Putting Your Practice on Cloud 9
Cloud Computing
Software-as-a-Service
Web Application
ASP
traditional computing model
The Internet Local Area Network
software-as-a-service model
The Internet Local Area Network
typical small law office
traditional software distribution
cloud computing
why cloud computing?
You need to deliver a better experience to your clients
We’re screwed.
There is a profound message here for lawyers—when thinking IT and the Internet, the challenge is not to automate current working practices that are not efficient. The challenge is to innovate, to practice law in ways that we could not have done in the past.
It’s not just what you sell
It’s how you sell it
47%53%
Deliver a cloud experience to your clients
innovators 2.5%
early adopters 13.5%
early majority 34%
late majority 34%
laggards 16%
up and running fast
save money
cash flow
ethics of cloud computing
North Carolina State Bar Ethics Inquiry
•2011 FEO 6 "Subscribing to Software as a Service While Fulfilling Confidentiality and Preservation of Client Property"
•First ethics opinion in North America specifically focused on use of cloud computing in a law firm
Inquiry #1
Is it within the Rules of Professional Conduct for an attorney/law firm to use online ("cloud computing") practice management programs (e.g., the Clio program) as part of the practice of law? These are instances where the software program is accessed online with a password and is not software installed on a computer within the firm's office.
North Carolina Proposed Formal Ethics Opinion
Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.
Other States Following Suit
• Pennsylvania Formal Opinion 2011-200
• California Formal Opinion No. 2010-179
• Alabama State Bar Ethics Opinion 2010-02
• Arizona State Bar Formal Opinion 09-04
• Nevada State Bar Formal Opinion No. 33
• New York State Bar Association Opinion 842 of 2010
• Iowa Op. 11-01
• Oregon Formal Op. 2011-188
• Vermont Advisory Ethics Op. 2010-6
• Massachusetts MBA Ethics Opinion 12-03
ABA 20/20 Ethics Commission
•Examining how a lawyer’s ethical responsibilities apply to cloud computing
•Recommendations adopted in August 2012
ABA 20/20 Ethics Commission
•The development of a centralized, user-friendly website that contains continuously updated and detailed information about confidentiality-related ethics issues arising from lawyer’s use of technology, including the latest data security standards.
•Amendments to several Model Rules of Professional Conduct and their Comments to offer specific guidance and expectations relating to technology.
ABA 20/20 Ethics Commission
The Commission concluded that competent lawyers must have some awareness of basic features of technology. To make this point, the Commission is recommending an amendment to Comment [6] of Model Rule 1.1 (Competence) that would emphasize that, in order to stay abreast of changes in the law and its practice, lawyers need to have a basic understanding of technology’s benefits and risks.
ABA 20/20 Ethics Commission
Proposed new Model Rule 1.6(c) would make clear that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access. This duty is already implicit in Model Rule 1.6 and is described in several existing comments, but the Commission concluded that, in light of the pervasive use of technology to store and transmit confidential client information, this obligation should be stated explicitly in the black letter of Model Rule 1.6.
ABA Model Rules of Professional Conduct
“When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.” (Emphasis added)
Comment 17, Rule 1.6
security of cloud computing
Security
Encryption
Data Privacy
Data Availability
Terms of Service
encryption
terminology
•Secure Sockets Layer (SSL)
  ➢ Industry standard protocol for securing Internet communications
  ➢ Banks, e-commerce sites (Amazon.com, etc.) all use SSL for secure communications
without ssl
Information exchanged is insecure
Please give me my bank account balance
$2,031.34
Your Computer Your Bank’s Server
with ssl
11010001110
01101010001010110101010100101010
Your Computer Your Bank’s Server
Information exchanged is encrypted for security
verifying ssl connections
A sealed lock icon indicates a secure connection
Firefox:
Internet Explorer:
Safari:
server security
Are third-party audits being performed?
endpoint security
HIPAA
privacy
•Does the SaaS provider have a published privacy policy?
•Need to ensure you own your data
•The private client information stored with your SaaS provider cannot be used for any other purposes
facebook privacy policy
You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid,
worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store,
retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame,
translate, excerpt, adapt, create derivative works and distribute (through multiple tiers),
any User Content you (i) Post on or in connection with the Facebook Service or the promotion
thereof subject only to your privacy settings.
You may remove your User Content from the Site at any time. If you choose to remove your User
Content, the license granted above will automatically expire, however you acknowledge that
the Company may retain archived copies of your User Content.
How is sensitive information being handled?
TRUSTe
“TRUSTe’s program requirements are based upon the Fair Information Principles and OECD Guidelines around notice, choice, access, security, and redress - the core foundations of privacy and building trust. Sealholders are required to undergo a rigorous review process to assess the accuracy of privacy disclosures and compliance with TRUSTe’s requirements in order to obtain certification.”
data availability
Data Location
•Where is main data center(s)
•Is data backed up to multiple offsite locations?
external backup provisions
•Can you perform an export of your data?
Comma Separated Values (CSV)
Extensible Markup Language (XML)
Microsoft Excel (XLS)
business continuity
What if the SaaS provider goes out of business?
option 1: data export
Cross your fingers and hope you’re up to date…
Comma Separated Values (CSV)
Extensible Markup Language (XML)
Microsoft Excel (XLS)
If it isn’t automated you’ll forget to do it
option 2: data escrow
saas provider escrow provider
saas user
terms of service / service level agreement
terms of service
•Easily accessible, published ToS?
•Outlines the conditions under which you agree to use the service
•Ensure you’ve reviewed and accepted your provider’s terms of service
service level agreement
•SLA
•Outlines guaranteed uptime percentages
•E.g. 99.9%
•Usually provides for some kind of compensation if downtime exceeds SLA guarantee
data center security
Thank You