TECHNOLOGY & ETHICS 101 Association of Corporate Counsel © 2015 The information contained in these materials should not be construed as legal advice.


TECHNOLOGY & ETHICS Association of Corporate Counsel © 2015 The information contained in these materials should not be construed as legal advice or legal opinion on specific facts, and should not be considered representative of the views of ACC or any of its lawyers or consultants, unless so stated. The information contained in these materials is not intended to be a definitive statement on the subject but rather to serve as a resource providing practical information for the reader.

Our Goals
- Understand primary ethical responsibilities governing tech issues
- Provide practical tips for dealing with technology
- Identify resources to learn more about tech issues

What is Your Level of Tech Knowledge?
- Poor…little to none
- Good…I get by without much difficulty
- Very good…I am an early adopter & stay ahead of the curve
- High…I am an expert and should teach this class

Ethical Duties Affecting Tech Knowledge
In August 2012, the ABA modernized the Model Rules to address technology issues, including…
- Competence: Rule 1.1
- Confidentiality: Rule 1.6
- Metadata: Rule 4.4
- Outsourcing/Cloud Computing: Rule 5.3
Remember to read your state rules!

Technology and Competence
ABA Model Rule 1.1: “Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
Comment [8] (new): “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”

Practical Relevance
- Responding to discovery
- Storing client information in the cloud
- Compliance with data privacy regulations
- Protecting data and responding to a breach (“Cyber Security”)
- Managing corporate information flows
- Advising on document retention policies
- Sending & receiving documents with metadata
- Leveraging technology to lower legal department costs
- Advising on social media for investigations, hiring, etc.
The proficiency you need may vary.

Takeaways on Competence
- Not a new obligation—nor is it difficult to grasp
- You should understand how technology works
- Standards evolve as practice changes—context matters and standards may vary
- You can still rely on consultants and IT experts (and probably should with appropriate diligence)
- Ethical duty of competence minimal standard; as a practical matter client business needs may require more
- You are in best position to see the big picture (e.g., PA Bar Ethics Op , p. 4)
- This is how you can provide value

“An attorney’s obligations under the ethical duty of competence evolve as new technologies develop and then become integrated with the practice of law.”
California State Bar Formal Opinion Interim No (Feb. 28, 2014) (related to ESI and discovery request)
See also, Luddite Lawyers Are Ethical Violations Waiting to Happen, Lawyerist, By Megan Zavieh, July 10, waiting-happen/

Technology and Confidentiality
ABA Model Rule 1.6(c) (new): “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”
Earlier focus was simply: “A lawyer shall not reveal information relating to the representation of a client * * *.” ABA Model Rule 1.6(a)

Cyber Security and Lawyers
FBI: Law firms and law departments are among the most vulnerable targets for cyber attacks.
Lawyers are reported to…
- Have limited resources to dedicate to computer security
- Lack a sophisticated appreciation of technology risks
- Lack an instinct for cyber security
Source: The ABA Cyber Security Handbook
Consider breach of several Canadian law firms: targetted-in-top-10-worst-cyber-attacks.html

Cyber Security and Reasonableness
- Ethical duties vs. legal & regulatory obligations
  – Lawyer & law department data & communications
  – Corporate & business data
- Ethical considerations
  – Sensitivity
  – Cost
  – Difficulty
  – Likelihood of disclosure
- NDA or Confidentiality Agreements
- HIPAA, EU Directive and other regulatory obligations

HYPO 1 – Working at home!
Situation: In-house counsel’s work is never done at the end of the day. In-house counsel just received information from the compliance team that an employee may be acting inappropriately to advantage certain clients seeking to purchase assets.
Action: IHC forwards the relevant documents and emails, including the name and other data on the suspected employee, to a personal account so that she can spend the rest of the night working on the issue. This is much easier than trying to log back in through VPN. And the home network is password protected.
Issue: Is the in-house counsel meeting the ethical obligation to make reasonable efforts to prevent inadvertent disclosure?

Takeaways on Confidentiality
- Assess risks of handling information – systemically & matter specific
- “Reasonable efforts” is the standard for ethical duty; business needs may require more
- Analyze separately from data privacy obligations
- Bottom line - add value:
  - Develop approaches to protect data
  - Employee training
  - Contracts

Receiving Metadata
ABA Model Rule 4.4(b): “A lawyer who receives a document or electronically stored information [ESI] relating to the representation of the lawyer’s client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender.”

ABA Model Rule 4.4(b) Obligations
- Notify sender
- No need to send back
- You can read metadata
- But avoid using special forensic software to access it
- Rules vary by state, e.g., New Jersey: do not read the document; stop reading the document; promptly notify the sender; and return the document to the sender. NJ RPC 4.4(b)
- For a summary of metadata ethics opinions from around the US, see datachart.html

Notify the Sender Triggers
- Must know or should know ESI sent inadvertently
- Relates to representation
- “Inadvertently sent”
  - ESI itself
  - Info that includes ESI

HYPO 2 – Nasty Letter!
Situation: The HR Department receives an email with an attached letter from an employee alleging discrimination and breach of contract. The letter is very well written and very specific in stating the desired remedies.
Action: The HR department brings the email to your attention. You decide to check the metadata to see if the employee has retained a lawyer.
Next steps: Any problems?

Outsourcing & Cloud Computing
ABA Model Rule 5.3: “With respect to a nonlawyer employed or retained by or associated with a lawyer: * * * (b) A lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer; * * *.”

