antony haynes 4 0 ethics & technology - new york state ......antony k. haynes everyone is a...

Ethics & Technology:The Risks and Legal Ethics of Technology and Legal Practice

Antony K. Haynes

November 10, 2016

Antony K. Haynes

Learning Outcomes

1. Gain knowledge and understanding of professional and ethical responsibilities.

2. Be able to exercise proper professional and ethical responsibilities to clients and to the legal system.

Antony K. Haynes

Ethical Issues

• Competency• Confidentiality• Encryption• Metadata• Cloud Computing• Data Retention

Antony K. Haynes

Everyone Is a Target

•Hackers in the past year have broken into computer systems at the White House, the State Department, the Pentagon, the Internal Revenue Service and the Office of Personnel Management

•Law firms are considered by attackers to be “one stop shops” for attackers because they have high value information and perhaps weaker security than other businesses.

Antony K. Haynes

The Panama Papers

• Files reveal the offshore holdings of 140 politicians and public officials from around the world• Current and former world leaders in the data include the prime minister of Iceland, the president of Ukraine, and the king of Saudi Arabia• More than 214,000 offshore entities appear in the leak, connected to people in more than 200 countries and territories• Major banks have driven the creation of hard‐to‐trace companies in offshore havens

Antony K. Haynes

Cravath, Swaine & Moore

WSJ Post, March 29, 2016• Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter.• The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion‐dollar merger negotiations

Antony K. Haynes

The Cyber‐Threat

• Robert Mueller, then the FBI Director, put it this way in an address at a major information security conference in 2012:

• I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

Antony K. Haynes

Recent High Profile Data Breaches

• OPM, Fed’l Gov’t– Suspected Chinese hackers– records of over 22 million federal employees and contractors, including covert operators and other military and intelligence personnel

• Anthem, January 2015– Suspected Chinese hackers

• Sony, November 2014– Suspected Korean hackers

• Target, 2013– Suspected Russian hackers

Antony K. Haynes

ABA Cybersecurity Task Force2012 Report and Resolution

5 Essential Principles for Government to consider when making policy to address cyber‐attacks

– Public/private frameworks– Public/private collaboration and sharing– Legal and policy environments must be modernized to keep up with technology– Privacy and civil liberties remain a priority– Training, workforce development, adequate resources and investing

Antony K. Haynes

Basic Terms/Definitions

• Cyber Security: also known as cybersecurity or IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.• Data Breach: the intentional or unintentional release of secure information to an untrusted environment.

Antony K. Haynes


• Two‐Factor Authentication: a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

Antony K. Haynes


• The “Cloud”: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

Antony K. Haynes


• “Phishing”: the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.• Encryption: the process of encoding messages or information in such a way that only authorized parties can read it.

Antony K. Haynes


• Botnet: (also known as a zombie army) refers to Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.• Patch: a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bug fixes, and improving the usability or performance.

Antony K. Haynes

Rule 1.1*

(a) A lawyer should provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

* “Rule #.#” refers to the New York Rules of Professional Conduct, Effective April 1, 2009, as amended through January 1, 2014, with Commentary as amended through March 28, 2015. Except where noted otherwise, NY Rules are generally used interchangeably with the ABA Model Rules of Professional Conduct in this presentation.

Antony K. Haynes

Rule 1.1 Comment 8

Maintaining Competence

To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable continuing legal education requirements under 22 N.Y.C.R.R. Part 1500 (emphasis added).

Antony K. Haynes

Rule 1.1 References

Latest ABA Guidance: Old Wine in a Tech‐Ethics Bottle? NYSBA Journal November/December 2012, Article pg. 20, by Devika KewalramaniThis article addresses the importance of lawyers and law firms in keeping up with the advancement in technology while maintaining client confidentiality and the attorney‐client relationship. “Lawyers perhaps deal with more confidential and privileged information than any other professionals. That is why it is imperative that law firms and legal departments understand how to protect and secure the information clients entrust to them. Today, every law firm and legal department maintains electronic client data in some shape or form. This makes the ABA guidance on a lawyer’s use of technology critical to every lawyer’s practice.”

Antony K. Haynes

Rule 1.6

(c) A lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidential information of a client … (emphasis added).

Antony K. Haynes

Rule 1.6 Ethics Opinions

NYSBA Opinion 820 ‐ 02/08/2008 Topic: Use of e‐mail service provider that scans e‐mails for advertising purposes. Digest: A lawyer may use an e‐mail service provider that conducts computer scans of e‐mails to generate computer advertising, where the e‐mails are not reviewed by or provided to human beings other than the sender and recipient. Rules: DR 4‐101; EC 4‐3.

