UPDATE: Can You Spell I Went Overboard? Try I-L-T-S-O
Update [May 3, 2011 – I’ve made a few more cuts to the post]
Update [April 17, 2011]: Last Friday, I posted the entry below, which was critical of the newly formed International Legal Technical Standards Organization and its proposed tech standards. There, I argued that the proposed standards as overkill, and the entire effort as a way to make money and adopt standards to favor certain technologies. Though I still think that the proposed standards are too stringent and I disagree with the ethics analysis, I was wrong about the ILTSO’s purpose because I lacked the proper context for understanding its importance.
Having spoken with ILTSO’s director and communicated with other board members, I now realize that ILTSO is undertaking this enormous effort of developing standards or best practices in order to get out in front of the states – which might develop 50 different standards for technology use (something which would be detrimental for both lawyers and the nascent legal cloud industry). As I understand the effort, ILTSO seeks to develop uniform standards that states could readily adopt. In addition, the ILTSO standards serve a more immediate purpose right now: whether you agree with them or not, they lay out a guide to the types of security issues that solo and small firm lawyers should be thinking about.
Thus, I’ve come to realize that the ILTSO initiative is very important – but it is also one that requires input from solo and small firm lawyers, so that the standards are supported by a general consensus. Therefore, I urge solo and small firm lawyers to take the time to review ILTSO’s2011 Standards and offer feedback on how they would work in your practice and for your clients. Most of all, please make clear to your respective state bars that you support the overall concept of uniformity and urge them to participate in this initiative as well.
Because it is my policy not to delete posts, I will leave my original post here after the jump. My substantive comments on some of the specifics are the same, but my once negative opinion of ILTSO has changed.
Earlier this week at TechShow, a new group, the International Legal Technical Standards Organization (ILTSO) announced the publication of the 2011 Standards for public review and comment. Initially, I was excited at the prospect of guidelines that would enable non-techie, resource-constrained solo and small firm lawyers to make smart, safe technology choices. [DELETED]
Still, there is much wrong that I disagree with. The potential the costs of complying with this sledgehammer-of-a-security document are enormous and will inevitably be passed on by solos to their clients, thereby wiping out any benefits that these technologies of tomorrow may bring. The paper lumps large and small firms together, irrespective of practice areas or level of data sensitivity, instead, requiring Fort Knox level security even where the consequences of disclosure are insignificant. Indeed, this proposal is onerous enough to scare paper-loving solos into the arms of Dunder-Mifflin instead of incorporating technology into their practices.
[DELETED]
PART I: SUBSTANTIVE COMMENTS
General Comment:
The proposed report establishes four levels of compliance: bronze, silver and gold. The bronze standard is appropriate for all levels including solos, and silver is appropriate for firms of more than one attorney or where “circumstances or resources dictate.” [Report at 8] My comments focus only on the bronze and silver requirements.
Two problems with this approach. First, it suggests that solo and small firms are second class citizens. If ILTSO succeeds in implementing its certification requirement, a solo firm that fully complies with what’s expected for its size will achieve bronze and therefore, appear less security-smart than the large firms who qualify for gold.
Second – and far more seriously, lumping all solo and small firms together for security purposes makes absolutely no sense. There are solos who run volume social-security or consumer debt practices who collect substantial amounts of personally-identifiable information from clients. Solos who retain personally identifiable information (including SS numbers, credit card numbers, etc…) pose a far greater threat than, for example, a three-person firm that handles exclusively appellate and regulatory matters where the bulk of “client data” resides in the public record. Though solos ought not be burdened with excessive, onerous requirements, they shouldn’t get a pass either. If solos are handling information where there’s a substantial risk that disclosure will give rise to identity theft, then they’ve got to comply with whatever standards apply under federal and state law for that given situation. To treat solos differently for security purposes based on size rather than substance of their practice areas puts clients at risk. (For more about the preferred approach of risk assessment, see my letter to the NC Bar here.
Specific Mark-Up
For the record, I don’t disagree with all of the ILTSO standards. Some do make sense, as my discussion below points out:
LOCAL NETWORKS
Data Room Access, Edge planning [ILTSO 9-10] – I don’t know enough about this to comment one way or another.
Hardware Firewalls [ILTSO 10-11] – agree with need for password protected firewalls
OnSite Data Storage [ILTSO 12-13] – encrypt client data once a day with a log. I’m mixed here. Once a day really isn’t necessary in my practice, but at the same time, if you use TimeMachine or other auto-back up, the once a day requirement isn’t a big deal either. Not sure why a log should be maintained – just looking at my OS and Time Machine icon tells me when I last backed up.
