In today’s world of smartphones, iPads, web-based software, and online data storage:
• What are your responsibilities when it comes to protecting confidentiality of client data and communications?
• What steps do you need to take to meet minimum “reasonable precautions” standards?
• What are the risks of on-premise vs. online storage and applications?
LeanLaw, an Idaho-based legal software and services company, is conducting a 90-minute webinar, sanctioned by the Idaho State Bar for 1.5 hours of CLE Ethics credits:
“This is a very valuable Ethics course. I learned what the rule changes require and the speakers offered practical suggestions to make my practice safer and more secure. The information was of immediate benefit to me, my clients and my firm." - Deborah Nelson, Partner, Givens Pursley LLP
“I was surprised to learn that many common technology practices aren't necessarily safe, as well as practical ways to make technology more secure and to better protect clients' confidential information. Definitely worth the time, especially the Q&A session at the end.” - Mike Roe, Partner, Givens Pursley LLP
Speakers:
Gary Allen, Partner, Givens Pursley LLP and founder and CEO of LeanLaw, will discuss the legal aspects of compliance and governing law.
Jonathon Fishman, Chief Services Officer of LeanLaw, will review the practical, tangible steps you can take to protect your clients’ data and communications.
2. MANAGEMENT TEAM
GARY ALLEN
FOUNDER / CEO - ATTORNEY
• 25+ year practicing attorney.
• Idaho native.
• Always wanted better software and technology services for attorneys.
JONATHON FISHMAN
FOUNDER / CHIEF SERVICE OFFICER
• 25 years of tech experience.
• 15 years of small business technical consulting.
• Passionate about creating trusted relationships with clients.
3. HELPING THE LEGAL COMMUNITY PRACTICE LEAN
ABOUT US
SOFTWARE
• Cloud-based
• Easy-to-use
• Low cost
• In your workflow
CONCIERGE SERVICE
• User focused
• Trusted relationships
• Empowers change
4. LEAN METHODOLOGIES + TECH BEST PRACTICES = ETHICS COMPLIANCE
YOUR MOTIVATION
FOCUS ON PRACTICING LAW
· Time Efficiencies
· Cost Savings
· Data Security
· Peace of Mind
5. OVERVIEW
PART 1: What is safe and what isn’t?
PART 2: What Are the Rules?
PART 3: Action Items… the things you can do today.
7. CYBERSECURITY IS NECESSARY.
1. Ethical Reasons. It matters to your clients.
2. Business Motivations. It matters to your practice.
3. This is a board room discussion! It isn’t about anti-virus and firewalls or some other tool. It is about how you run and operate your practice.
4. It needs to carry the same importance as you would apply to accounting or new business development.
8. THE CLOUD IS THE SAFEST PLACE TO STORE YOUR DATA!
LET’S LOOK AT PHYSICAL STORAGE
9. HERE’S WHAT CLOUD STORAGE LOOKS LIKE
THE CLOUD IS THE SAFEST PLACE TO STORE YOUR DATA!
10. THE CLOUD IS SAFE AND HERE IS WHY
1. Cloud companies have a culture of security.
2. Cloud companies will always outperform your IT best practices.
· Better server architecture.
· Better security and IT best practices.
· More know-how.
· They have a built-in incentive not to mess this up and to always get better.
3. The cloud architecture is built to be secure, with less user control and management and data transferred via secure APIs.
4. Newer authentication and infrastructure models.
11. CHANGES TO IRPC REGARDING TECHNOLOGY
THE RULES
· Rule 1.1 – Competency
· Rule 1.6 – Confidentiality
· Rule 5.3 – Supervision of Nonlawyers Outside the Firm
12. COMPLIANCE DETERMINED AFTER SOMETHING BAD HAS HAPPENED
This is true both if you use technology, e.g. your Dropbox account is hacked,
or if you do not, e.g. you fail to check your e-mail and miss an important message.
