Evaluating ethical technology use by outside (law) firms

Automakers vet suppliers exhaustively. One faulty part in a vehicle can cost the automaker dearly, and not just in cash.

This need to vet applies to any vendor relationships, including those between companies and law firms. Outside legal help functions as an extension of in-house legal departments. In-house lawyers need reassurance that outside lawyers perform to the same ethical standards.

Ethical lapses may be most likely in how lawyers (mis)use technology. But how do in-house lawyers evaluate ethical use of technology by outside firms?

Protecting confidential information

The Association of Corporate Counsel recently published the Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. This document offers a high-level list of “baseline security measures and controls” legal departments can look for when evaluating outside counsel.

Esoteric pitfalls

Unfortunately, this document isn’t granular enough. Lawyers need more guidance.

Lawyer Suzanne Deliscar of Brampton, Ont., was quoted in an article telling the story of how a lawyer used a “free” online translation service and leaked privileged information as a result. “You have to find out whether the online service you are using aggregates the information it translates,” she said. “[Some services] mine the translation to add to their database of translated words so the service is constantly building its terminology database.”

In their book Google for Lawyers: Essential Search Tips and Productivity Tools, Carole A. Levitt and Mark E. Rosch discuss the sharing of data using URLs. “Unlisted albums are not completely private” the authors wrote. “They only require a long URL (that includes an authentication code) to access them.”

Levitt and Rosch wrote this passage about Picasa, a Google photo management application since retired and replaced by Google Photos, but many applications use such URLs. If the original (authorized) recipient forwards the link to an unauthorized third party, that confidential data isn’t confidential anymore.

Software as a service (SaaS)

Legal-focused cloud services are here to stay. They are also a likely source of ethical breaches.

Some firms use only services that keep data on Canadian soil. Other lawyers may explain to clients up front that they use SaaS and that client data may reside in jurisdictions outside Canada. If the client doesn’t flinch, the lawyer carries on.

Some clients may accept this “up front” tactic, but big clients won’t. Many must comply with data regulations, and may have to heed the May 2018 version of the Global Data Protection Regulation (GDPR), a European Union framework that affects non-EU companies that handle the data of EU residents.

How could GDPR give SaaS-using firms pause? What if a SaaS provider uses third parties who outsource parts of their operations to reduce costs? Does that outsourcing mean data leaves approved jurisdictions?

Dominic Jaar suggested a more thorough setup. “Before using any technology, you must have good information governance, so you know you won’t put privileged information into the cloud,” said KPMG Canada’s partner and national leader, forensic technology services. “If you have that level of data governance sophistication, you might use an overseas data centre.”

Data encryption a must

SaaS providers can offer four layers of encryption, each with its pros and cons.

For data in motion, service providers can:

•    secure the “pipe” between the law firm and the data centre;
•    encrypt the data that passes through that pipe.

For data at rest, service providers can encrypt:

•    the entire server;
•    the data on that server.

“Different solutions offer one or two different layers, rarely the four, because then the technology becomes burdensome to use,” Jaar explained.

Red flags in the cloud

Counsel must scan SaaS terms and conditions for practices like:

•    indexing of all data;
•    inability to determine when or how business data is destroyed;
•    lack of methods to migrate data out of the environment;
•    no identifiable contact person to serve the firm.

“These are all signs that you shouldn’t use that service for your business,” Jaar said.

Compliance by design

Leaving ethical compliance in the hands of busy lawyers may not be the best way to ensure their compliance with ethical obligations.

Fortunately, an emerging paradigm may simplify compliance for law firms, even more so than international standards like ISO 27002. This paradigm may even greatly shorten the checklist inside counsel uses to evaluate compliance.

Jaar notes that several Canadian professional organizations, including the Quebec bar, have launched a joint RFI to obtain quotes from Canadian cloud providers (text in French only). That gets Jaar pondering the possibilities. “By providing their professionals with an ‘order-sanctioned’ environment, these organizations can provide compliance by design,” he said.

“Rather than let members make bad decisions because they don’t know better, they want to propagate environments that help them meet their ethical obligations.”

Jaar figures using “order-sanctioned” infrastructure as a service (IaaS) ought to shorten that checklist. “Compliance by design is a lot easier.”

This article originally appeared on The Lawyer’s Daily website, published by LexisNexis Canada Inc.

Leave a Reply