
Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).

Section 5(a) of the FTC Act (15 USC §45), for example, prohibits “unfair or deceptive acts or practices in or affecting commerce.” This includes online advertising and product endorsements. The FTC has issued several guidance documents addressing “unfair or deceptive acts” in online advertising, such as its 2013 revised guidance “Dot Com Disclosures, a guide to online advertising” and online “FAQs” for “Endorsement Guidelines”.

These guidance documents all highlight the same basic principles:

1.     Endorsers should substantiate all product claims.

2.     Endorsers should disclose whether they receive compensation for their endorsement from a sponsor.

3.     Disclosures should be included in the endorsement itself, through hashtags on social media posts (#ad) or direct disclosures next to the product image or review.

4.     Simply disclosing a connection to the sponsor on a website or profile page is not enough—the connection between sponsor and endorser must be displayed as close to the advertisement as possible.

Applying this logic, bar associations should substantiate all claims regarding technology service products. Bar associations should also disclose any consideration received for positive reviews and product endorsements—as close to the review and endorsement as possible—and not on a separate webpage, newsletter, or bulletin. Finally, bar associations should consider disclosing other non-monetary connections to technology service providers (e.g., shared board or leadership positions, exclusive arrangements) that may affect consumer perception of a review or endorsement.

Liability for False and Deceptive Advertising?

Though bar associations are generally 501(c)(3) or 501(c)(6) organizations, they cannot rely solely on their tax-exempt status to avoid potential liability under the FTC Act and similarly written little FTC acts. In California Dental Assn. v. FTC, 526 U.S. 756 (1999), the Supreme Court held that the FTC had jurisdiction over a nonprofit association of local dental societies. The Court highlighted that the nonprofit provided substantial economic benefits to its for-profit members through desirable insurance and preferential financing arrangements, and through lobbying, litigation, marketing, and public relations services. These “commercial” activities were enough to trigger FTC jurisdiction, despite the California Dental Association’s nonprofit status.

Furthermore, bar associations must be careful about offering advertising services to any service providers (technology vendor or not), if they wish to maintain their 501(c)(3) or 501(c)(6) status. By receiving compensation for advertising services—beyond ordinary charitable sponsorships—bar associations risk corporate tax treatment for “unrelated business income” or the loss of their tax-exempt status altogether.

Keeping the Click-Through

“Terms of Use” or “Terms and Conditions” (“terms”) generally govern the relationship between consumers and online service providers. These terms usually disclaim implied warranties, set limitations on the liability of the technology provider, and set other boundaries on consumer expectations. In situations where consumers “assent” to the terms, either through a click-through agreement, expiration of a return period, or some conspicuous disclosure of the terms prior to agreement, courts will generally enforce these disclaimers (see Scott v. Bell Atlantic Corp., 282 A.D.2d 180 (1st Dept 2001) (warranty disclaimer in the terms and conditions governed, even when advertisements for DSL Internet promised fast and reliable service)).

In contrast, courts have been reluctant to enforce terms that are unreadable or hidden on an online platform (see Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 23 (2d Cir. 2002) (terms unenforceable where they “would have become visible to plaintiffs only if they had scrolled down to the next screen”); In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058, 1064 (D. Nev. 2012) (“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use”)).

Liability for the Terms?

Bar associations may be tempted to “uberize” their online presence and create web-based portals for legal service providers. This runs the risk, however, of creating implied warranties that the technology vendor is suitable and appropriate for attorneys. Though terms generally disclaim such implied warranties, as noted above, the bar association may inadvertently modify or hide third-party terms, making these disclaimers unenforceable. This creates a potential liability risk for the bar association and technology vendor.

In addition, if bar associations contract to use, distribute, or resell technology services (through group licenses or otherwise), they may be required by contract to pass on third-party terms to their membership. Failure to incorporate these terms may constitute a breach of contract with the technology vendor. Furthermore, the vendor may seek indemnity from the bar association if the bar association’s actions led to third-party claims against the vendor.

Consequently, it is up to bar associations to either direct attorneys to third-party vendor terms before attorneys use their services, or appropriately incorporate these terms into their agreements with members. Bar associations may look to several American Bar Association (ABA) resources to create valid online agreements (see, e.g., Christina L. Kunz, Heather Thayer, Maureen F. Del Duca, and Jennifer Debrow, “Click-Through Agreements: Strategies for Avoiding Disputes on Validity of Assent,” Business Lawyer, November 2001 (57:1), at 401).

Cybersecurity and Confidentiality

When it comes to cybersecurity, ignorance is no excuse for attorneys. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous e-mail hacks of Cravath and Weil Gotshal. Last year, a UK-based cybersecurity firm reported that almost 800,000 UK and global law firm e-mail addresses and affiliated passwords were available on the dark web.

To respond to the growing specter of law firm data breaches, the ABA has issued Formal Opinion 477R concerning the security of confidential client information, and Formal Opinion 483 concerning attorneys’ ethical obligations following a data breach. In addition, Comment [8] to ABA Model Rule of Professional Conduct 1.1 Duty of Competence states that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

At their core, these opinions and ethics rules require attorneys to implement “reasonable” administrative, technical, and physical security measures to protect client confidentiality and monitor attorney networks and systems. This includes ongoing risk assessments of an attorney’s exposure to cyber incidents and business interruptions, in light of the sensitivity of client data, existing technical safeguards, and the cost and difficulty of implementing new safeguards (ABA Formal Opinion 483).

The ABA recognizes, however, that attorneys may need assistance with evaluating and implementing technology solutions. According to ABA Formal Opinion 477R, “[a]ny lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.” Bar associations can fulfill their natural role of training lawyers by providing CLEs and written materials from members and third-party IT and security experts on technology competence. Bar associations may also provide similar guidance to Formal Opinion 477R on basic cybersecurity hygiene for attorneys, such as the use of encryption for sensitive files, VPNs, multifactor authentication, antivirus software, and firewalls.

