Category Archives: Security

Beware the Ides of #Google

You didn't think all that free stuff was free, did you?  Sure…multi-billion-dollar conglomerates give you all kinds of tools and want nothing in return.  No, like with most loss-leaders, they lure you through the door at a bargain, make you comfortable, then make it up elsewhere, such as by mining your data.

Beginning March 1st, 2012, Google will be using a bigger shovel.  That’s when they implement their new privacy policy.  Funny…it should probably be deemed a ‘lack-of-privacy’ policy.  Essentially it allows them to mine your data over most of their products in order to create a better profile of you; ostensibly for your benefit, but really, for theirs.

Here's the deal.  I think most people, including me, are fine with giving up something in order to receive something.  I know that Google mines data, so I tweak my privacy settings to the maximum protection level and also bypass Gmail, calendar and contacts sync for my Droid (I do the same with Yahoo and any other site that wants me to upload my contact and calendar information).  Why?  Because I know that Google, et al., want to get their hands on it!

But where it's a problem is for all of the people who have absolutely no concept of what they're actually giving up.  That means you, attorneys!  This is the problem with the cloud.  If attorneys store their data – and that of their clients – in the cloud without understanding that it's being mined, they've already violated their ethical duties in most jurisdictions.

We attorneys call it informed consent.  The problem is, it’s the attorneys who have to inform themselves – and their clients – before they may reasonably consent.

These free services are coming with more and more strings attached (e.g., users who are forced onto Facebook Timeline know what I’m talking about).  The benefits are gradually shifting from the end-user to the provider.  Naturally, we always have a choice; conform or be cast out (thank you, Rush…).

As many of you know, I don’t have a Facebook account.  A while back, when 200 million people were using the service, they seemed unusual.  Now that 800+ million are using it, I seem unusual!  Peer pressure is a bitch, but I was never one to run with the crowd, anyway.

Be cool or be cast out…

e-Discovery California: Proposed Formal Opinion Interim No. 10-0003 (VLO) is the Right Answer to the Wrong Question

42.  (That's for those of you who picked up on the 'Hitchhiker's Guide to the Galaxy' reference).

I usually don't feel it necessary to refer you to my disclaimer but, because this is a State Bar of California opinion – and I'm Vice-Chair of their Law Practice Management & Technology Section Executive Committee (LPMT) – I want to remind you that:

"This blog site is published by and reflects the personal views of Perry L. Segal, in his individual capacity.  Any views expressed herein have not been adopted by the California State Bar's Board of Governors or overall membership, nor are they to be construed as representing the position of the State Bar of California."

The LPMT Executive Committee may publish its own, 'official' comments, to which I may also contribute.  That being said…

Technology is an extremely logic-based discipline, in its purest form; or it should be, at least.  Indeed, like the practice of law, success or failure is predicated upon compiling and understanding a particular set of facts, then realistically acting upon those facts.  Note my emphasis on the word, 'realistically'.  If I wish to suspend disbelief and begin with a set of unrealistic criteria, I may be equally able to formulate a reasonable solution, assuming it's possible to locate someone – or something – that fits the original, unrealistic premise.

This is my assessment of Formal Opinion Interim No. 10-0003 (Virtual Law Office).  It's actually a very well-crafted opinion, but it's based on a 'Statement of Facts' that, to me, is an unrealistic portrayal of how an attorney practices – or would practice – law.

First, there's no reason for me to re-invent the wheel.  For another excellent nuts & bolts assessment of the opinion, please see Stephanie Kimbro's post on her Virtual Law Practice blog.  She's an authority on the Virtual Law Office and is also cited as a resource on page one of the opinion itself.

From a pure cloud security standpoint, this is an excellent document and a perfect complement to opinion 2010-179 on wireless networks.  In fact, I would recommend that practitioners ignore the hypotheticals for a moment (especially if they're pressed for time) and proceed to the Discussion heading, Section 1 ("Duties"), which is what I'm doing for the purposes of this post.

Section 1 examines confidentiality issues of employing a cloud-based system with a 3rd-party vendor and provides a five-point list of due diligence factors that includes, but isn't necessarily limited to:

  1. The Credentials of the Vendor
  2. Data Security (Well, that's not very helpful, but it goes on to refer the reader to California, New York and ABA opinions for guidance)
  3. Vendor's Transmission of Client Info in the Cloud Across Jurisdictional Boundaries or Other 3rd-Party Servers (You've heard – or read, I suppose – me pontificate on that one; the "digital roach motel" and "know where your data is")
  4. Attorney's Ability to Supervise the Vendor (As I've reminded you often, you may hire competence, but not delegate this duty)
  5. Terms of Service of Contract with the Vendor (This is huge where the cloud is concerned.  For example, many provider contracts contain language to the effect that, "Once you transfer it to us, it becomes our property.", a major no-no for attorneys)

It also points out that the security environment must be periodically reassessed, which is terrific advice.  I usually refer to it as "fire drills".  Finally, it points out that none of this may take place without proper disclosure to the client, who may, by the way, have no idea how any of this works.

