ETHICS + DATA Dennis Kennedy Patrick Reagan Cyber12 - NKU - PowerPoint PPT Presentation

ETHICS + DATA Dennis Kennedy Patrick Reagan Cyber12 - NKU Cybersecurity Symposium - October 11, 2019

ROADMAP  Part 1: Today’s data security issues  Part 2: Ethical obligations of lawyers  Part 3: Ethical obligations of IT professionals  Part 4: FTC Health Breach Notification Rule  Part 5: Conclusion  Part 6: Q&A

TODAY’S DATA SECURITY ISSUES  Fake data generation  Pollutes a company’s data pool. Makes analytics faulty.  Non-encrypted data  For cloud storage, this is a huge problem.  Granular access control  Controlling who sees what limits noticeability of breaches.  Creative hackers  E.g. emails asking for your password.  Data provenance difficulties  Responding to a breach is more difficult if you don’t know where data came from.  Distributed storage frameworks  Storing data in multiple locations makes breach identification difficult.  Lack of security audits  You don’t know what you don’t know.

ETHICAL OBLIGATIONS OF LAWYERS from this to this

ETHICAL OBLIGATIONS OF LAWYERS  Massive amounts of client data is digitized  Law firms now have data security issues  DLA Piper 2017 data breach  Multi-day shutdown and millions in costs to fix  Cravath  Weil Gotshal  Law firms that work in healthcare have special HIPAA obligations  Regulating authorities are enacting new laws  GDPR  CCPA

ETHICAL OBLIGATIONS OF LAWYERS  ABA Model Rule 1.1/SCR 3.130 (1.1): must keep up with technology to maintain competence.  ABA Model Rule 1.6/SCR 3.130 (1.6): core of lawyers’ ethical obligations to their clients.  ABA Opinion 99-413/KBA E-403: email with clients permissible  ABA Opinion 477R/KBA E-446: must secure Internet devices  ABA Opinion 483/KBA E-446: must notify clients of data breach

DUTY TO MAINTAIN COMPETENCE  ABA Model Rule 1.1/SCR 3.130 (1.1)  “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”  Comment 8 – ABA: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”  Kentucky comment is identical.

DUTY OF CONFIDENTIALITY  Core duty of a lawyer  Bedrock of attorney-client relationship  Foundation of the duty to keep client files and data secure  ABA Rule 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  Comment 14 to SCR 3.130 (1.6): “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.”

ABA OPINION 99-413  The genesis of legal opinions on how to protect client data  Authorized email with clients  “Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted email sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client’s representation.”

SINCE OPINION 99-413  2012 technology amendments  Comment 8 to Rule 1.1:  “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”  Kentucky SCR 3.130 (1.1), comment 6 states similarly.  Rule 1.6(c)  “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  Comment 18: if a lawyer makes reasonable efforts to prevent data access/disclosure, she has met her obligation under Rule 1.6.

CYBERSECURITY AND REASONABLE EFFORTS  Comment 18 to Rule 1.6(c); KBA Opinion E-446  Sensitivity of the information  Likelihood of disclosure if additional safeguards are not employed  Cost of employing additional safeguards  Difficulty of implementing the safeguards  Extent to which safeguards adversely affect the lawyer’s ability to represent clients  E.g. whether a safeguard would make a device or important piece of software excessively difficult to use

EXAMPLES OF REASONABLE EFFORTS  Firewall  Encryption  Avoiding instant message platforms  Using complex passwords  Retaining the ability to remotely wipe lost devices containing client information  Exercising caution when communicating with a client whose computers or other devices are controlled/accessed by a third party  Training all staff on how to properly use technology and follow security protocols  Remember: almost no data is ever truly “deleted”

VENDORS  Risk of breach and/or malfeasance  Kentucky allows contracting with vendors: KBA E-446: “an attorney selecting an online provider of storage or other services must investigate the provider to be sure that client information is reasonably sure to remain confidential and secure.”  Rule 5.3: lawyers supervising nonlawyers must make “reasonable efforts to ensure that” the nonlawyers’ “conduct is compatible with the professional obligations of the lawyer.” This includes confidentiality.  When hiring vendors, evaluate the vendor’s:  References and credentials  Security policies and protocols  Hiring practices  Use of confidentiality agreements  Conflict check system  Availability of options to pursue legal relief for violations of vendor agreement  Beware of arbitration clauses. You want a court’s equitable powers if there is a breach or malfeasance.

THIRD PARTY SERVICES  Examples: cloud-based storage services  Comment 3 to Model Rule 5.3  Must use reasonable efforts to ensure third party service follows lawyer’s ethical obligations  Factors to look at when evaluating third party services:  Education, experience, and reputation of nonlawyer third party service  Nature of services involved  Terms of any arrangements concerning protection of client information  Legal and ethical environments of jurisdictions in which services will be performed— especially regarding confidentiality.  When communicating highly sensitive client information to a third party service, disclose that to the client.  KBA E-446: attorneys must make reasonable efforts to adopt sufficient security policies regarding vendors and third party services.

KENTUCKY LAWYERS’ OBLIGATIONS WITH CLOUD COMPUTING  KBA E-437  Main authorities  “As with storage of files in a bricks-and-mortar law office or in an off-site warehouse, client information stored in the cloud cannot be protected absolutely. Burglars can break into law offices and warehouses despite the utmost care to protect against such happenings. Likewise, sophisticated hackers can access online information despite the utmost care to protect confidential client information.”  Lawyer must make reasonable efforts to supervise a provider of online storage to ensure compliance with confidentiality rules and the lawyer’s other obligations  Lawyers should also consider advising clients with highly sensitive information they are storing their data on the cloud  Review any agreements made with cloud storage providers  Consider the following:  Protections the providers has to prevent disclosure of confidential client information  Whether the provider is contractually obligated to protect security/confidentiality  Whether the service agreement states the provider will “own” the data  What procedures the provider uses when responding to governmental/judicial attempts to obtain confidential client information.

LAWYERS’ OBLIGATIONS REGARDING DATA BREACHES  ABA Opinion 483: “lawyers utilizing technology [must] safeguard and monitor the security of electronically-stored client property and information.”  Ethical obligations arise only when (1) there is a breach of material client information; or (2) a lawyer’s ability to perform legal services is significantly impaired by a cyber episode.  Not taking steps to reasonably prevent a data breach is where an ethical violation occurs—not necessarily the occurrence of the breach itself.  KBA E-446: if there is a disclosure of the client’s specific confidential and/or privileged information to third parties that would constitute a significant development affecting the client’s representation, a disclosure must be made to the client about this development.  KBA E-446: rule regarding safeguarding client(s)’ property applies to client data

STOPPING BREACHES MITIGATING DAMAGES  Duty to prevent breaches is not one of strict liability. Rather, it is one of “reasonable effort.”  Even if data has been accessed, if the lawyer took reasonable efforts to prevent the breach she has not committed a violation.  Draft an incident response plan with specific procedures for responding to a data breach.  Identify team members and their backups.  Determine specifically what occurred.  Gather enough information to determine the breach has been stopped.  Evaluate what data was lost or accessed.