ABA Model Rule 5.3: What’s new?
- Comment clarifies that rule applies to nonlawyers outside dept.
  – Investigators
  – Paraprofessionals
  – Document management
  – Printing or scanning co.
  – Internet-based services
- Comment includes monitoring responsibility

Reasonableness Depends On…
- [Vendor’s] education, experience and reputation
- Nature of services
- How client information is protected
- Legal & ethical environments of jurisdictions

Cloud Computing
- Ethics rules allow it
- It is a form of outsourcing
- Exercise reasonable care to protect confidentiality of client information
- States largely agree that reasonable care required
- WSBA Advisory Opinion 2215 (2012)

States May Require a Mix of Precautions…
- Stay abreast of best practices
- Depending on sensitivity of data, get client consent
- Heed client instructions
- Understand provider’s security controls
- Periodically review security measures
- Have enforceable confidentiality agreement
- Get notice of breach
- Ensure access to client data
- Delete data & return to client when not needed
- Ensure back-up strategy
E.g. New Hampshire State Bar Opinion /4 (Cloud Computing)

Takeaways on outsourcing
- Give appropriate instructions to non-lawyers.
- If directing outside counsel to use certain vendors, agree on who is monitoring the vendors.
- Ensure nonlawyers in non-US jurisdictions understand your professional obligations.
- Remember, cloud computing is a form of outsourcing – so the same standards of diligence apply.

HYPO 3 – We need cutting edge!
Situation: GC determines that the widely dispersed legal team needs a more efficient way to communicate real time to serve the client. Additionally, legal documents – including contracts, advice memos, and board documents – need to be stored and properly catalogued in a central repository with tiered access rights.
Action: GC is poised to hire an innovative start-up that would provide a custom solution at a competitive cost.
Issue: Is there anything the GC needs to consider before signing the deal?

Practical Takeaways: Ten Tips for Working With Technology*
*Jennifer Mailander, Associate GC, Corporation Services Co., and Chair of the ACC Litigation Committee, originally developed these tips for a presentation to the ACC Chicago Chapter. They have been modified and adapted for this presentation and are used with prior permission from the author.

10. Understand Your Company’s Technology
- Understand your company’s business and the technology your company uses on a daily basis
- Understand your company’s technology strategy
- Understand who has responsibility for buying and maintaining technology
  o What is Legal’s role?
  o What is your process for buying?
  o Make sure it includes a process to identify when Shadow IT is being used (when a user/department finds a Cloud provider when IT is too busy)
- Know the regulations that apply to your industry
- Update your policies and procedures

9. Know Your Vendors and Your Vendors’ Vendors
- Know who your vendors are and what services they provide
- Connect and work with your security team
  - You both need to know when you find new places to store data
- Put a process in place to identify new technology being used
  - It’s happening: you just may not know about it
NOTE: Hackers see your vendors as conduits to your data
  o Data loss at Target and Home Depot resulted from sub-contractor and 3rd party vendor breaches

8. Know Your Law Firm’s Security Practices
- Understand your obligations as in-house counsel when working with your law firms
- Law firms are prime targets for hacks and unauthorized intrusions
- Join the ACC Litigation Committee Subcommittee on Cyber Security and Law Firms
  – Contact: Evan Slavitt,
- Join the ACC Working Group on Data Security for Law Firms
  – Contact: Amar Sarwal,

7. Be A Partner To The Business
- Find a way to help your business partners understand and mitigate technology risks; help them achieve success
- Host a series of lunch and learns with your business and technology counterparts
  – Present on areas of respective expertise: Contract and licensing 101; Technology 101; Sales 101; Operations 101, etc.
  – Meet regularly to discuss issues, trends, etc.

6. Conduct A Data Audit
- Form a cross-functional team to identify data practices
- Understand what and how data is managed
  - What is the data?
  - Who has (and should have) access?
  - Where does it go?
  - How long is it stored?
- Don’t collect data you do not need

5. Assess Your Individual Data Practices
- Where do you keep your personal data?
  – At home?
  – At work?
- Use a password manager
  – Do not store your passwords online

4. Know Your Company’s Breach and Incident Response Plan and Practices
- If you do not have a plan—create one!
  - Disaster recovery plan; incident response
  - Communication protocols
  - Key Stakeholders
  - Identify 3rd Party Vendor in advance
- Know the plan and practices
- Know who has what roles in the plan
- Practice, practice, practice

3. Employee Training on Technology, Security & Privacy
- JUST DO IT!
- Employees are your biggest threat—poor security practices
  o Phishing
  o E.g., Sony

2. Get Comfortable With Technology
- Use your ACC resources: ACC Committees and Chapters www.acc.com
  o Webcasts; ACC Docket; Inhouse ACCess blog; eGroup
- David Pogue TED Talk
  o ps?language=en

2. Get Comfortable With Technology
- Password Storage
  o Lifehacker: Five Best Password Managers
  o PinHawk Law Technology Digest
  o ABA’s Law Technology Today
  o The Lawyerist
  o Google iPhone and Android tips
- Take a class

1. Network Inside and Outside Your Organization
- Develop a core team of company contacts to assist on technology issues
  - Use your contacts in other parts of the organization (e.g., IT, Security) to help keep you up to date on technology developments affecting your business
- Talk with your peers outside the company regarding best practices and stay current on new developments

THANK YOU! Association of Corporate Counsel