Rent-to-Spy Highlights Need for Diligence

Seal of the United States Federal Trade Commis...

(Photo Wikipedia)

Aaron’s Inc. a leading franchisee in the rent-to-own retail market has agreed to settle FTC complaints[1] that allowed Aaron’s franchisees to install and use software to spy on customers.

In announcing the proposed settlement, the FTC explained that “Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.”

Aaron’s, Inc. is a leading rent-to-own retailer focusing on “residential furniture, consumer electronics, home appliances and accessories with more than 2,000 Company-operated and franchised stores in 48 states and Canada.” Aaron’s reports 1,190 Company-operated Aaron’s Sales and Lease Ownership stores, 717 Aaron’s Sales & Lease Ownership franchised stores, 78 HomeSmart stores, one franchised HomeSmart store, 17 Company-operated RIMCO stores, and six franchised RIMCO stores.

The allegations focus on the franchisees rather than Aaron’s own operations. Nonetheless, the complaint highlights that Aaron’s “allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.”

A proposed consent agreement with the FTC has been approved 4-0 by the Commission. Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Unfortunately the consent agreement still allows Aaron’s to install tracking technology, provided the customer gives consent. Given the history of such abuse, Aaron’s should be prohibited from using tracking software at all. Consent does little or nothing to affect consumer behavior; companies who have violated the public trust should be prohibited from seeking such illusory permission to continue to abuse their customers.

The risks of allowing opt-in consent are highlighted from another provision of the proposed consent decree:

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.

The proposed agreement will be subject to public comment through Nov. 21, 2013.[2] If opt-in consent is insufficient, the perhaps the Commission can be convinced.


[1] The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

[2] Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

COPPA updates go into effect today, if anyone is watching

The FTC revised the Children’s Online Privacy Protection Rule (COPPA) in December 2012 to take into account the rapidly expanding move to mobile applications, social media and the evolving nature of personally identifiable information. Those rules go into effect July 1, 2013.

COPPA is supposed to inform parents of data being collected about their children and provide opportunities for the parents to consent or opt out of the service.[1] Unfortunately, in application, COPPA has been applied as an either/or test – a site either caters to children and therefore complies with COPPA or prohibits use of services by children and therefore takes no steps to comply with parental notification and consent rules.

Many operators provide non-children services but do nothing to discourage use by children under 13, a practice which has obviated the impact of COPPA. Social media sites, in particular, tend to avoid compliance with COPPA and instead post disclaimers requiring that the users are over 13. But these sites have no verification procedures as to identity or age.

The FTC hopes to change this with the new rules. The amendments to COPPA are intended to minimize this gamesmanship by reducing the ability for a company to ignore actual usage by under-age customers and hide behind age disclaimers. Only time will tell whether the new rules will have that effect.

A second aspect of the new rule will likely have more impact. Self-regulatory associations can submit their certification program to the FTC for pre-approval. Provided members remain within compliance of the certified program, the approval serves as a safe-harbor, protecting members of the association from FTC enforcement actions. Examples of those applications include the following:

The self-regulatory associations, particularly the ESRB, take member enforcement very seriously. The multi-billion dollar gaming industry has become the model for differentiating products based on market segment. It has a strong incentive to segregate its under-13 products from the other products. Of course, it remains to be seen whether this will result in fewer 10-year-olds sneaking onto 15+ (or 18+) platforms, but the video game industry has been more effective than most in reducing the casual avoidance of the age restrictions.

The biggest change under COPPA revisions is the type of information now covered as personally identifiable information. Mobile and social media have transformed the tools available to individually track a customer. Persistent identifiers such as unique IDs, computer or chip serial numbers, unique device identifiers, IP addresses, and geo-location tags all work individually or together to create unique identification. None of those tools include a name or address, yet serve to provide comprehensive, persistent information regarding the identity of each individual. COPPA therefore expands the definition of personally identifiable information to reduce personalized targeting of advertising at children.

