Published by Al Saikali

What are law firms doing to protect their clients’ sensitive information?  What are clients doing to determine whether their outside counsel are using reasonable security measures to protect their sensitive information (confidential communication, customer data, financial information, protected health information, intellectual property, etc.)?

According to the data forensic firm Mandiant, at least 80 major law firms were hacked in 2011 by attackers who were seeking secret deal information.  The threats to law firms are real and are publicly documented.  In 2011, during the conflict in Libya, law firms that represented oil and gas companies received PDF files purporting to provide information about the effect of the war on the price of oil.  These documents contained malware that infected the networks of the firms that received them.  Similarly, law firms can be a target of political “hacktivism”, as was the case of a law firm that was attacked by Anonymous after representing a soldier in a controversial case, resulting in the public release of 2.6 gigabytes of email belonging to the firm.  And, of course, law firms are just as susceptible to the same risks as other companies when it comes to employee negligence (e.g., lost mobile devices containing sensitive information), inside jobs (misusing access to sensitive information for personal gain), and theft of data.

With these threats in mind, it is useful for lawyers to remember that they have a number of ethical responsibilities to secure their clients’ information, in addition to important business interests.

The Ethical Obligations

Duty to be competent – lawyers cannot stick their heads in the sand when it comes to technology.  They have an ethical obligation to understand the technology they use to secure client information, or they must retain/consult with someone who can make them competent.  As the Arizona Bar stated in Opinion 09-04 (Dec. 2009), “[i]t is important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field.”

Duty to secure – lawyers have an obligation under Model Rule of Professional Conduct 1.6(c) to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  Because the model rule was only recently adopted by the ABA, there is no easy definition of “reasonable efforts”, but Comment 18 to Rule 1.6(c) requires consideration of several factors:  (1) the sensitivity of the information; (2) the likelihood of disclosure if additional safeguards are not employed; (3) the cost of employing additional safeguards; (4) the difficulty of implementing the safeguards; and (5) the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.  The Arizona Bar’s 09-04 opinion again provides some helpful details:  “In satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, anti-virus measures, etc.”  The Arizona Bar rightfully recognized, however, that the duty “does not require a guarantee that the system will be invulnerable to unauthorized access.”  Also, what are considered “reasonable efforts today” may change, as an opinion of the New Jersey Advisory Committee on Professional Ethics pointed out when it expressed reluctance “to render a specific interpretation of RPC 1.6 or impose a requirement that is tied to a specific understanding of technology that may very well be obsolete tomorrow.”

Duty to update – the duty to secure client information is not static; it evolves and changes as technology changes. Arizona Bar Opinion 09-04 is again helpful:  “technology advances may make certain protective measures obsolete over time . . . [Therefore,] [a]s technology advances occur, lawyers should periodically review security measures to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.”

Duty to transmit securely – lawyers have an obligation to securely transmit information.  For example, the ABA requires that “[a] lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.”  One example is where a lawyer represents the employee of a company and the employee uses her employer’s email account to communicate with her attorney – in that instance, the attorney should advise his client that there is a risk the employer could access the employee’s email communications.

Duty to outsource securely – Model Rule of Professional Conduct 5.2 states that “a lawyer retaining an outside service provider is required to make reasonable efforts to ensure that the service provider will not make unauthorized disclosure of client information.”  ABA Formal Opinion 95-398 interprets this rule as requiring that a lawyer ensure that the service provider has in place reasonable procedures to protect the confidentiality of information to which it gains access.  The ABA recommends that lawyers obtain from the service provider a written statement of the service provider’s assurance of confidentiality.  In an upcoming blog post I will write about a Florida Bar Proposed Advisory Opinion that provides guidance on how lawyers should be engaging cloud computing service providers, which is an emerging trend in the practice of law.

Duty to dispose securely – lawyers also have an obligation to dispose of client information securely.  This is not as much an ethical duty as a legal obligation to do so.  Many states have data disposal laws that govern how companies (law firms are no exception) should dispose of sensitive information like financial information, medical information, or other personally identifiable information.  Examples of secure disposal include shredding of sensitive information and ensuring that leased electronic equipment containing sensitive information on hard drives is disposed of securely.  In one instance, the Federal Trade Commission fined three financial services companies that were accused of discarding sensitive financial information of their customers in dumpsters near their facilities without first shredding that information.  An often-overlooked machine that stores sensitive information is the copy machine, many of which have hard drives that retain electronic copies of every document the machine copies.  Fortunately, the FTC has provided a useful guide to minimize some of these risks.

