
Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).

Section 5(a) of the FTC Act (15 USC §45), for example, prohibits “unfair or deceptive acts or practices in or affecting commerce.” This includes online advertising and product endorsements. The FTC has issued several guidance documents addressing “unfair or deceptive acts” in online advertising, such as its 2013 revised guidance “Dot Com Disclosures, a guide to online advertising” and online “FAQs” for “Endorsement Guidelines”.

These guidance documents all highlight the same basic principles:

1. Endorsers should substantiate all product claims.

2. Endorsers should disclose whether they receive compensation for their endorsement from a sponsor.

3. Disclosures should be included in the endorsement itself, through hashtags on social media posts (#ad) or direct disclosures next to the product image or review.

4. Simply disclosing a connection to the sponsor on a website or profile page is not enough—the connection between sponsor and endorser must be displayed as close to the advertisement as possible.

Applying this logic, bar associations should substantiate all claims regarding technology service products. Bar associations should also disclose any consideration received for positive reviews and product endorsements—as close to the review and endorsement as possible—and not on a separate webpage, newsletter, or bulletin. Finally, bar associations should consider disclosing other non-monetary connections to technology service providers (e.g., shared board or leadership positions, exclusive arrangements) that may affect consumer perception of a review or endorsement.

Liability for False and Deceptive Advertising?

Though bar associations are generally 501(c)(3) or 501(c)(6) organizations, they cannot rely solely on their tax-exempt status to avoid potential liability under the FTC Act and similarly written little FTC acts. In California Dental Assn. v. FTC, 526 U.S. 756 (1999), the Supreme Court found that the FTC had jurisdiction over a nonprofit association of local dental societies. The Court highlighted that the nonprofit provided substantial economic benefits to their for-profit members, through desirable insurance and preferential financing arrangements, and lobbying, litigation, marketing, and public relations services. These “commercial” activities were enough to trigger FTC jurisdiction, despite the California Dental Association’s nonprofit status.

Furthermore, bar associations must be careful about offering advertising services to any service providers (technology vendor or not), if they wish to maintain their 501(c)(3) or 501(c)(6) status. By receiving compensation for advertising services—beyond ordinary charitable sponsorships—bar associations risk corporate tax treatment for “unrelated business income” or the loss of their tax-exempt status altogether.

Keeping the Click-Through

“Terms of Use” or “Terms and Conditions” (“terms”) generally govern the relationship between consumers and online service providers. These terms usually disclaim implied warranties, set limitations on the liability of the technology provider, and set other boundaries on consumer expectations. In situations where consumers “assent” to the terms, either through a click-through agreement, expiration of a return period, or some conspicuous disclosure of the terms prior to agreement, courts will generally enforce these disclaimers (see Scott v. Bell Atlantic Corp., 282 A.D.2d 180 (1st Dept 2001) (warranty disclaimer in the terms and conditions governed, even when advertisements for DSL Internet promised fast and reliable service)).

In contrast, courts have been reluctant to enforce terms that are unreadable or hidden on an online platform (see Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 23 (2d Cir. 2002) (terms unenforceable where they “would have become visible to plaintiffs only if they had scrolled down to the next screen”); In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058, 1064 (D. Nev. 2012) (“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use”)).

Liability for the Terms?

Bar associations may be tempted to “uberize” their online presence and create web-based portals for legal service providers. This runs the risk, however, of creating implied warranties that the technology vendor is suitable and appropriate for attorneys. Though terms generally disclaim such implied warranties, as noted above, the bar association may inadvertently modify or hide third-party terms, making these disclaimers unenforceable. This creates a potential liability risk for the bar association and technology vendor.

In addition, if bar associations contract to use, distribute, or resell technology services (through group licenses or otherwise)—they may be required by contract to pass on third-party terms to their membership. Failure to incorporate these terms may constitute a breach of contract with the technology vendor. Furthermore, the vendor may try to seek indemnity from the bar association, if the bar association’s actions led to third-party claims against the vendor.

