"Cloud" security is a major concern in the world today. For lawyers, that concern is compounded by the ethical obligations that come with storing or sending confidential client data or communications in the cloud. For those unfamiliar with tech-speak, “the cloud” is merely a clever marketer’s term for the Internet (or “the web”). Or, maybe it was just another of Al Gore’s inventions.
The inspiration for this post (although not in line with my previously intended topic) came from a recent CLE event I attended. More specifically, Ethical Rule 1.1 (Competence) as it relates to Cloud Computing and Arizona Ethics Opinion 09-04. This post is not intended to address Rule 1.6 (Confidentiality); although, there are rumors that the Arizona Bar is all but endorsing cloud solutions for attorneys – but that is a topic for another day.
The above-mentioned Opinion states that lawyers either need to become competent regarding computer security or consult available experts. But WHO are “the experts?”
A well-established and respected attorney seated behind me at the aforementioned event passionately exclaimed “. . . there is Nobody that knows this stuff!”
No one else in the room disagreed.
But, there are people who know this stuff. And they’re not out of reach.
If anyone reading this post was there, and even for those who weren’t, I hope this provides some useful and interesting information.
THE RULE:
Ethical Rule 1.1 (Competence) states that: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”
Further, Ethics Opinion 09-04 states: “. . . It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer’s legal skills, but also generally to “those matters reasonably necessary for the representation.” Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security. . . ”
THE PROBLEM:
The problem with the ethical rules as they deal with technology is actually three-fold. First, lawyers are not technologists (at least not most of us). Second, “reasonable” is ambiguous, open-ended, and can be used as a sword or a shield. Third, lawyers are cheap – be it by necessity or choice.
i-d-10-t Error?
Perhaps the Section Title is a bit harsh. But, as a rule, lawyers just don’t get technology (and, consequently, may not get the joke referenced in the section title either). Prior to becoming a lawyer, I spent more than 10 years in the IT industry. During that time I worked at virtually every level of data management and security – from the end-user’s desktop computer to the mainframe systems in a worldwide data center. I also spent several years supporting my company’s in-house legal department. I witnessed, firsthand, that brilliant attorneys could be crippled by relatively minor changes in their computing environment. Let’s face it; lawyers don’t want to be bothered with technology. They just want it to work.
Does this make them incompetent? For purposes of Rule 1.1 - Maybe. Does it make them incapable? Certainly not. Technology moves and evolves extremely quickly. It is the lawyer’s job to stay abreast of benefits and risks of their employed technologies. To some lawyers this may mean devoting time to reading manuals, publications, or forum discussions; for others it could mean asking a trusted and qualified professional to explain – in lay terms – the available options. And there is a world of options – whether they are in-house data systems or cloud-based solutions. Either way, it is the attorney who must comply with the Rule in spite of any techno-phobia.
IllegalAccessException()
We (lawyers) love to find the exception to the rule. "Reasonable" is ambiguous. And ambiguity is a breeding ground for exceptions, loopholes, excuses, rationalization, and, sometimes, willful inaction. The irony here is that malicious users and would-be hackers are playing a similar game – looking for loopholes and exceptions in security code. . . oh, and violating the law.
With respect to the condition “. . . or alternatively consult available experts in the field” many of my colleagues are likely to say “I hired an IT guy to come in and set up all my stuff. I think that qualifies as reasonable.” Or, “I use <insert your cloud provider’s name here> and they specialize in providing solutions to law offices. I think that qualifies as reasonable.”
Both of these things may be true and may easily satisfy the requirement under Rule 1.1, but have you understood your IT professional or service provider? Do you really know what you have?
Did you know what questions to ask?
Has he or she explained to you what they have done and why?
Did you hire or rely on someone who appears to be brilliant, but can’t string two coherent sentences together when it comes to describing what they’ve implemented for you?
Is your “IT professional” a friend’s high-school-age son or daughter who “knows a lot about computers?”
While I am not disparaging the talents, abilities, and understanding of others, hiring people who do not or will not explain to you what they have put in place (in a language you can understand); OR hiring less-than-qualified individuals to save a few bucks may not be an exercise of “reasonable competence” when it comes to securing your client’s data.
My point here is – hire a reputable firm or professional that communicates with you and will withstand any scrutiny related to whether it was reasonable for you to rely on them. They do exist.
In terms of what to look for, I have the following recommendations –
1. Certifications do not make a competent IT professional.
In general, I don’t place a lot of stock in certifications. Don’t get me wrong, they have their place, but in many instances the requirements to take certification exams are not very strict. I know that there are many people who use them as a starting point for their IT careers – myself included – but just because a person understands the technology, does not mean they understand the legal or business implications of your data systems.
On the other hand, some certifications (such as the Certified Information Systems Security Professional) require years of experience in the industry prior to even qualifying to sit for the certification exam. These types of certifications indicate a commitment to the profession as well as a level of technical competence and are very credible in my opinion.
If an IT professional touts his "certification" as his "qualification," make sure and do your homework on what is required to acquire that credential.
2. Don’t be too wowed by the techno-speak. Make your IT professional speak English.
It is easy to listen to someone dazzle you with the terms that seem very “techno” – which, obviously means they know what they’re doing, right? Wrong! In one position that I worked, a co-worker (yes, a fellow “IT Professional”) asked – “where do I find the drivers to allow a CD player to read DVD’s?”
Hmm. For any that aren’t laughing – CD players and DVD players are physically different – i.e. different physical machinery. A “driver” is a piece of software that allows the computer to properly connect to and use a device. Thus, a driver (being software) will not alter the hardware (being physical machinery). This was pretty basic. But it was a trained IT professional that was asking the question, and the customer whom he was serving didn’t have the foggiest idea of how ridiculous the question was.
3. There are solid and even exceptional professionals at reasonable prices in every career field. Find someone you trust and use his or her services. (More on how to find and determine who is “good” in future posts).
Frugal to a Fault?
Even in a vibrant economy lawyers have a reputation for extreme frugality. Is that “reasonable?” The real question here is based on risk/reward or cost/benefit.
Some lawyers and firms can afford to implement rigid (and expensive) security technologies. Often they are left questioning whether the investment was worthwhile. This may be because discouraged exploitation attempts cannot always be measured. Who knows how many would-be hackers passed them by looking for easier targets.
On the other hand, most of us who choose not to implement expensive technologies practice in small firms or as solo attorneys. We either can’t or won’t afford the bigger, more complex systems. This may be because we don’t have the time or money to spend to be able to understand them. System security aside, it is often our time that prevents our understanding. We don’t want to spend what could be billable time doing non-billable stuff. Driven by the need or desire to be billing, we feel that it would not be “reasonable” to spend the time or money required to fully understand our information systems. Although there are no specific implementation requirements, presumably, what the bar does require is – if you can’t afford a consultant, spend the time to research it yourself. Conversely, if you don’t have the time or interest to research it yourself, make sure you consult with someone who does.
THE TAKE AWAY:
"Competence" regarding your data systems is not out of reach;
Your technology may not be as “reasonable” as you think; and
Your IT Professional does not have to be expensive.
*********
Biographical info: Mr. Cox’s pre-law experience includes more than 10 years in IT operations, data, and network management. He has worked with all levels of consumer and Enterprise systems and now practices law in Mesa, Arizona. Mr. Cox is available for questions via the online contact form, or via telephone at the number shown at the top of this page.
DISCLAIMER: This website is for Informational Purposes only. The information provided is not comprehensive, does not constitute legal advice, and does not create an attorney-client relationship. If you need legal advice, please contact an attorney in your local community or State.