Still Too Big to Sue

November 4, 2013


Class action suits are one avenue to harass Big Data over its ever-expanding ways of violating consumers’ privacy. But a settlement that rivals our national debt is not out of the realm of possibility when most of the suits have millions or even hundreds of millions of plaintiffs and are based upon violations of the Wire Tap Act, which allows for statutory damages of $10,000 per illegal wire tap.


The cases usually end up being settled by the violators agreeing to a cy pres award: a fund to give to organizations that educate consumers on privacy. Cy pres awards have been coming under fire as not being true to their name, which means “as close as possible”. In class actions, they are used to allow the court to make an award that promotes the interests of the class members instead of giving an award to the class itself – which means that the plaintiffs get maybe $10 and some (questionable?) organizations get millions. The US Supreme Court had the opportunity to review a recent Facebook class action settlement but declined it today. The court’s reasoning indicates they might still be interested in addressing the issue, but that this was a bad case to use because it had such bad facts: the injured plaintiffs didn’t like that the organization getting $9 million is controlled by Facebook. What could be wrong with that? To read more, see Online Powerhouses – Too Big to Sue.

Wake Up US Cloud Computing Providers!

photo by Terry Robinson

August 8, 2013

The European press is eating your lunch! They are literally capitalizing on the PRISM scandal and they have no reason to be so smug. While a recent US based study by ITIF highlights that 10% of non-US residents had already cancelled a project with a US based cloud provider and that the US industry stands to lose up to $35 billion in the next three years, the Guardian and Irish Times are busily reporting on the secret surveillance programs in place abroad.

Yes, through its secret program, Tempora, the British are collecting telephone and online data from the 7 major telecoms running the undersea fiber-optics that form the backbone of the Internet. And as also highlighted in the study, most European governments can and do gather electronic data on their citizens without warrants. For more, please see The Dangers of European Clouds.

Arbitration in China Still in Flux – But Improving


June 25, 2013

Arbitration is the favored approach to legal dispute resolution for foreign investors doing business in China. Until recently, the only arbitration tribunal available was CIETAC, the China International Economic and Trade Arbitration Commission. Without much fanfare, CIETAC adopted new rules just over a year ago. While the international legal community didn’t react too much (and they should have), the Shanghai and Shenzhen sub commissions revolted as a consequence and formed new organizations.

This wouldn’t be so revolutionary elsewhere, but in China, an arbitration tribunal must be established under municipal law, registered with the provincial justice bureau and if administering cases related to foreign interests, further established under the China Chamber of International Commerce. Otherwise, local courts don’t have to recognize their awards. And, why go through an arbitration process only to get an award that a court may or may not enforce?

The revolutions happened last August leaving another big question unanswered: how to interpret existing contract clauses that require CIETAC arbitration in one of the wayward cities. But, in the meantime, the new commissions, Shanghai International Economic and Trade Arbitration Commission (SHIAC) and Shenzhen Court of International Arbitration (SCIA) (also called South China International Economic and Trade Arbitration Commission (SCIETAC)) have issued rules, engaged panels of arbitrators and are working their way through the legal approvals. And CIETAC has opened new offices in Shanghai and Shenzhen. One issue is resolved: existing contract clauses using CIETAC in Shanghai and Shenzhen can be enforced. And new tribunals are coming on line.

So which is the best tribunal? All three, CIETAC, SCIA and SCIETAC, have adopted a rule that is good news for foreigners. The parties can now agree to use their own arbitration rules – as long as they are reasonable. Anyone who has experienced a CIETAC arbitration in the past would jump at the opportunity to use another tribunal’s set of rules. SCIA and SCIETAC didn’t like CIETAC’s modernization, so don’t look there.

Remember that a foreign investor is typically only going to choose CIETAC if it has to because it is a WFOE (Wholly Foreign-Owned Chinese Entity) and the other party is also a Chinese company. See my earlier post: Resolving Disputes in China. This new rule gives a foreign investor operating under a WFOE most of the same flexibility regarding arbitration proceedings as if it were a foreign company.

Adopting another tribunal’s rules, say the International Chamber of Commerce (ICC) or the Hong Kong International Arbitration Centre (HKIAC) rules, takes the dispute completely out of the restrictions of CIETAC concerning choice of arbitrators, venue, evidentiary hurdles, etc. Voila! An efficient, modern arbitration proceeding is now possible.

Granted, it may be difficult to convince a Chinese party to go that far. But even under the new CIETAC rules, the parties may agree to a venue outside of China as long as one party is foreign. So far CIETAC has only set up one arbitration center outside of China – in Hong Kong. The irony is rich, except Hong Kong has long been considered a friendlier place for foreigners and it has a well established legal and arbitration community of good reputation. If Hong Kong is agreeable as a venue, perhaps the Chinese company can be persuaded to accept some of the more modern HKIAC rules as well.

While reconsidering your standard arbitration clauses, remember that under Chinese law, an arbitration clause is not enforceable unless it defines the tribunal, rules and venue. That is why the absence of Shanghai and Shenzhen sub commissions of CIETAC was such a problem. CIETAC issued an interim rule stating parties in that situation should use their Beijing office, but a party seeking to avoid arbitration could use the situation to do so.

It remains to be seen how the commissions will interpret the new rules. What is considered reasonable? For example, if the parties can choose their own rules, does that extend to a rule about venue? Will the tribunals still insist the parties use their panels of arbitrators even if they are unfamiliar with other tribunals’ rules? And if a chosen venue or rule is invalidated, is the whole arbitration agreement unenforceable?

Some drafting tips include:

  • When designating an alternative tribunal’s rules, be clear that all the rules, including those on venue, choice of arbitrators and any others of concern apply;
  • State that the parties consider all the alternate rules to be reasonable. The commission has the final word, but it can’t hurt to state that the parties think so.
  • Include a severability clause that requires the arbitrator or commission to reform an unenforceable clause to an enforceable one which most closely reflects the intent of the parties.

NSA Surveillance – All Perfectly Legal

Image by Setreset


June 18, 2013

Does anyone really think they know what the NSA is doing with all the data they can access? We only know what they feel is appropriate to tell us. But regardless of your comfort with the current state of secret government surveillance, it’s nothing new. In fact, FISA, the Foreign Intelligence Surveillance Act, officially hit middle age turning 35 years old this year. And managing government requests for customer information is a regular issue for cloud providers, telephone companies and ISPs. How do they get away with it? See Government Intrusion into the Cloud

Director Nightmare #2: Cybersecurity


May 31, 2013

It’s no wonder cybersecurity is the #2 issue that keeps corporate directors up at night. The news abounds with stories about Chinese cyber espionage, overzealous Department of Justice probes, multi-million dollar ATM thefts, crippling denial of service attacks and leaks from social media and “rogue” employees. In some respects the public is numb to all this (unless that was your credit card number that was broadcast). But directors are and should be worried. The Internet can be a risky place.

The threats may seem overwhelming. How can a company avoid the global spread of malware? Don’t the Patriot Act and FISA allow the feds access to a company’s records without its knowledge anyway? Won’t overseas companies copy your products somehow no matter what? What is Twitter about?

The reality is that cyber risks can be thwarted and mitigated with good security risk management programs and IP protection programs. These programs aren’t just about having the latest technology. Proper use of technology and company data by people is the key. In fact, employees, not bad technology, are the source of 56% of data breaches, according to a hospital survey. Breathe: employees are trainable.

Changes in technology are a factor, however. The cloud, smartphones and social media are new avenues for company data delivery, access and storage. A company’s internal IT security protocols are important but becoming less relevant as more data moves to the cloud. Yet, another survey showed that only 50% of company IT security professionals reviewed the security practices of the cloud and SaaS providers that their company uses. Like employees, cloud providers have varying levels of sophistication and attention to data security. That’s a lot of unassessed risk.

Next, more employees use their own smartphones and tablets to access the company systems, creating zillions of copies of company data on uncontrolled devices. Well, uncontrolled at 76% of companies, since only 24% report having BYOD (bring your own device) policies. Even company-issued devices don’t necessarily come with security guidelines.

