by David Fenster, Esq.


PRESIDENT’S COLUMN Changing Tools


It seems that almost every day there is an article in the news about computer security. Often, the story is about a security breach. As I read these articles, I cannot help but think about how computer security has changed the practice of law.1 Stories about computer security problems are no longer confined to the technology section of the news. Most recently, I read that one company suffered a data breach involving an estimated forty million credit card accounts. Another security breach exposed personal information, including credit card information, and encrypted passwords for 2.9 million customers.2 A police department was the victim of “ransomware” and had to pay $750 to restore access to their own data.3 The FTC took action against a tech support scam involving people being billed for fake tech support to remove non-existent computer viruses.4 Attorneys and law firms can be (and may already have been) the victim of these very same kinds of attacks.


Once, this topic would have been solely the domain of dedicated information technology staff. Now, we must all be aware of these threats because they touch us all as individuals and as attorneys. Computer security issues can have significant financial and ethical implications for us as lawyers. Attorneys, especially attorneys in small and solo firms, have always needed to manage all the duties of running a law firm in addition to the actual practice of law. Traditionally, attorneys needed to understand business administration, human resources, accounting, and so forth. Now, attorneys need also to understand computers and information technology. Even in large firms and government offices, there are attorneys who are responsible for implementing or overseeing some or all of these disparate disciplines. Not long ago, the fax machine was a novel communication device. Now, all attorneys are required by court to have an email address and many attorneys have access to that email on a combination of desktop computers, laptop computers, smart phones, and tablet devices. Before, only large firms and government entities had access to sophisticated computer infrastructure. Now, solo practitioners and small firms can access some of the most advanced systems, thanks to a combination of the falling cost of technology and the use of cloud computing applications. This democratization of computing resources has opened the door for a broader range of practitioners to take advantage of the latest and most powerful technologies. It has also placed the burden of managing this technology infrastructure squarely on our shoulders. At the same time, the number and sophistication of threats to that infrastructure appear to have kept pace with those advances.

Most people are generally familiar with the threat of computer viruses or “malware.” Computer viruses can do many different things. Some viruses give someone else access to or control over your computer. Sometimes people use that control over your computer to attack other computers or networks. Some viruses may even delete all of the information on a computer or network. “Ransomware” is a term used to describe one category of virus. Typically, this computer virus will deny you access to your computer or your data in some fashion. In order to restore access to your system or data, a ransom will have to be paid. Cryptolocker is one such application, and the police department mentioned earlier appears to have been the victim of such an attack. The Cryptolocker virus denies a user access to their data by encrypting the data while leaving it in place on the computer. Often encrypting data is a good thing. However, in this case, the owner of the data does not have the password for the encryption. The entity that sent the virus has set the password, and the data owner has to pay the ransom to have the data unencrypted.

Consider the implications if this were to occur at a law firm. What if a law firm suffered such an attack shortly before an important filing deadline? This would certainly cause a substantial amount of anxiety. Are there other implications? What if a virus encrypted a client’s data and the attorney could not access the client’s data? A client’s data is a form of client property and Rule 1.15 of the Vermont Rules of Professional Conduct requires that an attorney safeguard their client’s property. Therefore, in addition to the obvious practical concerns, we must recognize that there are also ethical concerns. In November, the VBA posted a link on its website to an article that described how this has already happened to an attorney in Arizona.5

The process employed to safeguard the data will influence the answer to the ethical question.
Rule 1.15 requires that client property be “appropriately safeguarded.”6


THE VERMONT BAR JOURNAL • WINTER 2014


Rule 1.1 requires that a lawyer provide competent representation to a client.7 The comment to Rule 1.15 states that attorneys should use the “care required of a professional fiduciary” and that, for example, securities “should be kept in a safe deposit box.” The Rule does not provide any specific recommendation to the practitioner about how to safeguard digital property. Given the pace of technological change, any specific recommendations provided in the rule would quickly become obsolete.

In 2010, the Vermont Bar Association Professional Responsibility Section authored an ethics opinion that addressed the ethical implications of cloud computing or Software as a Service (“SaaS”).8 The opinion noted, as have others, that outlining specific requirements for cloud computing is problematic because of the rapidly changing nature of the technologies.


Vermont lawyers’ obligations in this area include providing competent representation, maintaining confidentiality of client information, and protecting client property in their possession. As new technologies emerge, the meaning of “competent representation” may change, and lawyers may be called upon to employ new tools to represent their clients. Given the potential for technology to grow and change rapidly, this Opinion concurs with the views expressed in other States, that establishment of specific conditions precedent to using SaaS would not be prudent. Rather, Vermont lawyers must exercise due diligence when using new technologies, including Cloud Computing.9


These same principles are true when implementing technologies that are not related to the cloud. While the opinion does not provide specific recommendations, the opinion points to a number of areas that an attorney needs to consider when evaluat-

