Listen to Perry Segal’s interview on Cloud Privacy & Attorney Ethics on KUCI 88.9 FM
Here's a few of the additional details:
Privacy Piracy (88.9FM and www.kuci.org), a half-hour public affairs show with no
commercials broadcasts from the University of California, Irvine campus on
Mondays from 8:00 a.m. – 8:30 a.m. Pacific Time. To learn more
about the show and listen to archived interviews, please visit www.kuci.org/privacypiracy.
Why have I been missing in action the past couple of weeks? Because I over-committed, that's why! Note to self: Don't propose two presentations for the CalBar 85th Annual Meeting, thinking that only one will be selected…WRONG!!! So, to kick-off my re-appearance on this blawg, here are my two upcoming presentations in Monterey:
eDiscovery eVolution: Crawl, Walk, then Run Your Case! (Program 25)
Thursday, October 11, 2012 4:15 p.m.-5:15 p.m.
Strategy matters, and litigation is a term of art and a
little showmanship. Learn how to strategize during a case to get the
most out of each other for the clients' benefit.
Presenters: Perry L. Segal, Derick Roselli
CLE: 1.0 Hour General Credit
This is going to be a good one, because I'm taking the role of attorney (type-casting) and my LPMT colleague, Derick Roselli, takes the role of technology expert; which is his true specialty at HP/Autonomy. We're going to do a walk-through of a case from the perspective of the attorney consulting with his expert on a case, from start to finish.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
The Cloud: Secure? Yes. Ethical? Not so FAST! (Program 50)
Friday, October 12, 2012 10:30 a.m.-12 noon
It's essential to conduct due diligence regarding a
vendor's security practices to insure the confidentiality of client
data. Even if the data is believed to be secure, it may violate an
attorney's legal/ethical obligations. Learn the next step– assuring
client communications are secure and ethical.
Presenters, Perry L. Segal, Donna Seyle
CLE: 1.5 Hours of Which 1.0 Hour Applies to Legal Ethics
Donna Seyle is another of my LPMT colleagues, and we're going to do a practical examination of attorney ethics rules – both ABA and California – as they pertain to data and social media interaction in the cloud. Our goal is to explain to attorneys how even a secure cloud may violate ethical obligations to the client if additional precautions are not followed.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
I 'officially' assume the Chairmanship of LPMT at noon, Sunday, October 14th. Here we go!
You didn’t think all that free stuff was free, did you? Sure…multi-billion-dollar conglomerates give you all kinds of tools and want nothing in return. No, like with most loss-leaders, they lure you through the door at a bargain, make you comfortable, then make it up elsewhere; such as by mining your data.
Here’s the deal. I think most people, including me, are fine with giving up something in order to receive something. I know that Google mines data, so I tweak my privacy settings to the maximum protection level and also bypass gmail, calendar and contacts sync for my Droid (I do the same with Yahoo and any other site that wants me to upload my contact and calendar information). Why? Because I know that Google, et al, wants to get their hands on it!
But, where it’s a problem is for all of the people who have absolutely no concept of what they’re actually giving up. That means, you, attorneys! This is the problem with the cloud. If attorneys store their data – and that of their clients – in the cloud without understanding that its being mined, they’ve already violated their ethical duties in most jurisdictions.
We attorneys call it informed consent. The problem is, it’s the attorneys who have to inform themselves – and their clients – before they may reasonably consent.
These free services are coming with more and more strings attached (e.g., users who are forced onto Facebook Timeline know what I’m talking about). The benefits are gradually shifting from the end-user to the provider. Naturally, we always have a choice; conform or be cast out (thank you, Rush…).
As many of you know, I don’t have a Facebook account. A while back, when 200 million people were using the service, they seemed unusual. Now that 800+ million are using it, I seem unusual! Peer pressure is a bitch, but I was never one to run with the crowd, anyway.
Be cool or be cast out…
42. (That's for those of you who picked up on the 'Hitchhiker's Guide to the Galaxy' reference).
I usually don't feel it necessary to refer you to my disclaimer but, because this is a State Bar of California opinion – and I'm Vice-Chair of their Law Practice Management & Technology Section Executive Committee (LPMT) – I want to remind you that:
"This blog site is published by and reflects the personal views of Perry L. Segal, in his individual capacity. Any views expressed herein have not been adopted by the California State Bar's Board of Governors or overall membership, nor are they to be construed as representing the position of the State Bar of California."
The LPMT Executive Committee may publish its own, 'official' comments, to which I may also contribute. That being said…
Technology is an extremely logic-based discipline, in its purest form; or it should be, at least. Indeed, like the practice of law, success or failure is predicated upon compiling and understanding a particular set of facts, then realistically acting upon those facts. Note my emphasis on the word, 'realistically'. If I wish to suspend disbelief and begin with a set of unrealistic criteria, I may be equally able to formulate a reasonable solution, assuming it's possible to locate someone – or something – that fits the original, unrealistic premise.