13. RULE 1.1 - COMPETENCE
A lawyer shall provide competent representation to a client. Competent representation requires
the legal knowledge, skill, thoroughness and preparation reasonably necessary for the
representation.
Comment
...
Maintaining Competence
[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes
in the law and its practice, including the benefits and risks associated with relevant
technology, engage in continuing study and education and comply with all continuing legal
education requirements to which the lawyer is subject.
…keep abreast of changes in the law and its practice,
including the benefits and risks associated with relevant technology,
14. SO, WHAT DOES THIS MEAN TO YOU?
RULE 1.1 - COMPETENCE
• Take ownership of the topic.
• You or a delegate must make it a part of your job to understand the technology used within your firm's practice.
• Think workflows such as email or document management.
• Align yourself with someone in the know.
• An IT firm or tech-savvy lawyer. You need a go-to person or company.
• ABA Tech section:
http://www.americanbar.org/groups/departments_offices/legal_technology_resources.html
• Make sure your technology is documented.
15. CYBERSECURITY CONCEPTS YOU SHOULD KNOW
1. Physical and Environmental Controls.
· Who has access to where the data is stored? How is this managed?
2. Least Privilege.
· Limit data access to only those for whom it is essential to their work.
· Think Snowden.
3. Encryption at Rest and in Transit.
· Is the data so critical that it should stay in an encrypted state even when stored in your local environment? (Encryption at rest)
4. User Access Control and Logs.
· Ensure you have a process in place to know who touched the data, where and when.
· Is there a company policy or at least a known best practice?
21. RULE 1.6 - CONFIDENTIALITY
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Comment
...
Acting Competently to Preserve Confidentiality
[16] …The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). . . .
The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
…sensitivity of the information
…the likelihood of disclosure if additional safeguards are not employed
…the cost of employing additional safeguards
…the difficulty of implementing the safeguards
…the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)
22. RULE 1.6 - CONFIDENTIALITY
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of,
or unauthorized access to, information relating to the representation of a client.
Comment
...
Acting Competently to Preserve Confidentiality
[16] …A client may require the lawyer to implement special security measures not required
by this Rule or may give informed consent to forgo security measures that would otherwise
be required by this Rule.
…A client may require the lawyer to implement special security measures
not required by this Rule or may give informed consent to forgo security
measures that would otherwise be required by this Rule.
23. RULE 1.6 - CONFIDENTIALITY
[17] When transmitting a communication that includes information relating to the
representation of a client, the lawyer must take reasonable precautions to prevent the
information from coming into the hands of unintended recipients. This duty, however, does
not require that the lawyer use special security measures if the method of communication
affords a reasonable expectation of privacy. Special circumstances, however, may warrant
special precautions. Factors to be considered in determining the reasonableness of the
lawyer’s expectation of confidentiality include the sensitivity of the information and the
extent to which the privacy of the communication is protected by law or by a confidentiality
agreement. A client may require the lawyer to implement special security measures not
required by this Rule or may give informed consent to the use of a means of
communication that would otherwise be prohibited by this Rule. Whether a lawyer may be
required to take additional steps in order to comply with other law, such as state and
federal laws that govern data privacy, is beyond the scope of these Rules.
Whether a lawyer may be required to take additional steps in order to
comply with other law, such as state and federal laws that govern data
privacy, is beyond the scope of these Rules.
24. RULE 1.6 – STATE AND FEDERAL RULES THAT GOVERN DATA PRIVACY
1. Health Care
• HIPAA 45 CFR Part 160, Part 164 (Subparts A & E)
• Administrative Safeguards.
• Physical Safeguards.
• Technical Safeguards.
2. Banking/Consumer Finance
• Fair Credit Reporting Act, 15 USC 1681 et seq.
• Gramm-Leach-Bliley - 15 USC 6802.
• FTC 16 CFR Part 313.
• SEC 17 CFR Part 248.
3. California Online Privacy Act of 2003
• Cal. Bus. & Prof. Code §§ 22575-22579.
4. Massachusetts 940 CMR 27
5. Canada
• PIPEDA S.C. 2000, c. 5
• British Columbia – FOIPA RSBC 1996, Ch.165
6. European Union
• Data Protection Directive 95/46/EC
7. Insurance
• Best practices required for cyber coverage
25. HOW TO THINK ABOUT CONFIDENTIALITY?
RULE 1.6 - CONFIDENTIALITY
1. Client Requirements Trump the Rule
• Extra security measures.
• Waiver.
2. Workflows
• Client engagement.
• Document execution.
• Data discovery.
• Trial preparation.
3. Where You Work
• Home / Office / Vacation home.
4. Think About Who You Work With
26. EXAMPLE: DOCUMENT MANAGEMENT
RULE 1.6 - CONFIDENTIALITY
[Chart: document storage options plotted by ease of use (HARD TO USE / EASY TO USE) and security (LESS SECURE / MORE SECURE). Options shown: LOCAL SERVER STORAGE, FLASH DRIVE STORAGE, STORAGE PROVIDERS, REMOTE ACCESS]
31. SUPERVISION OF NON-LAWYERS OUTSIDE THE FIRM
RULE 5.3
Nonlawyers Outside the Firm
When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. See also Rules 1.1 (competence), 1.2 (allocation of authority), 1.4 (communication with client), 1.6 (confidentiality), 5.4(a) (professional independence of the lawyer), and 5.5(a) (unauthorized practice of law).
. . . reasonable efforts . . .
. . . the education, experience and reputation of the nonlawyer
. . . the nature of the services involved
. . . the terms of any arrangements concerning the protection of client information
. . . the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
32. SUPERVISION OF NON-LAWYERS OUTSIDE THE FIRM
RULE 5.3
• Expert Witnesses/eDiscovery Vendors
• Confidentiality agreements
• Some understanding of practices
• Opinions on cloud computing:
http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html#OR
33. ACTION ITEM 1:
NEXT STEPS
Define accountability and “reasonable steps”
for you and your firm.
What is your firm doing to manage this topic?
34. ACTION ITEM 2
NEXT STEPS
Client / Vendor Engagement & Management.
You set the terms with the client,
your staff and your vendors.
35. ACTION ITEM 3
NEXT STEPS
Get mobile right…or at least not wrong.
• Make sure your mobile device is secure.
• Strong login password / PIN.
• Secure key apps.
• As needed, encrypt data on your mobile device.
• Use a secure password management tool like Dashlane or LastPass.
• Use a secure document storage tool like Box.com when accessing mobile documents.
• Know how to “find your phone” and “remote wipe” your device if lost.
36. ACTION ITEM 3: Mobile Management
NEXT STEPS
Professional Consumer
37. ACTION ITEM 4
NEXT STEPS
Assess Insurance Coverage.
• Examine your current professional liability policies and understand any “exceptions”
or specific adherence needed related to cybersecurity.
• Consider purchasing a specific policy for cybersecurity.
38. ACTION ITEM 5
NEXT STEPS
Manage Your Own Behavior
• Own this topic. Even delegation or the presence of in-house IT doesn’t remove your personal responsibility. You don’t have to know all the details, but you are ultimately responsible for yourself.
• Make it a continued conversation. Institutionalize the know-how and the need for vigilance.
• Don’t be freaked out about security.
• Use common sense. Ignorance isn't an excuse.
• Don’t allow it to hold you and your team hostage.
• Most of the mania related to security is derived from tech marketing companies and 24/7 news cycles.
40. Questions & Next Steps
GARY ALLEN
gary.allen@leanlaw.co
208-388-1257
JONATHON FISHMAN
fishman@leanlaw.co
208-254-0324
1. A copy of the slide deck and audio.
2. Access CLE submission form on our website.
• http://www.leanlaw.co/CLE-AttendanceForm/
3. Free LeanLaw Small Practice Security Assessment.