Antony K. Haynes


NYSBA Opinion 1019 (8/6/2014) Topic: Confidentiality; Remote Access to Firm's Electronic Files Digest: A law firm may give its lawyers remote access to client files, so that lawyers may work from home, as long as the firm determines that the particular technology used provides reasonable protection to client confidential information, or, in the absence of such reasonable protection, if the law firm obtains informed consent from the client, after informing the client of the risks. Rules: 1.0(j), 1.5(a), 1.6, 1.6(a), 1.6(b), 1.6(c), 1.15(d).

Antony K. Haynes


ABA Formal Opinion 11‐459 (8/4/2011) Topic: Duty to Protect the Confidentiality of E‐mail Communications with One’s ClientDigest: A lawyer sending or receiving substantive communications with a client via e‐mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e‐mail account, where there is a significant risk that a third party may gain access. In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client‐lawyer communications via e‐mail or other electronic means, using a business device or system under circumstances where there is a significant risk that the communications will be read by the employer or another third party.

Antony K. Haynes

ABA Rule 1.6

• (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client (emphasis added).

Antony K. Haynes

Duty to Safeguard Confidential Information

• Common law duty‐‐ACP• Legal—statutes protecting medical, financial and personal identification information• Fiduciary/Agency• Legal Ethics—ABA MR 1.6– (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

• VA adopted new Va. Rule 1.6(d) which is identical, eff. March 1, 2016.

Antony K. Haynes

Va. Rule 1.6(c)—What Are ReasonableEfforts to Protect Client Data?

• Comments 19, 19a, 20 and 21 explain.• Comment 19—factors to consider:– Sensitivity of the information– Risk of disclosure if additional measures not taken– Employment/use of IT professionals– Cost of additional safeguards– Difficulty of implementing additional safeguards– Extent to which safeguards interfere unreasonably with representation of client.

Antony K. Haynes


• Comment 20—”safe harbor”• lawyer is not subject to discipline under this Rule if the lawyer has made reasonable efforts to protect electronic data, even if there is a data breach, cyber‐attack or other incident resulting in the loss, destruction, misdeliveryor theft of confidential client information.• Perfect security is not attainable• Even large businesses and government organizations with sophisticated data security systems have suffered data breaches.• What’s reasonable may depend on size of firm.• Lawyer need not be “tech‐savvy” but may need to employ someone who is.

Antony K. Haynes


• Comment 21—Lawyers should keep abreast on an ongoing basis and periodically review security measures including:• Staff security training and evaluation• Procedures to address departing employees• Access to stored client data by third parties• Back up/storage/and erasure of data on devices• Strong passwords and authentication on devices and networks.• Use of hardware/software to prevent, detect and respond to intrusion, malicious software and activity.

Antony K. Haynes

Other Things to Consider

• There is no such thing as “set it and forget it” security. The threats and the defenses to those threats change constantly and firms must strive to keep up with the changes.• So the new mantra is Identify (assets that need to be protected), Protect, Detect, Respond and Recover.• 100% Prevention is not possible—you will lose credibility if you think and assert this.

Antony K. Haynes

State Agencies and NGOs

• NYS Enterprise Information Security Office (EISO) and Advisories• NYS Office of Information Technology Services (ITS) Policies• Center for Internet Security

Antony K. Haynes

Encryption

• 1990s consensus: in general, and except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information.

• A Texas state bar ethics opinion has indicated that there may be circumstances where lawyers may have to encrypt e‐mail communications with their clients.

Antony K. Haynes

Encryption Ethics Opinions

NYCBA Formal Opinion 1998‐2 A law firm need not encrypt all e‐mail communications containing confidential client information, but should advise its clients and prospective clients communicating with the firm by e‐mail that security of communications over the Internet is not as secure as other forms of communications. Rules: DR 2‐101(D), (F), (H), (I); DR 2‐104(A), (C), (E); Canon 4; Canon 6; EC 2‐5.

Antony K. Haynes

Sedona Conference on Metadata

Competence requires that lawyers understand that• metadata is created in the generation of electronic files,• transmission of electronic files will include transmission of metadata,

• recipients of the files can access metadata, and• actions can be taken to prevent or minimize the transmission of metadata.

See, e.g., Minnesota Lawyers Professional Responsibility Board Opinion No. 22 (Mar. 26, 2010) (“[A] lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents.”)

Antony K. Haynes

What Is Metadata?

• Data about data• Applications: “Substantive metadata, also known as application metadata, is ‘created as a function of the application software used to create the document or file’ and reflects substantive changes made by the user ... and includes data that instructs the computer how to display the fonts and spacing in a document. ... Substantive metadata is embedded in the document it describes and remains with the document when it is moved or copied.”

See Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec., 255 F.R.D. 350 (S.D.N.Y. 2008).

Antony K. Haynes

What Is Metadata?