To protect their members—and the public at large—bar associations should also conduct cybersecurity due diligence for all technology service providers before promoting, offering, or otherwise displaying the services of these providers on bar websites and other media. Ideally, this due diligence would occur on an ongoing basis, or at least annually, to account for changing cybersecurity risks. It should be clear to all parties involved, however, that the bar association’s role in cybersecurity due diligence is limited to screening for minimum security requirements, and that these minimum requirements do not necessarily meet the “reasonable security” requirements of the Model Rules.

This caveat is important. Attorneys cannot completely outsource their cybersecurity obligations, nor can bar associations operate as outsourced IT providers. This is because the “reasonability” standard of the Model Rules is fact-specific, and attorneys bear the responsibility for assessing the sensitivity of their clients’ files, understanding their technological needs, and appropriately training and supervising their staff on client confidentiality. In addition, attorneys need to conduct separate inquiries into their privacy and cybersecurity obligations under new and existing laws and regulatory frameworks—whether it is the General Data Protection Regulation (GDPR) in Europe, the domestic alphabet soup of CCPA, HIPAA, and GLBA (or FedRAMP, a federal authorization program rather than a statute, for vendors serving federal agencies), or laws in other jurisdictions. These laws and frameworks may impose more stringent standards than what is required by Model Rules 1.1 or 1.6.

As a result, bar associations cannot represent that any particular service provider or technology product has adequate security safeguards for its membership as a whole. And even if such a miracle technology existed, attorneys would still be responsible for properly configuring the technology to their computers and networks, keeping their access credentials secure, and maintaining regular software updates on their systems.

Conclusion

Technology cycles move very quickly, hence the famous catchphrase “move fast and break things.” Bar associations and attorneys alike can easily get caught in the fervor of short product cycles and the next, best product, thinking—all the while—that it will improve the prospects of the legal community and the public at large.

While technology can improve the public’s access to justice, not all technology vendors are equal. Bar associations need to remember that their guidance on technology may impact the decision making of an entire generation of lawyers. So before proceeding, their motto should be—for lack of a better phrase—“move slowly and fix things.”

Technology Vendor Due Diligence Checklist

Security and Internet standards to protect client confidentiality

o   Encryption (in transit and at rest, where appropriate to the sensitivity of data)

o   Access controls (including multi-factor authentication and strong passwords)

o   Backup and disaster recovery systems

o   Antivirus

o   Firewall

Contractual obligations

o   Notification of security breaches

o   Confidentiality of client data and/or limitations on service provider’s ability to share or use data

o   Check for incorporation of third-party terms or requirements to provide notice of third-party terms

o   Check for indemnity and limitation of liability clauses

Service-level commitments to prevent business interruption

o   Service-level availability/uptime commitments

o   Provision of regular updates/software patches

o   Integrations with popular operating systems and software

Trust accounting capabilities for any billing provider, or disclosures concerning whether attorneys will need to do separate configurations for trust accounting

Lily Li
Owner of Metaverse Law, CIPP/US, CIPP/E, CIPM
https://www.metaverselaw.com



Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two-day event in San Diego, CA, from Thursday, January 9 to Friday, January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, and lunch, with a cocktail reception on the ninth and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule


What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA, the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms, and educational apps and technologies that were not around in 1998.) Finally, the California Attorney General recently released proposed regulations to the California Consumer Privacy Act (CCPA), which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collecting personal information from children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:

  • How the development of new technologies, the evolving nature of privacy harms, and changes in the way parents and children use websites and online services, affect children’s privacy today;
  • Whether COPPA should permit general audience platforms to rebut the presumption that all users of child-directed content are children, and if so, under what circumstances;
  • Whether COPPA should be amended to better address websites and online services that do not include traditionally child-oriented activities, but that have large numbers of child users.

It remains unclear how these issues and others will be resolved. Eager to tap into the new revenue streams that children represent, many tech companies will try to carve out exceptions to COPPA—openly or not. On the other side, child advocates and politicians such as Senator Edward Markey, one of the original authors of COPPA, are pushing back and even trying to tighten restrictions related to children’s online privacy. 

Sometimes the issues are not so black and white. For instance, many well-intentioned companies, tech and otherwise, that have no interest in marketing to children might still be unable to verify the age of users that visit their websites, resulting in inadvertent marketing to minors. Even those that attempt to verify the age of users may face challenges, given the thousands of websites dedicated to helping users bypass age gates and parental controls. Finally, some age verification techniques may run counter to data minimization and privacy concerns (e.g., the collection of credit card data to verify age, when it is not necessary for the provision of the service). Regardless of what happens with COPPA at the FTC and with the new privacy laws springing up across the world, companies will need to be extra cautious about how they approach children’s online privacy, continually reviewing their practices and policies to ensure that they are not running afoul of the multitude of laws and regulations out there. Those that do not will run the risk of becoming subject to both regulatory and legal action.


Metaverse Law to Speak at Artificial Intelligence Los Angeles Seminar

Metaverse Law will be one of the speakers at the AI LA Community’s seminar focused on cyber security and privacy. The seminar will be held at The Cedars-Sinai Accelerator in West Hollywood on Thursday, November 21st.

The event is from 6:30PM to 10:00PM and includes networking, a panel of speakers followed by a Q&A, and concludes with another round of networking.

Tickets and further event details can be found at https://www.eventbrite.com/e/ai-cybersecurity-and-privacy-tickets-80204145759


Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration from 11:00AM to 11:45AM, followed by lunch and a seminar, which conclude at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.