Consequently, it is up to bar associations to either direct attorneys to third-party vendor terms before attorneys use their services, or appropriately incorporate these terms into their agreements with members. Bar associations may look to several American Bar Association (ABA) resources to create valid online agreements (see, e.g., Christina L. Kunz, Heather Thayer, Maureen F. Del Duca, and Jennifer Debrow, “Click-Through Agreements: Strategies for Avoiding Disputes on Validity of Assent,” Business Lawyer, November 2001 (57:1), at 401).

Cybersecurity and Confidentiality

When it comes to cybersecurity, ignorance is no excuse for attorneys. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous e-mail hacks of Cravath and Weil Gotshal. Last year, a UK-based cybersecurity firm reported that almost 800,000 UK and global law firm e-mail addresses and affiliated passwords were available on the dark web.

To respond to the growing specter of law firm data breaches, the ABA has issued Formal Opinion 477R concerning the security of confidential client information, and Formal Opinion 483 concerning attorneys’ ethical obligations following a data breach. In addition, Comment [8] to ABA Model Rule of Professional Conduct 1.1 Duty of Competence states that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

At their core, these opinions and ethics rules require attorneys to implement “reasonable” administrative, technical, and physical security measures to protect client confidentiality and monitor attorney networks and systems. This includes ongoing risk assessments of an attorney’s exposure to cyber incidents and business interruptions, in light of the sensitivity of client data, existing technical safeguards, and the cost and difficulty of implementing new safeguards (ABA Formal Opinion 483).

The ABA recognizes, however, that attorneys may need assistance with evaluating and implementing technology solutions. According to ABA Formal Opinion 477R, “[a]ny lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.” Bar associations can fulfill their natural role of training lawyers by providing CLEs and written materials from members and third-party IT and security experts on technology competence. Bar associations may also provide similar guidance to Formal Opinion 477R on basic cybersecurity hygiene for attorneys, such as the use of encryption for sensitive files, VPNs, multifactor authentication, antivirus software, and firewalls.

To protect their members—and the public at large—bar associations should also conduct cybersecurity due diligence for all technology service providers before promoting, offering, or otherwise displaying the services of these providers on bar websites and other media. Ideally, this due diligence would occur on an ongoing basis, or at least annually, to account for changing cybersecurity risks. It should be clear to all parties involved, however, that the bar association’s role in cybersecurity due diligence is limited to screening for minimum security requirements, and that these minimum requirements do not necessarily meet the “reasonable security” requirements of the Model Rules.

This caveat is important. Attorneys cannot completely outsource their cybersecurity obligations, nor can bar associations operate as outsourced IT providers. This is because the “reasonability” standard of the Model Rules is fact-specific, and attorneys bear the responsibility for assessing the sensitivity of their clients’ files, understanding their technological needs, and appropriately training and supervising their staff on client confidentiality. In addition, attorneys need to conduct separate inquiries into their privacy and cybersecurity obligations under new and existing laws—whether it is the General Data Protection Regulation (GDPR) in Europe, the domestic alphabet soup of CCPA, HIPAA, GLBA, or FedRAMP, or laws in other jurisdictions. These laws may impose more stringent standards than what is required by Model Rules 1.1 or 1.6.

As a result, bar associations cannot represent that any particular service provider or technology product has adequate security safeguards for its membership as a whole. And even if such a miracle technology existed, attorneys would still be responsible for properly configuring the technology to their computers and networks, keeping their access credentials secure, and maintaining regular software updates on their systems.

Conclusion

Technology cycles move very quickly, hence the famous catchphrase “move fast and break things.” Bar associations and attorneys alike can easily get caught in the fervor of short product cycles and the next, best product, thinking—all the while—that it will improve the prospects of the legal community and the public at large.

While technology can improve the public’s access to justice, not all technology vendors are equal. Bar associations need to remember that their guidance on technology may impact the decision making of an entire generation of lawyers. So before proceeding, their motto should be—for lack of a better phrase—“move slowly and fix things.”