This is my assessment of Formal Opinion Interim No. 10-0003 (Virtual Law Office). It's actually a very well-crafted opinion, but it's based on a 'Statement of Facts' that, to me, are an unrealistic portrayal of how an attorney practices – or would practice – law.
First, there's no reason for me to re-invent the wheel. For another excellent nuts & bolts assessment of the opinion, please see Stephanie Kimbro's post on her Virtual Law Practice blog. She's an authority on the Virtual Law Office and is also cited as a resource on page one of the opinion itself.
From a pure cloud security standpoint, this is an excellent document and a perfect complement to opinion 2010-179 on wireless networks. In fact, I would recommend that practitioners ignore the hypotheticals for a moment (especially if they're pressed for time) and proceed to the Discussion heading, Section 1 ("Duties"), which is what I'm doing for the purposes of this post.
Section 1 examines confidentiality issues of employing a cloud-based system with a 3rd-party vendor and provides a five-point list of due diligence factors that includes, but isn't necessarily limited to:
- The Credentials of the Vendor
- Data Security (Well, that's not very helpful, but it goes on to refer the reader to California, New York and ABA opinions for guidance)
- Vendor's Transmission of Client Info in the Cloud Across Jurisdictional Boundaries or Other 3rd-Party Servers (You've heard – or read, I suppose – me pontificate on that one; the "digital roach motel" and "know where your data is")
- Attorney's Ability to Supervise the Vendor (As I've reminded you often, you may hire competence, but not delegate this duty)
- Terms of Service of Contract with the Vendor (This is huge where the cloud is concerned. For example, many provider contracts contain language to the effect that, "Once you transfer it to us, it becomes our property.", a major no-no for attorneys)
It also points out the security environment must be periodically reassessed, which is terrific advice. I usually refer to it as "fire drills". Finally, it points out that none of this may take place without proper disclosure to the client, who may, by the way, have no idea how any of this works.
Section 2 examines competence issues as follows:
- Proper management of attorney's intake system to determine one of the basics; "Who is the client?"
- Determining whether attorney may perform the requested services
- Determining that the client comprehends the services being performed (This document also refers to comprehension issues due to a language barrier)
- Keeping the client reasonably informed
- Determining that the client understands technology (When I read #3 above, it immediately triggered the thought that technology is another language both attorney and client must understand…)
- Determining when to decline to represent a client via a VLO, and whether representation may continue through traditional means
This section also re-raises the supervisory issue, but this time it's in terms of the attorney supervising other attorneys and/or non-attorneys.
Ok, so you know what I like, now let's get into what I don't like. The hypothetical describes the VLO as a password-protected and encrypted portal that sits on a 3rd-party cloud. So far, so good. But then, it goes on to say that the attorney plans not to communicate with clients by phone, email or in person, but will limit communication solely to the portal.
Yeah, that covers a lot of us, doesn't it?
I understand that it's possible for attorneys to communicate this way, but is it probable? Does this opinion realistically apply to most attorneys; now and even into the future? I'm not trying to be snarky here, but you can't blame me for being a tech guy. Immediately, my mind wanders to what would likely happen in this scenario. A technology or communication issue arises and the frustrated attorney – or client – resorts to email or a phone call.
And what about secrecy? No, I'm not alluding to some nefarious purpose. There are legitimate reasons why attorney and/or client might not want to document ideas or discussions – electronically or otherwise – in the short-term (what comes to mind is a nervous potential client who has invented a new product, but doesn't want to provide a lot of written detail to attorneys, while soliciting the representation of several of them, for fear that the inventor's intellectual property will be revealed).
The second thing that bothers me is the "Issue" statement that opens the opinion. It states, verbatim:
"May an attorney maintain a virtual law office practice ("VLO") and still comply with her ethical obligations, if the communication with the client, and storage of and access to all information about the client's matter, are all conducted solely through the internet using the secure computer servers of a third-party vendor (i.e., "cloud computing")." [Italics/bold added. It's posed as a question, but in the text, the paragraph ends with a period – not sure if it's a typo that will be corrected in a later version].
What's the danger here? Hello? Facebook is the cloud! Google is the cloud! Email is the cloud! A lot of communication is taking place – right now – through means not anticipated in this opinion. What I'm saying is, if one removes the term, "VLO", from this document, it could just as easily apply to methods attorneys use to communicate with their clients on a daily basis, while at the same time, being completely unaware that many of these products are in the cloud.
It also fails to anticipate one other factor; what will happen the day these measures apply to all cloud-based technology (that day is coming, and in some cases, is already here). As it stands today, if most attorneys attempted to comply with these security measures, law practice as we know it would grind to a halt.
Better start preparing now…
Folks, I'm not going to bag on Amazon.com too much for their Elastic Compute Cloud (EC2) failure; I'm sure they're getting enough flack from their customers. However, this is why I dislike any absolute statements when we're dealing with this type of technology. Technically, they're right. You don't have to worry about the cloud. You do have to worry about your cloud.
The cloud may have a backup plan for you. Do you have a backup plan for your cloud?
Sent from my Verizon Wireless BlackBerry