Social media, meaning Facebook, Twitter, Pinterest and the like, are the electronic versions of newspapers and press releases – except that they are used by lots of employees, reach many more people and are instantaneous. Directors who are used to all company statements being carefully crafted through the PR department may find their company’s use of social media frightening. And, if the company doesn’t have a policy for social media use, it may be at risk for leaks about company strategies or misinformation about products, not to mention embarrassments like photos of drunken staff parties. Social media is a very easy way for employees and customers to spread information which represents the company. It is a great marketing and advertising tool but needs management to avoid damaging a company’s brand or worse.

Net, if a company’s internet use or email policies were written in the nineties, it’s time to give them a fresh look. And policies alone don’t fix things. A full compliance program which includes education, auditing and enforcement is required.

Ultimately all cyberthreats cannot be prevented. Directors sleep better if they know the company is prepared to manage a data security breach. While 63% of the directors surveyed felt comfortable that their company could manage a data security breach, they weren’t so happy with their companies’ crisis management plans. Those plans encompass such catastrophes as cyberattacks and natural disasters that shut down operations and corporate disgraces like tainted products, oil spills or executive fraud. 57% of board members said that they had reviewed their company’s crisis management plan within the last year, but only 34% said that they were very comfortable with the plan. 30% said they were not at all comfortable with the plan, the company had no plan, or they didn’t know if the company had a plan.

Corporate boards aren’t responsible for the day to day risk management of the company. But, when they hear about the cyber theft and cyber crises around the globe, they must know their company is prepared. A modern data security program, IP protection program and crisis management plan can significantly reduce threats from lazy or malicious employees, unsafe devices and rogue cloud installations.

Directors should be leading the charge when it comes to acknowledging cybersecurity.  Regardless of their technical backgrounds, Directors should be asking the right questions of their leadership to ensure key company threats are addressed.  If the company isn’t able to address these issues internally then it needs to bring in resources to take an objective look and implement best practices in the industry.  Proactive risk management should result in a boring outcome, meaning, there are no cybersecurity crises.  It definitely beats the alternative.

Silly Contracts Impede Adoption of Cloud Computing


May 8, 2013

I love British understatement. In a recent article on a British cloud blog, a CIO pronounces cloud contracts “silly” when they don’t address customers’ requirements around privacy and compliance. Terms that overreach on limitations of liability and give providers rights to mine customer data are also deemed “silly”. His point isn’t silly though. Those silly terms keep customers from buying. My interpretation is more direct. I think they’re scary. See my Cloud Tweaks article on the issue: 5 Reasons Why Cloud Contracts Should Scare You.

I Won!

Photo by Search Engine People Blog


April 19, 2013

Facebook, Twitter and Pinterest now make it even easier to run contests and sweepstakes online. But some of us still remember the days of Publisher’s Clearinghouse scams and when Powerball was the hot new thing. What do they have in common? They spawned the mail fraud and illegal lottery laws which govern how companies and charities can run drawings, contests and raffles. Don’t run a risky marketing program. Understand what you’re getting into by reading: “You may already be a winner!”

Temporary Agency or Independent Contractor?


February 21, 2013

Freelance help can be found through Craigslist, an employment agency or a management consulting firm, just to name a few ways. What’s the best way to hire them? Is a contract necessary? What kind of fees are involved? This article describes the key considerations you should think about: Freelancers to the Rescue – Part II.

Are You Taking Advantage of Freelance Help?

Photo by ADL999

February 6, 2013

The recession has been hard on a lot of people, not the least of which are those employees who are trying to do the work of all the ones that were laid off. Employers may be still nervous about adding employees, but they can take advantage of the burgeoning number of freelancers out there – to do anything from data entry to high level strategic planning – and take some pressure off their overworked staff. See: Freelancers to the Rescue – Part I

Got Rogue Clouds? Yes, It Does Really Matter

Photo by Eve Livesey


January 22, 2013

Rogue Clouds: the myriad of Dropbox accounts, implementations, media sharing apps, etc. that various parts of your business sign up for without thinking twice and definitely without consulting IT or Legal. They happen everywhere, more often in large enterprises (83%) but also in small to medium size companies (70%) according to a recent global survey of over 3000 companies commissioned by Symantec.

