In a world where we must rely on technology to continue the practice of law, attorneys are ethically bound to keep up with relevant tech and necessary security. A panel discussion at the 2020 State Bar of Texas Annual Meeting On Demand focused on helping lawyers understand how to maintain technology competence and put security practices in place to protect their clients. Podcast host Rocky Dhir talks with panelist Elizabeth Rogers about session highlights, including their focus on risk management for web-based tools.
Elizabeth A. Rogers is a partner at the nationwide law firm Michael Best & Friedrich based in Austin, Texas.
State Bar of Texas
2020 Annual Meeting On Demand: Privacy Issues Related to Video Conferencing and Cloud-Based Programs
Intro: Welcome to the State Bar of Texas Podcast, your monthly source for conversations and curated content to improve your law practice, with your host Rocky Dhir.
Rocky Dhir: Hi and welcome to the State Bar of Texas Podcast. You know, I’ve been hosting this podcast for a little over two years now. Before COVID-19 entered our lives, I used to look forward to opportunities to record episodes in person with the guests sitting across from me so that you could be part of a real honest-to-goodness conversation. More often than not, however, we recorded episodes remotely, the guest and I in our respective locations, sight unseen. Then one fine day the amazing folks at Legal Talk Network informed me that we’d be using Zoom to record our sessions. Mind you, this was before COVID, or the ‘Rona as the cooler kids amongst us might say. But now when we record an episode the guest and I can see each other, albeit remotely, no matter where we are located. I love it. I love it because you get to participate in a real honest-to-goodness conversation again. As lawyers we should do everything remotely, we should use tools like Zoom, Teams, Google Hangouts, Cisco Webex, the list goes on. We should use them all the time, don’t you think? I mean, yes, not seeing people is kind of a drag, but this is a whole new world, what could possibly go wrong? Elizabeth Rogers knows what can go wrong. She, along with William Smith and Lisa Angelo, participated in a panel discussion on June 25, 2020 for the State Bar of Texas Annual Meeting On Demand. The title of their panel: Privacy Issues Related to Video Conferencing and Cloud-Based Programs. It was an hour-long panel that included a quarter hour of ethics. In case you missed the discussion, Elizabeth here will give you some insights and some highlights from that very informative panel. Elizabeth is a partner at Michael Best & Friedrich in Austin. She practices privacy and cyber security law.
Elizabeth has tons of street cred when it comes to cyber security law, but here’s a fun fact: she was the very first chief privacy officer in Texas State Government, having served in that capacity for the Comptroller of Public Accounts. Elizabeth is no miser with her knowledge either. She’s an adjunct professor at the University of Texas School of Information management, where she teaches in UT’s brand spanking new master’s degree program in identity management and security. Elizabeth, you’ve got your hands full, so an extra special thank you for joining us. Welcome.
Elizabeth Rogers: Thank you it’s my pleasure to be here Rocky.
Rocky Dhir: Well as you know we don’t have much time for these episodes and this is a very deep topic so I’m going to jump right into it, if you don’t mind and so you know I’m just a lawyer who loves to practice law and I don’t understand all this kind of technobabble stuff you guys talk about, is that an acceptable mindset now from an ethical standpoint?
Elizabeth Rogers: Not anymore, ever since February of 2019 the Texas Supreme Court adopted the ABA model rule for the ethical duty of technology competence so even before COVID-19, lawyers had a brand new duty that now exposed them to potential ethical violations in the State of Texas for not keeping up with “relevant technology”. So the question becomes back then and even more so today what is relevant? What is relevant technology that we need to be aware of from an ethical viewpoint?
Rocky Dhir: So let’s just say I’m a small town solo practitioner, right and I’ve you know I grew up in the era of fax machines, I don’t know if you’re old enough to remember fax machines I certainly am you know and so we grew up in the era of fax machines and certified mail return receipt requested, how do I go about educating myself, what are the steps that I should take?
Elizabeth Rogers: Absolutely that’s a great question. So well the first I can’t help but direct any attorney whether they’re a solo practitioner or otherwise to the State Bar of Texas Computer and Technology Section.
Rocky Dhir: You’re good, you’ve done this before. I feel like Robert De Niro from Analyze This, I’m like, you’re good you, you’re good you.
