In his recently-published book, Cybersecurity for Executives: A Practical Guide, Retired Brigadier General Gregory Touhill, now Deputy Assistant Secretary at the Department of Homeland Security Office of Cybersecurity and Communications, offers the following quote from Congressman Mike Rogers, Chairman of the House Intelligence Committee, on the state of cybersecurity: “There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.”  What makes the quote particularly interesting? It is from 2011 – long before the headlines regarding Target, Ebay, and Adobe. Not to mention the recently reported efforts of Russian and Chinese hackers. In light of all these events, the question arises “how concerned should directors and officers be about cybersecurity?” Most experts would respond, “very.” 

In October 2011, the SEC Division of Corporate Finance issued its Disclosure Guidance on cybersecurity. The Guidance suggested several risk factor disclosures, including a discussion of material cybersecurity risks to a registrant’s business or operations, a description of cyber incidents experienced by the registrant, and a description of relevant insurance coverage.  A report prepared by the insurance brokerage firm Willis in August 2013, based on a review of 10-Ks and annual reports filed by the Fortune 1000, suggested that companies were describing the possibly material risks to their businesses in broad terms, but were not adequately disclosing actual cyber events or their cyber-related insurance coverage.  Notably, only a few months prior to the Willis report, SEC Chairman Mary Jo White asked her staff to brief her on current cybersecurity disclosure practices for publicly-listed companies, and to provide recommendations for further SEC action. 

Significantly, in a speech delivered in June 2014 at the NYSE “Cyber Risks and the Boardroom” Conference, SEC Commissioner Luis Aguilar suggested one source of guidance for boards regarding cybersecurity.  In February 2014, the National Institute of Standards and Technology (NIST), pursuant to an Executive Order from President Obama, released the first version of the Framework for Improving Critical Infrastructure.  The NIST Framework is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks. In his speech at the NYSE conference, Commissioner Aguilar noted, “While the Framework is voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”   In concluding his speech, Commissioner Aguilar cautioned board members, “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”

The obvious takeaway from all of the above is that directors and officers (and their counsel) need to remain closely attuned to both current and future guidance from the SEC both in terms of meeting their obligations to address their company’s own cybersecurity and with respect to their disclosure and reporting obligations regarding cybersecurity.

Finally, anyone interested in understanding the latest developments in cybersecurity, data breaches, privacy law, and related insurance issues should consider attending DRI’s inaugural Data Breach and Privacy Law Seminar in Chicago on September 11-12, 2014. For more information and to register, go to: http://www.dri.org/Event/20140065


The Employment and Labor Law Committee is one of several DRI committees participating in DRI's inaugural Data Breach and Privacy Law Seminar, September 11-12, 2014 in Chicago.  Click here to sign up

It seems like every day when we open a newspaper or turn on the TV, there is another report of a significant data breach, followed by customer outrage and lawsuits!  This seminar will offer presentations from data security and privacy professionals who are at the forefront of cutting-edge data security and privacy issues, as well as industry leaders who will provide valuable insight and practical experience.  I encourage you to attend.

Attendees will learn from real world scenarios and obtain concrete takeaways to aid in understanding and navigating the field of data security, including presentations on topics such as: 

The "science" of cyber attacks

Industry standards for privacy and data protection

Theories of civil liability and data security breach

Technical requirements for the protection of health records

Effective strategies to respond to data breach incidents, including insurance coverage

Data security ethical issues

The seminar will be an excellent educational and networking opportunity for everyone who attends.  Our committee helped shape the topics and I know you will benefit from attending.

Earlier this week, the ABA adopted a resolution encouraging all private and public sector organizations, including law firms, to adopt appropriate cyber security programs. An accompanying report cites the growing sophistication and frequency of cyber crimes. It notes, in particular, the importance of law firms to be proactive in protecting sensitive client information. According to the report, as many as 80 law firms were hacked in 2011 alone. The ABA’s report cites the ethical obligations of attorneys both to understand the risks of modern technology and to adequately protect client information. 


DRI is getting out in front of cyber risk issues. It is launching its first ever Data Breach and Privacy Law Seminar, September 11–12, at the Conrad Chicago. The seminar will address cyber risks, theories of liability for data breaches, preparing in-house response plans, insurance coverage for cyber crime, and other issues relating to data security. The seminar brochure provides registration details. Anyone involved in law firm or corporate risk management and any lawyer advising or representing clients on these issues should attend.


ABA v. NSA: An Unhelpful Exchange

Posted on March 26, 2014 03:31 by Brandi Blair


The Edward Snowden scandal brought to light evidence that the National Security Agency obtained information from foreign intelligence services, which included privileged attorney-client communications between U.S. law firms and their foreign clients.  

Concerned about this discovery, the American Bar Association (ABA) sought clarification from the NSA. In correspondence to the NSA, ABA president James Silkenat underscored the importance of the attorney-client privilege as the “bedrock legal principle of our free society.” In essence, privileged attorney-client communications facilitate the “full and frank discussion between lawyer and client that is essential for effective legal representation.”  As our interests continue to globalize, this full and frank discussion increasingly involves electronic and voice communication with foreign clients. Although many of us would welcome an excuse to increase our global travel, it is simply not feasible for US law firms to limit their communications with foreign clients to in-person interviews. 

Given the disturbing evidence that the NSA retained information obtained from privileged communications, Mr. Silkenat requested that the NSA fully explain its policies pertaining to the collection and use of such information. A full understanding of the NSA’s policies and procedures regarding the collection, retention, and use of privileged communications is necessary for law firms to meet their ethical obligations to safeguard the confidentiality of client communications.

NSA Director, General Keith Alexander, responded that he appreciated “the opportunity to clarify [the NSA’s] current policies and practices.” Unfortunately, in the response that followed, the NSA fell short of the open dialogue contemplated by the ABA’s request. Instead, General Alexander’s response attempts to reassure the bar that the agency is “firmly committed to the bedrock legal principle of attorney-client privilege.” According to General Alexander, potentially privileged communications are examined on a “case-by-case basis to determine whether the information is in fact privileged and, if so, the appropriate steps to be taken.” This response does not offer guidance, or the specificity necessary for attorneys to take adequate precautions to safeguard their client confidences, or to rest assured that the information is being appropriately safeguarded by the intelligence agencies.

Until the time that the NSA provides a more substantive response, and in the wake of this exchange of correspondence, it remains unclear what reasonable steps attorneys can take to adequately safeguard their foreign client communications. It appears the options are to trust foreign and domestic intelligence agencies, or start banking more flight miles abroad.  Either option is potentially costly to law firms, and their foreign clients. 

Brandi Blair is an attorney at Jones, Skelton & Hochuli in Phoenix, Arizona. She concentrates her practice on § 1983 defense, professional liability, and wrongful death and personal injury defense. She is currently the Publications Chair for DRI's Lawyers' Professionalism and Ethics Committee.  The views expressed herein are her own.


It is a deposition question that too often surprises lawyers and corporate-witness deponents.  Upon return from a water or lunch recess, the deposing lawyer asks the witness: “So, tell me what you and your company’s lawyer discussed during the break?”  Can the deposing lawyer ask that?  Does the defending lawyer have an attorney-client privilege objection?

In-house and outside counsel focus their deposition preparation on reviewing the notice-of-deposition topics, selecting the most appropriate corporate employee for the deposition task, and preparing that witness with the boilerplate deposition “dos and don’ts.”  And while many lawyers defending depositions see every break as an opportunity to consult with the witness, they neglect to consider whether these in-deposition consultations are privileged and, importantly, to prepare the witness on how to answer an out-of-the-break question about those consultations.

Unfortunately, there is no uniform rule on whether lawyers may have privileged conversations with witnesses during deposition breaks.  Some jurisdictions prohibit all during-the-break consultations except when necessary to assert an evidentiary privilege.  Other jurisdictions reject this draconian rule for the more practical approach of permitting break-time discussions except when a question is pending.  In my recent article, Protecting Attorney-Corporate Witness Consultations During Deposition Breaks, published by Inside Counsel, I explore the various rules on this issue and provide practical tips for preparing lawyers and witnesses for this inevitable happening.

You may access the article at this link.  How does your jurisdiction–state or federal–handle this situation?  Place your comments in this post–perhaps we can gather the local rules, judicial rulings, and local practices so that others may find answers in a single forum.

As originally published at presnellonprivileges.com 

New Technology = New Concerns For Hotels

Posted on December 5, 2012 04:20 by Philip M. Gulisano

Recently Forbes.com published an article exposing a security flaw in common keycard hotel room locks that permitted hackers with a digital device to effortlessly trigger the opening of the locking mechanisms. This, of course, would allow the hacker to have access to the personal belongings inside the room or, worse yet, unwanted access to the guests themselves.  The “security vulnerability” was said to be present in keycard locks built by a particular lock company and specifically in a model of lock that appears in at least four million hotel rooms worldwide. There are believed to be a number of “patches” to fix the issue, which vary in cost.

While the lock manufacturer in such an instance may certainly be responsible if its locks do not perform as intended, generally, a property owner or lessor, such as a hotel, has a duty to keep its guests safe from known or reasonably anticipated dangers. This begs the question of what is a hotel’s duty or obligation to its guests when it knows, or should know, that the locks present on the hotel room doors, which guests would reasonably anticipate are capable of keeping people out, are highly vulnerable to hackers.
 
To start, any hotel that has direct knowledge that its room door locking mechanisms, whichever they are, do not perform as intended and as relied upon by its guests would be wise to immediately remedy the problem to ensure the safety and comfort of the guests.  One could easily imagine the horrific publicity and liability if it was discovered that guests were losing property, being assaulted or otherwise attacked in the confines of their presumptively safe hotel room while the hotel knew that the locks were easily bypassed.
 
Oftentimes, new technology brings uncertainty about how it will perform and whether there will be “bugs” in the system.  However, almost by definition, technology has faults that its possessors must investigate, anticipate and seek to minimize.  It would be wise for any hotel to understand what issues and/or risks exist with the technology it uses and to develop a plan to minimize those risks and ensure its guests have a safe stay and come back again.


Rent to Own Computers and the FTC

Posted on October 12, 2012 02:19 by Chad Godwin

Wired Magazine recently reported that seven rent-to-own companies and a software manufacturer are settling charges with the Federal Trade Commission.  The charges claimed that computers rented from the rent-to-own companies used pre-installed spyware to obtain a host of data from the users.  The settlement only requires the companies to stop using the spyware, known as “Detective Mode,” which has been installed on as many as 420,000 rental computers.  In addition to secretly turning on a computer’s webcam, the software was capable of logging keystrokes and taking screen shots of a user’s activity.  The software then transmitted the secretly gathered information to the manufacturer, DesignerWare, who forwarded the material on to the rent-to-own company, all without the user’s knowledge.  The settlement still allows the rent-to-own companies to employ the software so long as they notify the renters.  Further, the FTC lacks criminal jurisdiction, so the companies have yet to face any criminal charges.  However, the FTC acknowledged that criminal activity appears to have occurred, in a nod to the potential for ongoing investigations.

The computers at issue collected everything from addresses, photos and video of often compromising situations, to phone numbers, email and social media passwords and financial logins, begging the question of what type and how much information a user should feel comfortable entering on a computer they don’t own.  In the case of someone renting a computer, it can be easy to see how a user operates under the impression that they have unfettered access to the machine for the term of the rental.  Nonetheless, there are measures that such parties can take in an effort to secure their privacy.  There are free firewall programs, such as Zone Alarm and Windows Firewall, that allow users to designate and monitor every program that accesses and/or attempts to access outbound internet connections.  Had the renters correctly configured and employed such a program, they would have known that a program, by whatever name, was attempting to send information from the subject computer.  In the event that renters were unable to install or configure (in the case of pre-installed Windows Firewall) such programs, it should serve as a red flag to carefully consider the manner in which to employ a rental or loaner computer. 
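The paragraph above points to egress-filtering firewalls as the way a renter could have noticed software phoning home. The following is an added example (not part of the original post) of that configuration on the built-in Windows Firewall: a default-deny outbound posture, explicit allow rules for known programs, and an audit that names every program whose outbound connection was blocked. The program paths are constructed placeholders, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example (not from the original post): default-deny outbound on
# Windows Firewall plus an audit of blocked outbound attempts by program.
# Program paths are constructed placeholders; adjust them to the machine.
# Requires an elevated session and the NetSecurity module (Windows 8+).

$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',   # constructed example
    'C:\Windows\System32\svchost.exe'                  # Windows Update and services
)

# 1. Block every outbound connection that no explicit rule allows, on all profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only the programs the user knowingly wants on the network.
foreach ($exe in $allowedPrograms) {
    $name = 'Egress allow: ' + (Split-Path $exe -Leaf)
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $exe -Action Allow -Profile Any | Out-Null
    }
}

# 3. Record blocked connections in the Security event log. Unlike the text
#    pfirewall.log, Security event 5157 carries the application path that
#    attempted the connection, which is what a renter would need to see.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 4. Summarise which programs tried to reach the network and were stopped.
#    In event 5157, Direction %%14593 means outbound and %%14592 inbound.
function Get-BlockedOutbound {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.Direction -eq '%%14593') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Application = $data.Application
                    Destination = "$($data.DestAddress):$($data.DestPort)"
                }
            }
        } |
        Group-Object Application |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Destinations'; e = { ($_.Group.Destination | Sort-Object -Unique) -join ', ' } }
}

Get-BlockedOutbound -Hours 24 | Format-Table -AutoSize
```

The Application field in event 5157 is reported as a device path (for example `\device\harddiskvolume2\...`), so an unfamiliar executable appears there by its on-disk location regardless of what the vendor named it.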


RETAILERS WHO “SPY” BEWARE

Posted on September 27, 2012 02:22 by Philip M. Gulisano

Retailers providing consumers with electronics on a rent-to-own basis face many challenges in ensuring that they are paid for the electronics that they rent.  In particular, computers are small and easy to hide if a retailer seeks to repossess the computer from a non-paying customer.  The temptation to use software that allows the retailer to view where the computer is located and what the renter is doing with the computer is strong; however, the consequences of doing so can be high.  Obtaining information from the computer without the renter’s knowledge or consent not only erodes the renter’s trust and confidence in the retailer, but also opens the retailer up to possible civil and criminal liability.

The recent settlement of charges brought against several rent-to-own companies by the Federal Trade Commission highlights that using software that can log onto a computer, turn on the webcam to take photographs, take screen shots of the computer user’s activities on the computer, and log the keystrokes of the computer user, comes with a price.   According to one news report, civil penalties are not a part of the settlement because civil penalties cannot be imposed for a first violation of the Federal Trade Commission Act.  However, the companies are required to cease using their “spy tools” and, presumably in the future, advise renters of the use of tracking software.  

Further, aside from possible federal action and the costs associated with defending such actions, retailers need to consider possible civil and criminal liability under state laws.  While laws vary from state to state, several states recognize a tort for invasion of privacy, such as intrusion upon seclusion.  Capturing images of a person in a private setting, particularly while engaged in private acts, without the person’s knowledge or consent, may subject a retailer to a civil action.   Even in states that do not recognize a tort for invasion of privacy, under certain circumstances, a person who secretly videotapes an individual engaged in private actions may be liable for the tort of intentional infliction of emotional distress.  Remember that if you use a webcam to take pictures of the area surrounding the computer, you may be capturing images of individuals other than the renters.  Criminal liability is also arguably possible if the state has a statute prohibiting unlawful surveillance and, in some states, there is the possibility, in certain situations, of criminal liability for installing and using keystroke logging software to collect personal information.

If you decide that despite the risks, it is necessary to install and use tracking software, be sure to advise renters of the presence of the software, its uses, and your policy on its use.  The best practice would be to obtain an acknowledgement from the renter, in writing, that the renter was so advised.


Ethics 20/20: The Impact of Technology

Posted on August 30, 2012 03:19 by J. Logan Murphy

Every day, we see the impact of technology on the practice of law. Blogs, social networking, electronically stored information, and other legal resources create enormous economies and unprecedented depth in our field. But with these advantages come unrecognized perils. The transparency and mobility of electronic information creates significant risks to clients, unless properly controlled. As part of the project to rein in technology in the practice of law, the American Bar Association launched an ambitious multi-year project called Ethics 20/20. One of the major goals of Ethics 20/20 was to modernize the rules of ethics and bring them into congruence with the state of technology.


At its most recent meeting, the ABA passed multiple resolutions amending the Model Rules of Professional Responsibility to reflect the evolution of technology in the practice of law. This article provides a brief overview of those amendments. Those who are more interested in the details of the amendments can click here to read the reports online.


Confidentiality When Using Computers
Resolution 105A makes changes to help lawyers understand how to protect client confidences when using new technology, including cloud computing, tablets, and smartphones. Though small, one of the most significant changes is included in Comment 6 to Rule 1.1 (Competence). The Rule now includes a requirement that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” No longer can attorneys simply ignore developments in favor of staid methods of practice. To be competent, an attorney must work effectively with technology and keep alert to technological improvements and changes.

The amendment to Rule 1.6 (Confidentiality of Information) is probably the largest and most impactful rule change related to confidentiality. Now, Rule 1.6(c) requires attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The comments make it clear that attorneys are required to utilize reasonable safeguards to protect confidential information. These changes are geared toward the protection of electronic data, especially given the innumerable bits of sensitive information flying around every day.


Using Technology for Marketing
Resolution 105B was designed to help lawyers understand how the principles of attorney advertising already incorporated into the Rules are affected by the growth of Internet-based marketing and social networking. This particular resolution accomplishes three main goals. First, changes to Rule 1.18 offer guidance on how to market online without inadvertently forming an attorney-client relationship. Recent cases have demonstrated confusion on behalf of the general public regarding whether an attorney-client relationship is formed when the potential client emails the attorney or fills out a communication form on the attorney’s website. The amendments to Comment 2 of Rule 1.18 address the concern by stating that a person becomes a prospective client by “consulting” with a lawyer. While the existence of a consultation depends on the circumstances, the Comment eliminates potential passive liability to prospective clients. A consultation “does not occur if a person provides information to a lawyer in response to advertising that merely describes the lawyer’s education, experience, areas of practice, and contact information, or provides legal information of general interest.” But, if the lawyer actively invites information about a possible representation, the lawyer is probably stuck with a prospective client.

Second, the Rules contain a prohibition against paying others for a “recommendation,” and this Resolution modifies that prohibition to account for online lead generation services through changes to Comment 5 of Rule 7.2. Lawyers may now pay others for generating client leads, as long as the Internet-based lead generator does not “recommend” the lawyer. The lawyer is also responsible for the representations of the lead generator, with Comment 5 placing the onus on attorneys to ensure that the lead generator is not making statements that are inconsistent with the rules.

Finally, amendments to Rule 7.3 assist attorneys in determining when communications on the Internet, particularly through social networking sites, may constitute a “solicitation.” Only a “target communication initiated by the lawyer” directed to a “specific person” that “offers to provide” legal services is a solicitation. Communications to the general public, including Internet banners, are not solicitations, so feel free to jump on that Facebook advertising spot.


Outsourcing
Lawyers have been slow to adopt the economies of scale that outsourcing can provide, in part because of the perceived ethical dilemmas presented in outsourcing. Outsourcing can endanger confidential client information and presents a quandary over legal work being performed by attorneys not licensed in the United States. Resolution 105C encourages attorneys to ensure the efficiency, competence, and ethics of any outsourcing process. An entirely new comment is added to Rule 1.1, requiring the informed consent of the client to contract with any lawyer outside of the lawyer’s own firm. And, lest we forget, lawyers are always charged with supervising non-lawyers; that requirement does not abate simply because work is being outsourced to a foreign country. Comments 1 and 3 to Rule 5.3 incorporate this concept and apply the general rule to all non-lawyers outside of the lawyer’s own firm. The basic gist of the changes in Rule 105C is to encourage lawyers to keep a sharp eye on professionals hired from outside their own firm, and to work closely with clients in determining the proper scope of outside contracting and supervision. No surprise there—constant communication with the client is a harbinger of a durable and responsible attorney-client relationship.


Mobile Lawyers
A prevalent by-product of an informationally small, but geographically large, practice is the tendency of lawyers to move their practice. The world does indeed get smaller every year. No longer do lawyers move down the street; more and more, attorneys are moving their practice to different jurisdictions, and virtual law offices are sprouting in all states. The remaining resolutions that passed enable attorneys to establish a practice in another jurisdiction—subject to stringent information protection requirements—while pursuing admission in that jurisdiction. Resolutions 105D and 105E address the ABA Model Rule of Practice Pending Admission and the ABA Model Rule on Admission by Motion, respectively. With a few states signaling their intent to adopt a uniform bar exam, these model rules and their amendments continue the progress toward a more uniform practice of law. In case you have never encountered these model rules, or their state versions, their purpose is to allow experienced lawyers who have moved into a different jurisdiction to continue to practice while awaiting an expedited admission to the Bar. 


As reported by InsideCounsel, the American Bar Association House of Delegates (“ABAHD”) recently approved an amended model rule stating that it is ethical for lawyers to disclose client information when trying to move from one firm to another.

Specifically, the rule states that it is ethical for an attorney in negotiations for a different job, as well as attorneys in merging firms, to disclose the identities of clients and the amount of business they generate because the information can help point out any conflicts of interest that might exist.  However, the model rule states that lawyers still should not reveal clients' financial information.

Although the model rule has been approved by the ABAHD, the rule is simply an advisory rule.  In addition, the rule provides little guidance for attorneys faced with the question of how much client information can be ethically revealed in states whose bar associations do not have rules covering this topic.  Thus, prior to revealing any information, lawyers should carefully consider and weigh this model rule against Model Rules of Professional Conduct 1.6 and 1.9.
