Presentation on theme: "The New Rules of Risk: How Technology Exposes Your Firm, and What to Do About It Christopher T. Anderson, J.D. Product Manager, LexisNexis June 25, 2013."— Presentation transcript:
The New Rules of Risk: How Technology Exposes Your Firm, and What to Do About It Christopher T. Anderson, J.D. Product Manager, LexisNexis June 25, 2013 CLE CODE: 46657
1 Christopher T. Anderson
Christopher Anderson, J.D., Product Manager for LexisNexis Firm Manager®, LexisNexis
Christopher Anderson is the Product Manager for the LexisNexis Firm Manager® application in Cary, North Carolina. Firm Manager is a web-based practice management system that keeps the attorneys and staff of small law firms connected to all the details of their clients, cases, matters and firm business. Christopher has presented at various State Bar associations, the Law Bulletin Ethics Conference, the National CLE conference and ABA TECHSHOW, and draws several hundred attendees to webinars on topics including running a law firm; effectively using technology and leveraging staff; and technology and trends.
Formerly: Managing partner of a full-service law firm in Georgia; Assistant district attorney in New York City, and in Georgia; Associate General Counsel and Director of Client Services for RealLegal, a legal software company.
Mr. Anderson is a graduate of Cornell University, and received his Juris Doctorate from the University of Georgia School of Law in Christopher Anderson is admitted to practice in the federal and state courts of New York and Georgia.
2 Challenges we face
1. Using the Cloud, Communicating Effectively, Yet Maintaining Privilege, and Our Obligations of Confidentiality
2. Establishing, Following and Testing Effective Policies
3. Continuing to Adapt and Manage Ever Changing Risks
4. Understanding Roles: Who Does What to Maintain Security
5. Admitting we Have a Problem
3 Updated Ethical Guidelines
Model Rule of Professional Conduct 1.6: Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent…
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Model Rule of Professional Conduct 1.1 on Competence: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
4 New Thinking on Old Standards
Model Rule of Professional Conduct 1.15: Safekeeping Property
A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property.... [P]roperty shall be identified as such and appropriately safeguarded. Complete records of [the] property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.
5 Soft Target = Law Firms
6 The World At Your Fingertips … and Theirs
7 Data At Risk
BYOD
- Client confidential data on device
- Confidential/privileged data shared on cloud
- Lost or stolen device
Social Media
- It's an open book
- Responsibility for what others post
- Unintentional breach of confidentiality
Discarded Devices
- Computers
- Storage media, i.e. USB drives
- Photocopiers!
8 Cloud Storage and Sharing: Lots of Options, But Do Your Homework
Actual Terms and Conditions:
- BRAND X will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Services or Software
- BRAND X: If you add a file to your [Brand X] that has been previously uploaded by you or another user, we may associate all or a portion of the previous file with your account rather than storing a duplicate
- BRAND Y: When you upload … content to our Services, you give Brand Y (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works … communicate, publish, publicly perform, publicly display and distribute such content.
- BRAND Y: Your domain administrator may be able to … access or retain information stored as part of your account [and] restrict your ability to delete or edit information… or privacy settings.
9 Mitigation Look for the rainbow after the storm
11 How Do You Know You're Being Attacked? What do you do to shut it down?
16 Social Media
Experts say that people should be very cautious when utilizing social network applications. This is because with 6 degrees of separation reduced to two, you can easily find yourself in hot water when attempting to obtain a job (or keep one.) This particular situation applies to one woman who decided to vent angrily about her current job and boss. However she failed to realize that monitoring your posts with Facebook's privacy options is essential. Her boss was made privy to her rant and was none too pleased. Needless to say, the woman no longer had to worry about her unhappy state of affairs.
On Yahoo Voices - Five Most Scandalous Facebook Posts "Take This Job and Shove It..."
17 Discarded Devices
18 Breach Plan
19 Virtual Private Networks (VPN)
20 No VPN
21 Document Security
- Secure File Sharing
- Secure File Sync
- Digital Rights Management
- Secure Web Access
- Mobile Productivity
What to look for
Watchdox: Secure File Sharing and Mobile Productivity
- Secure Dropbox
- Mobile Productivity
- Secure File Sharing
- Document Control
- Track and Revoke
23 Public Cloud
- Data Protection
- Availability
- Data Ownership
24 Data In the Cloud - Ownership
Questions to ask:
- What are your contract terms/conditions?
- Policies on Government requests?
- Data return procedures?
- What happens when you cancel?
- How are third parties vetted?
- Use of my data internally?
- Is any anonymized information used?
Above all, your confidential client data belongs to your client.
25 Data Protection
26 Ensuring Your Online Data is Properly Protected
27 Private Cloud
29 Notification Clear Notification to Clients of Practices
30 Five Key Takeaways
1. How to balance paranoia with reality to come up with a privacy and security policy that works
2. Having a privacy and security policy is only half of the battle. Is it implemented and adhered to? Audit and test it once in a while or hire a company to do it
3. Educate, Educate, Educate! Train your partners, staff and the 3rd-party vendors you depend on for services. Privacy and security is not a once-and-you're-done type of process, it's a living
4. Set up a committee who is responsible for meeting and delivering an update to management
5. Know what your risk of attack is and do something!
Thank You! CLE CODES: