data– Actual data will be overwritten over time

• Liability capped at the amount paid for service• Venue: Santa Clara County, CA

Net Documents’ Terms of ServiceDaniel D. Whitehouse, Esq.

• http://www.netdocuments.com/en-us/TermsConditions/TermsOfUse • Your responsibility to have backups before terminating• Cannot use an automatic device to make copies of data• They disclaim any interest in your data• Will notify you if they receive a request for your data• Information posted on website is for general info purposes and you

rely on it at your own risk– Interesting that the policy is posted on the website

• Disclaims: everything– Including that the files are free of viruses or other destructive code– Along with security and reliability

• Venue: Salt Lake City and Salt Lake County, UT• Other registered users can view your name, email, phone,

organization, etc.

Office 365’sTerms of ServiceDaniel D. Whitehouse, Esq.

• Terms of Service are tricky due to Home and Business versions• http://

office.microsoft.com/en-us/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx

• You own and retain all rights to your data• Will use commercially reasonable efforts to notify if request to

produce• Says data can be transferred anywhere MS maintains facilities

– But provides a regional map to narrow the scope

• Access to data is only for troubleshooting or processing– And they can produce audit logs– The environment operates like an office, so certain internal users can be granted

access to internal data

• Will notify customer if MS becomes aware of unlawful access

Rocket Matter's Terms of ServiceDaniel D. Whitehouse, Esq.

• http://www.rocketmatter.com/pages/subscription_agreement.html• Agrees to keep all data confidential• But notes that they have access to the data• Reserve the right to terminate your account at any time• After termination, data deleted within approximately 100 days• Can attempt to “restore” data within 90 days of cancellation, which

consists of reactivating the account• Disclaims: everything• The service is not fault tolerant• Explicit that the data is stored in the U.S.

Summary of Terms of ServiceDaniel D. Whitehouse, Esq.

• Read them!

• Ask clarifying questions (if you can get them on the phone)

• Read them again!

• Some technical terms are terms of art– Ask a technical person (or technical attorney) to interpret them

• Keep your eyes and ears open for security concerns

Break Time

We will reconvene in 10 minutes

Best Practices and Gotchas

• Introductions:

– Joan Bullock

– Ryan Colbert

– Mark Miller

Operating in the Cloud

• Joan R. M. Bullock, JD, MBA, CPA

Operating in the Cloud

• Opinion 12-3: Lawyers may use cloud computing if they take reasonable steps to ensure

• Confidentiality of client information maintained

• Service provider maintains adequate security

• Lawyer has adequate access to information stored remotely

Confidentiality of Client Information Maintained

• All information related to client’s representation

• Data Security and Confidentiality• Bring your own device (BYOD) policy• Policy regarding non-business use on firm’s network?

• Device protection from malware• Should you limit the types of devices that are able to access

information?

• Obligation to proactively monitor against risks?• Incidence Response Plan• Cybersecurity Insurance Policy

Service Provider Maintains Adequate Security

• Due Diligence• Are you paying for the service or getting it for free?• Is information encrypted—in storage and in transmission?

• Does service provider have all your encryption keys?

• Who owns your data?• How and when will you be notified in the event of a data breach?• What are the security and privacy controls in place with the service provider?• What happens if contract terminated?

• What is procedure for revoking access rights assigned to the service provider?

• Will data be returned in a format accessible by you?

• What assurances are there that your data will be properly expunged from their system?

• What is the service provider’s business continuity and disaster recovery plan? • Data redundancy across multiple data centers?

Janet A. Stiven, Technology: A Lack of Due Diligence Still a Top Threat in the Cloud, INSIDE COUNSEL,Dec. 6, 2013.

Lawyer has adequate access to information stored remotely

• Anytime/anywhere?

• Competence: obligation to understand technology and how it potentially impacts confidentiality of client information

• Update to ensure protection against new threats

Take-aways

• Develop due diligence checklist• Cloud service providers• Third-party technology

• Proactively monitor risks

• Consider limiting number and types of devices that can access your firm’s information

• Develop a plan for data loss or other security breach

• Build in redundancy for system interruption

• Stay current; what you don’t know CAN hurt you

Questions?

Joan R. M. Bullock, JD, MBA, CPA - “THE REFORMED LAW PROF”

Associate Dean for Teaching and Faculty Development and Professor of Law

Florida A&M University College of Lawjoan.bullock@famu.edu

Moving to the CloudDaniel D. Whitehouse, Esq., Ryan Colbert & Mark Miller

• Three common approaches:– Move all existing documents

• Advantage: one place to manage everything • Disadvantage: could be time-consuming and costly

– Move “active” documents• Advantage: staff go to one place for active documents

– Place new documents in the cloud• Disadvantage: multiple places for documents• Could delay full adoption

Training and Policies

• Training has two forms:– Vendor training

• How to use our product

– In-house training• How to use their product for our firm

– Both are needed

• Consider necessary policies before training internal staff

• Takes more time up front but reduces overall implementation time

BP&G: Device Security

• Secure your smartphone– Make sure it’s password protected!– Consider auto erase after X invalid login attempts– Enable remote wipe abilities

• LoJack®-type software for laptops• Consider encryption (more on this in a moment)

BP&G: Password Policies

• Use secure passwords– “password” is no longer first! (“123456” is)– TimPws0! (This is my password stay out!)

