
Information Security for Lawyers – Passwords reconsidered

On 26 February 2013 I wrote about Information Security for Lawyers. In that blog I suggested a password protocol recommended by StaySmartOnline.gov.au. Two readers were kind enough to post comments criticising that recommendation. David referred me to two cartoons from xkcd.com, one of which I reproduce below.

Alex Muentz more directly said

“Good advice, except for the passwords. Passwords like these end up on sticky notes.

Why not multi-word passwords? Easier for language oriented folks like lawyers to remember and a large enough password-space to make brute-forcing inefficient. Tools like hashcat permit 2 dictionaries, but doing 3 or 4 word passphrases is a lot of entropy”.

While I am not sure how the thermodynamic concept of entropy has become a measure of password strength, multiword password protocols are a viable alternative and should be considered.

Any password policy is a compromise between complexity and ease of use:

  • A 24 character multiword password can be difficult to type correctly, particularly as the password is usually hidden while you type and your typing skills may be less than perfect.
  • Whilst it may be easy to remember a multiword password, it may not be that easy to remember the many multiword passwords you will need for different websites.

Cartoons can be very informative. My son Alex referred me to another very relevant XKCD cartoon on “Password Reuse”. I reproduce it below.


Even if a website is not evil, not all websites, even highly respected ones, store passwords and other private information securely. See Sean Buckley’s article Microsoft Store hacked in India, passwords stored in plain text, and Michael Lee’s article Qld govt department stores credit card recordings unencrypted.

The same password should not be reused to log on to different websites. Unless you are a lot smarter than I, you should use a password manager to record and store passwords. I use eWallet from Ilium Software, Inc. Versions are available for Windows PC, iPhone, iPad, Windows 8 Metro, Android and Blackberry. It is not available on Windows Phone 8 (Ilium Software, please fix: eWallet to Go just does not get there). The data file is encrypted and can be synced between devices. The file can also be stored on Dropbox or SkyDrive, which makes syncing between devices unnecessary.

Internet Facing Devices

Password strength is more important for internet facing devices and websites. Most law firms may not be as concerned to securely protect network access from locally connected workstations. Microsoft’s Windows 8 operating system recognises this and provides the option of a 4 digit PIN code as an alternative to password logons. Whilst some may consider this could reduce security, I do not believe that to be the case. PIN code logons can provide convenient network access from devices known to be secure, while still requiring complicated passwords when external access is required.

Another alternative is Two Factor Authentication. This has become very popular on a lot of websites and can be introduced very inexpensively. PhoneFactor, a company which has been purchased by Microsoft, offers free (if you are small) or relatively inexpensive (if you are larger) solutions. You can learn more about them here. I will talk more about Two Factor Authentication in a future post.

JDC 10 June 2013.

Information Security for Lawyers

On 22 January 2013 I wrote about Practice Guidelines for the use of Cloud Computing by Lawyers. In preparing that blog I became concerned about security in my office. I recorded in that blog many instances of security breaches at highly prominent organisations (Apple and Amazon Security Flaws, Blizzard suffers security breach, encrypted passwords and authenticator data compromised, Yahoo confirms server breach, over 400k accounts compromised, Dropbox confirms user info was stolen, Microsoft Store hacked in India, passwords stored in plain text, LinkedIn confirms security breach, ‘some passwords’ affected, and Chinese hackers target U.S. Chamber of Commerce, sensitive data stolen). Just last week: Microsoft says it was also attacked by hackers, small number of PCs infected with malware | The Verge. Today the Asian Lawyer reports China Hacking Report Raises Alarm at Firms. In Australia, cases of cyber breaches may be less reported. Michael Lee reported on 18 February that Australian law enforcement laid charges in only 8% of reported cases, referring to a report issued by CERT Australia, The Cyber Crime and Security Survey Report. That report also noted:

255 of 450 organisations invited to complete the Survey responded (page 8).

The key findings for this survey include (page 5):

  • over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software
  • two-thirds of respondents had documented incident management plans, however only 12% had a forensic plan
  • nearly two-thirds of organisations used IT security related standards
  • over two-thirds of respondents had staff with tertiary level IT security qualifications. Over half had vendor IT security certifications, whilst just under half had non-vendor IT security certifications
  • over 20% of organisations know they experienced a cyber incident in the previous 12 months, with 20% of these organisations experiencing more than 10 incidents.

Of the organisations which know they experienced cyber incidents:

  • 17% suffered from loss of confidential or proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud
  • 44% reported the incident to a law enforcement agency, whereas only 13% sought a civil remedy through action from legal counsel
  • 20% chose not to report the matter to a law enforcement agency because of the fear of negative publicity
  • the most common responses as to why incidents were successful, were that they used powerful automated attack tools, or exploited unpatched or unprotected software vulnerabilities or misconfigured operating systems, applications or network devices
  • over half of all organisations have increased their expenditure on IT security in the previous 12 months.

Number of incidents experienced (page 17)

When asked if their organisation had experienced a cyber security incident in the previous 12 months:

  • 69% of respondents reported ‘no’
  • 22% of respondents reported ‘yes’, and
  • 9% of respondents reported they ‘did not know’.

While these results indicate the majority of organisations did not experience a cyber incident in the previous 12 months, this may more accurately reflect that a number of cyber intrusions have gone undetected by some organisations. Anecdotal evidence available to the CERT suggests that some businesses are unaware of the full scope of unauthorised activity on their networks.

The CERT is also aware of hesitation from organisations to report a cyber security incident. This may be for a variety of reasons – some are concerned that the information they report may lead to negative publicity and/or regulatory scrutiny, others don’t consider reporting to be worthwhile.

Of the respondents who reported their organisation had experienced an incident in the previous 12 months:

  • 65% reported experiencing one to five incidents
  • 21% reported experiencing more than 10 incidents
  • 9% reported experiencing six to 10 incidents, and
  • 5% did not know how many incidents had been experienced.

Types of incidents experienced (Page 18)

Of the respondents who reported their organisation had experienced a cyber incident in the previous 12 months, the main types reported were:

  • theft of a notebook, tablet or mobile devices – 32%
  • virus or worm infection – 28%
  • trojan or rootkit malware – 21%
  • unauthorised access – 18%
  • theft or breach of confidential information – 17%, and
  • denial-of-service attack – 16%.

Contributing factors to the attacks (page 24)

Respondents were asked what factors they thought may have contributed to the incidents. The highest rated reason was the use of powerful automated attack tools (14%), followed by exploitation of unpatched or unprotected software vulnerabilities (11%), and exploitation of misconfigured operating systems, applications or network devices (10%).

These findings highlight the need for organisations to stay vigilant to vulnerabilities and apply appropriate mitigations – specifically where misconfigured systems are the reason an attack was successful.

Further, the Australian Defence Signals Directorate (“the DSD”) noted in the Executive Companion to the Australian Government Information Systems Manual:

  • In 2010, 88% of Fortune 500 companies had botnet activity connected to their Internet domains, and 60% had business email addresses compromised by malware (page 3)
  • After Wikileaks released a large amount of classified US State Department cables in November 2010, online payment service provider PayPal terminated WikiLeaks’ account, thereby closing its principal method for receiving financial donations from supporters. Claiming to support transparency and counter-censorship, Anonymous organised a Distributed Denial of Service attack that shut down PayPal’s website, as well as those for Mastercard and Visa (page 4).
  • The Australian Competition and Consumer Commission reported a loss of around $63 million from cyber crime and scams in 2010 (page 5).
  • 41% of Employees use the same password for multiple accounts (page 12).

The DSD further noted in the Principles Manual to the Australian Government Information Systems Manual:

  • A new piece of malware is created every 1.5 seconds (page 2)
  • Over 2010-2011, the number of mass, indiscriminate email-based attacks declined by more than half, but highly-personalised targeted attacks tripled. Cost-benefit decision-making is driving this trend, as although targeted attacks are estimated to cost five times more than mass attacks, the average value per victim can be forty times higher (page 2).
  • There was a 46% surge in malicious software targeting mobile devices between late 2009 and late 2010 (page 5)
  • In 2011, 41% of data breaches were caused by a third party, namely outsourcers, cloud providers or business partners that handled or accessed the organisation’s information (page 15)
  • Three out of four companies across ten countries – including Australia – have security policies in place. However, 40% of employees and 20% of IT professionals did not know that the security policies existed (page 16)
  • During a 2011 information systems audit, 14 out of 15 Western Australian government agencies failed to detect, prevent or respond to suspicious scans of their Internet sites seeking to identify security weaknesses (page 21)
  • 19 Australian companies in a 2010 study lost between 3,200 and 65,000 individual records from data breach incidents, with an average organisation cost per breach of $2 million (page 23)
  • 85% of data breaches in 2011 took weeks or more to discover. In fact, over half of the breaches took months to discover (page 23)
  • 32% of Australian data breaches in 2010 were caused by employee negligence, representing a 3% increase since 2009 (page 24).
  • In early 2011, the City of York Council in the United Kingdom was penalised by the Information Commissioner’s Office after papers containing sensitive personal data were mistakenly collected from a shared printer and posted to the wrong person (page 30).
  • In a research experiment, the Sophos Australia office discovered that 66% of the 50 USB drives they purchased from a public transport provider were infected with malicious software. They were able to uncover information about many of the former owners of the devices, as well as their family, friends and colleagues (page 34).
  • Web applications are the third most common intrusion vector and are associated with over a third of total data loss. (page 36)
  • An 8 character password with mixed case letters, numbers and symbols takes approximately 5 days to crack using a graphics processing unit in a standard home computer; however if the password was extended to 9 characters or more it would take over 18 months to crack (page 40)
  • 18% of Employees share their workstation passwords with co-workers (page 40).
  • 44% of data breaches were a result of exploitation of default or guessable credentials (page 41).
  • Mobile devices and laptops are the most likely endpoint from which serious cyber attacks are unleashed against an organisation. Over 2010-2011, 63% of attacks had an employee laptop or mobile device as their endpoint (page 45) and
  • More than 200,000 mobile phones are reported lost or stolen each year in Australia. This equates to 4,000 each week, or one mobile phone every 3 minutes (page 48).

What Should a Law Firm Do to Ensure its Information Security?

Information security does not just mean cyber security. It must address security for all information media, including hard copy, USB sticks, and the inadvertent posting or faxing of material. It also needs to address the preservation of that information, not merely protecting it from outside intrusion. I went to a seminar just last week where it was suggested that any law firm that catastrophically lost data stored on its server, without adequate backup, would most likely cease to exist within 18 months. That speaker also told of a situation where a company’s servers and primary backup media were both destroyed by water damage arising from a floor above. That company fortunately had external backup and was up and running within 8 hours.

On 6 February 2013, Joe Patrice at Above the Law wrote an article When Luddites Handle Cyber Security, You End Up With American Law Firms. I am a lawyer and, when it comes to cyber security technology, a luddite, so the purpose of this blog is not to explain how to handle cyber security. That is far too specialist an area. It is, however, important for law firms to treat information security systematically. Fortunately, there is a lot of information available to lawyers to assist them in developing those systems. International standards for Information Security Management Systems have been available since about 1995. Most information security guides appear to adopt the ISO/IEC 27000 family of standards, which includes ISO/IEC/AS 27001, last published in 2005. A new draft is in preparation. Easier to understand are various guidelines, including the following, freely available to review:

Simpler guidelines, not adopting the rigour of ISO/IEC/AS 27001 but more closely related to the legal profession can be found in the following guidelines:

although those guidelines are more concerned with the receipt and handling of information by barristers/counsel and predominantly with ensuring the confidentiality of client information.

A further and very practical resource, though restricted to online security, is the Australian Government StaySmartOnline site.

That useful site provides very practical information and makes very useful recommendations. Some of the important principles expressed in the 27001 standard are recommended but explained with less rigour and are easily put into practice. Whether a legal practice must adopt the 27001 standard will depend upon its size, client base and sometimes client requirements. I expect it is more likely in future that some clients, particularly government departments, will require legal practices to have an accredited Information Security Management System in place. Whether formal accreditation is required, or whether a formal or informal information security policy is needed, the law practice needs to at least consider the following matters:

  1. Identify all information assets, for example:
    1. Electronically stored information and data
    2. Paper documents.
    3. Physical equipment, computers, facsimile machines, telephone communications;
    4. On line services, cloud services, etc.
  2. Identify the value of all information assets and assess the potential impact of loss or breach:
    1. For a legal practice the most economically valuable information asset will not be client information, but information stored on its practice management and trust accounting system. Second would be the knowledge stored in precedents and in other information systems.
    2. The preservation of the confidentiality of client information is similarly very important, particularly if it has high commercial value, or may be socially or media sensitive. As I have mentioned in my earlier post referred to above, the NSW Revised Professional Conduct and Practice Rules 1995 (“the Solicitor Rules”) mandate both the retention of, and the preservation of the confidentiality of, client information (rules 2 and 8).
  3. Ascertain the Threat to the Information Assets. Identify possible sources of threats.
    1. Hackers and Activists
    2. Inadvertent release of information by incorrect addressing of email, facsimile or post
    3. Employee sabotage
    4. Thieves
    5. Fraudsters
    6. Environment
    7. Fire and force majeure
    8. Employee negligence
    9. Inadvertent loss o
  4. Assess Vulnerabilities
    1. Password Weakness
    2. Remote Access
    3. Firewalls
    4. Shared Offices
    5. Social Engineering (staff inadvertently releasing information upon telephone enquiry)
    6. Office and building security
    7. Back up procedures
  5. Determine safeguards and policies, and monitoring and reporting procedures.

Information security requires genuine commitment from all staff members. A documented and enforced policy is almost essential for all but the smallest practice. Staff must understand the need to report data breaches, even those for which they were responsible, so the breach can be mitigated or otherwise responded to. The Australian Government StaySmartOnline site for businesses referred to above provides very useful guidance on how to address the vulnerabilities and could become the basis of a legal practice’s security policy.

A sample Information Security Policy, drawn primarily from the above site, could be:

Information Security Policy

  1. Awareness by all Staff and Enforcement
    1. Information Security is a basic obligation of all employees and practitioners. This policy specifies procedures and rules that must be followed to ensure that the information retained by the firm is secure from loss and intrusion or disclosure.
      1. This firm holds information which, if lost, could be catastrophic for the firm, as well as sensitive and commercially valuable information belonging to clients, the loss or disclosure of which could cause substantial loss and damage.
    2. A wilful breach of the policies will lead to disciplinary action.
  2. Social Engineering challenges
    1. Staff must be alert to social engineering attempts by external parties to obtain the disclosure of information. Social engineering is the practice of misleading and misdirecting a person in such a way as to obtain information through social interaction. The hallmark of a successful social engineer is that they receive the information they request without raising any suspicion.
    2. Employees should not give information over the phone or by email without identifying the requestor.
    3. All requests for information should be funnelled through a partner or solicitor who can verify the authenticity of the caller.
  3. Office Security
    1. The Office should not remain unattended during office hours.
  4. Surveillance
    1. Closed Circuit Television Cameras should be installed in the reception area and in areas where sensitive information is stored.
  5. Pass Cards
    1. Pass Cards are issued to each employee individually. They provide a record of when that employee enters premises out of hours.
    2. Pass Cards should not be shared with other employees except for special circumstances and for limited periods.
    3. Pass cards should not be copied or duplicated.
    4. If a Pass Card is lost or stolen, the employee must immediately notify a partner.
    5. Pass Cards must be returned on the employee leaving the practice.
  6. Keys
    1. Keys must be kept safe at all times.
    2. No address or other information identifying the firm or the employee should be attached to the key.
    3. A lost key service identification may be attached to the key.
    4. Employees must not have keys issued to them copied.
    5. If a key is lost, its loss must be reported immediately to the office management.
    6. Keys must be returned on the employee leaving the practice.
  7. Alarm Pins (Personal Identification Numbers)
    1. Individual and distinct alarm PINs are issued to employees who need access out of hours.
    2. Those employees should keep their PIN confidential and not share it with other employees.
    3. Once an employee leaves, that employee’s PIN should not be recycled, but removed from the pool of available PIN numbers.
  8. Computer Equipment, Printers and Facsimile Machines
    1. Computers, printers and facsimile machines may contain confidential information. All confidential information must be scrubbed before disposing of the machine, including the removal of any hard disk in printers or facsimile machines.
  9. Mobile Device Security
    1. Mobile devices may contain confidential information. All phones should be registered so they can be GPS located or, in the worst case, remotely wiped.
    2. All remote devices must only be accessed by a PIN code.
    3. Any loss should be immediately reported.
  10. Employee Errors
    1. It is recognised that staff may make mistakes resulting in the loss or disclosure of information. Those mistakes may result from mistakenly sending an email or facsimile to the wrong recipient, misaddressing a letter, or inadvertently including in correspondence material that should not have been sent.
    2. If a mistake is recognised immediately after it has occurred, attempts should be made to immediately retrieve the material. Where the incorrect recipient is another legal practitioner, this may only require a telephone call requesting that the recipient permanently delete the incorrectly addressed email or destroy the incorrectly addressed facsimile. In other cases a formal letter may be required, and a report made to a partner.
    3. With incorrectly addressed mail, attempts should be made to have the material returned.
  11. Email
    1. In the case of email, practitioners should be wary of using blind copy (BCC). It is often very convenient to blind copy a client on communications between the legal practitioner and the opposing party. Problems arise when the client mistakenly replies “to all” with confidential instructions.
  12. Firewalls, Antivirus and Spam Filters
    1. The legal practice, with advice from its information technology advisers, must:
      1. install appropriate firewalls, antivirus and spam filters;
      2. install monitoring and reporting software to ensure the adequacy of the cyber security software.
  13. Monitoring
    1. The legal practice, with the assistance of its IT advisors, must ensure that all firewalls and other security measures are continually monitored for effectiveness and to identify attempted attacks and data breaches.
  14. Passwords
    1. All employees should maintain strong passwords.
    2. All employees must not use the same password to access other websites or cloud services.
    3. StaySmartOnline.gov.au makes the following recommendations:
  • A strong password has the following attributes:
    • a minimum length of eight (8) characters; and
    • a mix of upper and lower case letters; and
    • at least one numeral; and
    • at least one non-alphanumeric character; and
    • does not include a dictionary word in any language
  • The password does not literally have to be a single word. To make a password easy to remember, think of a pass phrase and then change some of the characters to make it a strong password:
  • June School Holidays can be modified to: 7un3Schoo1Ho!id@ys
  • Some where over the rainbow, blue birds fly can be modified to 5w0tR,Bbf}
  • I like Australian red wine can be modified to: IL077ieR3dw!ne*
  • Be good, be wise can be modified to: B3g00db3wi5e$
  • Please don’t use these examples.
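To make the two password points concrete, the following Python is an added example; it is not code from this blog, from StaySmartOnline or from xkcd. It checks a password against the five StaySmartOnline attributes listed above and then estimates, in bits, the size of the search space behind the “entropy” remark quoted in the Passwords reconsidered post above, comparing a random 8 character password with a random 4 word passphrase. The word list (tiny and constructed), the 72 symbol pool and the 7776 word list size (the size of a Diceware style list) are assumptions made for illustration.

```python
"""Password policy checker and search-space comparison.

Added example, not code from the blog or from StaySmartOnline. It implements
the five StaySmartOnline attributes quoted in the policy as a checker, and
estimates the bits of entropy of a random character password versus a random
multi-word passphrase.
"""
import math
import re

# Constructed, deliberately tiny dictionary standing in for a real word list.
# Assumption: a real deployment would load a full dictionary file instead.
DICTIONARY = {"password", "school", "holidays", "rainbow", "australian",
              "wine", "good", "wise", "june", "lawyer", "welcome"}

MIN_LENGTH = 8  # the eight-character minimum from the quoted policy


def dictionary_words_in(password, min_word_len=4):
    """Return dictionary words (at least min_word_len letters) appearing
    case-insensitively inside the password. Only whole entries match, so
    'Schoo1' does not match 'school' because the digit breaks the word."""
    lowered = password.lower()
    return sorted(w for w in DICTIONARY
                  if len(w) >= min_word_len and w in lowered)


def check_password(password):
    """Check a password against the five StaySmartOnline attributes.
    Returns the list of failed rules; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]", password):
        failures.append("needs at least one numeral")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("needs at least one non-alphanumeric character")
    words = dictionary_words_in(password)
    if words:
        failures.append("contains dictionary word(s): " + ", ".join(words))
    return failures


def entropy_bits(pool_size, length):
    """Bits of entropy for a secret chosen uniformly at random:
    `length` independent choices from `pool_size` possibilities."""
    return length * math.log2(pool_size)


def compare_schemes(char_pool=72, char_len=8, word_list=7776, word_count=4):
    """Compare a random character password with a random word passphrase.
    Assumptions: 72 symbols = 26 + 26 + 10 plus ten punctuation marks;
    7776 words is the size of a Diceware-style list. Returns bits, rounded."""
    return {
        "random_chars": round(entropy_bits(char_pool, char_len), 1),
        "random_words": round(entropy_bits(word_list, word_count), 1),
    }


if __name__ == "__main__":
    # The four StaySmartOnline samples quoted in the policy all pass the checker.
    for sample in ["7un3Schoo1Ho!id@ys", "5w0tR,Bbf}",
                   "IL077ieR3dw!ne*", "B3g00db3wi5e$"]:
        print(sample, check_password(sample) or "OK")
    # A constructed example that fails only the dictionary-word rule.
    print("Password1!", check_password("Password1!"))
    print(compare_schemes())
```

The bit counts hold only for secrets chosen uniformly at random. The four sample passwords pass the checker, but they were derived from phrases by predictable substitutions, so their real strength is lower than their length and character mix suggest; that is one reason the policy itself says not to reuse them. A randomly chosen four word passphrase reaches a comparable bit count to a random eight character password while being easier to remember, which is the point Alex Muentz makes in his comment.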
  15. Remote Access
    1. Employees who have remote access to the legal practice’s computer system should have very strong passwords of at least 9 characters.
    2. The practice should give consideration, when appropriate, to dual token based authentication for remote access. Whilst this may previously have been considered too inconvenient, the Microsoft Windows 8 operating system with the appropriate hardware (such as the Surface RT and Surface Pro) allows for virtual token based authentication.
  16. Cloud Services
    1. The practice must confirm that the information security policies of any cloud based services exceed this policy.
  17. Website Access
    1. The legal practice should prevent access to inappropriate web sites.
  18. Portable Media
    1. Employees may only copy material to portable media (USB drives, CDROMs) for limited purposes.
    2. The legal practice, with the assistance of its IT advisors, should maintain monitoring and reporting systems to report unusual copying of files.
  19. Operating System Updates
    1. The legal practice, with the assistance of its IT advisors, must ensure that all operating system and security software updates are routinely installed.
  20. Backup
    1. The legal practice, with the assistance of its IT advisors, must ensure adequate backup procedures are in place, including off site backup that is securely stored.
    2. The legal practice should consider multiple backups of essential information, including online remote backup of practice management information.
  21. Response Plans
    1. The legal practice shall have in place plans for the recovery of data if a loss has occurred.
    2. If confidential information has been lost, affected clients and authorities must be notified immediately.
  22. Revise
    1. The legal practice must review this policy annually.

JDC 26 February 2013

Updated 21 March 2013 and 31 March 2013

Practice Guidelines for the use of Cloud Computing by Lawyers

The NSW Office of Legal Services Commissioner (“the OLSC”) recently (January 2013) issued a “Guide on Practice Issues: Cloud Computing” (“the OLSC guidelines”*). Given the increased use of cloud services such as Microsoft Office 365, SkyDrive, Dropbox, Google Drive, and new services such as Leap Office Cloud, a review of the OLSC guidelines by legal practitioners is prudent. Recently there have been other papers or discussions published discussing the same issues:

It is clear from a review of the above discussions, and as a practical matter, that the legal practitioner must take reasonable steps to ensure that the cloud service provider has adequate safeguards in place to:

  1. preserve the confidentiality of the stored material; and
  2. ensure the retention of that material (particularly if it is the primary store of that material).

An Unfortunate History of Security Breaches

Regrettably, as Terrence O’Brien reports, there have been many reports of breaches of online services in the last twelve months. A legal practitioner cannot ignore that those breaches occur. The reports include:

Despite the many instances where breaches have occurred, are cloud services any less secure than data stored locally? Most legal practitioners need to access local data remotely. Microsoft, to their credit, makes that access extremely easy, and it depends solely upon having a secure password. If the practitioner uses the same password for other sites, the local data may become quite vulnerable (for example, see the poor position that Mat Honan found himself in). Some of the services above will no doubt have learned from their mistakes. Despite these security breaches, any of the cloud service providers that a legal practitioner is likely to use would have security features far more advanced than the safeguards maintained in the local office. Most overseas cloud providers are also required to comply with EU and US directives on data protection (for an introduction to this area please see Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks).

McCauley’s Cloud Service Best Practices

McCauley’s paper suggests that the legal practitioner should look for the following practices in a legal cloud provider (“the Wish List”):

  • Transparency: Cloud computing platforms should explain their information handling practices and disclose the performance and reliability of their services on their public web sites.
  • Use limitation: A cloud provider should claim no ownership rights in customer data and should use customer data only as its customers instruct or to fulfil contractual or legal obligations.
  • Disclosure: A cloud provider should disclose customer data only if required by law and should provide affected customers prior notice of any compelled disclosure.
  • Security management system: A cloud provider should maintain a robust security management system that is based on an internationally accepted security framework (such as ISO 27001) to protect customer data.
  • Customer security features: A cloud provider should provide customers with configurable security features to implement in their usage of the cloud computing services.
  • Data location: A cloud provider should tell customers the countries in which customer data is hosted.
  • Breach notification: A cloud provider should notify customers of known security breaches that affect the confidentiality or security of the customer data.
  • Audit: A cloud provider should use third-party auditors to ensure compliance with its security management system.
  • Data portability: A cloud provider should make available to customers their data in an industry-standard, downloadable format.
  • Accountability: A cloud provider should work with customers to designate appropriate roles for privacy and security accountability.

Inherent in the above is the obligation that the cloud service provider maintains the confidentiality of the documents and limits the purpose of, and access to, the stored material. Preferably, processing of the stored data and information should be restricted to automated services. Not all of McCauley’s wish list will be needed in all cases. The casual use of Dropbox or SkyDrive to forward a large document to an opposing party or client is far less critical than the use of cloud services as the primary storage medium for a firm’s practice. In the latter situation, data portability and backup become much more important. As an example of a cloud service provider’s service agreement, the Microsoft Service Agreement relevantly makes the following provision regarding privacy:

5. Privacy

5.1. Does Microsoft collect my personal information? Your privacy is important to us. We use certain information that we collect from you to operate and provide the services. Additionally, as part of the services, we may also automatically upload information about your machine, your use of the services, and services performance. We may use technologies, such as placing cookies on your machine, to help us gather such information. Please read the Microsoft Online Privacy Statement (http://go.microsoft.com/fwlink/p/?LinkId=253457) to learn how we use and protect your information.

5.2. Does Microsoft disclose my personal information outside of Microsoft?
You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as Internet Protocol address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.

5.3. How does Microsoft respond to legal process? Similar to other providers of Internet services, Microsoft is served with legal demands and requests from law enforcement, government entities, and private litigants for content stored on our network. This information may relate to an alleged crime or civil matter and is usually requested pursuant to the normal legal process of the country or locality where the activity occurred. Microsoft may be obligated to comply with requests for your information or your content as part of such investigations or legal proceedings.

Links to other service provider policies and agreements are:

Other Safeguards

A legal practitioner should consider encrypting sensitive data in appropriate circumstances. However, where reasonable security measures are otherwise in place I would only suggest encryption in very special circumstances; it is generally not worth the trouble. More importantly, encryption becomes a trade-off with maintainability: if you lose the key that unlocks the encryption, the data is as good as lost.

The New South Wales Perspective

The OLSC guidelines point out that the guideline is not binding and should be read in conjunction with the Legal Profession Act, 2004 (NSW), the Legal Profession Regulations 2005 (NSW) and the Revised Professional Conduct and Practice Rules 1995 (“the Solicitor Rules“). The guidelines, as with the other papers referred to above, refer to the following main issues:

  1. Confidentiality (Rule 2 of the Solicitor Rules)
  2. File Retention (Rule 8 of the Solicitor Rules)
  3. Competence and Diligence (Rule 1 of the Solicitor Rules)

The practitioner’s primary concern is to ensure that cloud services do not compromise the confidentiality of client documents. Solicitor Rule 2.1 provides:

2.1 A practitioner must not, during, or after termination of, a retainer, disclose to any person, who is not a partner or employee of the practitioner’s firm, any information, which is confidential to a client of the practitioner, and acquired by the practitioner during the currency of the retainer, unless –

2.1.1 the client authorises disclosure;

2.1.2 the practitioner is permitted or compelled by law to disclose; or

2.1.3 the practitioner discloses information in circumstances in which the law would probably compel its disclosure, despite a client’s claim of legal professional privilege, and for the sole purpose of avoiding the probable commission or concealment of a felony.

I do not consider that a legal practitioner’s use of cloud computing services will constitute “disclosure” of confidential information or documents unless that information could be viewed by others without reasonable security or controls being in place. More relevantly, however, Solicitor Rule 2.2 restates the legal practitioner’s more general obligation to ensure the confidentiality of client documents. That rule provides:

2.2 A practitioner’s obligation to maintain the confidentiality of a client’s affairs is not limited to information which might be protected by legal professional privilege, and is a duty inherent in the fiduciary relationship between the practitioner and client.

The obligation is again restated in Solicitor Rule 8.2.1, which relevantly provides:

8.2.1 A practitioner must retain, securely and confidentially, documents to which a client is entitled, for the duration of the practitioner’s retainer and at least seven (7) years thereafter, or until such time as the practitioner gives them to the client or another person authorised by the client to receive them, or the client instructs the practitioner to deal with them in some other manner.

While Rule 8 is primarily directed at the retention of hard copy documents, it would also apply to documents the only record of which is stored electronically (including, for example, a matter file stored in Leap Office Cloud). The OLSC correctly points out that a practitioner, to comply with his fiduciary duties to his client, must carry out proper diligence to ensure that his use of cloud services does not prejudice his ability to maintain the confidentiality of the client documents. Notwithstanding this, it seems to me that Rule 2.1 of the Solicitor Rules may be unduly restrictive having regard to the normal business practices existing today. A literal interpretation of the rule would prevent the disclosure of any confidential documents to:

  • barristers briefed in the proceedings,
  • staff used by legal practitioners employed by a service company, or
  • staff engaged by the legal practitioner as a sub-contractor.

I note that in McCauley’s Paper (referred to above), the Virginia Rules of Professional Conduct permit the sharing of information “with third parties as needed to perform necessary office management functions, if the lawyer exercises reasonable care in the selection of the third party and secures an agreement that the vendor will safeguard the confidentiality of the information shared“. Similar amendments should be considered to our Solicitor Rules to address changing work practices and advancement in the use of technology.

Changes to the Legal Practice Retainer Agreement?

The OLSC Guidelines recommend that the legal practitioner obtain the “informed” consent of the client to “disclose client information”, or consider including clauses in their standard retainers. As stated above, I do not believe that the use of cloud services by a legal practice normally amounts to a disclosure of any information that is stored on that service; however, I would recommend that legal practitioners consider the inclusion of express provisions in their retainers to remove any doubt. The express provisions should specifically state which cloud service providers the practitioner proposes to use.

JDC 22 January 2013

I revised this Post on 16 March 2013 in Practice Guidelines for the use of Cloud Computing by Lawyers – revisited.

I posted a related post on 26 February 2013: Information Security for Lawyers.

*Updated 2 October 2013 to fix link to the Guidelines as per Nick’s comment.