Cloud Computing - Avoiding the Ethical Pitfalls · 6/3/2014
TRANSCRIPT
Cloud Computing: Avoiding the Ethical Pitfalls
Presented by: Daniel J. Siegel, Esquire, Integrated Technology Services, LLC, Law Offices of Daniel J. Siegel, LLC
Email – [email protected] - (610) 446-3467
About Dan
Law Offices of Daniel J. Siegel, LLC
GEEK LAWYER
Ethics Resources
Pa. Bar Ethics Hotline: Victoria White, Esq., 800-932-0311 x2214, [email protected]
Phila. Bar Professional Guidance Hotline: Paul Kazaras, Esq., 215-238-6328, [email protected]
Legalethics.com
Law.cornell.edu/ethics
Abanet.org/adrules
ABA/BNA Lawyers' Manual on Professional Conduct
Would you let the mailman read your mail?
Would you let Google (or AOL or Yahoo) read your e-mail?
Would you let everyone read your e-mail?
“When you mail a letter to your friend, you hope she'll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That's why we send important messages in sealed envelopes, rather than on postcards.
“Email works in a similar way. Emails that are encrypted as they're routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.” (June 03, 2014)
Who is reading your e-mail?
Lawyers can no longer stick their heads in the sand
Duty to Safeguard
• Ethics Rules
• Common Law
• Contracts
• Laws & Regulations
Duty to Safeguard
• Rule 1.1 Competence
• Rule 1.6 Confidentiality
• Rule 1.4 Communication
• Rule 5.1, 5.2, 5.3 Supervision
• As a result of changes that went into effect on November 21, 2013, the Pennsylvania Rules of Professional Conduct now require lawyers to recognize and understand the ethical issues that arise in a variety of subjects, including technology.
• This Rule change goes far beyond the issue of e-mail.
Lawyers can no longer stick their heads in the sand
Aug. 2012 Amendments: Model Rule 1.1 Competence
[Amendment to Comment:]
Maintaining Competence: “…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…”
PA adopted November 2013
Aug. 2012 Amendments: Model Rule 1.6 Confidentiality of Information [Addition to rule:]
“(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”
PA adopted November 2013
Aug. 2012 Amendments: Model Rule 5.3 Nonlawyer Assistance (retitled from "Nonlawyer Assistants")
+ Revisions to Rule and Comments
PA adopted November 2013
• These technology-focused amendments make it clear that lawyers can no longer claim that technological ignorance is acceptable.
Lawyers can no longer stick their heads in the sand
• Although the framers of the new Rule do not specify what technology the Rule addresses, there is only one logical conclusion:
• The new Comment requires lawyers to be aware of and consider the risks and benefits of any technology that is relevant to both their practices and their clients.
Lawyers can no longer stick their heads in the sand
• Thus, a trial lawyer who goes to trial without using any software may well be failing to practice using the requisite standard of care.
• Similarly, an attorney who does not consider whether a Word document provided by opposing counsel has relevant metadata may have failed to represent her client fully.
Lawyers can no longer stick their heads in the sand
• Or, an attorney who does not warn his client about social media, and the impact it could have on the client's matter, is almost certainly failing to adequately represent a client.
Lawyers can no longer stick their heads in the sand
• Or, an attorney who communicates using a free or online-hosted email service like Gmail or Yahoo may be disclosing confidential information and granting these companies an unlimited license to use confidential information.
Lawyers can no longer stick their heads in the sand
Encryption
Model Rule 1.6 Comment [19]
New Jersey Opinion 701 (2006)
California Formal Opinion No. 2010-179
Pennsylvania Formal Opinion 2011-200
Cloud Security Basics
1. Secure endpoints
2. Secure Internet connection
3. Authentication & access control
4. Secure data at rest
Encryption - Who has the key?
[Diagram: End User – Internet – Cloud Service Provider; panels "Data Transfer - Risky" and "Data Transfer – More Secure"; Business / Enterprise]
Encryption: Password protection encrypts with some software (limited protection)
[Screenshots: Microsoft Office password-protection steps 1–5]
Would you ever agree to give your Internet provider:
A worldwide license to
• use,
• host,
• store,
• reproduce,
• modify,
• create derivative works,
• communicate,
• publish,
• publicly perform,
• publicly display, and
• distribute your e-mail and all of the documents attached to your e-mail?
Would you ever agree that an Internet provider may:
• Have a license that continues – even if you stop using the provider's Services?
Guess what?
• If you use Gmail or Yahoo or AOL or many other free e-mail services, you are almost certainly granting the e-mail provider a license to use, publish or do whatever it wants with your email.
