Archive for October, 2013

Draft EU Privacy Regulation Amendments Approved

Posted by fgilbert on October 22nd, 2013


The European Union Committee on Civil Liberties, Justice, and Home Affairs, also known as the “LIBE Committee”, approved amendments to the draft of the EU Data Protection Regulation on October 21, 2013.

The good news is that the “right to be forgotten” has been replaced with a “right of erasure” which is more narrowly phrased.

The bad news is … most of the other amendments. The revised draft would define a stronger and more stringent data protection regime, which is likely to create additional hurdles for US companies doing business in the European Union, or in need of transferring data out of the EU/EEA to the United States or to subsidiaries worldwide.

In particular, the revised draft significantly increases the maximum fine that might result from a violation of the new law. The 2012 draft regulation set a maximum fine of 1,000,000 Euros or 2% of a company’s worldwide income and adopted a tiered approach. With the revised draft, fines could reach up to 100,000,000 Euros or up to 5% of a company’s annual worldwide income, whichever is greater. This is a significant jump.

The next step is the review and approval of the amended text by the European Union Council and the European Commission. After that, the final text of the proposed Regulation would be submitted to the European Parliament for a final discussion and vote. This vote is not likely to take place before May 2014. If an agreement is not reached before the Parliament closes down for the election of new MPs, the negotiation over the Regulation could continue in the next session of the EU Parliament. In this case, more delay might be likely if there were a change in the composition of the Parliament.

The text of the approved amendment is available here.

Francoise Gilbert named 2014 Lawyer of the Year

Posted by jgilbert on October 15th, 2013

Thank you for your vote!

We are proud to announce that our very own Francoise Gilbert was recently named the Best Lawyers® 2014 San Francisco Information Technology Law “Lawyer of the Year!” Additionally, Francoise celebrates her 7th year of inclusion in Best Lawyers’ 2014 edition of The Best Lawyers in America as well as her 6th year of inclusion in Chambers USA’s Leading Individuals!

We would like to take this moment to thank you all for your votes. We are so very grateful for this honor and look forward to the opportunity to work with you all!

About Best Lawyers:

Since it was first published in 1983, Best Lawyers® has become universally regarded as the definitive guide to legal excellence. Because Best Lawyers is based on an exhaustive peer-review survey in which almost 50,000 leading attorneys cast nearly five million votes on the legal abilities of other lawyers in their practice areas, and because lawyers are not required or allowed to pay a fee to be listed, inclusion in Best Lawyers is considered a singular honor. Corporate Counsel magazine has called Best Lawyers “the most respected referral list of attorneys in practice.”*

Further information on Francoise Gilbert’s practice and publications is available at:

Brochure | Blog | Global Privacy Book

IT Law Group

555 Bryant Street #603 | Palo Alto, CA 94301 | USA

*© 2013 The Best Lawyers in America, Woodward/White, Inc., Aiken, SC


Use of Cloud Computing in a Law Office

Posted by fgilbert on October 10th, 2013


Attorneys and law firms are increasingly interested in taking advantage of the proliferation of cloud computing services in their law practice. For example, they might wish to use web-based email to interact with their clients, or subscribe to customer relationship management (CRM) services that are offered as Software as a Service (SaaS) to manage their customer and prospect lists. They may be tempted to store documents in the many storage services that are offered at no charge. New options are emerging every day, as more applications are developed and marketed.

However, while cloud services present significant advantages, the use of cloud computing services by attorneys and law firms presents unique challenges due to the ethical rules to which attorneys are subject. In addition to ethical concerns, services provided in a cloud computing environment present a number of technical, physical, and contractual risks. Cloud computing agreements should be reviewed carefully before venturing into this new, complex form of outsourcing.

The Advantages of Cloud Computing

Cloud computing offers so many advantages that it is difficult to resist the temptation. Many services can be obtained at a significantly lower cost; in many cases, they may be offered free of charge. Thus, it may be less expensive for the law firm to acquire these services from a cloud provider rather than running and maintaining an application on its own server on its own premises. Maintenance is usually included in the offering, so there may be no need to worry about keeping up with updates, as they are installed automatically. The services are accessible from anywhere, a feature of great interest to attorneys who work long hours and may take advantage of the remote access capability to telecommute if needed. Altogether, cloud computing requires less in-house expertise and capability and less infrastructure, which may result in significant savings.