As for encryption, again, it’s the overkill problem. At least 70 percent of my data includes publicly-filed materials where encryption isn’t needed. And even for my client communications, really – even in a worst case scenario where someone were to steal my machine and read all the client documents, my clients probably wouldn’t be prejudiced unless the docs got back to my opposing counsel. The only reason I see for encryption is to protect data that if released can give rise to identity theft.
Offsite Data Back-Up – Daily requirement and encryption – see comments above. [ILTSO 12]
File Servers [ILTSO 13-14] – Can’t comment, don’t know enough.
Connection Redundancy [ILTSO 15-16] The standards say that “it is imperative to retain a second Internet connection for redundancy.” This is the most idiotic idea I’ve ever heard. First, the cost of two ISP services can be significant, particularly for solo and small firms. Second, I don’t know how the ILTSO authors’ ISPs work, but in my house, when the power goes down, everything goes down; presumably the ISPs would all go down as well. Third, there are parts of the country that still don’t have internet access from one company, let alone two. How is someone in a remote part of the country going to find two ISPs? If a solo’s ISP goes down, there are ways to deal with it. Most solos have mifi or smartphones with 3G access. There’s also Kinkos and public libraries and Starbucks which granted, while not ideal will do in a pinch.
Section 11 (Connection Redundancy) also says that it is imperative to understand the TOS for each ISP to ensure that data monitoring is not permitted, except in accordance with law. Why just for ISPs? Why not for the phone service? What about the postal service – are they holding my envelopes up to the light to peak in? Again, this is just silly overkill that will give technophobes and luddites one more excuse to avoid the Internet.
AntiVirus Scanning [15-16] Absolutely should be standard practice.
Wired Connections [16-17] The ILTSO Standards state that “despite the convenience of WIFI networks, wired ethernet based networks provide certain advantages and should be used wherever possible, since connections are manually hardwired]
This is another completely ludicrous and onerous requirement that fails to take account of how many solos – and lawyers generally work. First, many lawyers, women in particular, often work from home. Even with a home-office, however, they may rely on a wireless system in the house rather than a static connection just for more flexibility. Second, many lawyers who do not have full time offices work from public libraries or virtual office space where they can tap into a wireless service. What’s the problem with that? Essentially, this wired-connection nonsense effectively makes a full-time office a requirement – and thus eliminates the flexibility and mobility that technology provides to lawyers.
CLOUD SERVICES [17-21]
There’s been much written about the cloud already and what appears in this section seems consistent with evolving best practices. Here, I take issue only with the requirement for 24/7 encryption for everything (again, much of what I maintain in the cloud is already public or not personally identifiable)
[delete]
ACCESS DEVICES
Single User Access [22-23] ILTSO says that access to systems should have one user and passwords should not be shared. I freely share my passwords with a trusted virtual assistant – I couldn’t function if I didn’t. Again, no recognition here of the realities of many law practices.
Device Tracking [22-23] – recommends geo-tracking for devices, which isn’t a bad idea – makes them easier to recover if stolen. I can also live with encryption of client data on devices like flashdrives, just because they’re so easy to lose.
WiFi Connectivity [25-27] Private wifi is generally considered secure, public hotspots are not. This is also a reasonable requirement.
ETHICS CONSIDERATIONS
Section 25.2 [29] takes the position that cloud providers are vendors that require oversight. Can we please, please move away from this erroneous conception? If we classify cloud providers even as passive vendors, why not the bank (which holds my IOLTA trust accounts), my cell phone service and the copy store? Let’s just not go down this path. Lawyers are not stupid. We know that when we put money in a bank account, a passive vendor is involved and when we hire someone to manage it, there’s an active vendor. It goes without saying that we have oversight obligations over humans, not over services. Creating categories of active and passive vendors is going to have longer term implications and potentially trigger oversight duties where none should exist.
Confidentiality – lawyer should not reveal client data (30-31) Kind of obvious.
Shared obligation of Client (30-31) – Yes, clients always have a shared obligation to keep data confidential. But that doesn’t stop ’em from emailing their lawyers’ emails to their friends and relations, even when cautioned not to. Not sure of the point of this provision?
Don’t communicate client data on social media (31) – OK fair enough. But why the gratuitous reminder to be familiar with ethics rules on social media advertising in a security document? (ILTSO at 31) Goes without saying that we need to follow all ethics rules. Or are ethics rules on social media somehow more important or special?
