April 15, 2011 Can You Spell Security Overkill? Try I-L-T-S-O Earlier this week at TechShow, a new group, the International Legal Technical Standards Organization (ILTSO)announced the publication of the 2011 Standards for public review and comment. Initially, I was excited at the prospect of guidelines that would enable non-techie, resource-constrained solo and small firm lawyers to make smart, safe technology choices. But both the standards recommended and the overall implementation of this effort are so ill-conceived, that I cannot possibly endorse this project as it stands. Before I begin my critique, I must insert this caveat right up front. I admire Stephanie Kimbro of VLOTech, Richard Granat of DirectLaw and Jack Newton of Clio who sit on the ILTSO Advisory Board and respect their views on security, ethics and the professional products that they have developed for solo practitioners. My criticism here represents a professional disagreement about the approach taken by the ILTSO; it should in no way be construed as a criticism of VLOTech, Clio or DirectLaw products or a personal attack on the great work that Stephanie, Richard and Jack have done for solos and the greater legal profession. Still, there is so much wrong with the ITLSO initiative that I scarcely know where to begin. The potential the costs of complying with this sledgehammer-of-a-security document are enormous and will inevitably be passed on by solos to their clients, thereby wiping out any benefits that these technologies of tomorrow may bring. The paper lumps large and small firms together, irrespective of practice areas or level of data sensitivity, instead, requiring Fort Knox level security even where the consequences of disclosure are insignificant. Indeed, this proposal is onerous enough to scare paper-loving solos into the arms of Dunder-Mifflin instead of incorporating technology into their practices. I've divided my critiques into two parts: substance and procedure. In Part I, I've addressed the substantive aspects of the proposed standards that in my view represent sheer overkill. In Part II, I've addressed the procedural defects, including (1) the self-certification money-grab; (2) lack of disclosure of potential conflicts by the executive board (for example, Jeff Goens is head of Dialawg, a secure protocol for communicating with clients that stands to benefit directly from the standards that hold that services like gmail are unacceptable; (3) the departure from accepted international protocols for setting international standards and (4) the Board's composition and lack of participation by work-a-day solos in different practice areas (except for Stephanie); I've got deadlines on all fronts, so this will be pretty cursory, but here goes. PART I: SUBSTANTIVE COMMENTS General Comment: The proposed report establishes four levels of compliance: bronze, silver and gold. The bronze standard is appropriate for all levels including solos, and silver is appropriate for firms of more than one attorney or where "circumstances or resources dictate." [Report at 8] My comments focus only on the bronze and silver requirements. Two problems with this approach. First, it suggests that solo and small firms are second class citizens. If ILTSO succeeds in implementing its certification requirement, a solo firm that fully complies with what's expected for its size will achieve bronze and therefore, appear less security-smart than the large firms who qualify for gold. Second - and far more seriously, lumping all solo and small firms together for security purposes makes absolutely no sense. There are solos who run volume social-security or consumer debt practices who collect substantial amounts of personally-identifiable information from clients. Solos who retain personally identifiable information (including SS numbers, credit card numbers, etc…) pose a far greater threat than, for example, a three-person firm that handles exclusively appellate and regulatory matters where the bulk of "client data" resides in the public record. Though solos ought not be burdened with excessive, onerous requirements, they shouldn't get a pass either. If solos are handling information where there's a substantial risk that disclosure will give rise to identity theft, then they've got to comply with whatever standards apply under federal and state law for that given situation. To treat solos differently for security purposes based on size rather than substance of their practice areas puts clients at risk. (For more about the preferred approach of risk assessment, see my letter to the NC Bar here. Specific Mark-Up For the record, I don't disagree with all of the ILTSO standards. Some do make sense, as my discussion below points out: LOCAL NETWORKS Data Room Access, Edge planning [ILTSO 9-10] - I don't know enough about this to comment one way or another. Hardware Firewalls [ILTSO 10-11] - agree with need for password protected firewalls OnSite Data Storage [ILTSO 12-13] - encrypt client data once a day with a log. I'm mixed here. Once a day really isn't necessary in my practice, but at the same time, if you use TimeMachine or other auto-back up, the once a day requirement isn't a big deal either. Not sure why a log should be maintained - just looking at my OS and Time Machine icon tells me when I last backed up. As for encryption, again, it's the overkill problem. At least 70 percent of my data includes publicly-filed materials where encryption isn't needed. And even for my client communications, really - even in a worst case scenario where someone were to steal my machine and read all the client documents, my clients probably wouldn't be prejudiced unless the docs got back to my opposing counsel. The only reason I see for encryption is to protect data that if released can give rise to identity theft. Offsite Data Back-Up - Daily requirement and encryption - see comments above. [ILTSO 12] File Servers [ILTSO 13-14] - Can't comment, don't know enough. Connection Redundancy [ILTSO 15-16] The standards say that "it is imperative to retain a second Internet connection for redundancy." This is the most idiotic idea I've ever heard. First, the cost of two ISP services can be significant, particularly for solo and small firms. Second, I don't know how the ILTSO authors' ISPs work, but in my house, when the power goes down, everything goes down; presumably the ISPs would all go down as well. Third, there are parts of the country that still don't have internet access from one company, let alone two. How is someone in a remote part of the country going to find two ISPs? If a solo's ISP goes down, there are ways to deal with it. Most solos have mifi or smartphones with 3G access. There's also Kinkos and public libraries and Starbucks which granted, while not ideal will do in a pinch. Section 11 (Connection Redundancy) also says that it is imperative to understand the TOS for each ISP to ensure that data monitoring is not permitted, except in accordance with law. Why just for ISPs? Why not for the phone service? What about the postal service - are they holding my envelopes up to the light to peak in? Again, this is just silly overkill that will give technophobes and luddites one more excuse to avoid the Internet. AntiVirus Scanning [15-16] Absolutely should be standard practice. Wired Connections [16-17] The ILTSO Standards state that "despite the convenience of WIFI networks, wired ethernet based networks provide certain advantages and should be used wherever possible, since connections are manually hardwired] This is another completely ludicrous and onerous requirement that fails to take account of how many solos - and lawyers generally work. First, many lawyers, women in particular, often work from home. Even with a home-office, however, they may rely on a wireless system in the house rather than a static connection just for more flexibility. Second, many lawyers who do not have full time offices work from public libraries or virtual office space where they can tap into a wireless service. What's the problem with that? Essentially, this wired-connection nonsense effectively makes a full-time office a requirement - and thus eliminates the flexibility and mobility that technology provides to lawyers. CLOUD SERVICES [17-21] There's been much written about the cloud already and what appears in this section seems consistent with evolving best practices. Here, I take issue only with the requirement for 24/7 encryption for everything (again, much of what I maintain in the cloud is already public or not personally identifiable) Here, the ILTSO standards state plainly that "it is critical..to ensure that scanning or republication of client data for delivery of ad content or other purpose…is prohibited." Interesting - the standards are apparently referring to systems like Gmail which impose this. Even more interesting, Jeff Goens, executive board head of ILTSO also founded Dialawg, a secure portal for client communication that is supposed to replace email. (Can you say conflict of interest?) What's curious is that Google itself uses gmail in-house - a fact that's publicized here and was confirmed by my husband who formerly worked there. If Google is willing to entrust a multi-billion dollar company and secret search algorithm to gmail, why isn't it good enough for lawyers? ACCESS DEVICES Single User Access [22-23] ILTSO says that access to systems should have one user and passwords should not be shared. I freely share my passwords with a trusted virtual assistant - I couldn't function if I didn't. Again, no recognition here of the realities of many law practices. Device Tracking [22-23] - recommends geo-tracking for devices, which isn't a bad idea - makes them easier to recover if stolen. I can also live with encryption of client data on devices like flashdrives, just because they're so easy to lose. WiFi Connectivity [25-27] Private wifi is generally considered secure, public hotspots are not. This is also a reasonable requirement. ETHICS CONSIDERATIONS Section 25.2  takes the position that cloud providers are vendors that require oversight. Can we please, please move away from this erroneous conception? If we classify cloud providers even as passive vendors, why not the bank (which holds my IOLTA trust accounts), my cell phone service and the copy store? Let's just not go down this path. Lawyers are not stupid. We know that when we put money in a bank account, a passive vendor is involved and when we hire someone to manage it, there's an active vendor. It goes without saying that we have oversight obligations over humans, not over services. Creating categories of active and passive vendors is going to have longer term implications and potentially trigger oversight duties where none should exist. Confidentiality - lawyer should not reveal client data (30-31) Kind of obvious. Shared obligation of Client (30-31) - Yes, clients always have a shared obligation to keep data confidential. But that doesn't stop 'em from emailing their lawyers' emails to their friends and relations, even when cautioned not to. Not sure of the point of this provision? Don't communicate client data on social media (31) - OK fair enough. But why the gratuitous reminder to be familiar with ethics rules on social media advertising in a security document? (ILTSO at 31) Goes without saying that we need to follow all ethics rules. Or are ethics rules on social media somehow more important or special? Client Engagement Letter (31-32) - These provisions require lawyers to disclose to clients how lawyers will communicate with and store client data. Sorry, not happening. Ever. There is no point to this provision. My clients have enough on their minds when they come to me. They've got enormous problems and I want to make their life easy with a seamless experience, not a retainer letter that goes on and on with disclaimers and explanations about how I run my practice behind the scenes. What is the point of this nonsense? Personal identifiable information (PII) (32-33) - Yes, lawyers need to comply with federal and state law on PII. It's a statutory issue, not an ethical issue. Notification of Mistake (33) - seems to mimic existing obligations Breach Notification (33-34) The requirement directs lawyers to notify clients of a security breach. I'm not so sure that this is necessary if clients aren't harmed. Federal and state law impose requirements on breach notification and in my view, these are adequate. Sure, if a client's ex-spouse comes into your office and steals the case file your client ought to know. But if it appears that a machine that doesn't have any PII on it may have been compromised, is it necessary to tell every single client? I'm not sure on this one. Records preservation and document retention (34-36) sensible enough. Third party monitoring and