As an example of how personally identifiable information has evolved, this paragraph describes the ESRB’s updated guidance on personally identifiable information:

Personally Identifiable Information means any information that can be used to identify an individual or which enables direct contact with an individual. This would include an individual’s name, online contact information (i.e. email addresses or other identifier that permits direct online contact with a person via instant messaging, video, voice over internet protocol or any other means not specifically defined herein), phone number, fax number, home address, social security number, driver’s license number, credit card number, photos, videos, or audio containing the image or voice of a child, persistent identifiers (such as a customer number held in a cookie or a processor serial number, a unique device identifier, or IP address), or geo-location information sufficient to identify a street name and name of town. Demographic information that is combined with personal information (including, but not limited to, gender, educational background, or political affiliation) also becomes Personally Identifiable information. Personally Identifiable Information does not include information that is encoded or rendered anonymous, or publicly available information that has not been combined with non-public Personally Identifiable Information (and has not been previously defined as Personally Identifiable Information.)

The expanded COPPA will take months to truly affect the marketplace. Even then, it will only be effective if companies take the obligations not to track seriously and treat their customers with respect – something missing from the past 15 years of COPPA compliance.

Some and perhaps a majority of people prefer to be served ads that are relevant and interesting, so they don’t mind the outcome of behavioral advertising even if they are squeamish regarding the methods used to select the ads. But Congress assumes that children have fewer defenses to advertising and these techniques can be manipulative and harmful. Targeting individual minors under 13 is therefore prohibited without the parents consent. Hopefully, the COPPA revisions will make this difference begin to matter.

For more information, see the additional guidance provided by the FTC:

The FTC has also released two new pieces designed to help small businesses that operate child-directed websites, mobile applications and plug-ins ensure they are compliant with upcoming changes to the rule.

The first is a document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, which is designed especially for small businesses and contains a step-by-step process for companies to determine if they are covered by COPPA, and what steps they are required to take to protect children’s privacy. The FTC also released a video aimed at businesses to help explain their obligations under the revised rule, including an explanation of the changes.

Finally, the FTC has updated a guide for parents, “Protecting Your Child’s Privacy Online,” that explains what COPPA is, how it works and what parents can do to help protect their children’s privacy online.

These new documents provide guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC, including an updated set of frequently asked questions about the rule. FTC staff will periodically update the FAQs.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. Comments on the FAQs or suggestions for new FAQs may also be submitted through the COPPA Hotline email address.


[1] The COPPA rule requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.

Blame Congress’ Patriot Act not the NSA or FBI

Prism-1When self-proclaimed whistle blower, Edward Snowden disclosed a PowerPoint presentation allegedly detailing the Prism computer system[1] at the heart of foreign data collection program, he set off a firestorm of debate over the role of  clandestine electronic surveillance on individuals outside the United States and the U.S. residents who communicate with them.

In the week that has followed, some clarity has emerged. First, the Prism system is not a code name for a clandestine operation, but the name of the computer system used to collect and store the data. According to the Director of National Intelligence, that computer system operates under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

Section 702 provides that “the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The reasonable belief focuses on the location of the target, not the threat posed by the target. Most of the other limitations emphasize that this should not be used if the purpose is to target someone inside the U.S.

Nowhere in Section 702 is there a requirement that the information is relevant to an investigation at some level – “specific articulable facts giving reason to believe,” or “reasonable suspicion.” Probable cause is likely not within the realm of possibility. The law allows and even encourages broad, general sweeping of data, which can then be analyzed for patterns and anomalies.

The Section 702 directives are the subject of quasi-judicial review. The FISA Court is comprised of 11 federal judges assigned this additional duty by the Chief Justice of the Supreme Court. This internally appointed judicial panel has operated since 1979. In that time, according to the Wall Street Journal, it has rejected 11 applications for various surveillance requests. During that time, the number of approved surveillance requests has been in excess of 33,900 or an approval rate of  99.97 percent. Without knowing anything more, it is inconceivable that any review process with over 99 percent approvals can constitute a meaningful review.

Harvard Law Professor and former U.S. District Judge Nancy Gertner highlighted the structural problem of the FISA Court.

It’s an anointment process. It’s not a selection process. But you know, it’s not boat rockers. So you have a [federal] bench which is way more conservative than before. This is a subset of that. And it’s a subset of that who are operating under privacy, confidentiality, and national security. To suggest that there is meaningful review it seems to me is an illusion.