Section 2 examines competence issues as follows:

  1. Proper management of attorney's intake system to determine one of the basics: "Who is the client?"
  2. Determining whether attorney may perform the requested services
  3. Determining that the client comprehends the services being performed (This document also refers to comprehension issues due to a language barrier)
  4. Keeping the client reasonably informed
  5. Determining that the client understands technology (When I read #3 above, it immediately triggered the thought that technology is another language both attorney and client must understand…)
  6. Determining when to decline to represent a client via a VLO, and whether representation may continue through traditional means

This section also re-raises the supervisory issue, but this time it's in terms of the attorney supervising other attorneys and/or non-attorneys.

Ok, so you know what I like, now let's get into what I don't like.  The hypothetical describes the VLO as a password-protected and encrypted portal that sits on a 3rd-party cloud.  So far, so good.  But then, it goes on to say that the attorney plans not to communicate with clients by phone, email or in person, but will limit communication solely to the portal.

Yeah, that covers a lot of us, doesn't it? 

I understand that it's possible for attorneys to communicate this way, but is it probable?  Does this opinion realistically apply to most attorneys; now and even into the future?  I'm not trying to be snarky here, but you can't blame me for being a tech guy.  Immediately, my mind wanders to what would likely happen in this scenario.  A technology or communication issue arises and the frustrated attorney – or client – resorts to email or a phone call.

And what about secrecy?  No, I'm not alluding to some nefarious purpose.  There are legitimate reasons why an attorney and/or client might not want to document ideas or discussions, electronically or otherwise, in the short term.  What comes to mind is a nervous potential client who has invented a new product and, while soliciting representation from several attorneys, doesn't want to provide much written detail to any of them for fear that the invention will be revealed.

The second thing that bothers me is the "Issue" statement that opens the opinion.  It states, verbatim:

"May an attorney maintain a virtual law office practice ("VLO") and still comply with her ethical obligations, if the communication with the client, and storage of and access to all information about the client's matter, are all conducted solely through the internet using the secure computer servers of a third-party vendor (i.e., "cloud computing")."  [Italics/bold added.  It's posed as a question, but in the text, the paragraph ends with a period – not sure if it's a typo that will be corrected in a later version].

What's the danger here?  Hello?  Facebook is the cloud!  Google is the cloud!  Email is the cloud!  A lot of communication is taking place – right now – through means not anticipated in this opinion.  What I'm saying is, if one removes the term, "VLO", from this document, it could just as easily apply to methods attorneys use to communicate with their clients on a daily basis, while at the same time, being completely unaware that many of these products are in the cloud.

It also fails to anticipate one other factor: what will happen the day these measures apply to all cloud-based technology (that day is coming, and in some cases, is already here).  As it stands today, if most attorneys attempted to comply with these security measures, law practice as we know it would grind to a halt.

Better start preparing now…

v-Discovery Insights: #Facebook – An Arm of the #CIA

Well, this is my wrap-up post for 2011.  I'm about halfway through writing my assessment of CalBar's Proposed Formal Opinion Interim No. 10-0003 (Virtual Law Office) and should have it up by early next week.

And no, I'm not finished with my sections of the Calbar book, yet…

I see all of the year-end predictions and top-ten lists out there, but I'm closing out 2011 with this video from The Onion News Network.  I'm laughing, but not too much…


Happy New Year!

e-Discovery California: Wow – I Coulda had a VLO!!!

Happy Holidays, everyone.  I'm about 2/3 of the way through my book-writing and with any luck, I hope to submit most of my remaining contribution before New Year's (that is, if I don't succumb to the most wonderful time of the year – Bowl Season!).  Hopefully, then, I can get back to posting here more often.

In the meantime, I have some homework for you.  The California State Bar Standing Committee on Professional Responsibility and Conduct (COPRAC) has posted, "Proposed Formal Opinion Interim No. 10-0003 (Virtual Law Office)" for public comment [Warning; link opens a 7-page PDF].

I'm currently working on an in-depth analysis of the proposal and hope to post it next week, but when I first scanned the opinion, my mind wandered to the law of unintended consequences.  I'll reserve commenting further until I've completed my analysis, however, I encourage you to familiarize yourselves with the opinion – whether you personally make use of a VLO or not.  After all, (and it pains me to say this), it isn't all about you; the attorneys at the other end of your communications may make use of a VLO.

The public comment period remains open until March 23rd, 2012.  Hope to see you before the ball drops, but if not, please be safe and have a great holiday!

When Your #Privacy is #Breached, This is how It’ll Happen

The best examples in life are of the 'real-world' variety.  These days, I've been hunkered down in my bunker (also known as my dining room) writing sections for the upcoming State Bar of California book, "Growing and Managing a Law Office".  This will also explain why I haven't been posting on the blog as often as I'd prefer.

