Come one, come all. The first issue of Circuits — the famous e-Journal of the Computer & Technology Section — has hit the electronic press. This issue has five full-fledged articles. The Short Circuits section has two more (mini) articles of practical interest. You can download the issue here.
This article is one of a series that caters to small law offices in Texas (e.g., five or fewer attorneys). The articles will cover topics involving technology that small law firms need occasionally, but not often enough to warrant the purchase of a license or a subscription to a service. In other words, something on the cheap for occasional use. We’ll concentrate on those technologies that are less likely to cause a violation of the Disciplinary Rules or cause your client to lose their attorney-client privilege.
Some History
Over the last several years, attorneys have adopted services such as DropBox and Box to store and transfer large numbers of files (or files larger than would fit as an email attachment). While these services are convenient, a recent Virginia case has law firms searching for viable alternatives. The case in question was Harleysville Ins. Co. v. Holding Funeral Home, Inc. (W.D. VA, Feb. 9, 2017). In that case, the client needed to transfer a large number of files — including the all-important claims file — so that an agent with the National Insurance Crime Bureau could access the files. Here, the client chose to use the Box service as the transfer medium. The client uploaded the files to a Box account and then sent an email to the agent with a hyperlink to the storage area. Anyone with access to that hyperlink could access the files. No password or encryption was used to protect the files. In cyber parlance, the plaintiff relied on security through obscurity. Subsequently, the Bureau responded to a subpoena from the defendant and provided the email containing the hyperlink (among other documents) to opposing counsel, the latter of whom proceeded to gain access to the claims file. The plaintiff moved to disqualify all defense counsel. The defendant responded by claiming that the plaintiff had waived privilege.
Magistrate Judge Sargent, using Virginia law, ruled in favor of the defendant and deemed the disclosure of the claims file to be inadvertent, rather than involuntary, and found that the plaintiff did not “implement sufficient precautions to maintain its confidentiality.” Indeed, in ruling for the defendant, Judge Sargent noted that the plaintiff didn’t undertake “any precautions” to safeguard the information. Further, the court noted:
“It does not matter whether this employee believed that this site would function for only a short period of time or that the information uploaded to the site would be accessible for only a short period of time. Because of his previous use of the Box Site, this employee either knew — or should have known — that the information uploaded to the site was not protected in any way and could be accessed by anyone who simply clicked on the hyperlink. Despite this, this employee purposefully uploaded the Claims File to the Box Site, making it accessible to anyone with access to the internet, thus making the extent of the disclosure vast.”
Some More History
Several members of the Computer & Technology Section attended the Legal Tech New York conference that was held in late January, 2017. As with most legal conferences, there were vendors who cater to the needs of large law firms. In fact, by the measure of the conference organizers, small law firms had up to fifty attorneys. Clearly, the organizers of that conference live in a different world.
The vendors that were at the conference were, as usual, after money. We don’t fault them for that, but of 100+ vendors at that conference, only three of them had something of merit for small law firms in Texas.
One of those vendors was a company called TitanFile. As the company name suggests, it enables attorneys to transfer large files to their clients without the use of DropBox or Box. TitanFile has a subscription service that costs at least fifteen dollars per month, a price that is comparable to Box (minimum of three users at $5/month). DropBox has a free option, but the space for that option is capped at 2 GB.
Problems with the Paid Services
One of the problems with Box and DropBox is security, privacy and attorney-client privilege, as the Virginia case attests. In addition to the security concerns, there are the Texas Disciplinary Rules of Professional Conduct, namely Rule 1.05 regarding Client Confidences, in particular 1.05(b)(1)(ii). Put quite simply, the uploading of client confidences to something like Box or DropBox might be deemed to run afoul of Rule 1.05 because those services are outside the possession or control of the attorney. It should be said at this point that the Bar has not expressly stated that those services run afoul of 1.05, but several attorneys (the author included) have refrained from using Box or DropBox for client information precisely because the attorney cannot completely control who has access to that information, how or where the information is backed up, and who has the keys to any encryption used (or not). This, of course, begs the question…
Is There a Less Expensive Alternative?
Yes! Does that less expensive alternative require the purchase of a software license? No. Does the less expensive alternative require a subscription? No.
Enter OwnCloud.
OwnCloud is an open source replacement for Box and DropBox. Actually, OwnCloud is more than just file storage and file sharing. With OwnCloud, you can sync calendars, contacts, mail and quite a lot more. Even better, OwnCloud uses an authentication mechanism (by default), which is what the Virginia Judge found missing in the plaintiff’s web service.
For you and your client, all that is needed to access the data is a standard web browser and a machine to run OwnCloud that is accessible via the Internet. For most attorneys, however, the requirement of an Internet-accessible machine is a show stopper. However, you shouldn’t let that deter you because…
Enter DigitalOcean.
DigitalOcean is a service that hosts virtual machines that are accessible via the Internet. DigitalOcean offers “Droplets” which are pre-configured machines that you create, use, and then destroy. You pay only for as long as the virtual machine is in existence.
Does DigitalOcean have a pre-configured droplet for OwnCloud? Yes! Which means that you can install and deploy OwnCloud on an Internet-accessible machine in about 55 seconds.
The upside is that the attorney has complete control of the OwnCloud virtual machine. You create a droplet. Tell OwnCloud who can access it, and transfer the data with your client. When you’re finished, simply delete the droplet. Note, from bitter experience, I have learned that once a droplet has been deleted, no one can get it back. The information is gone — permanently. That’s a good thing. Once you delete that droplet, you can honestly say to your client that the data that was on that server is gone for good. DigitalOcean does not make any attempt to back up the data under the standard contract.
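An added example, not from the original article or from the OwnCloud project: one way to hand a folder to a client from the temporary OwnCloud server with the two protections that were missing in Harleysville, a password on the link and an expiry date. It builds the request for ownCloud's OCS Share API without sending it; the host name, account, folder path and the 30-day ceiling are assumptions made for illustration.

```python
import base64
import datetime
import secrets
import urllib.parse
import urllib.request

SHARE_API = "/ocs/v1.php/apps/files_sharing/api/v1/shares"  # ownCloud OCS Share API
PUBLIC_LINK = 3   # shareType 3 = share by link
READ_ONLY = 1     # permissions 1 = read only
MAX_DAYS = 30     # assumed firm policy, not an ownCloud limit


def build_share_request(base_url, user, account_password, path,
                        days_valid=7, today=None):
    """Return (request, link_password); nothing is sent until urlopen(request)."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if not 1 <= days_valid <= MAX_DAYS:
        raise ValueError("share must expire in 1 to %d days" % MAX_DAYS)
    today = today or datetime.date.today()
    # Random link password; pass it to the client by phone, not in the
    # same email as the link (that email may later be produced to others).
    link_password = secrets.token_urlsafe(18)
    form = {
        "path": path,
        "shareType": PUBLIC_LINK,
        "permissions": READ_ONLY,
        "password": link_password,
        "expireDate": (today + datetime.timedelta(days=days_valid)).isoformat(),
    }
    req = urllib.request.Request(
        base_url.rstrip("/") + SHARE_API,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    token = base64.b64encode(f"{user}:{account_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req, link_password


if __name__ == "__main__":
    # Constructed values: host, account and folder are placeholders.
    req, pw = build_share_request("https://files.example-firm.test", "attorney",
                                  "account-password-here", "/Matter-1234/claims-file",
                                  days_valid=3)
    print(req.full_url)
    print(req.data.decode().replace(pw, "<link password>"))
    # urllib.request.urlopen(req) would create the share on a real server.
```
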
If you don’t like DigitalOcean, there are alternatives…
Because OwnCloud is open source software, other companies have adopted it for the same reasons that DigitalOcean has. In fact, one of my aerospace clients routinely uses OwnCloud for data transfers for precisely the reasons noted above. If you don’t want to go to the (minor) inconvenience of setting up a temporary OwnCloud site, your client might do it for you. Suggest it to them. The cost is minimal, and they will know that you’re looking out for their best interests.
In the most recent release of Circuits, Pierre Grosdidier and Cassidy Daniels share a thorough article on the Federal Trade Commission’s guidelines. Their research and reference to supporting materials shed light on the FTC guidelines. Just a small sampling of suggestions the FTC’s guidelines offer:
Do not collect unneeded information.
Restrict access to data.
Require secure passwords. “Qwerty” and “121212” are no better than having no password at all.
Suspend or disable users after a certain number of unsuccessful login attempts.
Store and transmit sensitive information securely. Train personnel and use accepted encryption methods—no need to reinvent the wheel.
Segment networks and monitor who is trying to get in and out.
Secure remote network access.
Read the article by Pierre and Cassidy in its entirety here.