Introduction
Lindsay Stevens
• Director of Software Development
• Liquid Litigation Management, Inc.
Tia Gilford
• Senior Counsel
• Rakuten Marketing
Agenda
• What is the Cloud?
• Why do we use the Cloud?
What is the Cloud?
• On-demand network access to a shared pool of configurable computing resources
• Cloud Deployment Types
• Private – resources including data operated solely for a single organization, lower risk, higher cost
• Public – resources available over a network that is open for public use, higher risk, lower cost
• Community / Controlled – services are not publicly available but may still be shared by several organizations. Spreads costs with lower risk.
Why do we use the Cloud?
• Elasticity of Resources
• Rapid provisioning of hardware resources pooling across multiple users to distribute cost
• Use only what you need
• Pay for only what you need
• On-demand support and team of experts
• Availability & Reliability
• 24/7 Access from anywhere
Balancing Act for Lawyers
• Attorney Client Privilege
• Do data and communications in the cloud waive privilege?
• Data Protection
• Are you taking steps to protect your organization or client’s data?
• Data Privacy
• Do issues of privacy around personal identifying information come into play?
• Data Discovery
• How will providers handle data discovery requests and how will it affect access to your data?
• Data Breach
• How will providers handle data security breach and notice?
• Cross-Border Issues
Due Diligence Pre-Negotiation Checklist
Review the Cloud Provider Documents in Conjunction with the Agreement:
• Security Policies, Security Certifications (ISO, SSAE 16) & SOC Reports
• Privacy Policy
• Data Breach Notification Policy
• SLA (including what services are included in the SLA)
• Disaster Recovery/Business Continuity Plan
• Safe Harbor Certification
Client Confidentiality and Privilege
• Ethical Duty to protect client information and confidences
• Law of attorney-client privilege
1. Any Communication
2. Between privileged persons
3. In Confidence
4. For the purpose of obtaining / providing legal assistance for the client
Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009)
• Emails to attorney sent through password-protected web-based email provider on a company laptop and cached by browser
• Ruling – Employee could ‘retain an expectation of privacy’ as she took
Governing Rules and Law
• Restatement (Third) of the Law Governing Lawyers, Section 68
• Model Rules of Professional Conduct (ABA)
• FRCP 26(b)(1)
United States Jurisdictions
• Generally found practice of using cloud computing permissible (ABA Chart)
• American Bar Association Model Rule 5.3, Ethics Commission Report (Aug 2012) Comment 3
• “When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.”
• 15 State Bar and Ethics Committees provide guidance on cloud computing
International
- Attorney-Client Privilege differences
- EU Data Protection Directive (Directive 95/46/EC)
- Data Protection
- Article 17(2) of Directive 95/46/EC puts "full responsibility on cloud clients to choose cloud providers that implement adequate technical and organizational security measures to protect personal data and to be able to demonstrate accountability"
- Data Transfer
- Article 25 / 26 of Directive 95/46/EC provides for free flow of personal data to countries located outside the EEA only if that country or the recipient provides an adequate level of data protection
Reasonable Care Guidelines
• Question and understand the technology and security
• Know the terms of any arrangements concerning the protection of client information
Cloud - Storage
• Multi-Tenant / Co-mingling Concerns
• Backup and retention policies
• Portability / Export
• Litigation Holds
• Data Subpoenas
Cloud – Confidentiality and Accountability
Who has access?
• User Access
• Restricted User Access (application level)
• Vendor Access
• Subcontractors / The ‘Stack’
Terms of Service
• Privacy Terms
BYOD - The Internet of Things
• Added twists
• More dependent on individual
• Portable / Mobile dimension
• What you the individual can do
• User Access
• Security
Conclusion
• Define clear policies for BYOD and Cloud Computing, including
• Regularly perform due diligence on cloud providers, technologies and security
• Develop a Cloud Provider Policy
• Develop an Information Security checklist
• Insurance policy
• Confirm includes data breach coverage
• Service and Privacy agreements
• Ensure confidentiality is not waived
• You get what you pay for…
• Pay for higher levels of data confidentiality, integrity and availability