• Data about data• System: “System metadata ‘reflects information created by the user or by the organization’s information management system.’ ... This data ... can usually be easily retrieved from whatever operating system is in use. ... Examples of system metadata include data concerning ‘the author, date and time of creation, and the date a document was modified.’”


Antony K. Haynes

What Is Metadata?

• Data about data• Embedded: “Embedded metadata consists of ‘text, numbers, content, data, or other information that is directly or indirectly inputted into a [n]ative [f ]ile by a user and which is not typically visible to the user viewing the output display’ of the native file. …’12 Examples include spreadsheet formulas, hidden columns, externally or internally linked files (such as sound files), hyperlinks, references and fields, and database information.’”


Antony K. Haynes

Metadata Ethics Opinions

NYSBA Opinion #782 ‐ 12/08/2004 Topic: E‐mailing documents that may contain hidden data reflecting client confidences and secrets. Digest: Lawyers must exercise reasonable care to prevent the disclosure of confidences and secrets contained in "metadata" in documents they transmit electronically to opposing counsel or other third parties. Rules: DR 1‐102(A)(5), 4‐101(B), (C), (D); EC 4‐5.

Antony K. Haynes


NYSBA Opinion 749 ‐ 12/12/2001 Topic: Use of computer software to surreptitiously examine and trace e‐mail and other electronic documentsDigest: Lawyers may not ethically use available technology to surreptitiously examine and trace email and other electronic documents.Rules: DR 1‐102(A)(4), DR 1‐102(A)(5), DR 4‐101, DR 7‐102(A)(8), Canon 4, Canon 7, EC 4‐1

Antony K. Haynes


NYCBA Formal Opinion 2012‐1 Topic: Inadvertent Disclosure of DocumentsDigest: A lawyer who receives a letter, fax, e‐mail or other communication that the lawyer knows or reasonably should know was transmitted by mistake must promptly notify the sender, pursuant to Rule 4.4(b) of the New York Rules of Professional Conduct, and follow any other applicable law. To the extent that it imposed requirements beyond those set forth in Rule 4.4(b), ABCNY Formal Opinion 2003‐04, which addressed the same issue under the New York Code of Professional Responsibility, is withdrawn, but there may be circumstances in which a lawyer may choose to act in conformity with the guidance in Formal Opinion 2003‐04 without thereby per se violating Rule 4.4(b).Rules: 4.4(b)

Antony K. Haynes

Metadata Ethics OpinionsNYCBA Formal Opinion 2003‐04 Topic: Obligations Upon Receiving a Communication Containing Confidences or Secrets Not Intended for the RecipientDigest: When a lawyer receives a letter, fax, e‐mail or other communication containing confidences or secrets that the lawyer knows or reasonably should know were transmitted by mistake, the lawyer confronts a number of issues implicating the administration of justice, respect for the attorney‐client relationship and the obligation to zealously represent one's own client. This opinion examines the various approaches to these issues and concludes that a lawyer receiving a misdirected communication containing confidences or secrets (1) has obligations to promptly notify the sending attorney, to refrain from review of the communication, and to return or destroy the communication if so requested, but, (2) in limited circumstances, may submit the communication for in camera review by a tribunal, and (3) is not ethically barred from using information gleaned prior to knowing or having reason to know that the communication contains confidences or secrets not intended for the receiving lawyer. However, it is essential as an ethical matter that the receiving attorney promptly notify the sending attorney of the disclosure in order to give the sending attorney a reasonable opportunity to promptly take whatever steps he or she feels are necessary.Rules: DR 1‐102(A)(5), DR 4‐101, DR 7‐101(A), DR 9‐102(C)

Antony K. Haynes

Cloud Computing

• Is it permitted under NY Ethics Law? Yes• Standard: Reasonable care• Opinion 842

• Vendor must have an enforceable obligation to preserve confidentiality and security, and should notify lawyer if served with process for client data.

• Use available technology to guard against foreseeable attempts to infiltrate data.

• Investigate vendor security practices and periodically review to be sure they remain up‐to‐date.

• Investigate any potential security breaches or lapses by vendor to ensure client data was not compromised.

Antony K. Haynes

Cloud Computing Ethics Opinions

NYSBA Opinion 842 (9/10/10) Topic: Using an outside online storage provider to store client confidential information. Digest: A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer's obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege. Rules: 1.4, 1.6(a), 1.6(c)

Antony K. Haynes

Data Retention Ethics Opinions

NYSBA Opinion 940 (10/16/12) Topic: Use of off‐site backup tapes to store a client's confidential information; retention of files in original paper form Digest: Lawyer may store confidential information on off‐site backup tapes if lawyer takes reasonable care to ensure adequacy of systems to protect confidentiality. When records must be retained, nature of the records determines whether lawyer (i) must maintain originals, (ii) may discard originals and maintain electronic copies in particular formats, or (iii) may maintain electronic copies in any format. Rules: 1.6(a) & (c), 1.15(d)