Technology Vendor Due Diligence Checklist

Security and Internet standards to protect client confidentiality

  • Encryption (in transit and at rest, where appropriate to the sensitivity of data)
  • Access controls (including multi-factor authentication and strong passwords)
  • Backup and disaster recovery systems
  • Antivirus
  • Firewall

Contractual obligations

  • Notification of security breaches
  • Confidentiality of client data and/or limitations on service provider’s ability to share or use data
  • Check for incorporation of third-party terms or requirements to provide notice of third-party terms
  • Check for indemnity and limitation of liability clauses

Service-level commitments to prevent business interruption

  • Service-level availability/uptime commitments
  • Provision of regular updates/software patches
  • Integrations with popular operating systems and software

Billing and trust accounting

  • Trust accounting capabilities for any billing provider, or disclosures concerning whether attorneys will need to do separate configurations for trust accounting

Lily Li
Owner of Metaverse Law, CIPP/US, CIPP/E, CIPM
https://www.metaverselaw.com


Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two-day event in San Diego, CA, from Thursday, January 9 to Friday, January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule


Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration from 11:00 AM to 11:45 AM, followed by lunch and a seminar that concludes at 1:30 PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.


Searching for the One Ring to Rule Them All: A Look at 8 U.S. Federal Privacy Bills

Image Credit: 3D Animation Production Company from Pixabay

This article is Part 1 of 2 in a series exploring proposed federal privacy laws in the United States. Part 2 will discuss the constitutional challenges facing not only a proposed federal privacy law but those facing existing state privacy laws as well.

As predicted in our Privacy Law Forecast for 2019, legislators have raced to introduce national privacy regulation in both the House and Senate this year.

In contrast to the European Union’s single, comprehensive GDPR, privacy in the United States is governed by a hodgepodge of sectoral laws covering specific industries: medical, financial, educational, and marketing sectors, among others. States have enacted their own laws to protect their residents. And on top of that, Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants the FTC authority to enforce against unfair and deceptive acts and practices.

This all results in a confusing and burdensome “patchwork” of national, state and sectoral rules. (For more in-depth discussion on the current U.S. privacy regulatory landscape, please see American Privacy Laws in a Global Context.)

Given this regulatory environment, legislators are keen to put forth a single federal privacy law to standardize this “patchwork” and forestall the passage of dozens more state privacy bills. Some have set a deadline, hoping to pass a federal privacy law before the CCPA comes into effect on January 1, 2020. Since the start of 2019, lawmakers have introduced about 230 bills that regulate privacy in some way in either the House or Senate.

The following is a sample of comprehensive bills from both sides of the aisle. Though these bills are unlikely to pass committee, they indicate what policies lawmakers are considering in the current negotiations:

American Data Dissemination Act of 2019 (“ADD Act”)
Introduced: January 16, 2019
Sponsor: Senator Marco Rubio (R-FL)
Notes: This bill would require the FTC to submit recommended privacy regulations on “covered providers” (defined as any person that provides services over the internet) to Congress. If Congress fails to enact a law based on the FTC’s recommendations, the FTC would promulgate a final rule incorporating its proposed regulations. Only the FTC has powers of enforcement. This bill further allows for the preemption of state law.

Social Media Privacy Protection and Consumer Rights Act of 2019
Introduced: January 17, 2019
Sponsor: Senator Amy Klobuchar (D-MN)
Notes: This bill would require online platforms to inform the user of any data collection and use, offer the user a copy of their personal data, and allow the user to opt out of data tracking. The bill also requires breach notification within 72 hours of detection. Only the FTC and state attorneys general have the power to enforce violations.

Digital Accountability and Transparency to Advance Privacy Act (“DATA Privacy Act”)
Introduced: February 27, 2019
Sponsor: Senator Catherine Cortez Masto (D-NV)
Notes: This bill would require companies to provide users with a fair processing notice and to allow users to access, port, or delete their own records. It would mandate users’ opt-in consent in situations involving sensitive data or data outside the parameters of the business-consumer relationship. Companies that collect data on more than 3,000 people a year and have revenues greater than $25 million per year must appoint a Data Protection Officer (DPO). The FTC, state attorneys general, and any other officer authorized by the State to bring civil actions would have the power to enforce this law.