Lawyers can no longer stick their heads in the sand
iCloud Terms and Conditions (October 2017, 2014)
• H. Content Submitted or Made Available by You on the Service
• 1. License from You. Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service.
iCloud Terms and Conditions (October 2017, 2014)
• However, by submitting or posting such Content on areas of the Service that are accessible by the public or other users with whom you consent to share such Content, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.
Apple Privacy Policy (September 17, 2014)
• All the information you provide may be transferred or accessed by entities around the world as described in this Privacy Policy.
The numbers
• 89.5 percent of Google's $59.06 billion in revenue came from advertisers
(http://www.statista.com/statistics/266249/advertising-revenue-of-google/)
What information Google collects about you
• Things you do
• When you use our services — for example, do a search on Google, get directions on Google Maps, or watch a video on YouTube — we collect basic information to make these services work. This can include:
  • Things you search for
  • Websites you visit
  • Videos you watch
  • Ads you click on or tap
  • Your location
  • Device information
  • IP address and cookie data
(https://privacy.google.com/data-we-collect.html/)
What information Google collects about you
• Things that make you “you”
• When you sign up for a Google Account, we keep the basic information you give us. This can include your:
  • Name
  • Email address and password
  • Birthday
  • Gender
  • Phone number
  • Country
• If you have given us your billing information in order to make a purchase, we securely store it on our servers, just like we do with your basic information.
(https://privacy.google.com/data-we-collect.html/)
What information Google collects about you
• Things you create
• If you are signed in with your Google Account, we store and protect what you create using our services, so you will always have your information when you need it. This can include:
  • Emails you send and receive on Gmail
  • Contacts you add
  • Calendar events
  • Photos and videos you upload
  • Docs, Sheets, and Slides on Drive
(https://privacy.google.com/data-we-collect.html/)
What information Google collects about you
• Google uses a process it calls “content extraction” to review its customers' email.
• “Content Extractor is professional data-mining software that organizes collected information for a convenient work.”
• While Google has not released technical details of how the Gmail e-mail "content extraction" and analysis works, the patent (#20040059712) filed with the US Patent and Trademark Office provides some clues.
(http://epic.org/privacy/gmail/faq.html/ and https://code.google.com/p/content-extractor/)
What information Google collects about you
• Gmail examines the entire content of the e-mail message, including the header and addressing information, in order to derive the "concepts" contained in the e-mail.
• Relevant ads are then placed to the subscriber when the e-mail is displayed.
• Different ads may be served at different times depending on when the e-mail message is viewed, or re-viewed.
(http://epic.org/privacy/gmail/faq.html)
Google believes everyone knows it's reading their e-mail
• “It's ‘inconceivable’ that someone using a Gmail account would not be aware that the information in their email would be known to Google,”*
• In other words, if you use Gmail to communicate with clients, Google is reading your mail and arguing that its technology is exempt from privacy and wiretap laws.
*(http://www2.macleans.ca/2013/09/05/google-says-it-has-right-to-scan-peoples-gmail-accounts/)
Consider one scenario
• You meet with a client, John Jones, for lunch at La Secret Café to discuss a possible divorce action
• You confirm the lunch in an e-mail using your free Gmail account
• You add the appointment to your free Google Calendar
• Google indexes the e-mail and calendar
• Your client's spouse, Mary Jones, does a Google search for La Secret Café because she is meeting a co-worker there
• The search results say: “Your friend, John Jones, likes La Secret Café, and recently met with Attorney Miller there.”
• And of course, Mary Jones knows that you are the most prominent divorce lawyer in town.
Consider another scenario
• Everything you search or write in a Google service – especially the free services – is up for grabs by advertisers.
• As far as Google is concerned, users have no right to expect privacy if they freely hand over their information.
What Google will say
• In their motion to have the lawsuit dismissed, Google stated that: “[A] person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
(http://www.afr.com/p/technology/no_privacy_for_users_who_hand_over_aOe2qkEg2X2wDd4QDuQRbN/)
And you have released Google from any liability: all with the click of a mouse
• Business uses of our Services
• If you are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify Google and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys' fees.
(http://www.google.com/intl/en/policies/terms/)
So How Do You Keep Your Client Data Confidential?
So How Do You Keep Your Client Data Confidential?
• Understand the Rules
• Understand relevant Terms of Service
• Understand Ethics Opinions
• Understand the Risks
• Be Careful
Don't Use “Free” Services
When it comes to e-mail, pay for a private e-mail address
• Having a domain-based e-mail address, such as [email protected], is inexpensive
• Clients expect lawyers to have a domain-based e-mail
• After all, don't you prefer to purchase from Amazon than from Bill, who just has a Yahoo e-mail address?
These tips apply to all cloud-based services
• There are many free services providing e-mail, backup, file sharing and other services lawyers use
• While some of these services may be fine, many are new, and many have Terms of Service that could compromise your obligations to your clients
• As a result, you generally can control your legal rights more effectively with a paid service
These tips apply to all cloud-based services
• You must read the Terms of Service, or at least the portions of the Terms of Service that address:
  • Data ownership
  • Data access
  • Security
  • Other relevant considerations
Stuff Happens
http://www.eweek.com/c/a/Desktops-and-Notebooks/Dropbox-Snafu-Microsoft-BPOS-Outages-Raise-Cloud-Questions-741784/
Dropbox applied a code change that caused problems with the authentication mechanism, switching off users' account passwords for nearly four hours.
That meant anyone could access any account belonging to the service's 25 million customers.
"This should never have happened," Dropbox founder and CTO Arash Ferdowsi wrote in a June 20 corporate blog posting.
What most states are saying
• Lawyers have an ethical duty to protect sensitive client data
• To meet the standard of reasonable care, attorneys must:
  • Be knowledgeable about how providers will handle the data entrusted to them
  • Include terms in any agreement with the provider requiring the provider to preserve the confidentiality and security of the data
www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html
Pa. Bar Formal Opinion 2011-200
• An attorney may ethically allow client confidential material to be stored in "the cloud" provided the attorney takes reasonable care to assure that:
  • (1) all such materials remain confidential, and
  • (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.
Pa. Bar Formal Opinion 2011-200
The standard of reasonable care may include:
• Backing up data;
• Installing a firewall to limit access to the firm's network;
• Limiting information that is provided to others as to what is required, needed, or requested;
• Avoiding inadvertent disclosure of information;
• Verifying the identity of individuals to whom the attorney provides confidential information;
• Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission;
Pa. Bar Formal Opinion 2011-200
The standard of reasonable care may include:
• Protecting electronic records containing confidential data, including backups, by encrypting the confidential data;
• Implementing electronic audit trail procedures to monitor who is accessing the data;
• Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data;
Always be prepared
CIO Magazine, May 1, 2013
• You must be knowledgeable about how cloud providers will handle the data you entrust to them.
• This means that lawyers cannot merely click "I Agree" to electronic/ online contracts (SLAs) or fail to obtain appropriate advice about cloud security.
What is reasonable care?
• The Terms of Service must state that any data:
  • is owned by the client/law firm
  • is not owned by the cloud provider, and
  • the cloud provider affirmatively agrees to this condition
What is reasonable care?
• Include terms in any SLA or other agreement requiring the provider to preserve the confidentiality and security of the data.
• Include terms in any SLA or other agreement requiring the provider to assure, should data be removed, or the contract terminated, that all confidential data will be destroyed (as will any copies or backups) using a method that guarantees that no other persons can ever access the data. Otherwise, a firm's data could reside on a server indefinitely and fall prey to a savvy hacker.
What is reasonable care?
• Is there a third party audit of security?
• If cloud data is subject to a litigation hold, what is the process to comply with the hold?
• What is the uptime guarantee?
• What is the compensation for a failure?
What is reasonable care?
• A copy of your digital data should be stored onsite
• Many vendors will tell you this is not necessary
• Although there is some cost to do this, it allows you to protect your ability to represent your client regardless of unforeseen circumstances
What is reasonable care?
• You access the cloud through the Internet
• You must have an alternate way to connect to the Internet
A Cloud Computing Checklist
Is your network configured with the appropriate setup and security settings?
• Verify your internal network settings to ensure the most efficient and secure levels of access
• Verify your Internet Service Provider's (ISP) security and data storage and management settings
• Understand the rules and general practices of your cloud vendors' ISPs
• Review and regularly monitor your SLA (Service-Level Agreements) with your cloud vendors
A Cloud Computing Checklist: Have a Disaster Recovery Plan
• Keep an updated list of your cloud services and vendors' main contact information with alternate means of contact
• Create internal office policies and procedures for accessing and using cloud systems in your office
• Incorporate your cloud usage into the overall firm disaster recovery plan and business continuation models
• Perform regular (daily preferred) backups and run regular test restores of all data
So How Do You Keep Your Client Data Confidential?
• Understand the Rules
• Understand relevant Terms of Service
• Understand Ethics Opinions
• Understand the Risks
• Be Careful