The Legal Obligations

The ethical obligations discussed above are separate from any legal obligations that govern certain types of information under HIPAA/HITECH, Gramm-Leach-Bliley, the Payment Card Industry’s Data Security Standards, state document disposal laws, state data breach notification laws, and international data protection laws.  Depending on the type of information law firms collect, those laws may impose additional proactive requirements to secure data, train employees, and prepare written policies.

The Business Interests

Finally, even if the ethical and legal obligations to secure sensitive information do not provide sufficient incentives for law firms to evaluate their security measures with respect to client information, there are business interests that should compel law firms to do so.  Companies are recognizing the risks presented by sharing sensitive information with service providers like law firms and are, at a minimum, inquiring about the security safeguards the providers have adopted and, in some cases, are requiring a certain level of security and auditing that level of security.  One such example is Bank of America.  According to a recent report, following pressure from regulators, Bank of America now requires its outside counsel to adopt certain security requirements and it is auditing the firms’ compliance with those requirements.

Specifically, Bank of America requires its outside counsel to have a written information security plan, and to follow that plan.  Firms must also encrypt sensitive information that Bank of America shares with the firms.  Bank of America also wants its law firms to safeguard information on their employees’ mobile devices.  Most importantly, law firms must train their employees about their security policies and procedures.  Finally, Bank of America is auditing its law firms to ensure they are complying with these requirements.

So with these threats, ethical responsibilities, and business interests in mind, it is important that law firms, like all other companies that handle sensitive information, evaluate their administrative, technical, and physical safeguards to minimize the risks associated with their storage, use, and disposal of their clients’ sensitive information.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The phrase “cyber attack” elicits thoughts of a compromised information system, a crashed computer network, or inappropriate access to sensitive electronic information.  It doesn’t usually conjure up images of machinery catching fire and smoke pouring out of a factory.  Nevertheless, here is a video of an experimental cyber attack named Aurora, which took place on a generator in a manufacturing plant.

The experiment, which took place approximately five years ago, demonstrated potential vulnerabilities that could be used to attack much larger generators that produce the country’s electric power.  It is an interesting reminder of the impact that cyber attacks can have on critical infrastructure.

I’m a big fan of Bloomberg West.  Perhaps more so than almost any other television news program, it does a terrific job of providing both depth and breadth on issues that are important to the technology industry.  Tonight’s report by Megan Hughes about breaking developments on the cybersecurity front today was no exception.  Watch it here:

President Obama Seeks CEO Input on Cyber Battle: Video – Bloomberg.

The highlights:

  • President Obama met with CEOs of major multinational corporations, financial leaders, and big players in critical infrastructure at the White House . . . in the Situation Room.  The parties allegedly discussed the need for cybersecurity legislation and the President’s recent Executive Order on cybersecurity.
  • First Lady Obama’s personal information has allegedly been compromised.  The President used the development to create awareness of the problems posed by hackers and the proliferation of websites where stolen credit card numbers are sold on the black market.
  • The President of Mandiant will be testifying before the U.S. Senate next week.  No doubt, this report by Mandiant will be a significant topic of discussion.
  • The Director of National Intelligence has said that cyberattacks are now considered the #1 threat to U.S. security, replacing terrorism at the top of the list.
  • There were three separate Congressional hearings relating to Cybersecurity today, ranging from criminal prosecution and the FBI to Homeland Security and critical infrastructure to issues relating to funding for cyber initiatives.

In short, the Cyber Battle is on, and it’s going to take a united front between the Executive branch, Congress, and the private sector for the U.S. to minimize the risks associated with cyber attacks.

With the increasing mobility of electronic information and our ability to “work from anywhere”, it is sometimes easy to forget that behind our office laptop, desktop, or tablet computing device is a network of servers that may be located anywhere in the world.  When we hit “send”, “save”, or “open”, we use the network to transmit, store, or obtain information that may be located outside our office building.  A recent U.S. Second Circuit Court of Appeals decision reminds us why it is a good idea for companies and their employees to know where and how data is stored.