Own Your Own Data Act
Introduced: March 14, 2019
Sponsor: Senator John Kennedy (R-LA)
Notes: This bill would require social media companies to have a “prominently and conspicuously displayed icon” that a user can click to easily access and port their information. It would characterize user account registration as a “licensing agreement” wherein the user would license the user’s data to the social media company.

Information Transparency & Personal Data Control Act
Introduced: April 1, 2019
Sponsor: Representative Suzan DelBene (D-WA)
Notes: This bill would require any company to first procure users’ opt-in consent before processing sensitive data. Companies must also provide users with fair processing information. The bill requires companies to obtain third-party privacy audits and to submit the audits to the FTC biannually. Only the FTC would enforce this law. This bill further allows for the preemption of state law.

Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019 (“BROWSER Act”)
Introduced: April 10, 2019
Sponsor: Senator Marsha Blackburn (R-TN)
Notes: This bill would require providers of broadband internet access service and edge services to notify users of the providers’ privacy policies; obtain users’ opt-in consent in order to process sensitive information and opt-out consent for non-sensitive information; and prohibit providers from conditioning services on waivers of privacy rights. The bill further allows for the preemption of state law.

Privacy Bill of Rights
Introduced: April 11, 2019
Sponsor: Senator Edward Markey (D-MA)
Notes: This bill would require companies to provide users with fair processing information and the right to access, port, or delete their own records. Companies would be prohibited from offering “take-it-or-leave-it” arrangements or financial incentives in exchange for users’ personal information. Companies would also have to procure users’ opt-in consent before processing personal information. Under this bill, companies must designate an employee in charge of privacy/security compliance, no matter the size or annual revenue of the company. The FTC, state attorneys general, and individuals would be able to sue to enforce the law.

Do Not Track Act
Introduced: May 21, 2019
Sponsor: Senator Josh Hawley (R-MO)
Notes: This bill would establish a national Do Not Track (DNT) system and require any website or application operator to search for a DNT signal upon connection. The bill would make it illegal to collect data from devices displaying a DNT signal. Only the FTC and state attorneys general have the power to enforce violations.

As we can see, the fault lines are clear and not surprising. Democratic lawmakers generally favor a private right of action for consumers to sue a company that has mishandled consumer data. Republican lawmakers are generally against including such a provision. Republican lawmakers typically favor an express right of preemption, so that a laxer federal privacy law may preempt stringent state laws such as the CCPA. Democratic lawmakers are largely against the inclusion of such provisions, unless the bill provides consumer rights equivalent in scope and depth to the CCPA.

Regardless of whether or not a federal privacy law passes, businesses and the courts have their work cut out for them. Constitutional and interpretive challenges will plague the reach of any state or federal comprehensive privacy law, making it difficult to assess coverage for overlapping sector, state, and federal rules.

Consequently, as we will discuss further in our next article, legislators should consider these constitutional challenges head on prior to passing the “one” best bill to rule them all. Without clearly articulating the scope of any privacy law (e.g., does it extend across state borders and internationally), its preemption over or exclusions for other laws (e.g., GLBA, HIPAA, COPPA), and its relationship to third parties that only touch data incidentally, any comprehensive legislation will just add to the quagmire of current laws.


Privacy Law Forecast for 2019

Image Credit: ID 23689850 © Steve Ball | Dreamstime.com

This past year was quite a whirlwind for privacy and cybersecurity watchers. Just to sum up a few of the top events of last year:

  • Facebook’s Cambridge Analytica scandal rocked political headlines
  • Europe introduced the GDPR, the most comprehensive data protection legislation to date in the world
  • California enacted the California Consumer Privacy Act, becoming the first US state to create GDPR-style rules
  • Google came under fire for allowing app developers to read your email, and track your location (even with location tracking off!)
  • Marriott’s guest reservation system was hacked, exposing the personal information of up to 500 million guests, including passport numbers and payment numbers for some of those hacked

What will happen in 2019? Here are our top 5 predictions:
