My Shingle: Can You Spell Security Overkill by carolynelefant


April 15, 2011

Can You Spell Security Overkill? Try I-L-T-S-O

Earlier this week at TechShow, a new group, the International Legal Technical Standards
Organization (ILTSO) announced the publication of the 2011 Standards for public review and comment.
Initially, I was excited at the prospect of guidelines that would enable non-techie, resource-constrained
solo and small firm lawyers to make smart, safe technology choices. But both the standards recommended
and the overall implementation of this effort are so ill-conceived, that I cannot possibly endorse this
project as it stands.

Before I begin my critique, I must insert this caveat right up front. I admire Stephanie Kimbro
of VLOTech, Richard Granat of DirectLaw and Jack Newton of Clio who sit on the ILTSO Advisory Board
and respect their views on security, ethics and the professional products that they have developed for solo
practitioners. My criticism here represents a professional disagreement about the approach taken by the
ILTSO; it should in no way be construed as a criticism of VLOTech, Clio or DirectLaw products or a
personal attack on the great work that Stephanie, Richard and Jack have done for solos and the greater
legal profession.

Still, there is so much wrong with the ILTSO initiative that I scarcely know where to begin. The potential
costs of complying with this sledgehammer-of-a-security document are enormous and will inevitably
be passed on by solos to their clients, thereby wiping out any benefits that these technologies of tomorrow
may bring. The paper lumps large and small firms together, irrespective of practice areas or level of data
sensitivity, instead requiring Fort Knox level security even where the consequences of disclosure are
insignificant. Indeed, this proposal is onerous enough to scare paper-loving solos into the arms
of Dunder-Mifflin instead of incorporating technology into their practices.

I've divided my critiques into two parts: substance and procedure. In Part I, I've addressed the substantive
aspects of the proposed standards that in my view represent sheer overkill. In Part II, I've addressed the
procedural defects, including (1) the self-certification money-grab; (2) lack of disclosure of potential
conflicts by the executive board (for example, Jeff Goens is head of Dialawg, a secure protocol for
communicating with clients that stands to benefit directly from the standards that hold that services like
gmail are unacceptable); (3) the departure from accepted international protocols for setting international
standards and (4) the Board's composition and lack of participation by work-a-day solos in different
practice areas (except for Stephanie); I've got deadlines on all fronts, so this will be pretty cursory, but
here goes.

General Comment:
The proposed report establishes four levels of compliance: bronze, silver and gold. The bronze standard is
appropriate for all levels including solos, and silver is appropriate for firms of more than one attorney or
where "circumstances or resources dictate." [Report at 8] My comments focus only on the bronze and
silver requirements.

Two problems with this approach. First, it suggests that solo and small firms are second class citizens. If
ILTSO succeeds in implementing its certification requirement, a solo firm that fully complies with what's
expected for its size will achieve bronze and therefore, appear less security-smart than the large firms who
qualify for gold.
Second - and far more seriously - lumping all solo and small firms together for security purposes makes
absolutely no sense. There are solos who run volume social-security or consumer debt practices who
collect substantial amounts of personally-identifiable information from clients. Solos who retain
personally identifiable information (including SS numbers, credit card numbers, etc…) pose a far greater
threat than, for example, a three-person firm that handles exclusively appellate and regulatory matters
where the bulk of "client data" resides in the public record. Though solos ought not be burdened with
excessive, onerous requirements, they shouldn't get a pass either. If solos are handling information where
there's a substantial risk that disclosure will give rise to identity theft, then they've got to comply with
whatever standards apply under federal and state law for that given situation. To treat solos differently for
security purposes based on size rather than substance of their practice areas puts clients at risk. (For more
about the preferred approach of risk assessment, see my letter to the NC Bar here.)

Specific Mark-Up
For the record, I don't disagree with all of the ILTSO standards. Some do make sense, as my discussion
below points out:
Data Room Access, Edge planning [ILTSO 9-10] - I don't know enough about this to comment one way or

Hardware Firewalls [ILTSO 10-11] - agree with need for password protected firewalls

OnSite Data Storage [ILTSO 12-13] - encrypt client data once a day with a log. I'm mixed here. Once a day
really isn't necessary in my practice, but at the same time, if you use Time Machine or other auto-backup,
the once a day requirement isn't a big deal either. Not sure why a log should be maintained - just looking
at my OS and Time Machine icon tells me when I last backed up.
As for encryption, again, it's the overkill problem. At least 70 percent of my data includes publicly-filed
materials where encryption isn't needed. And even for my client communications, really - even in a worst
case scenario where someone were to steal my machine and read all the client documents, my clients
probably wouldn't be prejudiced unless the docs got back to my opposing counsel. The only reason I see
for encryption is to protect data that if released can give rise to identity theft.

Offsite Data Back-Up - Daily requirement and encryption - see comments above. [ILTSO 12]

File Servers [ILTSO 13-14] - Can't comment, don't know enough.

Connection Redundancy [ILTSO 15-16] The standards say that "it is imperative to retain a second Internet
connection for redundancy." This is the most idiotic idea I've ever heard. First, the cost of two ISP services
can be significant, particularly for solo and small firms. Second, I don't know how the ILTSO authors' ISPs
work, but in my house, when the power goes down, everything goes down; presumably the ISPs would all
go down as well. Third, there are parts of the country that still don't have internet access from one
company, let alone two. How is someone in a remote part of the country going to find two ISPs? If a solo's
ISP goes down, there are ways to deal with it. Most solos have mifi or smartphones with 3G access.
There's also Kinkos and public libraries and Starbucks which, granted, while not ideal, will do in a pinch.

Section 11 (Connection Redundancy) also says that it is imperative to understand the TOS for each ISP to
ensure that data monitoring is not permitted, except in accordance with law. Why just for ISPs? Why not
for the phone service? What about the postal service - are they holding my envelopes up to the light to
peek in? Again, this is just silly overkill that will give technophobes and luddites one more excuse to avoid
the Internet.

AntiVirus Scanning [15-16] Absolutely should be standard practice.

Wired Connections [16-17] The ILTSO Standards state that "despite the convenience of WIFI networks,
wired ethernet based networks provide certain advantages and should be used wherever possible, since
connections are manually hardwired."
This is another completely ludicrous and onerous requirement that fails to take account of how many
solos - and lawyers generally - work. First, many lawyers, women in particular, often work from home.
Even with a home-office, however, they may rely on a wireless system in the house rather than a static
connection just for more flexibility. Second, many lawyers who do not have full time offices work from
public libraries or virtual office space where they can tap into a wireless service. What's the problem with
that? Essentially, this wired-connection nonsense effectively makes a full-time office a requirement - and
thus eliminates the flexibility and mobility that technology provides to lawyers.

There's been much written about the cloud already and what appears in this section seems consistent with
evolving best practices. Here, I take issue only with the requirement for 24/7 encryption for everything
(again, much of what I maintain in the cloud is already public or not personally identifiable).
Here, the ILTSO standards state plainly that "it is ensure that scanning or republication of
client data for delivery of ad content or other purpose…is prohibited." Interesting - the standards are
apparently referring to systems like Gmail which impose this. Even more interesting, Jeff Goens,
executive board head of ILTSO also founded Dialawg, a secure portal for client communication that is
supposed to replace email. (Can you say conflict of interest?) What's curious is that Google itself uses
gmail in-house - a fact that's publicized here and was confirmed by my husband who formerly worked
there. If Google is willing to entrust a multi-billion dollar company and secret search algorithm to gmail,
why isn't it good enough for lawyers?

Single User Access [22-23] ILTSO says that access to systems should have one user and passwords should
not be shared. I freely share my passwords with a trusted virtual assistant - I couldn't function if I didn't.
Again, no recognition here of the realities of many law practices.

Device Tracking [22-23] - recommends geo-tracking for devices, which isn't a bad idea - makes them
easier to recover if stolen. I can also live with encryption of client data on devices like flashdrives, just
because they're so easy to lose.

WiFi Connectivity [25-27] Private wifi is generally considered secure, public hotspots are not. This is also
a reasonable requirement.

Section 25.2 [29] takes the position that cloud providers are vendors that require oversight. Can we
please, please move away from this erroneous conception? If we classify cloud providers even as passive
vendors, why not the bank (which holds my IOLTA trust accounts), my cell phone service and the copy
store? Let's just not go down this path. Lawyers are not stupid. We know that when we put money in a
bank account, a passive vendor is involved and when we hire someone to manage it, there's an active
vendor. It goes without saying that we have oversight obligations over humans, not over services. Creating
categories of active and passive vendors is going to have longer term implications and potentially trigger
oversight duties where none should exist.

Confidentiality - lawyer should not reveal client data (30-31) Kind of obvious.

Shared obligation of Client (30-31) - Yes, clients always have a shared obligation to keep data confidential.
But that doesn't stop 'em from emailing their lawyers' emails to their friends and relations, even when
cautioned not to. Not sure of the point of this provision?
Don't communicate client data on social media (31) - OK fair enough. But why the gratuitous reminder to
be familiar with ethics rules on social media advertising in a security document? (ILTSO at 31) Goes
without saying that we need to follow all ethics rules. Or are ethics rules on social media somehow more
important or special?

Client Engagement Letter (31-32) - These provisions require lawyers to disclose to clients how lawyers will
communicate with and store client data. Sorry, not happening. Ever. There is no point to this provision.
My clients have enough on their minds when they come to me. They've got enormous problems and I want
to make their life easy with a seamless experience, not a retainer letter that goes on and on with
disclaimers and explanations about how I run my practice behind the scenes. What is the point of this

Personal identifiable information (PII) (32-33) - Yes, lawyers need to comply with federal and state law on
PII. It's a statutory issue, not an ethical issue.

Notification of Mistake (33) - seems to mimic existing obligations

Breach Notification (33-34) The requirement directs lawyers to notify clients of a security breach. I'm not
so sure that this is necessary if clients aren't harmed. Federal and state law impose requirements on
breach notification and in my view, these are adequate. Sure, if a client's ex-spouse comes into your office
and steals the case file your client ought to know. But if it appears that a machine that doesn't have any
PII on it may have been compromised, is it necessary to tell every single client? I'm not sure on this one.

Records preservation and document retention (34-36) sensible enough.

Third party monitoring and outsourcing (36-37) - Offshoring to other countries gets a pass because
presumably, it's done with client consent.

Section 42. Client Data (41) - Client data is "everything pertaining to representation of the client -
schedules, emails, attorney work product and PII." This may be true. But not all client data requires or
even deserves the same level of protection. Practicing lawyers know what to treat as confidential and not -
and need ample discretion to make these judgment calls. These standards apply an onerous one size fits
all requirement and sap lawyers of our ability to make decisions about the type of protection required for
client data. This is not the right direction to take.

42 - Oh - encryption should be at least 128-bit. (ILTSO at 42) I'd always thought that 256-bit was standard
practice - and indeed, this article suggests that 256 is better, but that if you're on a budget, 128 bit is fine.
Guess which company happens to use 128 bit?

43-45 - some good advice about setting passwords

A. Self-Certification
As I said at the outset, standards for non-tech lawyers can be helpful, and to the extent that the ILTSO
project is intended to do so, I'm all for it. Even more, I support a certification system where certain
vendors are "approved" by an independent board (as IOLTA banks are by the bar) - and solos choosing
those vendors would know that they were ethically compliant. (Solos seeking to do their own due diligence
would have flexibility to choose their own provider so long as doing so was consistent with best practices).
But that's not what's happening here. As a purely informational document, the ILTSO standards are fine,
albeit overkill as I've already described. But this project goes much further and may potentially do more
harm than good. That's because according to its website, the ILTSO is creating a certification process
which will:

publish the usage guidelines in Q2 2011, which will permit ILTSO subscribers to pay for the display of the
ILTSO mark to represent self-compliance.

In other words, any company that pays can hold itself out as complying with these standards. And because
it's an "honor" system and ILTSO has no responsibility, anyone who can pay can play. If I'm wrong, please
correct me.

Solos have already fallen prey to unscrupulous marketing schemes - but at the end of the day, it's our
licenses that are on the line. Let's say that a rogue company self-certifies with ILTSO and it turns out that
it's selling data. Solos who signed up to use that company may still find themselves subject to discipline.

Of course, perhaps the certification process is intended for law firms. If that's the case, it's just as bad.
That's because at most, solos will achieve the lower-regarded "bronze" compliance while big firms can
boast a gold-certification. Though this may not matter for all solos, those of us (myself included) who
compete with big firms stand at a distinct disadvantage in competing for clients, yet lacking the ability to
make the same claims regarding security - even when the protection that we afford data is equally sound.

My second question is why should we trust the ILTSO standards as a basis for independence when they're
not transparent? The Executive Board is headed by a company that stands to benefit personally from the
certification procedure and hasn't disclosed potential conflicts. Is 128-bit encryption really considered a
best practice - or was it adopted because that's what is used by Dialawg? Is email scanning really a
security violation that endangers data when multi-billion dollar companies like Google use it on a day to
day basis to protect their internal data? I don't know the answers to this, but I'd sure feel a lot more
comfortable if the Board disclosed its interest in this project. Even if there's no direct conflict, this
presents enough of an appearance of impropriety to make me nervous.

The ILTSO purports to establish international standards - but if that's the case, why didn't it follow the
appropriate protocol set forth here. Setting standards is a serious business for industry (something that I
know because I've tracked standards-setting in the marine renewables industry). There's a set
development process that includes engaging stakeholders, consumers, regulators and others. Here, the
ILTSO didn't engage work-a-day lawyers or even the bar associations (though that might have been an
exercise in futility). It's simply proclaimed that these are standards - without even demonstrating real
expertise. Are the folks on this committee bona fide security experts - or merely self-proclaimed? These are
answers that need to be provided.

Finally - these standards show no recognition of how solo and small firm lawyers work in practice. They
assume that solos are all alike with the same security needs - when in reality, each solo's needs are
practice specific. The standards also impose onerous requirements with no justification whatsoever -
calling for two ISP providers, prohibiting an assistant from accessing an attorney's accounts and requiring
the highest level security for all client data even if disclosure would not result in any harm, or if the data is
largely public. The rules require us to open up our back office to our clients and burden them with how we
keep documents when they just want us to handle their case.

Technology has been a savior to me in my practice. With it, I can serve clients more effectively and
efficiently. I can take on cases that I could not otherwise afford to manage simply because of the cost
reductions that I've enjoyed from technology. This misguided ILTSO effort will require solos and small
firms to hire outside security experts (full-employment for those near-obsolete consultants!) or to adopt
expensive and duplicative systems whose costs will inevitably be passed on to clients. Worst of all, I have
yet to see a real assessment of the risks involved in using gmail - or even (horrors!) Google apps or similar
systems (though lately, it does appear that Dropbox's security system has some serious issues).

We have an opportunity to make sensible rules that will enable lawyers to enjoy technology and keep our
clients' confidences secure. But to do so, we need to engage people from across different fields -
technology, finance and healthcare - who are actually knowledgeable with security and who don't have a
dog in this fight.
