
IT : The Department You Need to Make Your Best Friend


Presentation Transcript


  1. IT: The Department You Need to Make Your Best Friend (Session 907) • Mia Chiu, General Counsel, Ebates Inc., a Rakuten Company • Harold Federow, Contract, Vendor & IP Manager, Port of Seattle • David Gilmartin, Associate General Counsel, The Joint Commission • Sasha Kipervarg, Director of DevOps, Workday

  2. The opinions expressed in this presentation and on the following slides are solely those of the presenter and not necessarily of their employers. Their employers do not guarantee the accuracy or reliability of the information provided herein. The presentation is provided for informational purposes only and should not be construed as legal advice.

  3. TECHNOLOGY AND THE RULES OF PROFESSIONAL CONDUCT • Lawyer’s ethical obligations relating to technology • Risks driving change • Relevant laws relating to information security

  4. A Lawyer’s Ethical Obligations • ABA Model Rule 1.1: Competence – “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” • Comment 8 (revised 2012) – “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

  5. Risks Driving Change • Inadvertence, mistake: Law Firm’s Documents Dumped in Trash, Gainesville Times, October 16, 2011 • Cyber attack: Wiley Rein LLP Hack (2011) • Physical security: Laptop Stolen from Law Offices of David A. Krausz, Sensitive Info at Risk, Softpedia • Insider threats: Orrick breach

  6. Risks Driving Change – Importance • Citigroup Chides Law Firms for Silence on Hackings, New York Times (March 26, 2015): Spotlight on law firms as companies require their law firm partners to comply with the same data security regulations as their clients. • Banks Demand That Law Firms Harden Cyberattack Defenses, Wall Street Journal (October 26, 2014): Banks demand that law firms do more to protect sensitive information, including background checks for employees and on-site audits from clients.

  7. Risks Driving Change • To what extent are the obligations different for in-house lawyers?

  8. Small/medium org • Firewall activity hits – Daily: 560,000 hits rejected out of 600,000 received • Email SPAM – Daily: 157,000 blocked emails • Viruses – Monthly: 100+ detected

  9. Relevant Laws Relating to Legal Obligations • First there was Zubulake (2004): not only was it pivotal in how e-discovery should be undertaken, it essentially established the duty for lawyers to know where the data is located and how it could be accessed/preserved – requiring some level of understanding of the underlying technology.

  10. Relevant Laws Relating to Legal Obligations • All 50 states and DC have adopted ABA Model Rule 1.1 (either in whole or with modifications). • At least 25 states have adopted Comment 8: Arizona, Arkansas, Connecticut, Delaware, Florida (9/29/16), Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, New Hampshire, New Mexico, New York, North Carolina*, North Dakota, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington, West Virginia, Wisconsin (eff. 1/1/2017), Wyoming • *The phrase adopted by N.C. varies slightly from the Model Rule: “… including the benefits and risks associated with the technology relevant to the lawyer’s practice.”

  11. Relevant Laws Relating to Legal Obligations Illustration of the broad reach this rule has: Q: Does anyone here believe that the Rules of Professional Conduct impose any duty on a transactional attorney to be familiar with litigation software? 1. Certain commentators have said “yes.” 2. Even though a transactional attorney is highly unlikely to ever use litigation software, like Summation, the revised Comment 8 to Rule 1.1 imposes a responsibility on that attorney to be generally aware that such technology exists and whether it may be useful to a client.

  12. Application – Discovery: document collection and preservation – How knowledgeable are you with current technology? (Particularly small law departments, which may be more likely to rely on outside counsel if litigation is outsourced.) • We commonly think of email collection and perhaps text messages. • But what about … • Facebook posts, tweets, Instagram posts, Snapchats, WhatsApp texts • Smartphones & tablets • New rules create a need to expand the view of potential data sources • Are you properly advising your clients on record retention if you don’t know where the data is held? • Can you properly implement a legal hold? • Do your clients know where their data is and whether it can hurt them?

  13. Application – Impact on litigation strategy • Need to understand how to effectively pursue a party in a dispute – where is their information? • Social media? If you do preliminary investigations before involving outside counsel, other ethical issues may arise. • One ethics commentator noted that “Lawyers increasingly have turned to social networking sites, such as Facebook, Twitter and YouTube, as potential sources of evidence for use in litigation. The potential availability of helpful evidence on these internet-based sources makes them an attractive new weapon in a lawyer’s arsenal of formal and informal discovery devices.”

  14. Application – Cybersecurity: is it an IT problem? • Do you as in-house counsel have a duty to understand the technology aspects in order to sufficiently understand the risk and properly advise your clients as to potential liability? • Do you do, or know how to do, an effective risk assessment? • Does your client or vendor have the right insurance coverage to protect against the risks?