Should you care? Only if you are concerned about maintaining the confidentiality of your sensitive data or worry about theft and the integrity of your websites. 40% of the companies surveyed reported disclosure of confidential information through rogue clouds. Over 25% reported account takeover issues, defacement of their web properties and other stolen property and services – all through the use of rogue clouds.

The cloud hype is relentless. It’s secure, it’s cheap, it’s the best way to store data. Even when the clouds weren’t rogue (meaning they were part of the companies’ IT strategies), the survey debunked many of those claims as well. 43% of the companies reported that they had lost data in the cloud. And what’s worse, 68% said that their data recovery operations failed. Of those that did recover their data, 22% said it took over 3 days. Hope you can operate without your data for that long – or forever.

Next, the survey showed that companies didn’t take advantage of the savings they might have gotten from their cloud storage. Companies typically pay for 6 times as much storage as they need. Plus, organizations must use additional solutions to backup their cloud data, which adds cost and inefficiencies to IT operations – and apparently doesn’t work very well.

And then there are the other risks related to how and where data is stored.

One challenge for cloud data storage is eDiscovery, pulling out the required information when a company is in litigation. 34% of the surveyed companies had eDiscovery requests for cloud data in the last 12 months, so this is why lawyers ask a few specific questions. They want to know whether data is commingled (is your data easy to separate from other customers’ data or in other ways easy to search and retrieve only specific types of data); where the servers are located (jurisdictional issues when dealing with clouds in multi-national data centers are a nightmare); and data retention (data destruction schedules for litigation related data must be suspended until the case is resolved). The vast majority (2/3) of the companies missed their court-ordered deadlines to deliver the information. 41% were never able to find or deliver the requested information. Companies reported paying fines and lost advantage in their cases as a result.

Finally, the survey also asked about privacy concerns. In the last 12 months, 23% of the respondents had been fined for privacy violations related to data stored in the cloud and over half of the companies were worried about their ability to prove they meet their privacy obligations when their data was in the cloud.

So, the potential risks that IT and the lawyers bring up about the cloud are real (isn’t it nice to know we aren’t just paranoid?). On the other hand, except for a few risk areas, about half of the cloud services worked well. So doing due diligence and choosing a good vendor are still very important.

Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in corporate law and commercial contracting, with an emphasis on international issues,  technology licensing and the Internet. She can be reached at

This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.

When Vendors Drive You Crazy

Photo by Evil Erin


January 8, 2013

Not all vendors are good at what they do – but then again, not everyone is a good customer either. When a vendor relationship goes sour, good communications become even more important. What works and what is guaranteed to make it worse? See this for the five mistakes you don’t want to make: How Not to Handle Vendor Disputes.

Intern or Slave?


December 10, 2012

In the current job market it seems that some people, young ones more often, will do anything to get a job – even an unpaid internship. This could seem like a real boon for cash strapped employers. Instead of hiring someone, just call them an intern and you won’t have to pay. Fortunately (or unfortunately, depending upon which side you’re on) the Department of Labor and state laws have stepped in to stop intern abuse. See this post for the basics on how to do it right: Doing Anything for Nothing.

Colorado Secretary of State Throws a Bone

December 3, 2012

Colorado was one of the states that made a frantic search for illegal voters, turning up about ten, maybe, and scaring thousands (we went blue anyway). And our Secretary of State is now under investigation for spending state funds to go to the Republican National Convention. Now, whatever his motive, he has temporarily dropped the online filing fees for all state business filings to $1 (with a few minor exceptions). Can’t argue with that one. See more details here: A gift for business from the SOS.