Elizabeth Rogers: Well that’s mission accomplished. My goal is to enrich our membership, just because everyone has a different perspective, you’re right there are those attorneys who did not grow up in the world of just the internet highway, the internet super highway and so for them it’s really a steep climb, it’s a vertical learning curve but there’s so many resources available now through the state bar to help with law practice management and those courses are available in the CLE On-Demand, so it’s very apropos that you ask that question I think even going to the session that Lisa and Will and I spoke about will help someone get up to speed pretty fast about what issues they need to spot.
Rocky Dhir: So the title of your program talked about the Cloud. Tell us what the Cloud is I mean I think there’s for lawyers especially and I think the technology folks will probably laugh at us as a profession but there’s a lot of us that either don’t know what the Cloud is or are very skeptical of this term called the Cloud, so can you explain what that is?
Elizabeth Rogers: Absolutely, so basically the Cloud is a software invention, a software creation versus a hardware storage mechanism. So the Cloud is something that anyone can access via their browser, their web browser mainly, and they usually have an account they can log in, they can upload documents, they download documents. So a good example for the attorney who is solo or in a small firm is Box or Dropbox, a place where they can store all kinds of data, hopefully separated. They can separate their books, their QuickBooks, from their actual client matters that are confidential, all the way up to separating even their email applications. So things live on the Cloud, databases live on the Cloud, versus an actual server that’s in a closet that someone locks up. So even though it may seem mysterious and obtuse and sort of unobtainable, it’s actually more secure there. The options to secure the data in a Cloud are often better than securing the data in an on-premises hardware server.
Rocky Dhir: So I’m trying to think of this, again just trying to think of this from the perspective of somebody who’s maybe new to all this or is just unfamiliar, or maybe honestly in the case of people like me it’s maybe a little trepidatious about what all this means. You know, there’s a certain amount of fear and skepticism when it comes to something you can’t feel and touch. So when I store something on my laptop, I know it’s in the laptop on my hard drive. What you just said a second ago is that it’s often safer and more secure to put stuff in a software platform that I can’t see and touch. So ethically for a lot of lawyers we feel like, well, if I’ve got something physically that I’ve got control and custody over I feel much better, versus something that I can’t see that’s more intangible. Can you kind of talk me through this, why is it safer to put something on a Cloud over something that is in my physical custody and control?
Elizabeth Rogers: Sure, that’s a great question. The difference is that some hardware is not encrypted, for example your laptop, not every laptop is encrypted. The options for security in the Cloud are much greater in many respects than the hardware, the actual server on the ground or your laptop. You might accidentally leave your laptop in your car under the passenger side seat and by the time you get out of some place you have stopped, your car window is broken and your laptop is gone. In the Cloud there are encryption options. You can have a private Cloud versus a public Cloud depending on the data you’re storing, so if it’s not confidential data you can have a hybrid Cloud and put part of your public information in the public Cloud and then have a separate Cloud only that belongs to, you know, Elizabeth Rogers, law office, in the private Cloud with encryption options. Only you would have the, you know, the owner would have the key, the actual Cloud provider would have the key. And also the advantage to that, Rocky, quite frankly, is a lot of law offices that are small don’t have the resources to maintain either, right. Now there’s a huge cottage industry of managed security services that are available to help small firms to keep the security controls in place for the Cloud. So all, you know, we have to worry about is being a lawyer while we can outsource this function, and it does help with regard to our ethical duty. There’s no obligation for us as lawyers to discharge this ethical duty of technology competence on our own, we can delegate that and hire somebody to do that for us, so.
Rocky Dhir: So it’s interesting, what you’re describing sounds to me kind of like I see those on the highway all the time mini storage units, you can go and buy either a big storage unit and if you’re a rich highfalutin lawyer, you can store your boat there, if you’re like me you can get a small box for you know for keys or something like that I think or passports I guess.
But it sounds like what we’re talking about here is like a storage unit that each law office would get their own storage unit but it’s located in this non-physical realm called the Cloud, in a server someplace else, is that?
Elizabeth Rogers: Sure, a virtual environment yeah.