Cloud computing services may provide flexibility. As these services are often sold on demand, a law firm may take advantage of the elasticity to purchase as little as it needs on a regular basis, knowing that it can quickly ramp up and add storage, computing capability, or a few new features if the need arises.

Cloud computing may also provide increased stability and security. Reputable cloud providers usually employ the most up-to-date, sophisticated security measures. Their experienced, adequately trained staff excels at implementing security measures that take into account the current trends. They have access to sophisticated tools to monitor unauthorized access to the systems or manage permissions. These entities also have the ability to put in place sophisticated disaster recovery and business continuity features that are likely to be more powerful and effective than those that a small or lean law practice could implement.

However, entrusting data to cloud providers is not without danger. For instance, a large cloud provider that is known for servicing prestigious customers might also be the target of cyber attacks aimed at disrupting these customers’ operations or accessing their critical data. In addition, attorneys are subject to stringent ethical rules that may hamper their ability to use certain types of cloud services for certain purposes or with certain categories of data.

Ethical Rules

Before starting a search for cloud services that would make your practice so much more efficient, you should first determine whether the Ethical Rules that apply to your profession would allow your law firm to use cloud services. Ethical rules vary from one jurisdiction to another, but they tend to follow some common general principles.

Competence, Confidentiality

Most Ethical Rules that apply to attorneys contain a duty of competence and a duty of confidentiality. Will the professionals who will use the new cloud-based program be sufficiently proficient, and able to log in and out of a system and save or annotate documents, in a manner that does not put at risk the confidentiality or the integrity of the data?

Duty to Supervise

The Ethical Rules may also contain a duty to supervise and may require an attorney who assigns work or responsibilities to a non-attorney (e.g., the cloud provider) to make reasonable efforts to ensure that the third party’s conduct is compatible with the attorney’s professional obligations.

Duty to Safeguard Client Data

Attorneys are also generally required to keep client property, such as files, information, and documents, appropriately safeguarded. Would a law firm be able to ensure proper safekeeping of the clients’ files if these files were stored in a cloud? Certain cloud services may host the data of several customers on the same server. Would this co-location be deemed an “appropriate safeguard”?

Further, the cloud provider may have structured its network so that the servers are spread throughout the world. Keep in mind that a foreign country would be likely to assert jurisdiction over any server located within its territory. These countries are also likely to have adopted different laws or standards with respect to third party or government access to data, confidentiality, or data ownership.

Duty to Communicate with Client

Finally, Ethical Rules for attorneys may contain a duty to communicate with clients. Would this duty require an attorney or law firm to promptly inform clients of any decision to store the client’s data in a third party’s cloud and to seek their consent?

Given the potential application of these and other ethical rules, it would be prudent for attorneys and law firms that contemplate the use of cloud computing services to review carefully the ethical rules that apply to their profession in their region, and to review, as applicable, any opinion or guidance that may have been published by the authority that regulates their profession.

How to Manage Cloud Computing Risk

Numerous precautions and measures can be taken by attorneys to reduce their exposure to legal, commercial, and reputational risk in connection with the use of cloud services.

Internal Due Diligence

Before stepping into the cloud, you should conduct internal due diligence in order to determine the potential obstacles or constraints that might prohibit or restrict the use of cloud services by your law firm. For example, you should review the ethical rules that might apply to your organization, as discussed above. You should also determine whether the law firm or any of its professionals has entered into a confidentiality agreement or data use agreement that might restrict the transfer of data to third parties, even if these third parties are service providers. You should also determine whether the proposed plan to use a cloud service or host would require the prior consent of your clients.

Keep in mind, as well, that some data might be so sensitive or confidential that they should not be transferred to the cloud, or the transfer might require significant precautions. This might be the case, for example, for files that pertain to high-stakes mergers or acquisitions.

External Due Diligence; Contracts

Make sure that you understand the particular application or service you are contemplating purchasing. How will the servers be used to process your data? While it is important to involve your information technology team, you should understand how the service will operate, where the servers will be located, whether your data will be co-located with other customers’ data, and how your data will be protected from intrusion or disasters. Ensure that the service will be reliable and easy to use by everyone at the law firm. Conduct appropriate due diligence of the proposed vendor and the proposed applications. Check references. Conduct online searches and/or call current clients to evaluate the vendor’s reputation.