Resolving Disputes in China – CIETAC Implodes

November 26, 2012

An annoying side effect of doing business anywhere is having a dispute. At some point, most businesses end up in court, arbitration, mediation and/or protracted settlement negotiations about some matter. One of the considerations about doing business in China, or any country, is whether there are efficient tribunals available to allow your matter to be resolved fairly.

China’s court system has yet to be considered competent and efficient by foreign investors.  By western standards, Chinese judges don’t like to judge. At the end of the day in court, the judge usually tells the parties to go work it out on their own instead of making a decision. And even many Chinese lawyers recognize that the majority of judges outside the more sophisticated large cities can be biased and incompetent.

So, foreign investors take their cue from the locals and try to avoid going to court if at all possible. When negotiations aren’t working, the recommended alternative is arbitration. The New York Convention, signed by 147 countries, allows arbitration awards to be enforced in any court of a participating country.  The theory is that parties can get their dispute resolved by a competent and unbiased arbitrator (or panel of arbitrators), and take it to the appropriate court to be enforced if necessary.

When the goal is to get a competent and unbiased arbitrator, the choice of arbitration tribunal is paramount. In China, the premier arbitration body is CIETAC (China International Economic and Trade Arbitration Commission). Most foreign investors would rather use anything but CIETAC for multiple reasons, including competency issues and anti-foreigner bias, but may get stuck there. If the foreign investor forms a company in China, which is typically required to do business there, and the dispute is with another Chinese company, Chinese law must apply. International and offshore arbitration forums won’t decide a case under Chinese law between two Chinese companies, the same as CIETAC won’t decide a case under New York law between two American companies. [i]

Having to use CIETAC is bad enough, but now CIETAC itself is fracturing. CIETAC is based in Beijing and has sub commissions and branch offices around the country. In August, CIETAC-Shanghai declared its independence from CIETAC-China and CIETAC-China responded by booting both the Shanghai and Shenzhen sub commissions. It would be like the American Arbitration Association decertifying its chapters in New York and San Francisco – with the major exception that we have many other options for arbitration in the US. And what is also discouraging is that Shanghai and Shenzhen revolted because CIETAC-China pushed out rule changes they didn’t like. The new rules provide the tribunal with more flexibility in how it handles cases and brings the rules more in line with international standards.

What does this all mean? If you are unlucky enough to have a dispute about a contract that states your disputes will be resolved by CIETAC-Shanghai or CIETAC-Shenzhen, you’ve chosen now non-existent forums. Instead of preparing your case under pre-agreed rules, your first order of business is to reach agreement with your antagonist about how to resolve your dispute. Will you use CIETAC-Beijing, the new CIETAC Shanghai Commission or new South-China Commission, or will one of you race the other to the People’s Court in your jurisdiction (hmm, wonder which side would consider that?).

Travelling to Beijing may be quite inconvenient for both parties, yet the new Commissions both exist in contravention to PRC law and are completely unknown quantities. Their status as arbitration tribunals might be revoked by the government or they might be reunited with CIETAC-China under new rules at any point in the process. None of these are good choices.

The CIETAC split occurred in early August. It’s now four months later, and nothing has happened except that the new tribunals are working on setting up shop. Will they be allowed to continue? If you were putting together a new deal in Shanghai, what dispute resolution process should you choose? If you choose nothing, you aren’t prohibited from using an arbitration tribunal if you want to, the problem will be getting an agreement to do so with your opponent at the time. What if the new tribunals get a reputation for being more foreigner friendly? Or less competent? Frankly, your choices stink. Your only option is to make your deals work. Guanxi anyone?

[i] For a short time, mainland China said its courts would recognize rulings issued by the Hong Kong International Arbitration Center, but that did not prove true. Hong Kong’s legal system has not been fully integrated with the rest of China.


Confusion and Lies about the Cloud

November 15, 2012

The cloud (as far as the computing version) is still a mystery to most Americans. What I found most amusing about this survey from Wakefield Research is that people who don’t know what it is (which is a majority) try to fake it – and believe that the people they are talking to don’t know what they are talking about either. 17% even pretended to know what it was on a first date – must be something we think will be impressive since no one really understands it. I guess it’s not too surprising considering the technical definitions which include concepts many have never heard of, but that some people actually thought it was related to weather, pillows, drugs and toilet paper is rather shocking. See Forbes’ take on it here: Americans Unclear.

Why Corporations Behave Badly

November 14, 2012

I once worked for a company whose slogan was “Working for Shareholders”. As an employee, I thought it was a callous motto but at least they didn’t pay us lip service with such platitudes as “Our employees are our greatest assets” or “Customer satisfaction is our number one goal.”

In fact, as a public company they were only restating their legal obligations. Any company’s foremost obligation is to its shareholders. The directors and managers are assigned the task of creating value for them by law. So, does this mean that companies have the obligation to cut corners, pollute and take advantage of their employees if it creates more “value” for the shareholders?

Of course, companies also have the obligation to comply with other laws which limit those bad acts. But these are the regulations that bring out the free market radicals. According to this philosophy, the free market will punish those companies that pollute, produce dangerous or shoddy products or abuse their employees. Unfortunately for them, history has not supported this approach. Unfettered corporate greed has created some bad consequences for some actors no doubt, thinking back (not so very far) to several market crashes. But workers, customers and society usually pay the price.

So it’s this requirement to create value for the owners that makes corporations resist new health care mandates, environmental regulation, safety precautions, employment rules and all those other “nanny state” traits – and which is exactly why we need them. Prior to the rise of unions and wage and hour laws, companies used to hire children, make them work 12-15 hour days under dangerous and unhealthy conditions and pay them pennies. Adults weren’t treated much better. Companies who did not take that approach had a hard time competing (and employees didn’t have better choices), so the market wasn’t going to correct them. It took laws to make them stop, despite the efforts of union busting Pinkerton agents.  Unions have lost relevance to most of us, but we should remember that they did us all a great service once upon a time – that is unless you are only an investor and have never worked for a living.

The loudest corporate defiance since the election has been about Obamacare, where a few companies (e.g., Papa John’s Pizza and Applebee’s) have already announced that they will have to fire employees instead of provide them with the required health insurance (or pay the measly fine). If this is really what they need to do to create value for their shareholders, then this is what their corporate charter requires. So far, it doesn’t seem to be affecting Domino’s, Denny’s and other large restaurant chains. And for those of us who would rather frequent a locally-owned restaurant, the 50 employee threshold on the health insurance requirement will actually make them more competitive.

Environmental regulation is often cited as a reason that Democrats are bad for business. Making companies take expensive steps to keep waste from polluting the earth is in contradiction to creating the most wealth for shareholders. But, some companies have learned that creating less waste decreases production costs thereby increasing net profits – too bad finding the ways to decrease waste wasn’t important until waste disposal became a legal issue. And, it took a lot of damage to the earth before most people became aware that something needed to be done about stewardship to our planet.

The recent announcement by Murray Energy that the Obama administration’s “war on coal” is forcing that company to lay off employees misses the bigger picture – the market impact that cheaper, cleaner natural gas has had on the coal industry and the fact that the Clean Air Act was signed into law by Richard Nixon. The first rules regulating mercury emissions from coal fired power plants were issued in the 1960s, which led to development of far more power stations fueled by alternatives to coal. This has been coming for fifty years. It appears Charles E. Murray was literally banking on Romney bailing out his already failing industry. Maybe we should appreciate that Murray Energy has hung on so long under these market conditions.

And the list goes on with other regulatory categories. The tension is built into our corporate code when “value” is only interpreted to mean monetary wealth. However, if shareholders accept that “value” includes social responsibility, corporations don’t have to behave badly to create value.


Lawyers – Do You Encrypt Your Email?

April 26, 2012

Please answer this one question!

Hint: If you think you need to ask IT, the answer is no.


Earlier this week I got into a bit of a tiff with another writer about whether lawyers should be encrypting their email to meet their ethical obligations. The writer works for Zix Corporation, an encryption service company, and his article was published by Attorney at Work, which often publishes information about new technologies provided by the vendors. But this article wasn’t clearly pitching Zix’s services; it was a cautionary tale about the security requirements lawyers should be using to meet ethical requirements. A colleague even called the article to my attention because she was concerned that she wasn’t encrypting her email – she missed the author’s bio at the end.