Client Engagement Letter (31-32) – These provisions require lawyers to disclose to clients how lawyers will communicate with and store client data. Sorry, not happening. Ever. There is no point to this provision. My clients have enough on their minds when they come to me. They’ve got enormous problems and I want to make their life easy with a seamless experience, not a retainer letter that goes on and on with disclaimers and explanations about how I run my practice behind the scenes. What is the point of this nonsense?
Personal identifiable information (PII) (32-33) – Yes, lawyers need to comply with federal and state law on PII. It’s a statutory issue, not an ethical issue.
Notification of Mistake (33) – seems to mimic existing obligations
Breach Notification (33-34) The requirement directs lawyers to notify clients of a security breach. I’m not so sure that this is necessary if clients aren’t harmed. Federal and state law impose requirements on breach notification and in my view, these are adequate. Sure, if a client’s ex-spouse comes into your office and steals the case file your client ought to know. But if it appears that a machine that doesn’t have any PII on it may have been compromised, is it necessary to tell every single client? I’m not sure on this one.
Records preservation and document retention (34-36) sensible enough.
Third party monitoring and outsourcing (36-37) – Offshoring to other countries gets a pass because presumably, it’s done with client consent.
DEFINITIONS
Section 42. Client Data (41)- Client data is “everything pertaining to representation of the client – schedules, emails, attorney work product and PII.” This may be true. But not all client data requires or even deserves the same level of protection. Practicing lawyers know what to treat as confidential and not – and need ample discretion to make these judgment calls. These standards apply an onerous one size fits all requirement and sap lawyers of our ability to make decisions about the type of protection required for client data. This is not the right direction to take.
42- Oh – encryption should be at least 128-bit. (ILTSO at 42) I’d always thought that 256-bit was standard practice – and indeed, this article suggests that 256 is better, but that if you’re on a budget, 128 bit is fine. Guess which company happens to use 128 bit?
43-45 – some good advice about setting passwords
PART II: PROCEDURAL DEFECTS
A. Self-Certification
As I said at the outset, standards for non-tech lawyers can be helpful, and to the extent that the ITLSO project is intended to do so, I’m all for it. Even more, I support a certification system where certain vendors are “approved” by an independent board (as IOLTA banks are by the bar) – and solos choosing those vendors would know that they were ethically compliant. (Solos seeking to do their own due diligence would have flexibility to choose their own provider so long as doing so was consistent with best practices).
But that’s not what’s happening here. As a purely informational document, the ILTSO standards are fine…[DELETE]
The ILTSO purports to establish international standards – but if that’s the case, why didn’t it follow the appropriate protocol set forth here. Setting standards is a serious business for industry (something that I know because I’ve tracked standards-setting in the marine renewables industry). There’s a set development process that includes engaging stakeholders, consumers, regulators and others. Here, the ILTSO didn’t engage work-a-day lawyers or even the bar associations (though that might have been an exercise in futility). It’s simply proclaimed that these are standards – without even demonstrating real expertise. Are the folks on this committee bonafide security experts – or merely self-proclaimed? These are answers that need to be provided.
Finally – these standards show no recognition of how solo and small firm lawyers work in practice. They assume that solos are all alike with the same security needs – when in reality, each solo’s needs are practice specific. The standards also impose onerous requirements with no justification whatsoever – calling for two ISP providers, prohibiting an assistant from accessing an attorney’s accounts and requiring the highest level security for all client data even if disclosure would not result in any harm, or if the data is largely public. The rules require us to open up our back office to our clients and burden them with how we keep documents when they just want us to handle their case.
Technology has been a savior to me in my practice. With it, I can serve clients more effectively and efficiently. I can take on cases that I could not otherwise afford to manage simply because of the cost reductions that I’ve enjoyed from technology. This misguided ILTSO effort will require solos and small firms to hire outside security experts (full-employment for those near-obsolete consultants!) or to adopt expensive and duplicative systems whose costs will inevitably be passed on to clients. Worst of all, I have yet to see a real assessment of the risks involved in using gmail – or even (horrors!) Google apps or similar systems (though lately, it dos appear that Dropbox’s security system has some serious issues.
We have an opportunity to make sensible rules that will enable lawyers to enjoy technology and keep our clients’ confidences secure. But to do so, we need to engage people from across different fields – technology, finance and healthcare – and continue to move forward. ILTSO offers a framework for doing so.
Carolyn — it was good to speak with you a few minutes ago. Since ILTSO is in the comment gathering phase, we welcome your (and all of your reader’s) feedback on the newly published document. Thank you for taking the time to articulate your concerns, and to hear some of ours!