cloud computing - avoiding the ethical pitfalls · 6/3/2014 · 1 cloud computing: avoiding the...


Upload: phungdat

Post on 22-Jul-2019


TRANSCRIPT

Page 1: Cloud Computing - Avoiding the Ethical Pitfalls · 6/3/2014 · 1 Cloud Computing: Avoiding the Ethical Pitfalls Presented by: Daniel J. Siegel, Esquire Integrated Technology Services,


Cloud Computing: Avoiding the Ethical Pitfalls

Presented by: Daniel J. Siegel, Esquire
Integrated Technology Services, LLC
Law Offices of Daniel J. Siegel, LLC

Email – [email protected]
Phone - (610) 446-3467

About Dan

Law Offices of Daniel J. Siegel, LLC

GEEK LAWYER

Ethics Resources
• Pa. Bar Ethics Hotline: Victoria White, Esq., 800-932-0311 x 2214, [email protected]
• Phila. Bar Professional Guidance Hotline: Paul Kazaras, Esq., 215-238-6328, [email protected]
• Legalethics.com
• Law.cornell.edu/ethics
• Abanet.org/adrules
• ABA/BNA Lawyers' Manual on Professional Conduct


Would you let the mailman read your mail?

Would you let Google (or AOL or Yahoo) read your e-mail?

Would you let everyone read your e-mail?

“When you mail a letter to your friend, you hope she'll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That's why we send important messages in sealed envelopes, rather than on postcards.

“Email works in a similar way. Emails that are encrypted as they're routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping – whether by bad actors or through government surveillance – than postcards.”

June 03, 2014


Who is reading your e-mail?

Lawyers can no longer stick their heads in the sand


Duty to Safeguard

• Ethics Rules
• Common Law
• Contracts
• Laws & Regulations

Duty to Safeguard

• Rule 1.1 Competence
• Rule 1.6 Confidentiality
• Rule 1.4 Communication
• Rule 5.1, 5.2, 5.3 Supervision

• As a result of changes that went into effect on November 21, 2013, the Pennsylvania Rules of Professional Conduct now require lawyers to recognize and understand the ethical issues that arise in a variety of subjects, including technology.

• This Rule change goes far beyond the issue of e-mail.

Lawyers can no longer stick their heads in the sand

Aug. 2012 Amendments
Model Rule 1.1 Competence

[Amendment to Comment:]

Maintaining Competence
“…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…”

PA adopted November 2013


Aug. 2012 Amendments
Model Rule 1.6 Confidentiality of Information
[Addition to rule:]

“(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”

PA adopted November 2013

Aug. 2012 Amendments
Model Rule 5.3 Nonlawyer Assistance

+ Revisions to Rule and Comments

PA adopted November 2013

• These technology-focused amendments make it clear that lawyers can no longer claim that technological ignorance is acceptable.

Lawyers can no longer stick their heads in the sand

• Although the framers of the new Rule do not specify what technology the Rule addresses, there is only one logical conclusion:
  • The new Comment requires lawyers to be aware of and consider the risks and benefits of any technology that is relevant to both their practices and their clients.

Lawyers can no longer stick their heads in the sand


• Thus, a trial lawyer who goes to trial without using any software may well be failing to practice using the requisite standard of care.

• Similarly, an attorney who does not consider whether a Word document provided by opposing counsel has relevant metadata may have failed to represent her client fully.

Lawyers can no longer stick their heads in the sand

• Or, an attorney who does not warn his client about social media, and the impact it could have on the client's matter is almost certainly failing to adequately represent a client.

Lawyers can no longer stick their heads in the sand

• Or, an attorney who communicates using a free or online-hosted email service like Gmail or Yahoo may be disclosing confidential information and granting these companies an unlimited license to use confidential information.

Lawyers can no longer stick their heads in the sand

Model Rule 1.6 Comment [19]

New Jersey Opinion 701 (2006)

California Formal Opinion No. 2010-179

Pennsylvania Formal Opinion 2011-200

Encryption


Cloud Security Basics

1. Secure endpoints
2. Secure Internet connection
3. Authentication & access control
4. Secure data at rest

Encryption - Who has the key?

[Diagram: End User, Internet, Cloud Service Provider]

E-mail

Data Transfer - Risky

Data Transfer – More Secure

[Diagram labels: Business, Enterprise]


Encryption

Password protection encrypts with some software:

Limited Protection

Microsoft Office [screenshots, steps 1-3]

Microsoft Office [screenshots, steps 4-5]

A worldwide license to
• use,
• host,
• store,
• reproduce,
• modify,
• create derivative works,
• communicate,
• publish,
• publicly perform,
• publicly display, and
• distribute
your e-mail and all of the documents attached to your e-mail?

Would you ever agree to give your Internet provider:


• Have a license that continues – even if you stop using the provider's Services?

Would you ever agree that an Internet provider may:

• If you use Gmail or Yahoo or AOL or many other free e-mail services, you are almost certainly granting the e-mail provider a license to use, publish or do whatever it wants with your email.