The problem, therefore, is not a secret or rogue NSA plot but instead a widely supported provision of the Patriot Act designed to be used precisely as the NSA has been doing. It has executive, legislative and judicial support. But because it is operated by a close-knit association, the separation of powers has proven irrelevant as a limitation on its operation.

Moreover, the Patriot Act has other sections equally potent at eavesdropping on private information. As summarized by the ACLU, FISA Section 215 “allows the FBI to order any person or entity to turn over ‘any tangible things,’ so long as the FBI ‘specif[ies]’ that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 (50 U.S.C. 1801 et seq.)

A secret NSA phone wiretapping order was also released last week highlighting the scope of metadata collection within the U.S. under Section 215.

This FISA Court Order targeting Verizon, required Verizon on an “ongoing, daily basis” to give the NSA information on all telephone metadata in its systems. Since the Section 702 orders deal with foreign data, this Section 215 court order excluded “telephony metadata for communications wholly originating and terminating in foreign countries.” The court order explains the scope of the request:

Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. [Sec.] 2510(8), or the name, address, or financial information of a subscriber or customer.

Essentially this means that all of us with Verizon phones can be tracked anywhere in the U.S., our interaction with any other parties triangulated, our First Amendment rights of Association violated, and our notion of privacy eliminated. Non-Verizon subscribers likely are subject to identical orders. There is no reason to doubt that these orders are not routinely issued to track all phone and cell phone movement data.

Mary DeRosa summarizes the changes to Section 215 which led to the Verizon court order.

Previously, FISA required the FBI to present the [FISA Court] “specific articulable facts giving reason to believe” that the subject of an investigation was a “foreign power or the agent of a foreign power.” After section 215, the government is required only to assert that the records or things are sought for a foreign intelligence investigation or to protect against international terrorism or clandestine intelligence activities, although the investigation of a United States person may not be “solely upon the basis of activities protected by the first amendment to the Constitution.” There is no requirement for an evidentiary or factual showing and the judge has little discretion in reviewing an application. If the judge finds that “the application meets the requirements” of the section, he or she must issue an order as requested “or as modified.”

Neither the NSA nor the FBI are doing anything other than that approved by Congress. Indeed, were these departments found not to be using the authority granted by Congress, there would be outrage on Capitol Hill. Instead it is the law that has vastly over-extended the government’s reach into the movements and activities of the public, both domestic and foreign.

Moreover, the sweep of the law is growing broader by the day as more and more devices and technologies use remote communications to share information. While it might require a warrant to track a vehicle, the Internet enabled Pandora music player, the self-adjusting oil change settings, and the many other connected technologies are not subject to that warrant requirement. The movement of such cars will be routinely swept into the FBI’s database as part of the Section 215 orders.

The FTC has initiated a review of the ever-growing “Internet of Things,” which is to mean the “growing connectivity of consumer devices, such as cars, appliances, and medical devices.” Combine the power of the FBI and NSA to order metadata and tracking information on all digital data with the interconnectivity of medical devices, RFID-tagged products, installed devices on vehicles, and smart phone apps, a digital map emerges. Like ants in an ant-farm, every person’s digital trail will be on display before the government. Increasingly sophisticated data analytics will eventually enable the path of each individual ant to be highlighted and sorted from among the swarm.

The growing connectivity that has extended the Patriot Act’s reach into more and more aspects of our daily lives require that we revise the laws to reign in the power of government and create a meaningful, statutory right of privacy. These revelations add attention to the problem and highlight the lack of transparency over this tracking. Congress is not shocked at these revelations because they voted to create the programs and have been repeatedly brief on their use. It is the people who have been left in the dark. Given the growth of the programs and the power of the technology they employ, it is time for a more thoughtful, balanced statutory approach.


[1] Reddit.com provided the link to the 2002 New York Times article first describing what is now the Prism computer system. See http://www.reddit.com/r/technology/comments/1g3zqz/the_roots_of_prism_a_new_york_times_article_from/.

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Seal of the United States Federal Trade Commis...

(photo: Wikipedia)

Perhaps triggered by the New York Times coverage of Google Glass, The FTC announced both a call for submissions and a workshop related to the Internet of Things and its implications on privacy, fair trade practice, and security implications for both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.  The devices can provide important benefits to consumers:  they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable, pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer‘s reliance on its systems. Companies that do not understand how this engagement will occur, risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public‘s estimation of the company.