outsourcing (36-37) - Offshoring to other countries gets a pass because presumably, it's done with client consent. DEFINITIONS Section 42. Client Data (41)- Client data is "everything pertaining to representation of the client - schedules, emails, attorney work product and PII." This may be true. But not all client data requires or even deserves the same level of protection. Practicing lawyers know what to treat as confidential and not - and need ample discretion to make these judgment calls. These standards apply an onerous one size fits all requirement and sap lawyers of our ability to make decisions about the type of protection required for client data. This is not the right direction to take. 42- Oh - encryption should be at least 128-bit. (ILTSO at 42) I'd always thought that 256-bit was standard practice - and indeed, this article suggests that 256 is better, but that if you're on a budget, 128 bit is fine. Guess which companyhappens to use 128 bit? 43-45 - some good advice about setting passwords PART II: PROCEDURAL DEFECTS A. Self-Certification As I said at the outset, standards for non-tech lawyers can be helpful, and to the extent that the ITLSO project is intended to do so, I'm all for it. Even more, I support a certification system where certain vendors are "approved" by an independent board (as IOLTA banks are by the bar) - and solos choosing those vendors would know that they were ethically compliant. (Solos seeking to do their own due diligence would have flexibility to choose their own provider so long as doing so was consistent with best practices). But that's not what's happening here. As a purely informational document, the ILTSO standards are fine, albeit overkill as I've already described. But this project goes much further and may potentially do more harm than good. That's because according to its website, the ILTSO is creating a certification process which will: publish the usage guidelines in Q2 2011, which will permit ILTSO subscribers to pay for the display of the ILTSO mark to represent self-compliance. In other words, any company that pays can hold itself out as complying with these standards. And because it's an "honor" system and ILTSO has no responsibility, anyone who can pay can play. If I'm wrong, please correct me. Solos have already fallen prey to unscrupulous marketing schemes - but at the end of the day, it's our licenses that are on the line. Let's say that a rogue company self-certifies with ILTSO and it turns out that it's selling data. Solos who signed up to use that company may still find themselves subject to discipline. Of course, perhaps the certification process is intended for law firms. If that's the case, it's just as bad. That's because at most, solos will achieve the lower-regarded "bronze" compliance while big firms can boast a gold-certification. Though this may not matter for all solos, those of us (myself included) who compete with big firms stand at a distinct disadvantage in competing for clients, yet lacking the ability to make the same claims regarding security - even when the protection that we afford data is equally sound. My second question is why should we trust the ILTSO standards as a basis for independence when they're not transparent? The Executive Board is headed by a company that stands to benefit personally from the certification procedure and hasn't disclosed potential conflicts. Is 128-bit encryption really considered a best practice - or was it adopted because that's what is used by Dialawg? Is email scanning really a security violation that endangers data when multi-billion dollar companies like Google use it on a day to day basis to protect their internal data? I don't know the answers to this, but I'd sure feel a lot more comfortable if the Board disclosed its interest in this project. Even if there's no direct conflict, this presents enough of an appearance of impropriety to make me nervous. The ILTSO purports to establish international standards - but if that's the case, why didn't it follow the appropriate protocol set forth here. Setting standards is a serious business for industry (something that I know because I've tracked standards-setting in the marine renewables industry). There's a set development process that includes engaging stakeholders, consumers, regulators and others. Here, the ILTSO didn't engage work-a-day lawyers or even the bar associations (though that might have been an exercise in futility). It's simply proclaimed that these are standards - without even demonstrating real expertise. Are the folks on this committee bonafide security experts - or merely self-proclaimed? These are answers that need to be provided. Finally - these standards show no recognition of how solo and small firm lawyers work in practice. They assume that solos are all alike with the same security needs - when in reality, each solo's needs are practice specific. The standards also impose onerous requirements with no justification whatsoever - calling for two ISP providers, prohibiting an assistant from accessing an attorney's accounts and requiring the highest level security for all client data even if disclosure would not result in any harm, or if the data is largely public. The rules require us to open up our back office to our clients and burden them with how we keep documents when they just want us to handle their case. Technology has been a savior to me in my practice. With it, I can serve clients more effectively and efficiently. I can take on cases that I could not otherwise afford to manage simply because of the cost reductions that I've enjoyed from technology. This misguided ILTSO effort will require solos and small firms to hire outside security experts (full-employment for those near-obsolete consultants!) or to adopt expensive and duplicative systems whose costs will inevitably be passed on to clients. Worst of all, I have yet to see a real assessment of the risks involved in using gmail - or even (horrors!) Google apps or similar systems (though lately, it dos appear that Dropbox's security system has some serious issues. We have an opportunity to make sensible rules that will enable lawyers to enjoy technology and keep our clients' confidences secure. But to do so, we need to engage people from across different fields - technology, finance and healthcare - who are actually knowledgeable with security and who don't have a dog in this fight.