While the Zix article posits that lawyers risk ethical violations by sending unencrypted email, my reading of the few related ethics opinions doesn’t go so far. In fact, while two states, California and North Carolina, bring up that encryption might be something lawyers should consider using, they fall very short of stating that unencrypted email is dangerously insecure and that lawyers must encrypt. In fact, the ABA hasn’t changed its opinion from 1999 which is that there is a reasonable expectation of privacy in unencrypted email.

On the other hand, the ILTSO, the International Legal Technical Standards Organization, has definite opinions on technical security and they not only say that encryption is required for client data being communicated through the public internet, but they recommend encryption bit thresholds, verification by unexpired third party certificates and making sure that encryption is truly end-to-end.

In this action packed week, I went to a CLE program this morning put on by a prominent Denver law firm entitled “Privilege and Preservation in the Corporate Setting; Practical Tips for Avoiding Communication Pitfalls in the Digital Age.” Fantastic, I thought. I’ll find out what the latest law really is on this subject. When it became clear that the speaker wasn’t going to address encryption in her talk, I asked the question: “Should email be encrypted to preserve the attorney-client privilege?” I didn’t mean to throw the speaker but I did. She said she didn’t know of any court using it to declare whether a communication was privileged or not but didn’t believe a court would invalidate the privilege because a lawyer failed to encrypt an email (and I would trust Zix to point out those cases if there were any). Then I asked whether she knew if many lawyers encrypted their email and she didn’t.

But, I would still like to know! I invite you to comment. Please answer the following questions:

  1. Do you regularly send or receive encrypted email to your clients or outside counsel?
  2. If you do not, have you considered it and why did you decide not to?
  3. If you do, what do your clients think about it?

Promise: If you say no, I will not send your contact data to any ethical committees or encryption providers.

The Cloud, Security and Legal Ethics – Whom Can I Trust?

April 12, 2012

As I’ve been looking into the issues around lawyers putting client data in the cloud, I’ve run into a fair amount of (quasi?) scholarly work on the issue. There are several organizations that have published advice on the subject, including ILTSO, ILTA and ISACA. The primary source materials come from the ABA and various state bar Ethics Committees. So far, case law is very limited, dealing more with maintaining the attorney-client privilege with email and the discoverability of client data that someone else put in the cloud. Your malpractice insurance provider may have something to say about it. And then law practice management vendors publish “White Papers” that describe why their product is a great solution for your practice.

It’s a lot of fairly complex data and it doesn’t all agree. I’ve written a couple of articles for local Colorado legal publications on how the Ethics Committees are approaching the issue. But, so far their advice has been vague and unrealistic. Clearly the users of the many law practice management systems out there (not to mention gmail, Dropbox or Docs to Go users) haven’t been paying attention to them. And until one of them has a big security breach and clients start grieving, no one will – which doesn’t mean lawyers shouldn’t care what the Ethics Committees think. It’s just that the committees aren’t very helpful for lawyers trying to make an educated decision, or use “reasonable precautions” as the opinions require.

I’ve found that some of the organizations give more practical advice. But, the reader still needs to appreciate who is involved in giving that advice. ILTA, the International Legal Technology Association, has some informative publications. It’s important to know, however, that they are provided or sponsored by the vendors of the services they are evaluating. It’s a trade organization, or as it describes itself, a ‘networking organization’.

In contrast, ILTSO, the International Legal Technical Standards Organization, has some of the same membership as the ILTA, but is focused on providing lawyers with standards that they can use to self assess their security compliance. Their standards for client data security are specific and clear, if perhaps beyond what most lawyers are doing today.

ISACA, the Information Systems Audit and Control Association, has a broader audience than just the legal profession. And think about it, other types of businesses, including health care and financial services, have many more technical security requirements to follow than lawyers. It is an independent organization that provides certification in auditing and security. ISACA has issued guidelines on adopting cloud use that lawyers can apply to the business of practicing law which shed light on the risks and rewards of this advanced technology.