Timing for the FTC submissions and workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that unlike the technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor quantity concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

COPPA Rule Supplemental Comments Extended to Sept. 24th

In an earlier post, I discussed the significance of proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) recommended by the FTC. The FTC has extended the comment period regarding the revisions to the COPPA Rule until September 24, 2012.

The COPPA Rule is designed to protect children under 13 from unwanted privacy intrusion by providing parents control over what information websites and online services may collect from these children.

The revised rule expands the websites covered by the COPPA Rule, makes clear that targeted or behavioral advertising geared at protected minors is covered and expanded the definition of personal information to include persistent identifiers.

Some comments have already been filed. They can be read online.

According to the FTC, the extension was “in response to requests from several organizations.” The FTC now anticipates that “public comments on the Supplemental Notice of Proposed Rulemaking will now be accepted until September 24, 2012.”

Significant revisions to Children’s Online Privacy Protection Rule triggers supplement review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implantation of the law.

As described in the Federal Register, the COPPA Rule include three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rules. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issues a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

  1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
  2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
  3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washtington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

Ethics in Informatics – Assessing ABA’s Ethics 20/20 Commission

May 4, 2012 the NKU Chase Law & Informatics Institute presents an ethics program focusing on the proposed changes to the ABA Model Rules of Professional Responsibility and similar changes to SEC Guidance for disclosure of cybersecurity risk. Dean Dennis Honabach and Professor Jon Garon will lead the conversation.

In 2009, The American Bar Association created the Ethics 20/20 Commission (“Commission”) to “perform a thorough review of the ABA Model Rules of Professional Conduct [(“MRPC”)] and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.”[1] The Commission held hearings and developed draft statements regarding a number of topics, including the effect of technology on a lawyer’s duty of confidentiality and client development.[2]  Having completed its review on several key proposals, they will be brought to the ABA for approval in August 2012:

The ABA Commission on Ethics 20/20 is pleased to release for comment by April 2, 2012, along with a Cover Memo from Co-Chairs Jamie S. Gorelick and Michael Traynor, final revised drafts of Commission Proposals scheduled to go to the ABA House of Delegates in August 2012.  These six revised draft proposals cover the subjects of Technology (Confidentiality), Technology (Client Development), Outsourcing, and Uniformity/Mobility (including Model Rule 5.5 and Practice Pending Admission), Admission by Motion, and Model Rule 1.6 (Duty of Confidentiality).

In addition to the materials provided by the ABA, we have created a Summary Analysis as well as a CLE Powerpoint presentation.

To summarize the program:

The practice of law has largely gone digital in the past decade. Remote access to one’s office, reliance on smart phones to share data, email and social media to communicate with clients, and other emerging technologies to conduct overseas cloud-based outsourcing or operate virtual law offices have transformed the mechanics of practicing law.

The American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession. In proposals recommended for adoption this year, the Commission proposes adoption of a new Rule 1.6(c) which would require that a “lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.” While this duty has existed under the prior rules, the modifications make clear that this affirmative duty extends to data privacy, security and reliability.

These proposals also address issues of screening electronic information accessible to a law firm assure that confidential information known by a personally disqualified lawyer remains protected from inappropriate access by other attorneys; an affirmative duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with technology;” and many others.

Not to be outdone, the Corporate Finance Division of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers. The guidance identifies that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” Lawyers drafting these disclosures – and lawyers dealing with the risk assessment for their clients – as well as regarding their own practices – have an increasingly external standard of care and responsibility to meet the cyber-risks inherent in the modern digital practice of law.

While it is likely that many of the revised Rules of Professional will be adopted, the changes primarily codify the existing duty to maintain a lawyer’s ongoing duty to remain competent. These materials are intended to assist with that effort by providing an update to the ethical rules and the technologies at the heart of these changes.

The Commission has distributed its recommendations and solicited final comments through April 2, 2012. Final hearings were held April 13-14, 2012 and the Commission will be releasing the final versions of these proposals for approval at the August 2012 ABA Annual Meeting.