Guess what?

Lawyers can no longer stick their heads in the sand

iCloud Terms and Conditions (October 2017, 2014)

• H. Content Submitted or Made Available by You on the Service

• 1. License from You. Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service.


iCloud Terms and Conditions (October 2017, 2014)

• However, by submitting or posting such Content on areas of the Service that are accessible by the public or other users with whom you consent to share such Content, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.

Apple Privacy Policy (September 17, 2014)

• All the information you provide may be transferred or accessed by entities around the world as described in this Privacy Policy.

• 89.5 percent of Google's $59.06 billion in revenue came from advertisers

(http://www.statista.com/statistics/266249/advertising-revenue-of-google/)

The numbers


• Things you do
• When you use our services – for example, do a search on Google, get directions on Google Maps, or watch a video on YouTube – we collect basic information to make these services work. This can include:
  • Things you search for
  • Websites you visit
  • Videos you watch
  • Ads you click on or tap
  • Your location
  • Device information
  • IP address and cookie data
(https://privacy.google.com/data-we-collect.html/)

What information Google collects about you

• Things that make you “you”
• When you sign up for a Google Account, we keep the basic information you give us. This can include your:
  • Name
  • Email address and password
  • Birthday
  • Gender
  • Phone number
  • Country

• If you have given us your billing information in order to make a purchase, we securely store it on our servers, just like we do with your basic information.
(https://privacy.google.com/data-we-collect.html/)

What information Google collects about you

• Things you create
• If you are signed in with your Google Account, we store and protect what you create using our services, so you will always have your information when you need it. This can include:
  • Emails you send and receive on Gmail
  • Contacts you add
  • Calendar events
  • Photos and videos you upload
  • Docs, Sheets, and Slides on Drive
(https://privacy.google.com/data-we-collect.html/)

What information Google collects about you

• Google uses a process it calls “content extraction” to review its customers' email.

• “Content Extractor is professional data-mining software that organizes collected information for a convenient work.”

• While Google has not released technical details of how the Gmail e-mail "content extraction" and analysis works, the patent (#20040059712) filed with the US Patent and Trademark Office provides some clues.

(http://epic.org/privacy/gmail/faq.html/ and https://code.google.com/p/content-extractor/)

What information Google collects about you


• Gmail examines the entire content of the e-mail message including the header and addressing information in order to derive the "concepts" contained in the e-mail.

• Relevant ads are then placed to the subscriber when the e-mail is displayed.

• Different ads may be served at different times depending on when the e-mail message is viewed, or re-viewed.

(http://epic.org/privacy/gmail/faq.html)

What information Google collects about you

• “It's 'inconceivable' that someone using a Gmail account would not be aware that the information in their email would be known to Google,”*

• In other words, if you use Gmail to communicate with clients, Google is reading your mail and arguing that its technology is exempt from privacy and wiretap laws.
*(http://www2.macleans.ca/2013/09/05/google-says-it-has-right-to-scan-peoples-gmail-accounts/)

Google believes everyone knows itʼs reading their e-mail

• You meet with a client, John Jones, for lunch at La Secret Café to discuss a possible divorce action

• You confirm the lunch in an e-mail using your free Gmail account

• You add the appointment to your free Google Calendar

• Google indexes the e-mail and calendar

• Your client's spouse, Mary Jones, does a Google search for La Secret Café because she is meeting a co-worker there

Consider one scenario

• The search results say:
  • “Your friend, John Jones, likes La Secret Café, and recently met with Attorney Miller there.”

• And of course, Mary Jones knows that you are the most prominent divorce lawyer in town.

Consider one scenario


Consider another scenario

• Everything you search or write in a Google service – especially the free services – is up for grabs by advertisers.

• As far as Google is concerned, users have no right to expect privacy if they freely hand over their information.

• In their motion to have the lawsuit dismissed, Google stated that: “[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”

(http://www.afr.com/p/technology/no_privacy_for_users_who_hand_over_aOe2qkEg2X2wDd4QDuQRbN/)

What Google will say

• Business uses of our Services
• If you are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify Google and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys' fees.
(http://www.google.com/intl/en/policies/terms/)

And you have released Google from any liability

All with the click of a mouse


So How Do You Keep Your Client Data Confidential?

• Understand the Rules
• Understand relevant Terms of Service
• Understand Ethics Opinions
• Understand the Risks
• Be Careful

So How Do You Keep Your Client Data Confidential?

Don't Use “Free” Services

When it comes to e-mail, pay for a private e-mail address

• Having a domain-based e-mail address, such as [email protected] is inexpensive

• Clients expect lawyers to have a domain-based e-mail

• After all, don't you prefer to purchase from Amazon than from Bill, who just has a Yahoo e-mail address?