You should also review the proposed contract carefully, even if you are told that it is not negotiable. First, it might actually be possible to negotiate changes. And even if it is not, you should understand the consequences and implications of the engagement you are making. Pay special attention to the disclaimers of liability, confidentiality, intellectual property, and security provisions.

Continuous Access to Data

Service outages happen regularly. It is important to ensure that the cloud service will provide alternative access to data, such as by switching to a server located in a different region if an outage affects a specific data center. The service provider should have in place a robust disaster recovery plan that alleviates the effect of outages.

Consider backing up your data to an alternative system or a second cloud provider, to ensure that you will be able to access the data in the event of an outage in the vendor’s facility or network, or in the event of a natural or other disaster.

Ensure that you have the ability to change providers when it becomes necessary or desirable to do so. Keep in mind, however, that while it may be feasible to move from one hosting service to another, changing applications, such as a customer relationship management system, is likely to be impossible, or very costly.

Many cloud contracts provide that in the event of an outage the customer will be refunded the portion of the monthly fee that corresponds to the duration of the outage. Be realistic about the actual effect of such a provision. The refund might be insignificant compared to the huge inconvenience and loss of business and loss of data availability. For example, what would you do if you are in the middle of a trial or closing an acquisition, and suddenly the needed data are not available due to an outage or other force majeure event?

Security, Security Breaches

Ensure that the data will be appropriately protected from unauthorized access or modification. Specific steps that may be required include installation of a firewall, access limitations, encryption, strong passwords or other authentication measures, and an electronic audit trail to monitor access to data. Ensure that you are informed of the security breaches that affect the data that your law firm uploads to the cloud. You may have a legal and/or ethical obligation to inform your clients and the regulators about an incident affecting these data. Negotiate compensation or indemnification by the service provider if the breach is caused by the cloud provider, either affirmatively or through its own negligence or failure to maintain agreed-upon safeguards or reasonable security measures.

Data Ownership

Beware of obscure or confusing clauses that might give the cloud provider ownership of data stored in its services, or the metadata associated with the access to or processing of your law firm’s or clients’ data. Ensure that the contracts with the service provider(s) acknowledge that the data are owned by the law firm and/or its client, and not by the cloud provider.

Termination

Anticipate the need to terminate the service. Have an exit strategy in place so that the law firm may change its provider when it becomes necessary or desirable to do so.

Implementation

Train your own staff and professionals who will use the cloud service or products, and obtain their written agreement to comply with your security measures and those that are recommended by the cloud provider such as the use of strong passwords, and the prohibition of sharing passwords.

Conclusion

There is no doubt that cloud computing is here to stay and that gradually companies will move most of their data to the cloud. However, switching the physical custody of one’s data to a third party does not relieve an organization from its legal obligations to protect these data, ensure adequate security and integrity, limit their use to specific purposes, or ensure their availability. Thus, any company should carefully consider the pros and cons, as well as the consequences of the use of cloud services. For lawyers and law firms, these concerns are compounded with other concerns that come from the specific ethical rules that govern the profession. Before venturing into the cloud, lawyers and law firms must evaluate the effect of the relevant rules of ethics to which they are subject, identify the categories of data that may be processed or stored in the cloud, and take other necessary measures to ensure that they will be able to fulfill all of their legal and ethical duties to their clients.

Global Privacy and Security Law treatise, Supplement #12

Posted by fgilbert on October 4th, 2013

Supplement #12 to our two-volume treatise Global Privacy and Security Law has been shipped to our subscribers!!

29 chapters have been updated. The most significant changes are described below.

Americas

  • Chapter 17 – Canada: The Federal Privacy Commissioner of Canada has issued several reports, including reports requesting amendments to PIPEDA. The update also provides information regarding several court cases and decisions that affect data privacy and security.
  • Chapter 24 – Dominican Republic: In the Dominican Republic, the Constitutional Court has issued a decision on the publication of criminal records in public access registers.
  • Chapter 65 – United States of America: The United States chapter has been significantly reorganized and supplemented to take into account the evolution of the American legal and regulatory landscape since the first publication of the Global Privacy and Security Law treatise in 2009, the driving role played by the Federal Trade Commission, and the recent interest in the laws that regulate US government access to data. In addition, the chapter includes an analysis of the new Health Information Rules (developed under HIPAA and the HITECH Act), which came into force at the end of September 2013, and the new Children’s Online Information Protection Rule (developed under COPPA), which came into effect on July 1, 2013.

