Posts in Standards

20/20, ABA, client confidentiality, COPRAC, encrypt, encryption, ethics, Formal Opinion Interim No- 08-0002, lawyers, New York State Bar Association, online storage, Opinion 842, professional responsibility, State Bar of California, technology, wifi

Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)

By InfoLawGroup LLP on October 19, 2010

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.

AICPA, best practices, BITS, cloud computing, COBIT, contracts, FIPS, information security, ISO 27001, ISO 27002, NIST, outsourcing, PCI DSS, SAS 70, SP 800-53, standards

Information Security Standards and Certifications in Contracting

By W. Scott Blackmer on May 26, 2010

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.

compliance, contracting, contracts, privacy, risk management, Security

Contracting for Cloud Computing Services

By InfoLawGroup LLP on May 18, 2010

Nearly every day, businesses are entering into arrangements to save the enterprise what appear tobe significant sums on information technology infrastructure by placing corporate data ''in the cloud.'' Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article "Contracting for Cloud Computing Services: Privacy and Data Security Considerations," published this week in BNA's Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA.

compliance, contract management, data protection, data security, information governance, information security, management, pia, privacy, privacy audit, privacy governance, privacy impact assessment, procurement, risk management, security governance, standards

Information Governance

By W. Scott Blackmer on May 06, 2010

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations.

IAPP, International Association of Privacy Professionals, Red Flags Rule

Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon

By InfoLawGroup LLP on April 19, 2010

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.

agreements, breach notice, certification, compliance, confidentiality, contracts, incident response, indemnification, information security, insurance, liability, risk management, standards

Information Security Clauses and Certifications - Part 1

By W. Scott Blackmer on January 17, 2010

Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance.

Confidentiality agreements, intellectual property, NDA, nondisclosure agreements, standards, trade secrets, uniform trade secrets act, UTSA

NDAs: Worth the Effort?

By W. Scott Blackmer on November 16, 2009

In business or technical discussions with potential investors, customers, suppliers, licensors, franchisees, or joint venture partners, it is often very difficult to determine how much needs to be disclosed and exactly who "owns" which information and ideas. Were the parties just brainstorming? Did they independently develop a similar approach to a problem? Litigation over NDAs can be costly, public, and ultimately unsatisfactory to the party claiming a breach, especially if it is hard to prove the intended scope of the agreement and the actual source of information. When is it worthwhile using NDAs, and how can they be made more effective?