A couple of days ago, I experienced a serious breach of privacy.  Not my own, mind you, but someone else's!  Specifically, I was emailed a copy of their surgical records.  Why?  Human error.  The sender simply got the email address wrong.

The message contained a 'HIPAA' privacy notice, with contact information.  Not wanting to create another electronic record by replying to the email, I picked up the phone and left a voice mail message that the person had sent the records in error and I was immediately destroying the original message.  Apparently, they didn't check their voice mail, because a few minutes later, the same person emailed me the password to access the records.  At that point, I figured I'd better reply to the message itself…

The sender – and the patient – were lucky in at least two respects:

  1. They sent the records to an eDiscovery attorney, and
  2. I wasn't the least bit interested in looking at them.

Fifteen years ago, when I was purely on the data side, people used to ask me how difficult it was to refrain from peeking at so much confidential information.  My answer was the same then as it is today; curious people don't do well in our line of business.  Now, you'll note, I didn't say 'inquisitive'.  Obviously, there are times and events that will require a reasonable investigation – but this isn't one of them.

As I've oft repeated, a disaster or breach will not likely manifest itself in the manner you expect.  In this case, it wouldn't have mattered if the sender's company employed the most cutting-edge security procedures available.  In the end, the whole thing was thwarted by the 'send' key.

How do you think their security, technology and legal personnel would feel if they knew?

License to Pry

Back to the future.  All of a sudden, the term "1984" has become quite popular in the news, on TV and on a certain blog & Twitter feed you may be reading at the moment.  It started with the U.S. v. Jones case regarding warrantless GPS tracking.

But 'Jones' is child's play compared to what the District of Columbia is doing on a daily basis.  At least in Jones, the issue revolves around the government tracking specific vehicles for specific purposes.  In DC, they track the license plates of all of the vehicles, all of the time.  Not only that, they retain the database, sometimes for years.

I don't know whether to be in awe or appalled!  As a techno-weenie, I can't help but be fascinated by technology that can accomplish this; but that doesn't mean I lose sight of the obvious risks to privacy.  Examples?

The Good:  A crime is committed, a witness jots down a license plate and the authorities are able to input said plate into the database and locate the perpetrator.

The Bad:  A husband calls police to report his wife missing.  They input her license plate into the database, locate her vehicle in front of an apartment building – and discover she's having an affair.

The Ugly:  Talk amongst yourselves…

As has been the case so many times before, this capability may be used for good, evil, or with good intent that becomes inherently evil.

Of course, the same could be said of chocolate cake.  In moderation, it's great; but eat too much and you can make yourself sick.  The question is, who's going to be responsible for making sure we don't overindulge?

Keep Your Friends Close…Keep Your Children Closer

As many of us already know – and some of us have learned the hard way – heavy emotion, technology and litigation don't mix.  Most people are probably on guard, if at all, when it comes to strangers.  They don't tend to think that they might be done in by someone very close to them who is either reacting emotionally, doesn't understand the consequences of their actions or simply means to do them harm.

The example I cite here is an 11-year-old boy who was angry with his mother and stepfather for their marijuana use.  Egged on by his biological father, the boy photographed the drugs, gave the photos to his father and his father turned them in to the police; who arrested them.

This isn't a moral discussion about whether they got what they deserved – that's an entirely separate issue.  Was the 11-year-old manipulated by his father (who may or may not have had another agenda)?  Did the child want his parents to be arrested?

Substitute the drugs with a PDA or laptop.  Do you leave your personal device booted up in the living room without a password?  What about your company device?  What's on it?  Who might have access to it?  What might they do if they're angry with you?

Just something to think about…

e-Discovery California: How am I Behaving? Text 800-IM-DRUNK

A bunch of people get together on a Saturday night.  They drink beer.  They drink more beer.  At last call, wanting to keep the buzz going, they order two more beers – and guzzle them.  Somebody looks at somebody else sideways and a fight breaks out.  And so it goes at the local pub?

Yes, but so it also goes at the local baseball diamond, etc.  "I went to the fights and a hockey game broke out!"

Now, California Assemblyman Mike Gatto (D-L.A.) wants to establish a new law that would beef up penalties for fan misbehavior at sporting events.  It would also fund a reward-based program to encourage fans to report other fans.  Here's why I think this is a misguided idea:

  1. Ever heard of Crime Stoppers, et al?  Mechanisms already exist for reporting crimes.
  2. Why is this venue singled out?  Because it's on the news?

A more reasonable approach, among others, is the method adopted by some teams that enables fans to text information about incidents directly to security personnel.

The minute one introduces pay-for-play to the mix, the potential for abuse increases.

Heck…next you'll tell me they're gonna pay kids to go to school!