Privacy and Technology in Your Practice: Why it Matters & Where is the Risk
1. Privacy and Technology
in Your Practice:
Written and Presented By:
Craig C. Carpenter
Thompson & Knight LLP
Charles M. Hosch
Hosch & Morris PLLC
T. Hunter Lewis
Duffee + Eitzen LLP
Honorable Emily Miskel
District Judge, 470th Judicial District Court
Collin County
Additional Research and Compilation:
George Shake
Joshua Dossey
Duffee + Eitzen LLP
Why it matters and where is the
risk
5. What’s a
breach?
Breaches are a Privacy and Security
Issue
• Privacy:
• Duty to maintain confidentiality
• “We will keep your information secure and make
sure it is not accessed by unauthorized parties.”
• Cyber Security:
• Physical, technical, administrative safeguards
• Criminal act
• 18 U.S. Code § 1030 – Computer Fraud and Abuse Act
• Tex. Penal Code § 33.02 – Texas Breach of Computer
Security
6. Law Firms are Not Immune
• Mandiant reported that at least
80 of the top 100 law firms in
the country, by revenue, had
been hacked by 2011.
• Logicforce has reported that
about 2/3 of law firms have
experienced some sort of data
breach.
7. In Fact, Law Firms are Lucrative Targets
• Corporate Deals
• Trade Secrets
• Financial Data
• Privileged
Communications/Information
• Personal Data
• Health Data
• Export-Controlled Technology
8. Types of Attacks
• Insider Threat
• Vendor Threat
• Phishing
• Spear Phishing
• Ransomware
• Wire transfer fraud
9. Compliance
• Rules of Professional Responsibility
• State notification regulations
• Data subject
• AGs
• Credit Agencies
• International notification regulations
• Industry-specific data
10. Compliance Issues for Law Firms
• Is it a “breach”?
• Who owns the data?
• Law firm?
• Client?
• Other law firm?
• Other law firm’s client?
• Is it subject to a protective order?
• Privileged information
How does it
impact your
practice?
11. Costs
What are the
practical
implications?
• Breach investigation
• Breach mitigation
• Regulatory responses
• Breach notification
• Customer Relations
• Reputational damage
• Down time
12. Initial Takeaways from the Recent Capital One
Breach
1. Having a plan and contacts in place makes a huge
difference
2. Know what data you have and where it is located
3. Understand your vendor/third party vulnerabilities
4. “Hacking” has been a crime for a while now
5. Post-breach communication is critical
6. Lawsuits quick to follow
13. Capital One Breach Lawsuit
1. Negligence
2. Negligence Per Se
3. Breach of Implied Contract
17. At a Glance:
Cybersecurity
• Asks, “How do I secure
my data and keep it
from being ‘hacked,’
‘breached,’ stolen, lost,
or fumbled?”
• Applies to: All data,
including both
commercial and
personal information.
Privacy
• Asks, “Assuming I can keep
my data secure (a huge ‘if’),
how can I use the “personal
information” within my
data?”
• Applies to: “Personal” or
“personally identifiable”
information. (Definitions
vary. May extend to data that
can be linked to households,
and/or include inferences you
draw from raw data.)
18. Sources of
Law:
Cybersecurity
• Trade Secret Law: Uniform Trade
Secrets Act, Tex. Civ. Prac. & Rem.
Code, Ch. 134A; Defend Trade Secrets
Act, 18 U.S.C. §1836, et seq.;
• State-based “Breach Response”
statutes – All 50 States – e.g. Tex.
Bus. Comm. Code §§ 521.002,
521.053;
• Regulatory requirements in specific
industries, e.g. NYS DFS; HIPAA
Security Rule; GLBA; FTC Safeguards
Rule; MA and CA Information Security
Laws; UCC Article 4A; NAIC Insurance
Data Security Model Law; City of
Chicago (Ordinance, MCC § 2-25-090);
PCI-DSS;
• Requirements in privacy statutes,
e.g. CCPA;
• FTC Act, 15 U.S.C. Sec. 5.
Privacy
• In the US, mostly “sector-specific,” e.g.
HIPAA for healthcare; Gramm-Leach-
Bliley for financial institutions; FERPA for
education; FCRA for credit reports and
background checks, etc.;
• Most privacy statutes are not
preemptive, so states and state industry
regulators can overlap;
• For Europe (including tracking Europeans
from US), comprehensive privacy
regulation under GDPR;
• Movement toward comprehensive state
statutes, e.g. California Consumer
Privacy Act (“CCPA”) taking effect in
2020
• FTC Act, 15 U.S.C. Sec. 5.
• Key Regulators:
• Federal: FTC, OCR, and SEC
• State: State AGs
• Individual: Class Action Lawyers
19. General
Principles
and
Standards
Cybersecurity
• Use reasonable measures
to protect the
confidentiality, security,
and integrity of data;
• Note that what is enough
to be “reasonable” varies
according to how sensitive
the particular data is;
• What is “reasonable”
evolves over time;
• There is no such thing as
perfect security – good
information security
program documentation is
critical.
Privacy
FTC Fair Information Principles:
• Notice/Awareness: Tell people
what data you’re going to collect,
and why;
• Choice/Consent: Get their
consent;
• Access/Participation: Let people
see their data, correct mistakes in
it, have it back or move it if they
wish;
• Integrity/Security: You and your
vendors use it only for the
consented purpose, keep it secure,
dispose of it responsibly;
• Enforcement/Redress: (Think $5
20. Cloud
Computing
and Legal
Technology
Q: What are cloud services?
A: Third-party services to which you can outsource some or all of your
IT requirements.
Q: What types of requirements can you outsource (partial list)?
A: Top-level “Infrastructure” (e.g. to AWS or Microsoft);
Middle-level “Platforms” (e.g. SalesForce or SQL Server);
and/or
User-friendly “Applications” (e.g. Abacus, Practice Panther,
Clio).
*You’ll have different responsibilities, and different contracts, for
each “layer.”
Q: What do I most need to know about Legal Tech?
A: Most legal-tech services:
(i) are running on a cloud platform hosted by a third party,
(ii) present their own security and privacy risks, and
(iii) are probably relying on other vendors to provide aspects of their
services to your firm.
21. Contracting
Key Topics (partial list)
• PRIVACY
• SECURITY
• Cost
• Scalability
• Accessibility
• Data Recovery
• Storage
• Compliance
• Audits
• PERFORMANCE
• Confidentiality
• Third-Party Issues
• Data Ownership
• Geolocation
• WARRANTIES
• Term
• Training
• VENDOR CONTROL
• Automatic Renewal?
• Copyright Infringement
• Inappropriate/Illegal Use
• Modifications/Changes
• Governing Law/Venue
• SERVICE LEVEL AGREEMENTS
• TERMINATION RIGHTS
• Breach Notification
• SCOPE OF RIGHTS
22. Vendor
Control
Q: What does “vendor control” mean?
A: Prudent Selection – Contracting – Monitoring – Management of vendors
and service providers.
Q: What are the keys to selecting and contracting with a
vendor?
A: Ethics/reputation; functionality; performance/service commitment;
confidentiality; security; data control; and ownership.
Q: Is this required, or just best practice?
A: Increasingly required. GDPR and CCPA effectively require Data
Processing and Security Addenda, where your vendors pledge to require
their vendors not to use personal data for anything except the purpose
for which they’re hired; to require the same of their vendors; to keep
personal information secure; etc.
(TRANSLATION: don’t let your vendors’ vendors do a side hustle with
your clients’ data – or with yours.)
26. Technological
Competence
Requirements
In The Beginning….
• In 2012, the ABA revised Model Rules of Professional
Conduct, Rule 1.1, comment 8 to include the
requirement that attorneys maintain
technological competence.
• The ABA issues advisory opinions on ethics
questions, which can be cited as persuasive
authority; these opinions and rules are not
binding on state disciplinary authorities.
27. ABA Model Rules of Professional Conduct
Rule 1.1, comment 8
-Maintaining Competence
[8] To maintain the requisite knowledge and skill, a
lawyer should keep abreast of changes in the law and
its practice, including the benefits and risks associated
with relevant technology, engage in continuing study
and education and comply with all continuing legal
education requirements to which the lawyer is
subject.
28. Texas
Implementation
In The Beginning….
• At the state level, many states began passing
legislation making technical updates to
their statutory authority on service of
process (to include electronic service),
electronic signatures, electronic
communication/notice, and electronic filing.
• In 2013, the Texas Supreme Court mandated
electronic filing in civil cases to begin January
1, 2014, with full implementation by July 2016.
29. Texas Key Rule Changes
• Texas Rule of Civil Procedure 21
• Filing and Serving Pleadings and Motions
• Texas Rule of Civil Procedure 21a
• Methods of Service
• Texas Rule of Civil Procedure 21c
• Privacy Protection for Filed Documents
30. Texas
Ethics Opinion
Concerning
then Current
Rules
2016 – Texas Ethics Opinion 665
• In December 2016, the Professional Ethics
Committee for the State Bar of Texas issued
Opinion No. 665.
• This opinion addresses attorneys’ responsibilities
related to metadata.
• The opinion reviewed the competency
requirements of the previous version of Rule 1.01,
Texas Disciplinary Rules of Professional Conduct.
• Although this opinion addresses an attorney’s duty
of competence related to technology, it deals
narrowly with metadata.
31. Texas
Ethics Opinion
Concerning
then Current
Rules
2016 – Texas Ethics Opinion 665
The opinion states:
• [A] lawyer’s duty of competence requires
that lawyers who use electronic documents
understand that metadata is created in the
generation of electronic documents, that
transmission of electronic documents will
include transmission of metadata, that the
transmitted metadata may include confidential
information, that recipients of the documents
can access metadata, and that actions can be
taken to prevent or minimize the transmission
of metadata.
32. Florida became
the first state
to require
lawyers to
include
Technology in
their CLE
2017 – The First CLE Requirement in Florida
RULE 6-10.3 MINIMUM CONTINUING LEGAL
EDUCATION STANDARDS
(b) Minimum Hourly Continuing Legal
Education Requirements. Each member must
complete a minimum of 33 credit hours of approved
continuing legal education activity every 3 years. At
least 5 of the 33 credit hours must be in approved
legal ethics, professionalism, bias elimination,
substance abuse, or mental illness awareness
programs, with at least 1 of the 5 hours in an
approved professionalism program, and at least 3 of
the 33 credit hours must be in approved
technology programs. If a member completes more
than 33 credit hours during any reporting cycle, the
excess credits cannot be carried over to the next
reporting cycle.
33. Texas
Ethics Opinion
Concerning
then Current
Rules
2018 – Texas Ethics Opinion 680
• In September 2018, the Professional Ethics Committee
for the State Bar of Texas issued Opinion No. 680.
• The opinion states:
Rule 1.01(a) requires that lawyers exhibit
“competence” in representing clients. In Opinion 665
(December 2016), the Committee applied Rule 1.01 to a
question involving a lawyer’s inadvertent transmission to
third parties of electronic metadata within client
documents and concluded that the Rule’s “competency”
requirement was applicable to a lawyer’s technological
competence in preserving client confidential information.
The Committee reiterates here the necessity of
competence by lawyers and their staff regarding data
protection considerations of cloud-based systems.
• Again, although the opinion addresses an attorney’s duty of
competence related to technology, it focuses
on cloud-based systems, not technology as a broad
issue.