Finally, a few words about white papers. The purpose of a white paper is to help you make a decision, so the author is important. They are rarely impartial. A commercial white paper is written to persuade you to choose that vendor’s product. They aren’t false, or they would be prohibited by the FTC rules on false advertising. But they are marketing materials. Think of it like a brief. It may cite cases and ethics opinions. It may also conveniently ignore various issues. Trade associations and standards organizations also have agendas. To the extent their white papers help prod vendors and users towards better practices, I trust them more. If ethics committees considered the advice of the standards organizations when they issue their opinions (and maybe they did, but it’s not apparent), they would be more practical and helpful.

Working and Playing in the Cloud – A Review of What’s Cool, Useful and Scary Up There

March 28, 2012

Tech Issues for Lawyers, Non-Techies and Others Who Like Their Privacy

Have you soared into the cloud? Chances are you have tried this advanced technology, whether for work or personal use. The cloud, as the term is used today, has been around for general consumption since the mid-90s – were you an early Yahoo or Hotmail email account user? Today, the cloud refers to anything that involves delivering hosted services over the Internet. This can include a myriad of common computer services, like email, document and photo storage, computer backup and also more specialized, work-based systems for financials, sales, law practice management, employee performance management, expense management and customer service. If you need an Internet connection to get to it, it’s most likely in the cloud.

I’m a lawyer. Many of my colleagues have barely gotten to the email age, while others have virtual practices taking advantage of many of these services. The purpose of this blog is to help lawyers and other privacy-minded individuals without technical backgrounds understand what it means to put their documents, their business, their personal lives and their trust in the cloud.

While email has been a part of life for long enough now that most people understand it, the other cloud-based systems are new enough that many people don’t know anything about how they work. One type of cloud service that is appealing to lawyers is free – or cheap – document storage. Introduced only in the last few years, there’s Google Docs (2010), iCloud (2011), Dropbox (2007), Amazon Cloud Drive (2011), SugarSync (2006), SkyDrive (2007) and Mozy (2006), just to name a few. They all provide a certain amount of storage for free and allow access to your documents anywhere you can catch a WiFi connection. They are very attractive for solo practitioners of any profession, small businesses trying to avoid building their own network, students, travelers, you name it. They all work pretty well too, although some have more features than others. But are they a good solution for you?

As lawyers, we have ethical requirements to keep our clients’ information confidential and to preserve the attorney-client privilege. Our governing bodies are struggling with giving guidance on whether any cloud-based service satisfies ethical requirements. In contrast, the medical and financial fields are way ahead of us in dictating appropriate use of electronic media. HIPAA and HITECH prescribe many rules regarding storage and security of protected patient information. Financial services are subject to a complex array of legal, regulatory, interchange and payment processing rules governing electronic financial data. Somehow lawyers have resisted regulation here – but is that a blessing or a curse?

The guidance from the ABA and various state Ethics Committees is vague and impractical. They give an initial thumbs up to the cloud but then expect a relationship with a vendor that doesn’t exist (like unlimited liability and guaranteed confidentiality). There are some practical issues too. A simple review of the terms for these omnipresent document storage offerings reveals some flaws. The providers:

  • don’t promise to keep your data confidential;
  • don’t promise reliability;
  • can shut you off at any time;
  • can discontinue the service at any time;
  • can change their terms of service at any time;
  • may send your data anywhere in the world they have a server; and
  • may disclose your data without your knowledge to third parties because they deem it necessary.

If you were my client, would you want your confidential information there?

But not all cloud offerings are alike. Some meet higher security standards and can be used even by the medical and financial professions. Lawyers have more targeted cloud offerings too, including Clio, Citrix, Law Loop, Livia, Lextranet, MyCase, Nextpoint, and Rocket Matter. Their websites will tell you not to be afraid of the cloud, but will they guarantee it? That’s a topic for future posts.