Rocky Dhir: And then when you’re talking about public and private, the public is kind of like, all right I’m leaving this out on a table somewhere for people to see versus private is, it’s like a locked file cabinet or a locked box that’s?
Elizabeth Rogers: Correct.
Rocky Dhir: Is that kind of how it is? Okay, now one thing that I did not hear in your session was whether it is advisable to look for services whose servers are located strictly in the United States versus ones that might be overseas. This is something I come across sometimes, right, where somebody says, well, where are your servers located? And I know you guys only had an hour and this is a huge topic, so I’m not criticizing, I’m not criticizing the panel at all, but now that we have a chance to kind of talk afterwards, do you think lawyers need to be cognizant of the locations of their servers, or are you strictly concerned about the security of the servers themselves regardless of location?
Elizabeth Rogers: It depends on what kind of law and clients you have, because there are many countries that do not allow copying of data. For example in Russia is a great example, no one is allowed to copy data and then transfer it back to a server in any other country including the United States. So if your clients are or you have multiple locations that are out of country, then the jurisdictions of those other countries really determine whether it’s acceptable to have a US server only or whether you must subscribe to out-of-country servers. So for example Amazon Web Services in the US has various locations, but many companies, your clients included, may insist that you have a server in the EU, so that any data that relates to your activities and, you know, legal services in the EU are stored in servers in that location, especially now since that actual, since that taping, Rocky, the court of justice and the EU invalidated the EU-US Privacy Shield. So transfers from the EU to the US are more complicated, so it’s really even better to have a server over there now if you relied on the Privacy Shield before.
Rocky Dhir: Oh that’s interesting okay, so going strictly American on some of this may not always be the best thing, I guess you have to look at that, you have to talk to your clients first before you really make a decision and so it’s possible you may need to get Cloud space in various servers in various countries depending on the type of practice you have.
Elizabeth Rogers: Correct, Microsoft is located everywhere, there is zero servers in Ireland, you know are available.
Rocky Dhir: I want to go to Ireland, that sounds fun. But now look, I know. So let’s talk for a second about these video conferencing platforms. You know, I know we could keep talking about the Cloud and it’s a fascinating topic in and of itself, but then there was this other segment which is video conferencing. So you and I are talking over Zoom, which as many of us know is a web-based platform. You know, it’s been in the news, in the vernacular of late, but many lawyers might not understand the nuances of these platforms and Cloud-based storage for that example. So I know in your panel we talked a lot about video conferencing. Can you walk us through, of course, the benefits, because as lawyers we’re always talking about risk and, oh this is bad. Let’s talk about the benefits and then let’s also talk about the risks and what we as lawyers need to be aware of when using these types of platforms, and I’m not just talking Zoom, it’s all of these. So yeah, Elizabeth, if you could just kind of walk us through the good and the bad on both of those.
Elizabeth Rogers: Absolutely, so yes, it’s great to start out with the benefits and I think that you framed the discussion of what the benefits are when you made your introduction. Basically the legal industry in a virtual setting, in a remote environment, is probably here to stay for the foreseeable future. Law firms have already made a migration to hoteling, realizing that attorneys are not yet comfortable going in, but when and if they do they’re checking in just like they would check into a hotel. So for all those other hours of their work time, they’re going to be actually doing that remotely, and the Zoom platform or any video conferencing platform is a huge benefit for us to connect to clients, to courts and to various other components of the legal system, so to speak.
The risk of having this incredibly populated environment of attorneys using video conferencing is that not everyone is at the same maturity level that they need to be in order to have secure data being discussed on a video conferencing platform. It’s everything from needing to know the settings on your video conferencing platform, which ones are encrypted in the actual video conference, which ones are not. Just taking a crash course will help most attorneys eliminate those risks, to look at the settings, become intimately familiar with them, read updates to privacy policies when a video conferencing platform changes, so that they can adapt to making their device as secure as possible during the conference.
Rocky Dhir: Are there specific steps or packages or things like that attorneys need to ask for when they’re signing up for, and it’s not just Zoom, it’s Microsoft Teams or Cisco Webex, any of these, are there specific packages or specific questions we should be asking, or things that we should be looking for? Because you know I can see a lot of us saying, I don’t even know what encryption is, I don’t know how to find it. You know, is there kind of a cut and dried easy way to do it? So I know there’s free versions of software, there’s the paid versions and then there’s different tiers, so what should we as lawyers kind of be gravitating towards?
