Definition of Cloud Computing - NIST Releases Final SP 800-145

InfoLawGroup attorneys actively follow the work of the National Institute of Standards and Technology (NIST), part of the U.S. Commerce Department, which over the past year has been very busy in the areas of Cloud Computing and information data security.

Yesterday NIST announced "the final release of Special Publication 800-145, The NIST Definition of Cloud Computing."  NIST's definition of Cloud Computing has been very influential in setting tent pegs in the ground to cabin the scope and discussion of the often nebulous definition of cloud computing. 

As NIST notes, SP 800-145 "describes how cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

NIST intends the definition "to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing."

The NIST Press Release on the release provides additional details, and the SP 800-145 webpage allows instant download of SP 800-145 as a PDF.  We'll continue to follow NIST and other organizations' work in cloud computing closely and provide alerts and analysis on significant developments.

Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)

So, you thought our cloud series was over?  Wishful thinking.  It is time to talk about ethics.  Yes, ethics.  Historically, lawyers and technologists lived in different worlds.  The lawyers were over here, and IT was over there.  Well, maybe not just historically.  As recently as last year, I attended an ediscovery CLE where a trial lawyer announced to the audience of litigators, with great emphasis, that they would have to start talking to the "geeks" and understanding technology in order to competently handle ediscovery in almost any commercial litigation.  This made the audience laugh.  I have found myself on conference calls with seasoned litigators who claim that ediscovery is not their area of practice.  As a more general matter, I find that lawyers believe that they do not need to concern themselves with security controls for protecting sensitive information because they are already subject to existing ethics rules and standards governing the protection of privileged information.  In the meantime, lawyers everywhere, particularly solo practitioners, are singing the virtues of cloud computing solutions for case management and are casually storing client data - often unencrypted - with a third party.

Here's the reality:  Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers.  This is true both from a legal ethics point of view and from a best practices data security point of view.  The issue of ethics and the use of cloud by lawyers is not new - I recommend this piece by Jeremy Feinberg and Maura Grossman and this blog post by E. Michael Power.  A few State Bar associations have opined on the subject of lawyer use of cloud computing and other technologies.  This blog post does not purport to cover that entire universe.  Instead, this post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar).  These opinions and papers all drive home the following points:  as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients’ confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology.  The question, as always, is what is "reasonable"?  Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules?  Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet.  At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions?  Read on and tell us - and the ABA - what you think.


Information Security Standards and Certifications in Contracting

When organizations contract for outsourced IT services, they look for assurances that the vendor will provide adequate security, often in the form of a security schedule or annex to the contract, or by reference to a widely accepted information security standard. In some cases, the customer insists as well on a certification or audit by an expert third party.

Business managers and lawyers often have only the vaguest notions of what these schedules, standards, and certifications mean. They rely on the organization’s IT staff or consultants for “the technical stuff.” But in the end it is the business managers and lawyers who determine what the organization needs, operationally and contractually. To do that well, they should have at least a basic understanding of the more common information security standards and certifications.

Contracting for Cloud Computing Services

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data "in the cloud."  Win-win, right?  Not so fast.  If it seems too good to be true, it probably is.  Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings.  Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse.  Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations).  My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services.  You can read the full article here, reprinted with the permission of BNA.

Information Governance

When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?

These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it – may be exposed to some nasty surprises.

The Legal Defensibility Era is Upon Us

The ISSA Journal was recently kind enough to provide me with the opportunity to publish an article entitled "The Legal Defensibility Era" (the cover article for its May 2010 publication, which focuses on legal issues impacting information security).  Here is the abstract for the article:

The era of legal defensibility is upon us. The legal risk associated with information security is significant and will only increase over time. Security professionals will have to defend their security decisions in a foreign realm: the legal world. This article discusses implementing security that is both secure and legally defensible, which is key for managing information security legal risk.

So, what does "legal defensibility" mean in the security context? 


Observations on the Dept. of Commerce's Privacy Inquiry

Earlier in the week, I referenced the U.S. Department of Commerce’s Notice of Inquiry concerning “Information Privacy and Innovation in the Internet Economy” (the “Inquiry”).  DataGuidance.com recently did a short article on the Inquiry in which I am quoted.  I have now had a chance to review the document in more detail and believe that this Inquiry and the report that it generates have the potential to usher in a paradigm shift and reshape the privacy environment as it relates to commerce. Unfortunately, it also has the potential to be a frustrating exercise involving entrenched special interests banging their heads against a wall in a political forum. Nonetheless, whether the Inquiry ends up yielding any legislation, industry standards, best practices or a strategic framework for privacy, the document itself reflects some of the key challenges faced at the intersection of privacy and commerce. This post outlines some of my observations after reading the Inquiry.


Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC.  The conference will be in full swing tomorrow, and I will report on various panels and topics of interest.  In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:

  • How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy?  It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano.  Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing).  It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
     
  • HIPAA/HITECH and Medical Identity Theft:  Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
     
  • "Reasonable Security":  What does Massachusetts think?  What does the FTC think?  What in the world is it and how in the world can organizations comply?
     
  • On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent.  What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
     
  • Social media:  how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
     
  • The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
     
  • Breaches, breaches, and more breaches.  Of course.

A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.

Stay tuned, I will endeavor to post developments on a daily basis.

The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.


Data Integrity and Evidence in the Cloud

How does cloud computing affect the risks of lost, incomplete, or altered data? Often, the discussion of this question focuses on the security risks in transmitting data over public networks and storing it in dispersed facilities, sometimes in the control of diverse entities. Less often recognized is the fact that cloud computing, if not properly implemented, may jeopardize data integrity simply in the way that transactions are entered and recorded.  Questionable data integrity has legal as well as operational consequences, and it should be taken into account in due diligence, contracting, and reference to standards in cloud computing solutions.


Information Security Clauses and Certifications - Part 1

Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.

What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?


Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?

With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law. Ironically, this question may be answered by reference to a 20-year-old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking (Patco Construction Co. v. People’s United Bank ("PATCO”) and JM Test Systems, Inc. v. Capital One Bank ("JMT")) and a court’s ruling on a motion for summary judgment in a similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – “Shames-Yeakel” case).  In short, since the Shames-Yeakel case proceeded past the "damages" pleading phase, it (and possibly these other online breach suits) reveals how some courts view security "standards" and approach the question of whether a company has achieved "reasonable security."  I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.


NDAs: Worth the Effort?

Confidentiality or nondisclosure agreements ("NDAs") are widely used but often poorly reasoned or inadequately implemented.  When are they worth the effort?  How can they be made more effective in protecting a company's secrets or the secrets of others for which it is responsible?