  15. Data Security Breach Infographic

  16. Information Security Policies and Incident Response Plans • Purpose for information security policies and incident response plans • Legal as a stakeholder and resource • Internal governance and compliance • Laws provide guidance on areas of risk re: types of data (e.g., data breach notification laws)

  17. Data Breach Notification Laws at a Glance

  18. Data Breach Notification Laws at a Glance

  19. Information Security in Contracts • Not just inbound IT infrastructure procurement contracts • Sales agreements • Partner agreements • B-2-C T&Cs, privacy policies • Any agreement relevant to data transfer or storage! • First step is understanding your IT structure: • Location of servers • Location of data • How data is shared in your company and with third-party services (one point of entry/exit via API, batch files, etc.)

  20. Application – Contract Reviews • Is your supply chain properly protecting your client’s information? • Is a Business Associate Agreement needed? • Do you know what data security provisions should be in place? (On the flip side, do you know what security provisions your client can comply with?) • Are you requesting SSAE 16, SOC 1, SOC 2 or SOC 3 reports? • Do you know what they are and when they are needed? • These reports focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy • What about PCI compliance? • Does the vendor’s insurance cover the security risks?

  21. Security Representations and Warranties – Examples • Party X represents that it shall comply with the Payment Card Industry Data Security Standards (“PCI-DSS”) with respect to the environments which collect, store, or process Payment Card Information under this Agreement and shall only use PCI compliant service providers in connection with the Services offered under this Agreement. “Payment Card Information” means data associated with a payment card or otherwise protected under PCI-DSS, as amended and updated from time to time, relating to a cardholder who is provided end services by Party X under this Agreement. • Party Y will handle all Payment Card Data, Customer Data, and Transaction Data it receives in connection with this Agreement or other equally sensitive data, and it will comply with applicable laws, regulations and ordinances in fulfilling its obligations hereunder. Further, Party Y represents and warrants that it has contractual agreements in place with its service providers providing that: (A) such service provider will handle Payment Card Data, Customer Data, and Transaction Data as they would their own equally sensitive data, and (B) such service provider will comply with applicable laws, regulations and ordinances in fulfilling their obligations hereunder and in connection with facilitation of Services.

  22. Drafting Considerations • Definition of data and related data use and prohibition rights • Ownership of data • Confidentiality sections • Indemnification for security breaches, sole remedy • Exclusions of indemnification claims and confidentiality from LOLs (limitations of liability) • Data deletion requirements during the term and at termination

  23. Vendor represents and warrants that at all times relevant to this Agreement, it shall utilize proper physical and administrative safeguards to protect Customer’s data. Physical safeguards include, but are not limited to, controlling access to the rooms in which servers are located and to specific servers. Administrative safeguards include, but are not limited to, ensuring that only those Vendor personnel who must have access to Customer’s data to perform this Agreement have such access.

  24. Cybersecurity Insurance Coverage at a Glance

  25. Relevant Laws Relating to Information Security • Other applicable rules driving obligations? • Data privacy/security laws (state, federal, int’l) • Data breach notification laws (47 states have these laws) • HIPAA/HITECH • Gramm-Leach-Bliley • Federal Trade Commission Act • Fiduciary duties?

  26. Application – Lawyer Productivity • Basic tools: Word, Excel, PowerPoint, SharePoint, Adobe Acrobat, OneDrive, Skype, … • Many tools/apps may enhance a lawyer’s performance for his/her client (see ACC Resources)

  27. Some Other Relevant Ethical Rules • Model Rule 1.6(c) (Confidentiality of Information) (see comments 18, 19) • Model Rule 1.4 (Communication) • Model Rules 5.1, 5.2, 5.3 (Duty of Supervision)

  28. Other Ethical Rules – Duty of Confidentiality • Model Rule 1.6(c) (see comments 18, 19) – “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

  29. Other Ethical Rules – Comment to Model Rule 1.6 • Acting Competently to Preserve Confidentiality • Comment [18]: “Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” • “A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”

  30. Application – Broad Application of the Duty of Confidentiality • Your emails and other communications? • Your trash? • Your desk and office? • Working at a coffee shop? • Your workspace at home? • Portable data storage devices? • Your laptop? • Working in the “cloud”?

  31. Other Ethical Rules – Duty of Confidentiality • Example: phishing/ransomware emails • Even in-house counsel can subject important client information to a hacking attempt • Litigation • M&A • Public company context (non-public financial or other information)

  32. Other Ethical Rules – Duties of Competence and Confidentiality • Arizona Bar Opinion 09-04 • Lawyer encrypted files, installed layers of password protection, randomly generated folder names and passwords, and converted each document to a PDF format that required a password. • “In satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, anti-virus measures, etc.” • The duty “does not require a guarantee that the system will be invulnerable to unauthorized access.”