Asia

  • Chapter 19 – China: In March 2012, China’s Ministry of Industry and Information Technology issued “Several Provisions” that regulate the telecommunications market; these provisions supersede the Administrative Provisions on Internet Information Services for soliciting public opinions (issued in July 2011). The chapter has been updated with information regarding definitions, rules, and regulations for ISPs under “Several Provisions.”
  • Chapter 38 – Japan: The update provides a status of the enforcement of the Data Protection Law.
  • Chapter 10 – APEC: Asia continues its progress in the development of a privacy framework that is less stringent than the one currently in effect in the European Union. In recent months, the Cross-Border Privacy Rules, an initiative intended to reduce barriers to information flows, have made progress. The United States has already been approved to participate in the CBPR System, with the Federal Trade Commission as its first enforcement authority. Mexico recently obtained its approval, and in June 2013, Japan applied to participate.

Europe

  • Chapter 26 – Estonia: In Estonia, the Employee Information section has been updated to include information on recording telephone calls. Clarification has also been provided regarding the rules for employee consent.
  • Chapter 28 – France: This update provides a brief summary of the CNIL 33rd activity report for 2012. The section on video surveillance is supplemented with information about a recent case in Paris. A new section has also been added regarding Illegal Downloading, which describes the requirements for employers to monitor Internet usage of their employees.
  • Chapter 32 – Hungary: The update describes the recent recommendation by the Hungarian Data Protection and Freedom of Information Agency on video surveillance in the workplace and other developments regarding data processors’ ability to subcontract work to other processors. The Agency has also been vested with a new function, that of auditor for data controllers.
  • Chapter 33 – Iceland: Two new sections have been added regarding International Treaties and Agreements to which Iceland is party and about data protection guaranties found in the Constitution of the Republic of Iceland. The chapter has also been supplemented with information regarding the status of implementation of Article 5(3) of the 2009 Directive regarding the use of cookies.
  • Chapter 40 – Liechtenstein: The update includes information regarding International Treaties and Agreements to which Liechtenstein is party and information regarding data protection in the country’s Constitution. The update also provides information regarding the status of implementation of Article 5(3) of the 2009 Directive.
  • Chapter 41 – Lithuania: Two new subsections on the exchange of personal data for evaluation of solvency and debt management and on video surveillance have been added to the Data Protection Law section.
  • Chapter 46 – Netherlands: The update to the Netherlands chapter provides an overview of the Article 29 opinion on the definition of “personal information,” “purpose limitation” and “use limitation.” The chapter also describes the status of the 2009 cookie directive implementation. The Netherlands appears to be leaning towards a less strict interpretation of the 2009 provisions. The Netherlands Data Protection Commissioner has published guidelines for the security of personal data, which provide a checklist of appropriate measures. Finally, the chapter provides an in-depth analysis of the whistleblowing provisions that apply to civil servants.
  • Chapter 47 – Norway: The 2009 Directive has not yet been implemented, but the Norwegian Parliament has submitted a plan on its implementation. A new section on health information has been added, and the section on electronic communications has been supplemented with information regarding traffic data. Also described in this update is the Supreme Court’s ruling on a case involving the collection of employee GPS location data by a waste company.
  • Chapter 50 – Portugal: An update on the implementation of the 2009 Directive with respect to cookies and security breach disclosure requirements is included in this supplement.
  • Chapter 51 – Romania: The update to the Romania chapter focuses on the implementation of the 2009 amendment to the 2002 e-Privacy Directive into the Data Protection Law regarding the use of cookies.
  • Chapter 54 – Slovakia: The chapter describes recent reports of the Office for Personal Data Protection regarding the processing of biometric data, its investigation of e-shops, and the requirements to notify data subjects when performing video surveillance.
  • Chapter 55 – Slovenia: The Electronic Communications Act came into force, implementing Article 5(3) of the 2009 amendment to the 2002 ePrivacy Directive.
  • Chapter 59 – Sweden: The update to the Sweden chapter describes a 2012 case involving surveillance cameras in a high school. An update on the ePhone case is also included.
  • Croatia: In addition to the above, to take into account the arrival of Croatia in the European Union as its 28th member state, several chapters have been slightly modified. Supplement #13 to the Global Privacy and Security Law treatise will contain a new chapter, which will analyze Croatia’s data protection laws in the same way as the laws of other countries have been described and analyzed.

Middle East – Africa

If you are a subscriber, and you have not yet received your copy please let me know.