• Change passwords often– No more than every 90 days; 60 is preferred

• Don’t use the same password everywhere

• What about password vault software?

BP&G: Encryption

• Encrypt what?

– Hard drives (whole-disk encryption)

– Files

– Removable media (thumb drives)

– Smartphones and tablets?

– Communications, such as Wi-Fi

BP&G: Wi-Fi

• What does the “lock” mean?

– Password to gain access, NOT that the connection is secure!

– Data can still be spoofed

– Verify individual connections, such as HTTPS

BP&G: File Sharing

• Convenient, but has risks

• Scenario 1:– You grant your client rights to folder– Client adds a third person (or even a spouse)– What happens to privilege?

• Scenario 2:– You mean to grant access to Cases\Client X– Instead, you grant access to “Cases”– Whoops

• Case management portals can help avoid the issues above• Consider posting only publically accessible documents

BP&G: Erasing Data

• Equipment Disposal– Use DoD erasure algorithms for devices– Phones as well!– “Brute force” method if all else fails

• Speaking of printers… they need to be erased as well!– And fax machines

• What about VoIP voicemails?• **Don’t forget about legal holds and other requirements**

BP&G: BYOD Issues

• You can bring it to a party, but it’s not what you think it is

• BYOD = Bring Your Own Device

• Convenient, but carries risk

• What happens if employee leaves?– You want company data erased, right?

• What if device needs to be produced?

• Have a policy that outlines requirements

BP&G: Misc. Items

• If something happens to a solo, how do others gain access to cloud material?

• Do any regulatory requirements have stricter standards than the Bar?

– HIPPA– FINRA– PCI, etc.

• Smartphone apps and other general security– Phishing expeditions for privileged info

• What about remote access to on-premise computers?– Is that really “cloud computing”?– If using a service, go through the same process of reviewing their ToS

• Security standards• Data collection• Breach notifications, etc.

BP&G: Virtual Office Perils

• Advertising rules in Florida– Bona fide office requirement– City or County– “Available for consultation”

• Unauthorized Practice of Law• Duty to supervise• Conflicts of interest• Business registrations

– Home address?– “Virtual” office providers

BP&G: Client Consent

• Is client consent required?• 12-3: “A lawyer may not voluntarily disclose any information relating

to a client’s representation without either application of an exception to the confidentiality rule or the client’s informed consent.”

• “A lawyer has the obligation to ensure that confidentiality of information is maintained by nonlawyers under the lawyer’s supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.”

• 07-02: “the attorney make reasonable efforts to ensure that the nonlawyers’ conduct is consistent with the ethics rules.”

• 10-2: “If a nonlawyer will have access to confidential information, the lawyer must obtain adequate assurances from the nonlawyer that confidentiality of the information will be maintained.“

BP&G: Client Consent

• Is client consent required?• Not if the lawyer takes reasonable precautions and obtains

adequate assurances to protect confidential information• But just in case:

• “The firm reserves the right to utilize Internet-based, “cloud computing” services to store its communications and files, including confidential client information.”

BP&G: Client Consent

• Another option:

• Client understands and agrees that Counsel uses a variety of technology, including the Internet and secure computer servers of one or more third-party vendors, to communicate with clients, to store documents, and to perform other activities. The practice of using third party software and servers to transmit and store data over the Internet is known as “cloud computing.” The type of technology Counsel uses is substantially similar to the technology used by online applications such as online banking, Facebook, PayPal, Twitter, ebay, Dropbox, Gmail, iCloud Mail, Yahoo! Mail, Outlook.com, and many other “software as a service” applications that utilize the cloud with encryption technology. Counsel believes Google and other vendors used have security and management practices that meet or exceed applicable ethics requirements and, therefore, that the “cloud” is a secure method of communication and operation.

• Client represents and affirms that Client understands the risks and benefits of cloud computing. Further, Client represents and affirms that Client expects Counsel to use elements of “cloud computing” to facilitate timely communication and to facilitate less expensive and more efficient legal representation. Finally, Client expressly authorizes Counsel to use those cloud-based applications and services that Counsel believes are appropriate for communicating with Client, storing documents, and carrying out other necessary tasks in the course of representing Client.

BP&G: In Case of Breach

• Fla. Stat. § 817.5681: Breach of security concerning PI• Requires notice to compromised residents within 45 days• Fines up to $500,000• Vendors must notify their clients within 10 days• What is PI?

– First name, first initial of last name, or any middle name and last name, AND:• Social security number;• Driver’s license or Florida ID number; or• Account number, credit card number, or debit card number, combined with some code that would

permit access to a financial account

• How many of us store client SSNs?• Does this apply only to cloud computing?

Summary of Policies

• Device security policies– Do the policies require encryption where available?

• Password policies

• Device disposal policies

• BYOD policy

• Breach notifications

• Engagement letter verbiage

Panel Discussion

• Introductions:

– Patti Savitz

– Nancy Stuparich

Panel Discussion