Attorney – Client in the cloud

Over the past few months I’ve been asked several times about the status of attorney-client privilege when attorneys use cloud technology.  It is an interesting question and there are a couple concepts that need to be explained about A-C.  So buckle up, this is a long one.

First (and very broadly speaking), A-C is lost when disclosed to a third party intentionally or inadvertently.  So an attorney and client discussing a case in a busy coffee shop could potentially lose A-C since a third party could overhear the communications.  I know the attorneys reading this post will likely come out of their chairs with exceptions, but I’m trying to paint a high level picture.

This loss of A-C does not mean that attorneys have to hide everything in locked safes buried in concrete.  The comments on the model rules of professional conduct state:

“…unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. ” (emphasis added).

So, this brings us to Harleysville Insurance Company v. Holding Funeral Home, No. 1:15cv00057, memorandum op. (WD Va. Feb. 9, 2017).  In Harleysville, an investigator for the parent company of Harleysville uploaded surveillance video of the underlying event to a file sharing site.  He then emailed a link to the video to another party.  The same investigator later placed the case file in the share.

The share was not password protected or otherwise protected.  In fact anyone with the link or anyone who found the share could see the information.  Remember the language of the model rule above?  The Virginia court echoed this language in their opinion stating that inadvertent disclosure can be caused “by failing to implement sufficient precautions to maintain its confidentiality.” (emphasis added)  The court continued “With regard to the reasonableness of the precautions taken to prevent the disclosure, the court has no evidence before it that any precautions were taken to prevent this disclosure.” (emphasis added).

The court concluded that A-C had been waived by posting the information to a publically available website.

As I’ve counseled clients in the past, whether A-C will survive in the world of cloud usage depends on the steps taken to prevent disclosure.  Encryption, access control, and logging are your friends.

Breach notification laws: Better privacy or the 10th circle?

Today (April 19th) New Mexico became the 48th state to enact a data breach notification law.  Only Alabama and South Dakota do not have a notification law on the books.

On the one hand this is good news for the privacy on New Mexicans.  They are now ensured they will have notice of a breach of their personally identifying information.  They will have the opportunity to mitigate the damage resulting from such a personal exposure.

For security and privacy folks, though, there is a different perspective.  We now have 48 distinct regulations to track.  If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations.  As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • In Texas and Oklahoma consider a drivers license an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRA) if more than 1000 records are breached.  CRA reporting is required in Texas if more than 10,000 records are breached.  Oklahoma does not require CRA reporting at all.
  • Oklahoma allows for electronic communications if the cost of written communication exceeds $50,000; in Texas and Colorado it is only allowable if the costs exceed $250,000.

Add the other 45 states to the mix and the mapping becomes complex.  I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes it more difficult for everyone.   This is the type of conflict that is ripe for a federal rule to unify requirements.  Unfortunately the attempts to do so over the past few years have failed to garner much attention.

BTW:  For the curious, there are at least 89 different counties with breach or privacy laws.  A breach at a multi-national corporation can be very complex.

You’ve heard about the GDPR, right?

As I’ve spoken with people (security people and “civilians”), I’ve found many who had no idea that the GDPR was a thing.  I know Americans tend to have a very US-centric view of the world, but the GDPR is critical for any business with a presence, customers, or clients in or from the EU.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC with an effective date of 25 May 2018 (so about a year to get ready).

The GDPR clearly expresses the central difference between the views of American and EU.  The GDPR “[p]rotects [the] fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.”

In the US, personal data is typically seen as the property of the holder of the data.  The EU expressly views personal data as the property of the person.  This difference makes the GDPR distinct from US data breach notification laws.

There are a number of key items to review in the GDPR:

  • Increases extra-territorial applicability
  • Conditions for consent strengthened
  • Privacy policies may “no longer be able to use long illegible terms and conditions full of legalese . . . the request for consent must be given in an intelligible and easily accessible form. . .”
  • Breach notification must be made within 72 hours

The GDPR guarantees the Data Subjects’ Right to Access.  The Data Subject may:

  • “Obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. . .
  • Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”

The GDPR also formalizes the “Right to be Forgotten”

“Data Subjects have the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Non EU companies that do business in the EU or have customers that are citizens of the EU or live in the EU will have to comply with these regulations for their EU data subject.  Any non-compliant organizations will face heavy fines.

So, get ready folks.  You don’t have much time to explore and internalize the GDPR.

InfoSec SouthWest and other conference

It has been an interesting few months.  Since joining Gardere last November I’ve presented more than I can remember doing so in the past.  Now, in general I don’t really like presenting.  It isn’t one of my greatest fears, but it also isn’t a big deal.

What I do enjoy about the past few months of presentations, though, is the audiences.  I’ve been lucky enough to present to CIOs, clients, college students, and numerous lawyers through internal and external Continuing Legal Education (CLE) events.

Now, I’m a security guy right?  Why not present to security people?  Because it is less important to present to people that already “get it”.

The technology world, and specifically the security world need to be exposed to people outside of security.  The lawyers need to understand how to protect their clients and firms.  CIOs need to hear that security is important from someone other than their CISO.

Normal human beings need to understand how to protect themselves.

It has been very rewarding.

This weekend (in Austin) is the InfoSec SouthWest (ISSW) conference.  This will bring together some amazing security professionals.  I’m not presenting at ISSW but really looking forward to hearing people smarter than me educate me about security philosophy and technology.  There is always room to learn and grow.