34. 2019 Texas Supreme Court Order
On February 26, 2019, the Texas Supreme Court ordered that
paragraph 8 of the comment to Rule 1.01, Texas Disciplinary
Rules of Professional Conduct, be amended to include the
requirement for attorneys to maintain technological
competence. Texas thus became the 36th and most recent state
to do so.
35. Texas
Ethics Opinion
Concerning
then Current
Rules
2019 Texas Supreme Court Order
Rule 1.01. Competent and Diligent Representation
Comment:
Maintaining Competence
8. Because of the vital role of lawyers in the legal
process, each lawyer should strive to become and remain
proficient and competent in the practice of law,
including the benefits and risks associated with relevant
technology. To maintain the requisite knowledge and skill
of a competent practitioner, a lawyer should engage in
continuing study and education. If a system of peer
review has been established, the lawyer should consider
making use of it in appropriate circumstances. Isolated
instances of faulty conduct or decision should be
identified for purposes of additional study or instruction.
36. How will Texas
apply this
change?
2019 Texas Supreme Court Order
Rule 1.01. Competent and Diligent
Representation
• As of 9/1/2019, no appellate decisions in Texas
reference the revised comment to the Rule.
• Sister Jurisdictions may give rise to some
guidance for Texas Courts (e.g. Delaware).
37. The Potential Future of the Competence Requirement
James v. Nat’l Fin. LLC, C.A. No. 8931-VCL, 2014 Del. Ch.
LEXIS 254 (Del. Ch. December 5, 2014).
• The Court of Chancery has jurisdiction to hear all matters
relating to equity, largely dealing with corporate issues. It has a
national reputation in the business community and is
responsible for developing the case law in Delaware on
corporate matters. Appeals from the Court of Chancery may
be taken to the Supreme Court.
38. James v. Nat’l Fin. LLC
• Delaware’s Lawyer’s Rules of Professional Conduct,
Rule 1.1, Comment 8, was amended to include the
language “including the benefits and risks associated
with relevant technology.”
****(This is the Texas Language)****
Case Background
• Civil class action alleging unconscionable loan practices.
• This opinion deals with a discovery dispute and
sanctions.
• The Plaintiffs propounded discovery requests related to
the bank’s loan practices.
39. James v. Nat’l Fin. LLC
Case Background
• In his deposition, the Defendant bank’s representative
admitted to making errors in exporting data for the
discovery response.
• Court ordered Defendant bank to utilize an IT expert to
respond to specific discovery requests.
• Court ordered that the IT expert provide an affidavit
describing the procedures it followed in extracting the
data.
• Defendant chatted with an IT expert for 20 minutes who
wrote a letter stating that there was no way to properly
and easily convert paper records into an electronic
database.
40. James v. Nat’l Fin. LLC
Case Background
• Plaintiff’s attorney pressed Defendant’s attorney for the
required affidavit.
Wait for it… Wait for it…
• Defendant’s attorney stated that he did not know
anything about it and tried to stay out of the process!
• During the hearing on motion for sanctions (of course)
Defendant’s attorney said…
41. James v. Nat’l Fin. LLC
Case Background
“I have to confess to this Court, I am not
computer literate. I have not found
presence in the cybernetic revolution. I
need a secretary to help me turn on the
computer. This was out of my bailiwick.”
42. James v. Nat’l Fin. LLC
Holding
The Court had some thoughts about this:
• Professed technological incompetence is not an
excuse for discovery misconduct. The Court went on to quote
comment 8 to Rule 1.1 of Delaware’s Lawyer’s Rules of
Professional Conduct with the language “including the
benefits and risks associated with relevant technology.”
• The Court ordered the Defendant to pay Plaintiff’s
attorneys’ fees and costs related to this discovery dispute.
43. Final Thoughts
• While Texas does not have a specific Technology
requirement for CLE, prioritize at least one CLE or
Lecture concerning technology updates annually.
• Refer to State Bar promulgated seminars concerning
legislative updates and updates concerning e-discovery
and new trends in technology in litigation.
• Know what you don’t know… technology can outpace
even the best of us!