In MacDermid, Inc. v. Deiter, No. 11-5388-cv (2d Cir. Dec. 26, 2012), the Second Circuit held that a Connecticut court can exercise jurisdiction over a defendant who, while domiciled in another country, allegedly accessed a computer server located in Connecticut to obtain confidential information belonging to her employer.

The plaintiff in MacDermid, Inc., a Connecticut-based company, sued the defendant, a former employee living and working in Canada, because the defendant allegedly forwarded confidential and proprietary company information to her personal email account from her work email account after she became aware of her impending termination from the company.  The U.S. District Court for the District of Connecticut dismissed the lawsuit, ruling that it lacked personal jurisdiction over the defendant.  The Second Circuit reversed.

In reversing the District Court, the Second Circuit applied a two-step analysis:  (1) did Connecticut’s long-arm statute provide jurisdiction over the defendant and, if so, (2) would such jurisdiction meet due process requirements of the Fourteenth Amendment.  Both questions would have to be answered affirmatively for the Connecticut court to exercise personal jurisdiction over the defendant.

Long-Arm Jurisdiction

Connecticut’s long-arm statute states that a “court may exercise personal jurisdiction over any nonresident individual . . . who in person or through an agent . . . uses a computer . . . or a computer network . . . located within [Connecticut].”  The long-arm statute adopts the definitions of a “computer” and a “computer network” set forth in the state’s computer crimes statute:

“Computer” means an electronic, magnetic or optical device or group of devices that, pursuant to a computer program, human instruction or permanent instructions contained in the device or group of devices, can automatically perform computer operations with or on computer data and can communicate the results to another computer or to a person.  “Computer” includes any connected or directly related device, equipment or facility that enables the computer to store, retrieve or communicate computer programs, computer data or the results of computer operations to or from a person, another computer or another device. . . . “Computer network” means a set of related, remotely connected devices and any communications facilities including more than one computer with the capability to transmit data among them through the communications facilities.

The District Court reasoned that the defendant had not used a Connecticut computer or computer network but had simply sent email from one computer in Canada (her work computer) to another computer in Canada (her personal computer).  The Second Circuit rejected this analysis, pointing to the fact that to use her work email and access work data, the defendant accessed computer servers located in the plaintiff’s Connecticut offices.

The court held that a “computer server” meets the Connecticut long-arm statute’s definition of a computer because it is:

An electronic . . . device . . . that, pursuant to . . . human instruction . . . can automatically perform computer operations with . . . computer data and can communicate the results to another computer or to a person [or is a] connected or directly related device . . . that enables the computer to store, retrieve or communicate . . . computer data . . . to or from a person, another computer or another device.

In short, the court noted, “[i]t is not material that [the defendant] was outside of Connecticut when she accessed the [Connecticut] servers.  The statute requires only that the computer or network, not the user, be located in Connecticut.  The statute reaches persons outside the state who remotely access computers within the state.

Due Process

Having concluded that jurisdiction over the defendant existed under the Connecticut long-arm statute, the court next turned to the second step in the analysis:  whether such jurisdiction meets the due process requirements of the Fourteenth Amendment.  To make this determination, the court had to decide that:  (1) there were minimum contacts between the defendant and Connecticut, and (2) the exercise of personal jurisdiction over the defendant was reasonable.

In determining whether minimum contacts existed between the defendant and Connecticut, the court looked to whether the defendant purposefully availed herself of the privilege of conducting activities within Connecticut, thus invoking the benefits and protections of its laws.  The court held that the defendant did purposefully avail herself because she:

was aware of the centralization and housing of the [plaintiff’s] email system and the storage of confidential, proprietary information and trade secrets in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files. . . . [The plaintiff alleged that the defendant] knew that the email servers she used and the confidential files she misappropriated were both located in Connecticut.  She used those servers to send an email which itself constituted the alleged tort.  And . . . she directed her allegedly tortious conduct towards [the plaintiff], a Connecticut corporation.

Next, the court determined that personal jurisdiction was reasonable, relying on factors such as the lack of burden on the defendant, the interests of Connecticut, and the plaintiff’s interest in obtaining relief.  The court held that although the defendant would have to travel to Connecticut to defend the lawsuit, that burden alone did not render the exercise of personal jurisdiction unreasonable.  The court also pointed to the fact that the plaintiff is based in Connecticut, the majority of corporate witnesses are located in Connecticut, and Connecticut has an interest in the proper interpretation of its laws.  The court ended its analysis by noting that “efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.”

Let’s Keep This Decision In Context . . .

Some may argue that the Second Circuit’s opinion will pave the way for plaintiffs to obtain personal jurisdiction over foreign defendants in cases involving electronic information, but it is important to keep this decision in context with the facts that may distinguish it from other situations.

For example, Connecticut’s long-arm jurisdiction statute explicitly provides for jurisdiction based on the use of a computer or computer network in Connecticut.  Not all states provide such long-arm jurisdiction or provide specific definitions of computers and computer networks.

Also, the court noted that the defendant purposefully availed herself of the privilege of conducting activities in Connecticut in part because she was informed ahead of time that her company’s email system and the storage of confidential information were in Connecticut.  If the defendant had not previously been informed of the location of those company servers, it is quite possible (perhaps even likely) that the outcome would have been different.

Finally, it is not clear from the facts presented in the opinion whether servers existed in states other than Connecticut.  If a company has servers in multiple jurisdictions and employees are not informed about the location of data/systems they might access (email, document management, etc.), the plaintiff will have a more difficult time persuading a court that the defendant purposefully availed herself of the privilege of conducting activities in that forum.

Despite these cautionary notes, the opinion is still an example of a U.S. court’s impressive jurisdictional reach where the underlying controversy involves electronic information.  The fact that a person and her computing device may be located in one jurisdiction does not mean that she is not subject to jurisdiction in another state (or country).  The court’s opinion reminds us that a computer is like the tip of an iceberg—beneath the surface is a much larger support system that facilitates the storage, transmission, and monitoring of an entire network of computers and electronic information.

The Takeaway

There are several important points that underlie this opinion, but if I were corporate counsel reading this opinion, one practical “next step” I might want to take is to ensure that my employees are informed (in writing) about the location of the company’s electronic information and computer servers, assuming that the information is stored in a jurisdiction where I may want to file a lawsuit to protect the company’s confidential and proprietary information in the future.  Another “next step” might also include researching the long-arm jurisdiction statute of any state where my company might want to invoke personal jurisdiction at some point in the future, to see whether and under what circumstances it covers the use of a computer or computer network.

Maybe it’s because I’m in New York City for a few days this week, but this article in the Wall Street Journal and this one in the New York Times caught my eye.  New York City has surpassed Boston as the #1 tech sector for Internet and mobile technologies on the east coast.  The story was based on a report released by the Center for an Urban Future.  Here are some of the key findings from the report:

  • “[T]here has been an explosion of tech start-ups in New York City, most of which are companies that leverage the Internet and mobile technologies.”  Specifically, the Center for an Urban Future identified 486 digital start-ups formed in NYC since 2007 that received angel, seed, or VC funding, and there are over 1,000 web-based technology start-ups in the city.
  • NYC was the only technology region in the country to see an increase in the number of venture capital deals between 2007 and 2011.
  • The start-ups located in NYC are growing significantly.  Fifteen have raised more than $50 million in investments, 27 have raised at least $25 million in investments, and 81 have raised at least $10 million.
  • The NYC technology sector has created 52,900 jobs in the past few years, a 28.7% increase for that sector (as compared to the 3.6% growth rate in the NYC private jobs sector generally).
  • This explosion in growth appears to be sustainable.  The start-ups are less focused on building new technology and more focused on applying existing technology to traditional industries like advertising, media, fashion, finance, and health care.

This last finding is perhaps the most significant because the application of existing technology to industries in which New York City already excels appears to be the linchpin of the city’s strong tech growth and a distinguishing factor from the “dot com” bubble in the late 90’s.  The report is well worth reading as a case study of how and why a city develops a strong technology sector.  This is great news for my favorite city in the world!