These tips apply to all cloud-based services

• There are many free services providing e-mail, backup, file sharing and other services lawyers use

• While some of these services may be fine, many are new, and many have Terms of Service that could compromise your obligations to your clients

• As a result, you generally can control your legal rights more effectively with a paid service

These tips apply to all cloud-based services

• You must read the Terms of Service, or at least the portions of the Terms of Service that address:
  • Data ownership
  • Data access
  • Security
  • Other relevant considerations

Stuff Happens

http://www.eweek.com/c/a/Desktops-and-Notebooks/Dropbox-Snafu-Microsoft-BPOS-Outages-Raise-Cloud-Questions-741784/

Dropbox applied a code change that caused problems with the authentication mechanism, switching off users' account passwords for nearly four hours.

That meant anyone could access any account belonging to the service's 25 million customers.

"This should never have happened," Dropbox founder and CTO Arash Ferdowsi wrote in a June 20 corporate blog posting.


What most states are saying

• Lawyers have an ethical duty to protect sensitive client data

• To meet the standard of reasonable care, attorneys must:
  • Be knowledgeable about how providers will handle the data entrusted to them
  • Include terms in any agreement with the provider requiring the provider to preserve the confidentiality and security of the data

www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html

Pa. Bar Formal Opinion 2011-200

• An attorney may ethically allow client confidential material to be stored in "the cloud" provided the attorney takes reasonable care to assure that:
  • (1) all such materials remain confidential, and
  • (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

Pa. Bar Formal Opinion 2011-200

The standard of reasonable care may include:
• Backing up data;
• Installing a firewall to limit access to the firm's network;
• Limiting information that is provided to others as to what is required, needed, or requested;
• Avoiding inadvertent disclosure of information;
• Verifying the identity of individuals to whom the attorney provides confidential information;
• Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission;


Pa. Bar Formal Opinion 2011-200

The standard of reasonable care may include:
• Protecting electronic records containing confidential data, including backups, by encrypting the confidential data;
• Implementing electronic audit trail procedures to monitor who is accessing the data;
• Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data;

Always be prepared

CIO Magazine, May 1, 2013

• You must be knowledgeable about how cloud providers will handle the data you entrust to them.

• This means that lawyers cannot merely click "I Agree" to electronic/online contracts (SLAs) or fail to obtain appropriate advice about cloud security.

What is reasonable care?

• The Terms of Service must state that any data:
  • is owned by the client/law firm
  • is not owned by the cloud provider, and
  • the cloud provider affirmatively agrees to this condition

What is reasonable care?


• Include terms in any SLA or other agreement requiring the provider to preserve the confidentiality and security of the data.

What is reasonable care?

• Include terms in any SLA or other agreement requiring the provider to assure, should data be removed, or the contract terminated, that all confidential data will be destroyed (as will any copies or backups) using a method that guarantees that no other persons can ever access the data. Otherwise, a firm's data could reside on a server indefinitely and fall prey to a savvy hacker.

What is reasonable care?

• Is there a third party audit of security?
• If cloud data is subject to a litigation hold, what is the process to comply with the hold?
• What is the uptime guarantee?
• What is the compensation for a failure?

What is reasonable care?

• A copy of your digital data should be stored onsite

• Many vendors will tell you this is not necessary

• Although there is some cost to do this, it allows you to protect your ability to represent your client regardless of unforeseen circumstances

What is Reasonable Care?


• You access the cloud through the Internet

• You must have an alternate way to connect to the Internet

What is reasonable care?

• Is your network configured with the appropriate setup and security settings?
• Verify your internal network settings to ensure the most efficient and secure levels of access
• Verify your Internet Service Provider's (ISP) security and data storage and management settings
• Understand the rules and general practices of your cloud vendors' ISPs
• Review and regularly monitor your SLA (Service-Level Agreements) with your cloud vendors

A Cloud Computing Checklist

• Keep an updated list of your cloud services and vendors' main contact information with alternate means of contact
• Create internal office policies and procedures for accessing and using cloud systems in your office
• Incorporate your cloud usage into the overall firm disaster recovery plan and business continuation models
• Perform regular (daily preferred) backups and run regular test restores of all data

A Cloud Computing Checklist

Have a Disaster Recovery Plan


• Understand the Rules
• Understand relevant Terms of Service
• Understand Ethics Opinions
• Understand the Risks
• Be Careful

So How Do You Keep Your Client Data Confidential?

Ethics Resources
• Pa. Bar Ethics Hotline: Victoria White, Esq., 800-932-0311 x 2214, [email protected]
• Phila. Bar Professional Guidance Hotline: Paul Kazaras, Esq., 215-238-6328, [email protected]
• Legalethics.com
• Law.cornell.edu/ethics
• Abanet.org/adrules
• ABA/BNA Lawyers' Manual on Professional Conduct

Cloud Computing: Avoiding the Ethical Pitfalls

Presented by: Daniel J. Siegel, Esquire
Integrated Technology Services, LLC
Law Offices of Daniel J. Siegel, LLC

Email – [email protected]
Phone - (610) 446-3467