Elizabeth Rogers: Right, so this is, as you point out, this is a maturing industry. Even in the last six months, we’ve seen Zoom morph and evolve into a more secure platform after much scrutiny from regulators and others. So we’ve learned a lot at their expense about where to look for, and you know, in the profession of law, because even data that’s not protected by law is protected by the attorney-client privilege, so we have a higher standard, right. We also have the ethical duty of technology competence to be aware of “relevant technology”, as we pointed out at the beginning of our chat, is we have to be aware of the data we have in order to make those choices. So if I am in a practice of law that doesn’t involve, let’s say, a highly confidential intellectual property, maybe I’m just dealing with names and addresses on pleadings, it’s a very routine practice, that data is going to require less security controls and protections than highly confidential data, HIPAA control data for example, medical malpractice lawsuits, where you know whether I’m defending or on the plaintiff’s side. So it really depends, it requires every lawyer just to examine what data do I have, how much of that data am I going to be talking about on a routine basis when I have these Zoom calls, how secure is my environment and what are the expectations of my client? And so I think making all of those a priority before selecting the package is critical.
Rocky Dhir: So you talked, when you were discussing the ethical duties, you were talking about taking reasonable steps, and I think that was the term we used, taking reasonable steps for lawyers when using these platforms. So I’m assuming what you just outlined were those reasonable steps. You’ve got to go in and see, do an assessment of the security, what level of security do you need for your practice. I mean, is there anything that we missed when we’re talking about reasonable steps, or was that it, what you just described?
Elizabeth Rogers: I guess it probably would be best to frame it as a review of all the circumstances that are surrounding you. So if, let’s say, I’m in Flatonia, Texas and I have a very small general practice, I’m probating roles, maybe some oil and gas leases, sure, versus being in a commercial litigation practice where all of my clients are financial services institutions and I have access to all the, this very highly sensitive financial net worth information of the bank customers, then I’m going to need, you know, if I’m being scrutinized for whether I did the right thing, I’ll be expected to spend more money than someone who has a smaller practice who doesn’t have the kind of budget, you know, that my large law firm has. So, I think that what the Texas ethics commission has said is that they do not expect perfect security, they just expect reasonable security.
Rocky Dhir: So many more questions I mean I know your panel was an hour and it flew by and it could have gone on for days and still I’m sure not covered everything. So it should come as no surprise that we’re out of time and we’ve barely scratched the surface of any of this but Elizabeth thank you for being a part of this.
Elizabeth Rogers: No I enjoy it. We’re all learning about this together, we’re all on the same team, on the same side, I’m glad to help.
Rocky Dhir: Absolutely. Well, again, thank you. This is an ongoing topic that many lawyers will need to continue learning about, and of course I want to thank you for tuning in and encourage you not to miss next year’s annual meeting. You get to hear cool stuff like this and you get to learn new things, and hopefully we’ll be able to do it in person and get back to, you know, “normal”. Now next year’s annual meeting will be June 17 and 18, 2021 in Fort Worth, Texas. Let’s again, let’s hope and pray that we’re in person. But before we sign off, please stay safe, make sure to follow all applicable orders for dealing with COVID-19 and please advise your clients and loved ones to do the same. This situation is changing by the day, so please seek out legal counsel if you have a question. Now if you like what you heard today, please rate and review us in Apple podcast, Google podcast or your favorite podcast app. Until next time, remember, life’s a journey, folks. I’m Rocky Dhir, signing off for now.
Outro: If you’d like more information about today’s show, please visit legaltalknetwork.com, go to texasbar.com/podcast, subscribe via Apple podcast and RSS. Find both the State Bar of Texas and Legal Talk Network on Twitter, Facebook and LinkedIn or download the free app from Legal Talk Network in Google Play and iTunes.
The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by the State Bar of Texas, Legal Talk Network or their respective officers, directors, employees, agents, representatives, shareholders or subsidiaries. None of the content should be considered legal advice, as always consult a lawyer