  33. Other Ethical Rules • Duty to encrypt emails? • “A lawyer may transmit information relating to the representation of a client by unencrypted e-mail... because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.” “A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information....” ABA Formal Op. 99-413 (Mar. 10, 1999) • “Encrypting email may be a reasonable step for an attorney to take ... when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” Cal. Op. 2010-179 • Same application to in-house counsel?

  34. Other Ethical Rules • Can you use public wifi – working at the local coffee shop on a company laptop? • Short answer: In California, probably, if you take appropriate steps … which may include client consent

  35. Other Ethical Rules – THE STATE BAR OF CALIFORNIA FORMAL OPINION NO. 2010-179 • Evaluated against Duty of Confidentiality (3-100) and Duty of Competence (3-110) • “With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.” • “[I]f Attorney’s personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.”

  36. California Rule 3-110 – Failing to Act Competently • (A) A member shall not intentionally, recklessly, or repeatedly fail to perform legal services with competence. • (B) For purposes of this rule, "competence" in any legal service shall mean to apply the 1) diligence, 2) learning and skill, and 3) mental, emotional, and physical ability reasonably necessary for the performance of such service. • (C) If a member does not have sufficient learning and skill when the legal service is undertaken, the member may nonetheless perform such services competently by 1) associating with or, where appropriate, professionally consulting another lawyer reasonably believed to be competent, or 2) by acquiring sufficient learning and skill before performance is required.

  37. Impact of Cloud Storage? • Numerous ethics opinions are relevant to this topic: • Illinois State Bar Ethics Op. 10-01 (July 2009) • Pennsylvania Formal Opinion 2011-200 • North Carolina 2011 Formal Op. 6 • New York State Bar Ethics Opinion 842 • Alabama Ethics Opinion 2010-2 • Washington State Bar Advisory Opinion 2215 • Iowa Bar Ethics Opinion 11-01 • Vermont Ethics Opinion 2010-6 • Massachusetts Bar Ethics Opinion 12-03 • New Hampshire Ethics Committee Advisory Op. #2012-13/4

  38. How Do You Stay Abreast of Technology? • ACC on-line resources • ACC IT and Privacy Committee • CLE • ACC webinars • ACC local chapter offerings • Other providers • Various publications, e.g., Legal Tech News • Your IT department

  39. Ways you can better protect your client – with a little help from your friend … the IT Dept! • Ensure the company has adopted and maintains an appropriate security program • Audit your portable data storage devices and assess whether the data on those devices is secure – is your phone secure? • Clean up your hard drives – consider an audit of historical electronic files (are you following record retention protocols?) • Where the company uses shared drives or databases like SharePoint, ensure the Legal Department’s storage is secure • If you work remotely, familiarize yourself with the security of your home network and use appropriate security measures • Whenever possible, encrypt data at rest and data in transit • When the Legal Dept or company is using outside vendors, make sure you understand how the vendors are protecting company information

  40. Additional Resources • Ethics Opinions Related To Technology (California Bar) • http://ethics.calbar.ca.gov/Ethics/EthicsTechnologyResources/EthicsOpinionsRelatedtoTechnology.aspx • Cloud Ethics Opinions Around the U.S. (ABA Legal Technology Resource Center) • http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html • Metadata Ethics Opinions Around the U.S. (ABA Legal Technology Resource Center) • http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/metadatachart.html

  41. Additional Resources • Ethical Obligations in the Modern Era, ACC Annual Meeting 2011 • Cybersecurity – A Legal Issue Disguised as an IT Problem • Illinois Bar Journal, Low-tech is Not an Option, March 2014, Vol 102, No. 3, p 112 • Illinois Bar Journal, New ethics rules address outsourcing, technological competence, and more, December 2015, Vol 103, No. 12, p 12 • Florida Bar Journal, January 2016, 90-Jan Fla. B.J. 34, Behind Stable and Saloons: The Legal Profession’s Race to the Back of the Technological Pack • The Use of Technology by Lawyers and the Rules of Professional Conduct, Daniel A. Cotter, CBA Record, September 30, 2016, p 30-35 • Luddites Not Welcome in the Legal Profession, Jennifer Williams-Alverez, Corporate Counsel (on-line), October 5, 2016

  42. Additional Resources Glossaries of technology-related terms: • Webopedia • http://www.webopedia.com/ • NetLingo • http://www.netlingo.com/ • TechTarget • http://whatis.techtarget.com/
