BEYOND TECHNOPHOBIA: LAWYERS’ ETHICAL AND LEGAL OBLIGATIONS TO MONITOR EVOLVING TECHNOLOGY

Timothy J. Toohey
Richmond Journal of Law and Technology Symposium
University of Richmond School of Law
27 February 2014

Overview
• Technophobia and the Legal Profession
• Security Threats
• Lawyers’ Legal and Ethical Obligations
  – Email
  – Cloud Computing
• Practical implications for practice of law

Technology and Legal Profession
• Lawyers and technophobia
• Security risks to professionals
• Client data
  – Employee data (private information)
  – Protected Health Information (PHI)
• Sources of attacks
  – DDoS
  – External hackers
  – Internal: malice and incompetence
  – Nation-state attacks

Growing Threats
• ABA 2014 Cybersecurity Resolution: “[t]he threat of cyber attacks against law firms is growing”; “[l]awyers and law firms are facing unprecedented challenges from the widespread use of electronic records and mobile devices.”
• Easier for hackers to attack lawyers and law firms than clients
• Lawyers’ insistence on mobility and accessibility increases risks
• Increasing amounts of material stored electronically (ESI)
• Use of personal devices

Vulnerability of Law Firms
• Few specifics regarding hacks
• Law firm documents exposed in other hacks
  – SPE
• Cyberinsurance
  – E&O (Professional Liability)/Cyber Insurance gap?
  – First party losses
• Greater exposure to firm and client data through changing technology
  – Email
  – Cloud computing
  – Mobile and IoT

General Legal Obligations
• State law
  – Entities owning, licensing or maintaining personal information about Californians must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure.” (Cal. Civ. C. 1798.81)
  – Data breach notification (personal information)
• Federal law
  – HIPAA (Protected Health Information)
  – FTC Act

Ethical Obligations: ABA Model Rules
• ABA Model Rule 1.1 Comment 8 obligation “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added.)
• ABA Model Rule 1.6(c) Comment 18 “requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by a lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”

California Formal Opinion No. 2010-179
• Technology is “ever evolving” and integrated into “virtually every aspect” of our lives
• “Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy.”
• Although lawyers do not have to “develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technologies used in their practice.” (Emphasis added.)
  – Hire a consultant if lawyer doesn’t have the competence.

California Formal Opinion 2010-179
• Because of “the evolving nature of technology and the differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.” (Emphasis added.)

Our Emails are Secure, Aren’t They?

And So Are The Files on Our Network?
• http://i.kinja-img.com/gawkermedia/image/upload/s--lUHXRGu0-/mkytekmz9xzifmwzmva1.jpg

Ethics of Email
• ABA Formal Opinion 99-143: email has “[t]he same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet email.”
• ABA Formal Opinion 11-459: lawyers “sending or receiving substantive communications with a client via email or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or email account, where there is a significant risk that a third party may gain access.”

Web-Based Email

Ethics of Web-Based Mail
• NY Ethics Op. 820: web-based email that uses targeted advertisements ethical
  – Gmail (but not named as such)
  – No review of email by humans
• Did not consider Google’s Terms of Service (TOS)
  – Apply to all of Google’s products and services
• Current Google TOS
  – Disclaim all warranties
  – Unilateral right to “communicate, publish, publicly perform, publicly display and distribute” the content of emails

Users’ Expectation of Privacy
• In re Google Inc. Gmail Litigation, N.D. Cal.
  – “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s E[lectronic] C[ommunication] S[ervice] provider in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’” (quoting Smith v. Maryland)
• Court did not accept this argument

Google’s Privacy Policy
• Does not restrict Google’s use of personal information, but only how it is shared with third parties
• Inapplicable to information that does not constitute “private” information
  – Proprietary client information is not “private” information
• Fate of the third party doctrine and NSA surveillance

Email Passwords Must be Complex! (Dilbert 2005/9/10)

Email Security Risks
• Email security risks go beyond web-based e-mail
• Phishing/spear-phishing attacks often used to gain access to computer systems
• Passwords may be insecure
• Training in use of email
  – Lack of security
  – “Reply All”
  – Preservation/destruction
  – Encryption
  – Consider alternatives

Wally on Cloud Computing (Dilbert (12/8/14))

Cloud Computing
• Vague marketing term
  – Outsourcing
  – “Ubiquitous, convenient on-demand network access to a shared pool of configurable computing resources” (NIST)
  – Word processing, accounting, document storage
• Private clouds
• Public clouds
  – Amazon Simple Storage Service (Amazon S3)
  – Google Docs, Sheets and Slides (Chrome)
  – Dropbox for file sharing

Ethics of Cloud Computing
• Iowa Ethics Opinion 11-01
  – Lawyers must take reasonable precautions to prevent information coming into hands of unintended recipients.
  – “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions.”

New York Ethics Opinion 842
• Lawyers must:
  – Ensure that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
  – Investigate the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
  – Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
  – Investigate the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.

California Ethics Opinion 2010-179
• “The greater the sensitivity of the information, the less risk the attorney should take with technology. If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent.”

Google TOS
• “NEITHER GOOGLE NOR ITS SUPPLIERS OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE SERVICES. FOR EXAMPLE, WE DON'T MAKE ANY COMMITMENTS ABOUT THE CONTENT WITHIN THE SERVICES, THE SPECIFIC FUNCTIONS OF THE SERVICES, OR THEIR RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS. WE PROVIDE THE SERVICES 'AS IS.'” (Capitalization in Original)
• “WHEN PERMITTED BY LAW, GOOGLE AND GOOGLE'S SUPPLIERS AND DISTRIBUTORS, WILL NOT BE RESPONSIBLE FOR LOST PROFITS, REVENUES, OR DATA, FINANCIAL LOSSES OR INDIRECT, SPECIAL CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES.”

Amazon TOS
• In no event will our or our software licensors' total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) arising out of or related to your use or inability to use the Software exceed the amount of fifty dollars ($50.00).
• In no event will our total liability to you for all damages arising from your use of the Service or information, materials or products included on or otherwise made available to you through the Service (excluding the Software), exceed the amount you paid for the Service related to your claim for damages.
• We have no liability for any loss, damage or misappropriation of Your Files under any circumstances or for any consequences related to changes, restrictions, suspensions or termination of the Service or the Agreement. These limitations will apply to you even if the remedies fail of their essential purpose.

Mobile Technology
• Blurs lines between work and personal uses
• Allows access (and rapid dissemination) of protected information
• Increases security risks
• Creates additional ethical challenges
• Lack of understanding of technology and security issues by some lawyers

Recommendations
• Encryption
• Training of law firm personnel
• Policies and procedures
  – Limitations on use of web-based email and public cloud
• Consider risks when using particular technology
  – Avoid for highly sensitive documents and communications
• Awareness of security risks

Contact Information
Timothy J. Toohey
Morris Polich & Purdy
1055 West Seventh Street
Twenty-Fourth Floor
Los Angeles, California 90017 USA
TToohey@mpplaw.com
+1-213-417-5324
www.privacydatasecurity.com