Antony K. Haynes

Cloud Computing Ethics Opinions

NYSBA Opinion 1020 (9/12/2014) Topic: Confidentiality; use of cloud storage for purposes of a transaction Digest: Whether a lawyer to a party in a transaction may post and share documents using a “cloud” data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks. Rules: 1.1, 1.6

Antony K. Haynes

Cloud Computing References

Being Prepared When the Cloud Rolls In, NYSBA Journal October 2014, Article pg. 24, by by Natalie SulimaniThis article addresses maintaining client confidentiality and the attorney‐client relationship and the advantages and ethical considerations of cloud computing and storage of data; the use of encrypted email; notification policies when using cloud computing or breach of security occurs.

Antony K. Haynes


NYSBA Opinion 680 ‐ 01/10/1996 Topic: Record Retention By Electronic Means Digest: Lawyers may retain some records in the form of computer images, but certain records must be retained in original form. Rules: DR 9‐102(D), 9‐102(H)

Antony K. Haynes


NYSBA Opinion 940 (10/16/12) Topic: Use of off‐site backup tapes to store a client's confidential information; retention of files in original paper form Digest: Lawyer may store confidential information on off‐site backup tapes if lawyer takes reasonable care to ensure adequacy of systems to protect confidentiality. When records must be retained, nature of the records determines whether lawyer (i) must maintain originals, (ii) may discard originals and maintain electronic copies in particular formats, or (iii) may maintain electronic copies in any format. Rules: 1.6(a) & (c), 1.15(d)

Antony K. Haynes


NYSBA Opinion 950 (12/17/12) Topic: Saving law firm mail in paper or electronic form Digest: Law firm that retains electronic copies of mail may destroy the original paper mail, except when it finds that particular items must be retained in paper form, if it follows reliable procedures to identify and retain those particular items. Rules: 1.6, 1.15(d)

Antony K. Haynes


NYCBA Formal Opinion 2008‐1 Topic: Files of client; Computers; E‐mail. Digest: A lawyer is not required to organize or store electronic documents or e‐mails in any particular manner or medium. E‐mails present more difficulty than electronic documents because they often are deleted automatically after a certain period, and generally are not stored in a document management system. Because a lawyer may not charge a client file retrieval costs that could reasonably have been avoided, there is much to commend a practice of organizing saved e‐mails for ease of retrieval Rules: DR 2‐106, DR 2‐110(2), DR 9‐102; ABA Rules 1.0(n), 1.16(d);

Antony K. Haynes

HypotheticalYour organization is preparing to transition its email, web, and datastorage from in‐house services to a cloud computing provider. Asyour organization is a legal services provider, you wish to make surethat use of cloud computing satisfies your individual andorganization legal ethics duties. Analyze the provided customerservice agreement and answer the following questions:• What additional information, if any, do you require?• What legal ethics issues, if any, are triggered by the agreement?• What advice would you give your organization regarding adoptionof the agreement?

Antony K. Haynes

Resources

• See Security Tips for Law Firms in Written Material.• See also, NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/). This document was developed through a lengthy consultation process with industry; it is meant to provide a general approach to cybersecurity, and to point businesses toward the relevant existing standards. In many industry contexts, it is becoming the de facto “standard of care.”

Antony K. Haynes

Resources

• The Legal Cloud Computing Association has developed basic and concise standards that lawyers and laws firms should use in selecting a cloud computing provider. http://www.legalcloudcomputingassociation.org/standards/.• Federal Trade Commission, “Start with Security” guidance to businesses (https://www.ftc.gov/system/files/documents/plain‐language/pdf0205‐startwithsecurity.pdf). This is generic guidance drawn from the FTC’s recent enforcement cases. It’s fairly simple and written in non‐technical language, but it provides some insight into what one group of federal regulators are thinking is (or should be) the standard of care for a business.

Antony K. Haynes

Resources

• The ABA Legal Technology Resource Center http://www.americanbar.org/groups/departments_offices/legal_technology_resources.html

• ABA Section of Law Practice Management website: Cloud Ethics Opinions Around the U.S. http://www.americanbar.org/groups/departments_offices/legal_technology_

Antony K. Haynes

Resources

• ABA Section of Law Practice Management Section: eLawyering Task Force http://apps.americanbar.org/dch/committee.cfm?com=EP024500. The E‐Lawyering task force has published “Guidelines for the Use of Cloud Computing in Law Practice” http://meetings.abanet.org/webupload/commupload/EP024500/relatedresources/cloudcomputingguidelines05.30.2011.pdf (2011).

Antony K. Haynes

Resources

• ABA Section of Science & Technology Law: Cloud Computing Committee http://apps.americanbar.org/dch/committee.cfm?com=ST202100