Pennsylvania Supreme Court Reiterates that Zoning Must Be Precise

Gorsline Strongly Reminds That Municipalities Must Protect the Rights of All Property Owners

On June 1, 2018, the Pennsylvania Supreme Court sent another wake-up call to municipalities. In Gorsline v. Fairfield Township, the Court held that local municipalities cannot play fast-and-loose with the definitions in a zoning ordinance, especially for uses not expressly provided for, and cannot, ipse dixit (“because we say so”), grant uses that the ordinance does not provide for. So-called “catch-all provisions” may now fail under this guidance. The message: define, define, define.

In part, the Supreme Court reminded:

[t]he governing body must, however, actually amend its zoning ordinances to permit drilling in designated areas, setting forth whatever limitations and conditions it decides are appropriate for the protection of its citizenry. What a governing body may not do, however, and what the Fairfield Township Board of Supervisors did in this case, is to permit oil and gas development in residential/agricultural districts without first enacting the necessary [zoning] amendments, based upon a clearly inadequate evidentiary record and no meaningful interpretative analysis of the language of its existing zoning laws. Gorsline at 23-24.

Gorsline, while not decided on constitutional grounds, sends yet another strong message to municipalities that a municipality must follow the law intended to protect the rights of all property owners, not just those of an applicant. The opinion also shows that municipalities cannot just go-through-the-motions when applying the law to specific projects or when drafting zoning ordinances.

Gorsline Sharply Limits On-the-Fly, De Facto “Amendments” to Zoning

Gorsline arose from yet another fracking company trying to shoehorn gas-drilling operations near a residential community by exploiting alleged vagueness in the zoning ordinance. In Fairfield Township, the zoning ordinance did not permit fracking (or other gas operations) in the residential-agricultural (R-A) zoning district. The R-A district provisions stated:

The purpose of the regulations for this [R-A] district is to foster a quiet, medium-density residential environment while encouraging the continuation of agricultural activities and the preservation of prime farmland. Gorsline at 2.

Inflection Energy, the operator behind the case, argued that a 300-foot by 350-foot fracking pad with a separate two-million-gallon waste-water impoundment was “similar to” other uses permitted in the residential-agricultural district. Gorsline at 4-5. Inflection also argued that the fracking pad was a “public service facility.” Gorsline at 4-5.

The Fairfield Township Board of Supervisors granted the fracking application without substantial evidence, according to the Court. Multiple appeals ensued. The Court of Common Pleas reversed the Board (disallowing the fracking). The Commonwealth Court then reversed the Court of Common Pleas (allowing the fracking), relying on the troubling MarkWest Liberty Midstream & Resources, LLC v. Cecil Twp. Zoning Hrg. Bd., 102 A.3d 549 (Pa. Commw. 2014).

Finally, in a detailed opinion, the Supreme Court reversed the Commonwealth Court, disallowing the conditional-use application, and held:

  • in its hearings, Fairfield Township failed to find specific and substantial evidence that the fracking pad was “substantially similar” to other permitted uses; such a finding must rest on specific facts, not merely on an applicant’s conclusions, Gorsline at 15-17;
  • terms in an ordinance, unless expressly defined, carry their ordinary meaning in the context of the ordinance; therefore “public service facility” and “essential services” mean structures that serve local residential needs, not anything offering a generalized public benefit, as the fracking applicant argued, Gorsline at 17-20; and
  • even if a municipality previously granted similar conditional uses, those grants, absent specific analysis by the municipality on the record and supported by substantial evidence, do not constitute a waiver of the zoning requirements and do not constitute a de facto, zone-wide “amendment,” Gorsline at 20-23.

As Gorsline emphasizes, a municipality must base its decisions on substantial and demonstrable evidence; must define terms precisely; cannot rely on catch-all provisions or on-the-fly “zoning”; and must carefully follow the MPC and the law. Arbitrary or conclusory statements do not meet the legal standard.

Gorsline Dissent Subtly Reveals a Growing, Fundamental Constitutional Conflict in Pennsylvania

Three justices dissented in Gorsline. The Dissent argues that Fairfield Township properly granted the application. Gorsline Dissent at 13. That alternate conclusion relies heavily on a rote and permissive reading of the ordinance language and zoning law, and on deference to the municipality.

The Dissent also cites the quantity of materials supplied by the applicant as constituting supporting evidence, rather than the quality of the materials that the Majority requires. Gorsline Dissent at 5. As anyone familiar with municipal zoning and planning understands, sophisticated applicants often submit binders full of “studies” and data along with an application. However, as the Majority suggests, going-through-the-motions and supplying copious paper does not necessarily constitute relevant evidence. (And the Dissent, with respect, does not explain how the material supported the application, whether it was even relevant, or how it addressed the questions at hand. That the material was there at all, combined with deference to the municipality, seems enough for the Dissent.)

Nevertheless, the dissenting opinion also raises, albeit not expressly, a growing conflict in Pennsylvania law. Pennsylvania courts continue to labor under a self-imposed limitation of deciding cases on non-constitutional grounds where possible, Gorsline at 12, even when fundamental constitutional issues arise.

The differences between the Majority and the Dissent reflect the growing discord arising from ignoring the Constitutional rights of all parties. That is, the Dissent cites 53 P.S. §10603.1, which statutorily requires interpretation of zoning law, when ambiguous or unclear, “against extension of the restriction.”

What rote adherence to 53 P.S. §10603.1 fails to address are the constitutional rights of others affected by the zoning decision—that is, limiting the restriction on the applicant to validate its rights does not address the procedural and substantive rights of those affected by a poorly drafted or interpreted law under, for example, takings or Pennsylvania Constitutional law. Those questions, according to Gorsline, remain painfully open but will need to be decided.

Brown Appointed to Scranton-Abingtons Planning Association (SAPA)

Clarks Summit Borough appointed attorney Shannon Brown to serve as the Borough’s representative to the Scranton-Abingtons Planning Association (SAPA). This summer, SAPA will launch the second phase of a multi-year initiative to help each member community update its zoning ordinances to comply with current state laws and to implement the previously adopted, SAPA Regional Plan.

SAPA involves cooperative community planning among nine contiguous municipalities in Lackawanna County, including Clarks Summit Borough. Cooperative community planning in Pennsylvania helps municipalities to plan for better futures and to stabilize communities. Through cooperation, municipalities can minimize costly sprawl, limit conflicting land uses, enhance community services, retain agricultural land and natural spaces, enhance community centers, and stabilize taxes.

Attorney Brown also serves as a Commissioner with the Clarks Summit Borough Planning Commission.

Pennsylvania Living Will and Durable Medical Power of Attorney Example

If you become incapacitated and cannot make healthcare decisions, who makes those decisions? Such an event can be extremely stressful without the added stress of trying to determine “what mom or dad would want?” Who makes decisions when you are incapacitated? How do you express your wishes? How do you make decisions about end-of-life prior to a catastrophic event or terminal diagnosis?

Pennsylvania law provides two important documents to address these situations:

  1. the Durable Medical Power of Attorney (Healthcare Power of Attorney) and
  2. the Living Will (or Advance Health Care Directive).

Pennsylvanians can have one or both of these documents in effect. (See example Medical Power of Attorney and Living Will.)

What Is a Pennsylvania Durable Medical Power of Attorney?

The Durable Medical Power of Attorney legally designates another person to act as your Health Care Agent when you become incapacitated (cannot make your own decisions). The Health Care Agent makes decisions about your medical care by “standing in your shoes.” He or she must faithfully carry out all of the powers defined in the Durable Medical Power of Attorney according to your written wishes.

Typically, the Health Care Agent can authorize medical procedures, hire caregivers, take legal action related to medical care, speak with doctors, and authorize admissions to medical facilities.

You can provide legally binding guidance to the Health Care Agent in the Durable Medical Power of Attorney. For example you can provide binding instructions to the Health Care Agent, regarding terminal illness, permanent disability, severe brain damage, resuscitation, etc.

Think of the Durable Medical Power of Attorney as the legal power to carry out your wishes related to medical care any time you become incapacitated—the durable medical power of attorney automatically “kicks-in” upon incapacity.

Some may hear the term, power-of-attorney, and grow concerned (usually because they heard a story that so-and-so had a power of attorney and someone stole all her money). The Durable Medical Power of Attorney is a specialized document addressing only medical issues. To generally pay bills, access checkbooks, or make other non-medical decisions, someone would also need a general power of attorney (a different document).

What Is a Pennsylvania Living Will?

While the Durable Medical Power of Attorney applies generally to any medical situation upon your incapacity, a Living Will (or Advance Health Care Directive) addresses a specific situation: end-stage medical conditions. End-stage medical conditions include terminal illness and persistent vegetative states, and the decisions that accompany them about resuscitation, tube feeding, hospice care, etc.

The Living Will provides specific instructions for how you want the end-stage situation handled by the Health Care Agent. The Living Will, in concept, eases the burden of making very hard decisions about your loved ones at end-of-life. Rather than struggle with making family decisions at a very emotional and stressful time, the Living Will expresses your wishes ahead of time. Put simply, the Health Care Agent can point to the written document regarding your wishes, which can help de-fuse family disputes and ease remorse (these times are not easy if someone needs to be the decision-maker, without the Living Will, about “pulling the plug”).

What Is a Combined Pennsylvania Durable Medical Power of Attorney and Living Will?

Pennsylvania law (20 Pa.C.S. § 5471) provides for a combined document. The combined document can be convenient, especially in rapidly changing medical conditions.

Planning for Those Moments That You Would Prefer to Not Think About

A Combined Durable Medical Power of Attorney and Living Will is one part of what is called estate planning (no, you do not need the white-column house, horse farm, and Rolls Royce for an estate plan). Estate planning, in legal terms, means developing a plan for your property, healthcare, family structure, etc. An estate plan may include a will, a general power of attorney, a medical power of attorney/living will, or a special-purpose power of attorney.

Few relish talking about such difficult issues. However, delaying or not planning can place significant burdens on your loved ones at times when stress, sadness, and loss may be heightened.

A person adopting a Durable Medical Power of Attorney and Living Will should consult with:

  1. a faith leader,
  2. the designated Health Care Agent,
  3. family,
  4. an attorney, and
  5. your medical provider.

Because these documents potentially address end-of-life situations, consulting with your pastor may provide guidance regarding your faith tradition’s handling of such issues. Consulting with the designated Health Care Agent, even informally, can help the agent to understand his or her role. (Your attorney can help facilitate this dialogue.) Consulting with family may be helpful so that they know the documents exist (and where they are located) and understand your general wishes. Consulting with your medical provider can help to understand the medical options, understand treatment, and understand how the medical profession makes determinations. Consulting with an attorney becomes important to assure that the documents are properly drafted and properly executed (all the t’s-crossed and i’s dotted). The attorney can also help assure that the Durable Medical Power of Attorney and Living Will are consistent with the rest of your estate planning documents (the latter is important as inconsistencies can cause problems).

What Happens If You Don’t Have a Medical Power of Attorney or Living Will in Pennsylvania?

If you do not have a Durable Medical Power of Attorney, you may limit or forfeit your ability to express your wishes. You have a legal right to make such determinations ahead of time. But by not acting, you may limit or forfeit that right.

Not having a Durable Medical Power of Attorney can also lead to unintended or unwanted consequences regarding who gets to decide your medical care. For example, the situation can become complex depending on the family situation. You may be in a long-term relationship with a person who is not your spouse. Generally, if you do not have a Durable Medical Power of Attorney, default legal rules apply to appoint a temporary Health Care Representative (20 Pa.C.S. § 5461) who possesses powers similar to those of a Health Care Agent. A spouse (unless a divorce is pending), adult child, parent, adult sibling, adult grandchild, or another adult with a relationship to you may be appointed, but in that specific order. For some people, the default appointment order can lead to unintended consequences (for example, an adult step-child with a close connection being excluded, or a long-time partner being excluded).

Also, by not having these documents ahead of time, a court may also need to appoint a guardian requiring a court proceeding (this process goes beyond this article).

The simple answer is: if you do not have a Durable Medical Power of Attorney, default statutory rules apply, which might not be what you wanted.

If I am Still Young, Do I Need a Medical Power of Attorney or Living Will in Pennsylvania? Aren’t they for old people?

Pennsylvania, generally, allows persons 18 years of age or older to execute a Durable Medical Power of Attorney and Living Will. 20 Pa.C.S. § 5462. Thus, these documents apply to young people just as they apply to older individuals. Sadly, catastrophic events or terminal conditions can occur to anyone, young or old.

Example Pennsylvania Combined Durable Medical Power of Attorney and Living Will

Pennsylvania law (20 Pa.C.S. § 5471) provides a sample Durable Medical Power of Attorney and Living Will. I include a formatted sample. See sample Pennsylvania Durable Medical Power of Attorney and Living Will. The sample shows some of the options available and helps initiate discussion. I ask clients to review a sample, make notes, and list questions before meeting about drafting the Durable Medical Power of Attorney and Living Will. The final document should be reviewed by your attorney.

(Why do attorneys always caution to have documents reviewed by an attorney? I get this question from time-to-time.

The attorney review becomes important because the attorney can guide you through drafting the final document, assure that the document was executed (“signed”) correctly, make sure that you follow the formalities required for the document to be truly effective, answer questions about special situations (children with disabilities, blended families, family conflicts, etc.), guide you regarding using the document, evaluate business ramifications, help facilitate delicate discussion with family, and review other documents for consistency.

Certainly, any reasonably competent person can fill-out-the-form. That is not the issue. The issues may be things that you did not think about or did not realize were even material. These are important documents; you want them done right.)

Concluding Thoughts on Pennsylvania Durable Medical Power of Attorney and Living Wills

The Durable Medical Power of Attorney and Living Will serve as important documents in your estate plan. They “spring forth” to help and “speak for you” when you need help most. They can also ease part of the burden for family during the stressful time during a medical emergency.

Drafting these documents by an attorney is usually fairly straight-forward. Your thoughts, prayers, discussions-with-family, and consultation with professionals should go into the process.

Sample Pennsylvania Living Will and Healthcare Power of Attorney

See sample Pennsylvania Durable Medical Power of Attorney and Living Will

Author Note

The above relies, in part, on a community presentation that I delivered in 2012. This posting was authored in February 2018.

This posting provides general legal information and does not replace legal advice. You should consult an attorney before signing a legal document including when considering a Durable Medical Power of Attorney and Living Will.


Other Resources

The Allegheny County Bar Association also provides sample documents for Pennsylvanians. Any documents should also be reviewed by an attorney.


Government May Compel Disclosure of Encryption Passwords in Pennsylvania

The Pennsylvania Superior Court issued another troubling, computer-related opinion in late November 2017. Commonwealth v. Davis holds that the Pennsylvania government can compel an individual to disclose a computer password for an encrypted computer. Commonwealth v. Davis, 2017 PA Super 376 (Nov. 30, 2017).

The Superior Court stated that the constitutional protections against compelled self-incrimination, under the federal Fifth Amendment and Pennsylvania Constitution Article I, Section 9, do not apply to the password of an encrypted computer on the facts in Davis.

To reach the conclusion, the Superior Court looked to problematic opinions in other jurisdictions—which may be outdated or that may improperly analogize to otherwise incompatible technologies.

A Troubling Application of the Foregone-Conclusion Exception to the Fifth Amendment

The Superior Court held that the foregone-conclusion “exception” to the Fifth Amendment applies to the password itself. Compare Davis, 2017 PA Super at 10-13 (the password), with Davis, 2017 PA Super at 14-15 (the underlying documents), and, e.g., Fisher v. United States, 425 U.S. 391, 409-410 (1976). That is, the foregone-conclusion analysis no longer asks whether the government’s knowledge of the materials sought (here, allegedly criminal images) is a foregone conclusion, but whether its knowledge of the password that allegedly gives access to those materials is. See Davis, 2017 PA Super at 10-14.

As the Court frames it, to compel production the government need only prove:

(1) the existence of the evidence demanded;
(2) the possession or control of that evidence by the defendant; and
(3) the authenticity of the evidence. Id. at 11.

Those elements were developed for, and assume application to, documentary evidence. See Fisher v. United States, 425 U.S. 391, 409-410 (1976).

Yet, according to the Superior Court, that becomes:

(1) the existence of a password;
(2) the [apparent] possession or control of the password by the defendant; and
(3) the authenticity of the password is assumed and does not need to be proven (because if the password opens the device, it must be authentic). Id. at 12-14.

Thus, the Superior Court holds that the government can now compel the password to an encrypted hard drive by using the “foregone-conclusion exception” applied to the password itself—not to the underlying, alleged, evidence.

Applying the foregone-conclusion “exception,” which previously applied to the underlying documents, see Fisher v. United States, 425 U.S. 391, 409-410 (1976), to the password itself appears a breathtaking conflation of constitutional issues. Unfortunately, a case like this might be used to support more generalized demands for access to encrypted information.

Troubling Bootstrapping By Assuming that Technology Self-Authenticates

A party admitting evidence must demonstrate that the proposed evidence is authentic. Pa. R.E. 901 et seq. Authentication means “the item is what the proponent claims it is.”  Pa. R.E. 901. Notably, technology does not appear on the list of self-authenticating evidence. See Pa.R.E. 902.

Nevertheless, the Pennsylvania Superior Court in Davis claims:

“technology is self-authenticating.” … Namely, if appellant’s encrypted computer is accessible once its password has been entered, it is clearly authentic.

Davis, 2017 PA Super at 14 (internal citation removed, quotes in original).

The Court assumes, without any technical support, that entering a password authenticates the password (and, implicitly, whatever the password reveals) merely because the password makes the computer accessible.

The Court’s recitation of the facts in Davis shows why this assumption is not accurate. The Court mentions the use of TrueCrypt to encrypt the hard drive at issue. Id. at 2. However, prior to the alleged acts at issue in Davis, the developers of TrueCrypt shut down that project, citing possible problems with the software’s security.

TrueCrypt was open-source, community-developed software for encrypting hard drives or file containers. It was legitimate software in the same category as the widely used Microsoft BitLocker, Apple FileVault, and the Linux encrypted file systems.

In 2014, the developers of TrueCrypt suddenly shut down the project. The shutdown was highly controversial in the technology community and shrouded in mystery in the post-Snowden era. The developers simply stated: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” TrueCrypt Website (former). The terse statement fueled further speculation about national-security implications and vulnerabilities.

The technical history may become material in a case like Davis. At minimum, the Superior Court’s assumption that “technology is self-authenticating” requires serious revision. TrueCrypt could have been shut down because of cryptographic hash collisions, errors in the encryption algorithm, side-channel attacks, or any number of other technical deficiencies. The point is: a password that “opens” an encrypted volume proves only that the password yields readable data. It does not establish that the algorithm is sound, that the data are what the proponent claims, or that nobody altered the encrypted contents, because the algorithm (or algorithms) may be defective or manipulated.
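To make the technical point concrete, the following is an added illustration, not code from the opinion or from TrueCrypt, using a hypothetical toy cipher (PBKDF2 plus SHA-256 in counter mode, with a fixed, constructed salt so the run is reproducible). It is not a model of TrueCrypt’s actual construction. It shows two things a court assuming “if the password opens it, it is authentic” overlooks: an unauthenticated cipher “opens” under any password without complaint, and a third party who never had the password can alter what the correct password reveals. The encrypt-then-MAC variant at the end shows what an actual cryptographic authenticity check looks like, which the confidentiality-only scheme lacks.

```python
import hashlib
import hmac

# Constructed, fixed salt so the example is reproducible; a real system
# would use a random per-volume salt. The whole scheme is hypothetical.
SALT = b"constructed-example-salt"


def derive_key(password: str, purpose: bytes) -> bytes:
    """Derive a 32-byte key from the password for one purpose (b"enc" or b"mac")."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + purpose, SALT, 20_000, 32)


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream of SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Confidentiality only: decryption never "fails", so success proves little ---

def encrypt_unauthenticated(password: str, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(derive_key(password, b"enc"), len(plaintext)))


def decrypt_unauthenticated(password: str, ciphertext: bytes) -> bytes:
    """Any password 'opens' the container and yields bytes. Only a human
    reading the output (not the cryptography) decides whether it looks right."""
    return xor_bytes(ciphertext, keystream(derive_key(password, b"enc"), len(ciphertext)))


def tamper_without_password(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Someone who never had the password but knows (or guesses) that `known`
    sits at `offset` can rewrite it to `desired` of the same length. The correct
    password still 'opens' the file afterwards, now showing the altered content."""
    assert len(known) == len(desired)
    patch = xor_bytes(known, desired)
    edited = bytearray(ciphertext)
    for i, p in enumerate(patch):
        edited[offset + i] ^= p
    return bytes(edited)


# --- Encrypt-then-MAC: a real authenticity check, keyed separately from encryption ---

def encrypt_authenticated(password: str, plaintext: bytes) -> bytes:
    body = encrypt_unauthenticated(password, plaintext)
    tag = hmac.new(derive_key(password, b"mac"), body, "sha256").digest()
    return body + tag


def decrypt_authenticated(password: str, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(derive_key(password, b"mac"), body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified ciphertext")
    return decrypt_unauthenticated(password, body)


if __name__ == "__main__":
    # Constructed sample content; the label is illustrative only.
    pt = b"label: ORIGINAL"
    ct = encrypt_unauthenticated("correct horse", pt)
    print(decrypt_unauthenticated("correct horse", ct))    # the original bytes
    print(decrypt_unauthenticated("wrong password", ct))   # garbage, but no error
    ct2 = tamper_without_password(ct, 7, b"ORIGINAL", b"ALTERED ")
    print(decrypt_unauthenticated("correct horse", ct2))   # b'label: ALTERED '
    blob2 = tamper_without_password(encrypt_authenticated("correct horse", pt), 7, b"ORIGINAL", b"ALTERED ")
    try:
        decrypt_authenticated("correct horse", blob2)
    except ValueError as e:
        print("MAC check caught it:", e)
```

The design point is that confidentiality and authenticity are separate properties with separate keys and separate checks. In the unauthenticated scheme, “the password worked” is a statement about the viewer’s judgment of the output, not a cryptographic finding; only the MAC-protected variant can reject a wrong password or a modified file on its own.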

Bootstrapping for Compelled Disclosure of Encryption Passwords

And this goes back to the Davis bootstrapping problem. The electronic materials (files) are at issue in Davis. The government sought access to the allegedly criminal materials (files). The encryption allegedly limited that access. Therefore, the Court held that it can compel disclosure of the encryption password to provide access to the allegedly criminal materials, by applying the foregone-conclusion “exception” to the password rather than to the materials themselves. Perhaps on the very narrow facts in Davis, such a conclusion makes sense. But the bootstrapping is deeply troubling for future cases.



Original: 1/9/2018

This is not legal advice.


F1 Discussion of the inherent problems with Fisher v. US, 425 US 391 (1976), which developed the so-called “exception” to a fundamental constitutional right, and inconsistencies with applying this “exception” more broadly goes beyond this article.

Attorney Brown Re-appointed to Planning Commission

In January 2018, the Clarks Summit Borough Council unanimously re-appointed Attorney Shannon Brown to the Clarks Summit Borough Planning Commission.

In addition to practicing as a consulting attorney, Shannon brings experience as a professor of community and economic development and prior experience serving as a planning commission member in Lancaster County and in New York State. He brings specific legal training in land use law, environmental law, and business law, with academic publication on the intersection of local land use law and federal environmental regulations.

Shannon has family in Clarks Summit and has been visiting the area for 28 years.

Equifax Data Breach

On 7 September 2017, Equifax announced a data breach affecting approximately 143 million U.S. consumers, involving the compromise of names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. A subset of victims apparently also had credit card numbers and “dispute documents” compromised. Strikingly, the breach went on for several months, apparently from May to July 2017.

Equifax released very little technical information about the breach itself other than to state that the perpetrators “exploited a U.S. website application vulnerability.” The lack of information during such incidents increases concern.

However, research suggests that the breach may have involved the Equifax credit report dispute system and possibly an application affected by the Apache Struts vulnerability (or vulnerabilities).

  1. The announcement noted “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases,” suggesting that the breach occurred in a related system, not the main Equifax system.
  2. “Only” 143 million victims were affected, suggesting a subset of all the individuals on whom Equifax holds data.
  3. An Equifax job posting seeks Apache Struts experience, suggesting the use of that web application framework.
  4. The CERT Coordination Center published two vulnerability notes in 2017 related to Apache Struts (VU#834067 in March and VU#112992 in September).
  5. The compromise included, in part, “dispute documents.”

Equifax will likely reveal more over the next few weeks. But initial research raises questions about the extent of the breach and the systems affected.

Pennsylvania Court’s ‘C’est la Vie’ View of Data Breach Damages

The Pennsylvania Superior Court recently held in Dittman v. UPMC that employees cannot sue employers after a data breach involving the employer’s computer systems, even if the employees’ sensitive personal information, such as names, birth dates, Social Security numbers, tax information, addresses, salaries, and bank information, is compromised. Employees cannot sue even if their tax refunds are stolen. The Plaintiffs showed that sensitive personal information was stolen from at least 27,000 UPMC employees and that at least 788 of those employees were victims of tax fraud.

Court Holds No Alleged Legal Duty to Protect Employee Sensitive Data

Effectively, the Court concludes that an employer owes no legal duty to protect confidential and sensitive personal information of employees because … well, apparently, these things just happen.

As the trial court correctly noted, “data breaches are widespread” and “there is not a safe harbor for entities storing confidential information.” No judicially created duty of care is needed to incentivize companies to protect their confidential information…. We find it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.

Sadly, the Court demonstrates a minimal understanding of cybersecurity or data protection. The issue is not whether there is “no true way to prevent data breaches altogether” (emphasis added), as the Court suggests. The issue is whether a business, in this case a large, highly sophisticated medical entity in a highly regulated industry, adequately protected the employees’ data. The opinion offers no analysis of what the allegedly “significant costs” are (or compared to what), whether the entity failed to follow accepted practices for securing data (negligence), whether this was a hit-and-run or a sustained breach, how long the entity took to detect the breach, whether encryption was used, whether data segregation was used, etc.

Instead, the Court simply held that no legal duty exists. The Court left the alleged “creation of” any legal duty to the legislature despite Althaus v. Cohen, 756 A.2d 1166 (Pa. 2000)–the very judicial blueprint for evaluating legal duties of care.

An Ephemeral “Incentive” to Protect Data

Even more disturbing is the crabbed argument suggesting that some type of incentive exists for employers to protect data.  The Court fails to logically explain why an employer has an “incentive” when the employee has little or no recourse to hold the employer legally accountable to their duty of care. Instead, the Court cites to computer-related laws as apparent support.

The Court implies that employees are somehow “protected” from data breach damages by, for example, 73 P.S. § 2301 et seq. But even a cursory reading of that statute, the Pennsylvania Breach of Personal Information Notification Act, shows that an employee has no private cause of action or remedy; see 73 P.S. § 2308 (“The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act.”). The Court then cites Pennsylvania’s Privacy of Social Security Numbers law, 74 P.S. § 201, which plainly states: “Fines under this section shall be distributed equally between the Crime Victim’s Compensation Fund administered by the Pennsylvania Commission on Crime and Delinquency and the Office of Attorney General for future identity theft prevention.” Again, nothing for the employee. The Court then cites the federal Stored Communications Act, 18 U.S.C. §§ 2701-2712. The Stored Communications Act addresses unauthorized access to stored electronic communications held by service providers; it is not a data breach statute and does not address an employer’s duty to secure employee records.

Opinion Does Not Maintain Protections for Employee Personal Data

The assumption that “gee, data breaches will occur, c’est la vie,” without any analysis of why data breaches occur, of how to prevent or mitigate them, or of the potential failures of a business to take adequate precautions when it effectively faces no liability from lawsuits, is staggering, especially in 2017. Unfortunately, Pennsylvanians continue to place their most sensitive personal information at risk simply because they punch the clock.


What is Zoning in Pennsylvania?

In Pennsylvania, the Pennsylvania Municipalities Planning Code (often referred to as “the MPC”) defines the legal requirements of zoning. While addressing the legal requirements, the MPC does not do a great job of explaining what zoning is. In simplest terms, zoning

  1. helps protect your property value and property investment;
  2. helps minimize or mitigate legal nuisances*;
  3. addresses issues of public safety, welfare, and health such as drinking water, storm water run-off, traffic, and compatible land uses (such as not dumping heavy equipment manufacturing in a residential neighborhood); and
  4. helps the community to coordinate development projects.

Some criticize zoning as “the government telling me what I can do with my land” or as “a money-making racket for local government.” First, zoning is not the government telling you what you can do with your land. Zoning protects everyone’s investment in real property. Thus zoning is your community and your neighbors reminding community members to “not be a jerk.” Second, the fees associated with zoning are highly unlikely to be money-makers for a local government, considering the time and resources required to evaluate zoning issues. The fees simply defray some of the costs.

The Pennsylvania Municipal Planning Code

Article VI of the Pennsylvania Municipal Planning Code (often referred to as “the MPC” or Act 247 of 1968 as amended) provides details about zoning and the purpose for zoning in Pennsylvania. Section 604 specifically addresses the stated purposes of a zoning ordinance which largely involve proper population densities, compatible land uses, coordinated development, public safety, parking, transportation, infrastructure, adequate housing, and preservation.

While implicit, zoning thus helps on many levels to protect individual investments in property as well as protecting the community (and taxpayers) from unfair cost-shifting by developers for specific projects or wasteful problems (higher taxes) arising from uncoordinated development.

Zoning Protects Property Value

Zoning divides communities into zoning districts based on a community plan (called a comprehensive plan). Each zoning district defines the compatible uses permitted in the zoning district. Within each district the regulations must be uniform and uniformly applied. See Pa. MPC § 605.

For individuals, zoning protects your investment in your property by managing uses that may interfere with the quiet enjoyment of your property and by managing development to avoid expensive infrastructure and services for taxpayers.

Assume that you purchased a home in a typical residential neighborhood. You renovated the kitchen. You spent weekends landscaping. You enjoy sitting on the back porch watching the birds. Unfortunately, a neighbor decides to launch a trucking business and starts parking an 18-wheeler with a refrigeration trailer adjacent to your property. The truck runs early in the morning, and the refrigeration generator kicks on every 20 minutes keeping you awake at night. The neighbor refuses to do anything about the problems.

This scenario illustrates the value of zoning. In most cases, zoning bars the interference from the incompatible trucking business located in the residential neighborhood (trucking businesses might be permitted in a highway commercial zoning district away from residences). Therefore, rather than you needing to take the neighbor to court (costing you a lot of money), the neighbor can be asked to cease the disruption or be cited for a zoning violation. Thus, zoning protects your property investment and helps mediate tense situations.

Zoning Constitutional

For almost 100 years now, Euclid v. Ambler Realty, and Nectow v. Cambridge, have allowed zoning as an exercise of the government power to protect health, safety, convenience or general welfare. These U.S. Supreme Court cases agree that a community has a bona fide interest in maintaining community character and in separating land uses. The cases recognize the practical aspects of living in a community and recognize that bad actors and bad neighbors should not be able to interfere with the property of decent people. In fact, Euclid specifically states that the basis of zoning is to minimize nuisances and to assure that all persons “sic utere tuo ut alienum non laedas (so use your own property as not to injure another’s property).” Euclid, 272 U.S. at 387-88.

Unfortunately, some still claim that zoning amounts to the government telling you what to do with your property (Euclid was decided in 1926!). That’s simply not true or accurate. First, zoning is public, and thus anyone can check the zoning requirements before buying a property. Second, zoning protects everyone’s investment in a property from incompatible uses and unreasonable interference. Third, zoning implements part of the comprehensive community plan—a community-focused document that helps the community plan for the future.

Zoning Must be Uniform

Importantly, Euclid justified zoning because the zoning regulations applied generally and uniformly to the zoning district. Euclid, 272 U.S. at 395-97. That is, the same regulations and standards apply to all property owners within the district—thus, fairness. The MPC echoes this federal Constitutional standard by requiring that zoning be uniform and uniformly applied within each district.

Where zoning districts are created, all provisions shall be uniform for each class of uses or structures, within each district….

See Pa. MPC § 605.

These two considerations, generality and uniformity, become critical when addressing “exceptions” to the zoning ordinance such as variances. Variances grant a limited exception to the zoning requirements for a specific property. Variances are an extraordinary remedy (rare) because a variance by definition undermines the Constitutional basis of zoning. Thus, one cannot simply acquire variances to avoid compliance with the zoning requirements without triggering unconstitutionality. The uniformity also addresses issues such as impermissible “spot zoning” where an applicant seeks “re-zoning” (or a zoning amendment) for a specific property that is inconsistent with the surrounding uses. (Additional articles will address the inherently problematic “exceptions” to uniform zoning ordinances.) Thus, uniformity is a Constitutional standard.

Also, zoning regulations must be related to “public health, safety, morals, or general welfare.” Nectow, 277 U.S. at 276. This is also reflected in the Pennsylvania MPC. See § 604. In other words, zoning cannot be arbitrary, individualized, or for just any reason. The rationale must be community-focused.

Zoning Serves Important Objectives

In Pennsylvania, the MPC defines the statutory requirements for zoning (but be careful because this document only addresses the statutes, not federal laws nor Pennsylvania court cases). In simplest terms, zoning serves an important purpose in your community because it helps to protect your property investment, helps to minimize legal nuisances, and helps to manage taxes by coordinating development activities.

As noted above, zoning must be uniformly applied and consistent with a community plan. Therefore, obtaining “exceptions” to zoning such as variances, “re-zoning”, or even special exceptions or conditional uses are weighty tasks. These tasks are not government “telling people what to do” or money-making enterprises for local government. They are a reasonable balancing of the interest of the whole community (as defined in the comprehensive plan and zoning ordinance) with the interest of an individual seeking a special exception or a special status.

For more information, the Pennsylvania DCED publishes a good Planning Series of ten documents, which are available for free. See Planning Series (scroll about 2/3 of the way down the page); Planning Series 04 is the Zoning book.

Note—Not Legal Advice

While written by an attorney, the above represents general legal information as a public service and not legal advice. Seek legal advice from an attorney for specific projects and situations.

Legal Nuisances

* A legal nuisance differs from the common usage of the word nuisance. The common word describes many annoyances. A legal nuisance is a nuisance for which the law provides a potential remedy. Usually, legal nuisances require some type of objective unreasonableness to the annoyance or nuisance behavior and usually some type of repetitive behavior.

Overview of Pennsylvania’s Data Breach Reporting Law

Many ask what a business should do when uncovering a suspected data breach in Pennsylvania. Unfortunately, the answer can be quite complex depending on the business, the nature of the suspected breach, and the data involved. The legal consequences of a data breach, not to mention the business consequences, can be startling to the unwary.

Foremost, response to a data breach should start before the data breach even begins. A business should have a data security assessment conducted by a qualified cybersecurity attorney to create a baseline and to create a data breach action plan—see The Unwitting Cybersecurity Trap: The Risks of Relying on Technology Consultants article for why simply having a tech firm perform these tasks might not be good enough and might create even more problems for the business. The data breach response plan typically outlines who must be contacted, what forensic information should be collected, risk profiles depending on the data, an inventory of data types, data storage locations, backups, and other action items. With a data breach response plan, the business can contact the data breach attorney and start implementing the data breach response plan when a data breach occurs.

OK, let’s just say you are not in this ideal situation, are a Pennsylvania business, and have no data breach response plan.

Pennsylvania Requirements After a Data Breach

Foremost, a patchwork of laws, regulations, and industry standards govern data breaches. Laws and regulations might issue from federal authorities or from state authorities. There is also a difference between criminal and civil obligations. Typically, a business must comply with applicable federal and state data breach requirements. This is why data breaches are a legal issue, not just a technical issue.

For example, in Pennsylvania, the general data breach law is 73 P.S. §§ 2301 et seq. (Other states may have different, state-specific data breach reporting laws.) Essentially, the Pennsylvania law specifies that a business must generally provide notification to individuals if a breach of personal information occurs without unreasonable delay.

First, Pennsylvania defines personal information as

  • first name (or initial) and last name along with
    • social security number,
    • driver’s license number (or state ID), or
    • bank information along with the access code or similar codes.

73 P.S. § 2302.

Second, the business must provide notification. The business may also need to notify credit reporting agencies under some circumstances. 73 P.S. § 2305. However, the use of encryption or data redaction may modify the general notification rules. Having an internally defined and maintained data breach notification plan might also limit the effect of the general state requirements in some cases. 73 P.S. § 2307.

Finally, the required notifications must issue “without unreasonable delay.” 73 P.S. § 2303. Unfortunately, the statute does not define “unreasonable delay” and, to the best of my knowledge, no court has yet analyzed that requirement.

While the notification requirements seem straight-forward, what the requirements mean is defined legally. This can be a real “gotcha” for some businesses. That is, for example, it is not your personal opinion regarding “unreasonable delay,” what you think sufficient notification means, or whether you need to notify credit reporting agencies (and which ones). These are legal questions, and thus, legal standards apply. What needs to be done requires a legal analysis of the circumstances (and this is usually far easier and far more complete when done ahead of time).

Penalties for Failure to Follow the Data Breach Reporting Law

Failure to follow the data breach reporting law may, at minimum, result in a legal action by the Attorney General. Interestingly, the attorney general’s action falls under unfair and deceptive trade practices. In other words, data security is an implied duty of the business and failure to protect data is viewed as a deceptive or unfair trade practice. Thus, not only does your business potentially suffer the stigma of a data breach, but it may also be sued by the Commonwealth for unfair and deceptive trade practices. (This is yet another reason why a business should contact a data breach lawyer before a breach occurs to begin setting up a legally defensible due diligence plan and to check insurance contract coverage.) There also could be civil liability from vendors, subcontractors, banks, credit card companies, etc.

Pennsylvania Computer Crimes Law

Computer crimes laws relate to data breaches but are not the same. Pennsylvania has several computer crimes laws. See 18 Pa. C.S. §§ 7601 et seq.

The Pennsylvania Computer Crimes laws may sound like an easy-out for unwary businesses—with a business mistakenly assuming that you just call the police, and the police will “handle it.” But data breach reporting requirements and the criminal prosecution of alleged computer crimes are distinct obligations. Furthermore, data breach reporting and computer crimes prosecution may require coordination with law enforcement but may require protections for the business from government overreaching or government errors. See 73 P.S. § 2304 (requiring cooperation with law enforcement but providing no statutorily defined protections for the business). Again, all is not as simple as it seems.

Summary of the Pennsylvania Data Breach Reporting Law

The above provides general information about Pennsylvania data breach reporting laws. Pennsylvania, as most states, has had a data breach reporting law for over a decade. But Pennsylvania law is not the only law that a Pennsylvania business needs to consider.

As noted, there is an even more complex series of general and industry-specific federal laws that may apply. And even those federal laws may have Pennsylvania-specific permutations. For example, the federal Third Circuit covering Pennsylvania currently recognizes that the FTC may regulate data breaches as “unfair and deceptive” trade practices. See FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015) or Cybersecurity as an Unfair Practice: FTC Enforcement under Section 5 of the FTC Act. Other states, even under federal law, might not have such requirements, causing confusion. Special data reporting may be required in medical and banking data breaches or in other industries. A data breach might also trigger contractual, professional licensure, or vendor obligations (requiring notification of contractors or subcontractors).

Often forgotten, Pennsylvania businesses may need to comply with out-of-state reporting requirements under some circumstances depending on the business’ customers.

Navigating data breach reporting can be daunting and is fraught with traps for the unwary.

eDiscovery Technologies Article Published

The Suffolk Journal of Trial and Appellate Advocacy law journal published Peeking Inside the Black Box: A Preliminary Survey of Technology Assisted Review (TAR) and Predictive Coding Algorithms for eDiscovery (21 Suffolk J. Trial & App. Advoc. 221, 221-286 (2016)). The article explores the sometimes complex and arcane technical language of predictive coding, keyword search, and technology assisted review (TAR). Written by a lawyer and experienced technology professional, the article explores how these new-to-the-legal-community technologies work along with the limitations and benefits of the technologies. With extensive notations (300+ citations), the well-cited article imports academic literature from machine learning, natural language processing, information retrieval, and statistics to explain how predictive coding and machine learning work in an eDiscovery context.

Shannon Brown teaches eDiscovery technologies at Widener School of Law. The teaching provides insights into the educational needs of the legal community. Shannon Brown is also the author of open source eDiscovery software (Prolorem eDi) used for law school classes and by legal community members.

The abstract for the article summarizes:

This article fills a troubling gap in the legal literature related to e-Discovery software systems. Lawyers, law students, and law school professors have no concise resource for learning about or teaching about e-Discovery technologies such as technology assisted review (TAR), “predictive coding,” and older keyword search systems.

Peeking Inside the Black Box provides the legal community with a preliminary overview of some of the algorithms and methods used in keyword search, TAR, and “predictive coding” software. The article first illustrates the ethical duties and strategic or practical reasons for knowing how these technologies work. The objective is to reduce reliance on non-lawyer experts—who may misunderstand the legal implications of applying technical systems.

Before delving into the algorithms, the article then addresses how these computer algorithms translate human-readable documents into computer-understandable “language”—called preprocessing. Surprisingly, preprocessing has not been addressed in legal literature even though this step defines what the algorithms “see” and thus the potential effectiveness of the algorithm output.

The article then explains the critical distinction between keyword search systems and TAR or predictive coding systems. This distinction, hinted at in case law and articles, finally reveals the source of the Go Fish Problem—where lawyers blindly select keywords in hope of identifying relevant materials. However, the explanation requires a basic technical understanding of how keyword search algorithms fundamentally differ from TAR or predictive coding algorithms. Once understood, lawyers gain additional insights into when and how to deploy these tools in litigation.

Attorney Brown Appointed to the Clarks Summit Borough Planning Commission

In August 2016, the Clarks Summit Borough Council selected Attorney Shannon Brown to fill an open seat on the Clarks Summit Borough Planning Commission.

Along with legal training, Shannon brings experience as a professor of community and economic development and prior experience serving as a planning commission member in Lancaster County and in New York State. He brings specific legal training in Land Use Law, Environmental Law, and Business Law with academic publication on the intersection of local land use law and federal environmental regulations.

Shannon has close family in Clarks Summit and 27 years of familiarity with the area.

Article on eDiscovery Technologies Pending Law Journal Publication

The Suffolk Journal of Trial and Appellate Advocacy law journal will publish Peeking Inside the Black Box: A Preliminary Survey of Technology Assisted Review (TAR) and Predictive Coding Algorithms for eDiscovery. Shannon Brown is excited about the law journal publication. He taught eDiscovery technologies at Widener School of Law in 2015. The teaching provided insights into the educational needs of the legal community related to the complex issues associated with eDiscovery technologies. Shannon Brown is also the author of open source eDiscovery software (Prolorem eDi) used for law school classes and by legal community members.

The abstract for the pending article summarizes:

This article fills a troubling gap in the legal literature related to e-Discovery software systems. Lawyers, law students, and law school professors have no concise resource for learning about or teaching about e-Discovery technologies such as technology assisted review (TAR), “predictive coding,” and older keyword search systems.

Peeking Inside the Black Box provides the legal community with a preliminary overview of some of the algorithms and methods used in keyword search, TAR, and “predictive coding” software. The article first illustrates the ethical duties and strategic or practical reasons for knowing how these technologies work. The objective is to reduce reliance on non-lawyer experts—who may misunderstand the legal implications of applying technical systems.

Before delving into the algorithms, the article then addresses how these computer algorithms translate human-readable documents into computer-understandable “language”—called preprocessing. Surprisingly, preprocessing has not been addressed in legal literature even though this step defines what the algorithms “see” and thus the potential effectiveness of the algorithm output.

The article then explains the critical distinction between keyword search systems and TAR or predictive coding systems. This distinction, hinted at in case law and articles, finally reveals the source of the Go Fish Problem—where lawyers blindly select keywords in hope of identifying relevant materials. However, the explanation requires a basic technical understanding of how keyword search algorithms fundamentally differ from TAR or predictive coding algorithms. Once understood, lawyers gain additional insights into when and how to deploy these tools in litigation.

FAA Finally Requires Drone UAS Registration

The FAA now requires registration and labeling of all outdoor drones (unmanned aircraft systems or UAS) by February 19, 2016. According to the FAA UAS Website, electronic registration is available for hobbyists, as defined by law, for drones weighing less than 55 lbs., and paper registration must be used for all other drone registrations including commercial uses. Registrations for hobbyists using the electronic system last for three years and cost a nominal $5.00.

Registered drones must be labeled with the registration number to facilitate easy identification of the aircraft. As the labeling instructions show, the UAS/drone must be marked by

  • engraving,
  • a permanently affixed label, or
  • permanent marker.

The registration number must be visible (although labeling in the battery compartment is apparently permitted if, and only if, the battery is accessible without a tool).

The long over-due registrations arose due to numerous complaints and dangerous incidents—many where tracing the offending operator is difficult or impossible due to the lack of registrations. On December 11, 2015, the Center for the Study of the Drone at Bard College released a disturbing report showing 921 drone incidents from December 2013 to September 2015. An astounding 327 of those drone incidents presented “some level of hazard” to manned aircraft, and 594 other cases involved drones spotted “near or within” aircraft flight paths. According to the BBC, an 18 month-old child in the UK recently lost an eye to a drone.

The renewed effort by the FAA to hold drone operators responsible appears reasonable and proportionate considering the known dangers. I have publicly called for such measures since at least February 22, 2014, due to the clear danger and need for accountability (when a drone takes down a passenger aircraft or your child loses an eye, who will pay for the losses?). The FAA has now implemented many of those suggestions including the much-needed No Drone Zone. The FAA provides a helpful FAQ for reliable information on drone (UAS) use.

Non-hobbyist uses, such as commercial and government use, still require additional approvals prior to operation of the drone. Note that the FAA alone defines model aircraft, hobbyist, and recreational uses. According to the FAA, other uses require special permission and possibly a pilot certificate.


Brown Appointed to Rapho Township Planning Commission

Rapho Township appointed Shannon Brown to serve a four-year term on the Rapho Township Planning Commission. The appointment occurred in January 2015. The Planning Commission reviews subdivision and land use applications in Rapho Township and makes recommendations to the Rapho Township Supervisors.

Attorney Brown brings past experience in land use law, sustainable agriculture (former farmer), sustainable community development, real estate law, and environmental law—with academic publication on environmental law and local land use regulations. Prior to becoming an attorney, Shannon served on a county Planning Board and completed training in land use, subdivision, and storm water regulations.

The Unwitting Cybersecurity Trap: The Risks of Relying on Technology Consultants

Considering the increasing number of data breaches, “hacking” episodes, and cybersecurity incidents over the past few years, businesses are finally starting to take cybersecurity and data security seriously. Businesses also realize that responsibility for data security is shifting from the IT staff to the Board and senior leadership.* However, some businesses still do not realize that data security is primarily a legal issue for business, not just an IT issue. Therefore, relying on technical consultants for legal problems may unwittingly create problems for a business.

Cybersecurity is a Legal Issue

Almost all states now require some form of data breach reporting. Businesses, so far, have ducked liability in the courts from data breach damages. But victims continue to put forward novel theories, and liability lurks.** The costs of defending against such a lawsuit can be significant. Furthermore, damages from a cybersecurity incident, such as recovery costs, mitigation costs, notification expenses, monitoring fees, lost business (about 50% of cybersecurity victims abandon the business), and consultant costs, may lead to legal action from shareholders. Businesses also face a myriad of regulatory and compliance requirements. For example, the FCC recently levied a $10 million fine against two businesses for failing to protect data—and more actions are coming from both federal and state agencies including new unfair-trade-practices claims.*** The take-away: cybersecurity raises important legal issues.

The Risks of Only Using Cybersecurity Consultants

Direct Hire Problem
Typical Cybersecurity Consulting Arrangement–Risky for the Business & Potentially Waives Protections

Many cybersecurity consulting firms provide an important technology service by implementing and monitoring or addressing the technology aspects of cybersecurity. But, cybersecurity technology consultants either

  1. offering regulatory compliance services or
  2. implying that the technical services somehow meet legal requirements

might place the hiring businesses at significant risk—albeit often not obvious until a problem later arises.

Risks with hiring a cybersecurity consulting firm are:

  • the technical consultants cannot provide binding opinions regarding either regulatory compliance or legal compliance (negligence, due diligence, etc.) and thus reliance on such opinions may place the business at risk (and even offering such opinions may be illegal in most states under criminal and civil unauthorized practice of law statutes or unfair trade practices); and
  • all of the work done by the technical consultants, including reports, network diagrams, infrastructure diagrams, personnel involved, observations, analyses, and decisions made, becomes fully discoverable (exposed) in a subsequent lawsuit—meaning the business will likely need to turn-over all this information to the opposing side.

Thus, a business relying on assurances by the cybersecurity consulting firm regarding regulatory compliance or due diligence may place the business in a legal predicament as these assurances may mean little or nothing. (Sometimes people think that the nod-and-wink “I’m not a lawyer but…” disclaimers somehow make these risks go away. That is mistaken.)

Addressing the Cybersecurity Consulting Trap

Hiring Law Firm
Adding a Legal Team

Addressing the cybersecurity trap involves a simple readjustment of the relationship between the business, consultant, and attorney. The business first engages an attorney knowledgeable in cybersecurity. Under the direct supervision of the attorney, the business hires a cybersecurity consulting firm. The cybersecurity lawyer then mediates between the cybersecurity technical team and the business.

How does this arrangement potentially mitigate the trap and risks? In this arrangement, the business

  • gains defensible legal opinions on cybersecurity from the attorney including defensible opinions on regulatory compliance (providing reasonable reliance defenses);
  • receives technical work by the cybersecurity consultant, but under direction and advising of the attorney, to address the cybersecurity technical concerns; and
  • gains potential protection from disclosure because the work was conducted under the direction of an attorney (the business and attorney can assert attorney-client privilege and the attorney-work-product doctrine in the event an incident occurs later).

The organization and timing are important to potentially benefit from the arrangement. Before any work is done, the business hires the law firm (cybersecurity lawyer) who in turn hires or oversees the cybersecurity firm. (Other arrangements may waive the potential benefits even though they may sound similar.)

Conclusion

Businesses trying to do-the-right-thing might unwittingly waive some important, potential benefits from cybersecurity analysis. When direct hiring a cybersecurity consultant to address legal issues related to technology, the business likely waives the potential benefits of attorney-client privilege and attorney-work-product protections. These protections may become important should a data breach, “hacking,” or cybersecurity incident occur later.

Furthermore, an attorney can provide valid legal opinions on regulatory compliance and due diligence so businesses can assert reasonable-reliance defenses. In contrast, regulatory compliance “opinions” by technology consultants likely have little or no weight because they are not legal opinions (and regulations are legal issues, for example HIPAA).****

Cybersecurity and data security are increasingly becoming a hot-button issue for most businesses. Unfortunately, technology consulting firms offering cybersecurity services might be placing businesses at risk or reducing the benefit of such services. Reducing that risk simply involves seeking competent legal advice from an attorney.


Notes

* See, for example, Todd Sexton, CEO responsibilities for data breach, Homeland Security Wire (Feb. 13, 2015); David Geer, Why the Board of Directors Will Go Off on Security in 2015, CIO Magazine (Dec. 10, 2014); or Shannon Brown, The Next Battleground for Data Breaches…Shareholder Lawsuits? (Apr. 11, 2014).

** But this is quickly changing as companies, not individuals, bring the lawsuits. Meagan Geuss, Judge rules that banks can sue Target for 2013 credit card hack, Ars Technica (Dec. 4, 2014).

*** Brian Fung, With a $10 million fine, the FCC is leaping into data security for the first time, Washington Post (Oct. 24, 2014).

**** One exception may be PCI compliance because PCI compliance is an industry standard and not necessarily a legal regulation per se. But because related issues may be at stake, this quickly becomes a slippery-slope.


Attorney Brown Teaches Law School Course on eDiscovery Technologies

Attorney and Adjunct Professor Shannon Brown taught a course on eDiscovery technologies such as keyword search, technology assisted review (TAR), predictive analytics, and predictive coding.

Unlike typical eDiscovery courses, which often gloss-over the technologies, law students became deeply engaged in the technical aspects of eDiscovery including completing a hands-on, simulated eDiscovery project using a freely available, predictive coding, reference platform and parts of the Enron dataset.

Students also learned in the law school course about the technical progression in eDiscovery from early TIFF load files, to keyword search, to technology assisted review (TAR) to predictive coding. Importantly, the law school course introduced the students to how some of the primary algorithms work–including keyword search indexing, Support Vector Machines (SVMs), logistic regression, clustering technologies (basic k-Means and k-Nearest-Neighbors), and Bayesian decision systems.

Students learned about several metrics used to evaluate eDiscovery software performance such as accuracy, recall, precision, F-scores, and probabilities.
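The metrics named above, worked through as an added example that is not code from the original post or from the Prolorem eDi software. It scores three hypothetical review tools against a constructed twelve-document set with hypothetical ground-truth relevance labels (the document set, the labels and the tools' decisions are all assumptions made for illustration). It goes a little beyond the list in the text by also computing a recall-weighted F-score, since eDiscovery review usually cares more about finding every responsive document than about avoiding a few false positives.

```python
"""Review-quality metrics (accuracy, precision, recall, F-scores) for eDiscovery.

Added example; not part of the original post or of Prolorem eDi.
All document labels and tool decisions below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Confusion:
    """Outcome counts for a binary review decision against ground truth."""
    tp: int  # relevant and flagged as relevant
    fp: int  # not relevant but flagged as relevant
    fn: int  # relevant but missed
    tn: int  # not relevant and not flagged

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fp + self.fn + self.tn)

    @property
    def precision(self) -> float:
        """Share of flagged documents that really are relevant (0 if none flagged)."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        """Share of relevant documents the tool actually found (0 if none exist)."""
        relevant = self.tp + self.fn
        return self.tp / relevant if relevant else 0.0

    def f_beta(self, beta: float = 1.0) -> float:
        """F-score; beta=1 weights precision and recall equally, beta=2 favours recall."""
        p, r = self.precision, self.recall
        denom = beta * beta * p + r
        return (1 + beta * beta) * p * r / denom if denom else 0.0


def confusion(truth: Sequence[int], predicted: Sequence[int]) -> Confusion:
    """Tally a tool's decisions (1 = relevant, 0 = not) against ground-truth labels."""
    if len(truth) != len(predicted):
        raise ValueError("truth and predicted must have the same length")
    tp = fp = fn = tn = 0
    for t, p in zip(truth, predicted):
        if t and p:
            tp += 1
        elif p:
            fp += 1
        elif t:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, fn, tn)


# Constructed data: 12 documents, only 3 relevant, as is typical of review sets
# where responsive material is rare.
GROUND_TRUTH = [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
TOOL_DECISIONS: Dict[str, Sequence[int]] = {
    # Hypothetical keyword search: hits one relevant doc and one false positive.
    "keyword search": [1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0],
    # Hypothetical TAR model: finds all three relevant docs plus two false positives.
    "TAR model":      [1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
    # Degenerate tool that marks everything not relevant.
    "mark all non-relevant": [0] * 12,
}


def evaluate_tools() -> Dict[str, Confusion]:
    """Score every constructed tool against the ground-truth labels."""
    return {name: confusion(GROUND_TRUTH, decisions)
            for name, decisions in TOOL_DECISIONS.items()}


if __name__ == "__main__":
    print(f"{'tool':<24}{'acc':>6}{'prec':>6}{'rec':>6}{'F1':>6}{'F2':>6}")
    for name, c in evaluate_tools().items():
        print(f"{name:<24}{c.accuracy:6.2f}{c.precision:6.2f}{c.recall:6.2f}"
              f"{c.f_beta(1):6.2f}{c.f_beta(2):6.2f}")
```

Running it shows why accuracy alone is a poor yardstick for review software: the tool that flags nothing scores the same 75% accuracy as the keyword search, because nine of the twelve documents are not relevant, yet its recall is zero. Recall, precision and the F-scores separate the three tools cleanly.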

A significant part of the law school course on eDiscovery also addressed predicate preprocessing issues, which have legal consequences, such as de-NISTing, understanding the difference between forensics and eDiscovery, feature selection, data matrices, stemming, natural language processing, latent semantic indexing, and generalization (overfitting and underfitting).

At the conclusion of the law school course, students were expected to be able to identify the types of technologies used in TAR, predictive coding, keyword, or other tools and be able to apply them to eDiscovery technical problems.

Other class topics included eDiscovery project management, understanding Big Data, basic case law, and eDiscovery best practices.

Widener School of Law-Harrisburg held the 16-hour, intensive program. The program is believed to be the first of its kind in the country: a course intensively focusing on understanding and applying the technologies, together with a notable simulated case using predictive coding.

Pirker Decision Fails: Drones Subject to FAA Rules

As predicted, the NTSB reversed an earlier administrative law decision in Pirker and held that drones (UAS) are aircraft according to law and thus subject to FAA regulation.

The FAA accused Pirker of “reckless operation of an aircraft” and imposed a civil fine of $10,000. The FAA alleged that Pirker:

  • “deliberately operat[ed] [] an aircraft at extremely low altitudes over vehicles, building, people, streets, and structures;”
  • operated a drone over active streets,
  • caused a pedestrian on the ground to take evasive maneuvers to avoid the drone,
  • operated a drone near “numerous individuals,”
  • operated a drone near a heliport,
  • flew directly towards a building at less than roof-top level, and
  • operated the drone inside a “tunnel with moving vehicles.”

Pirker moved to dismiss the allegations by claiming that drones were not FAA-type aircraft and not subject to FAA regulations (thus, Pirker claimed there was no violation because he was just allegedly operating a drone, not an aircraft).

In a very puzzling opinion and despite decades of administrative law, the administrative law judge nevertheless dismissed the FAA allegations and claimed that the FAA did not have authority to regulate drones (UAS) because drones were not “aircraft.” Pro-drone advocates trumpeted the questionable opinion. However, as I cautioned at the time, the law plainly gave the FAA regulatory power over drones.

The FAA appealed the dismissal. On November 17, 2014, the NTSB, sitting on appeal, corrected the administrative law judge and reversed the dismissal. In an opinion largely echoing prior comments and consistent with administrative law procedure, the NTSB Appellate Division clarified that drones (UAS) are aircraft within the statutory definition of aircraft and are thus subject to FAA regulations, including prohibitions on “reckless operation.” The Board stated:

We must look no further than the clear, unambiguous plain language of 49 U.S.C. § 40102(a)(6) and 14 C.F.R. § 1.1: an “aircraft” is any “device” “used for flight in the air.” This definition includes any aircraft, manned or unmanned, large or small. The prohibition on careless and reckless operation in § 91.13(a) applies with respect to the operation of any “aircraft” other than those subject to parts 101 and 103. Pirker II, Page 12

The NTSB Appellate Court did not decide whether Pirker was liable but instead remanded (sent back to the lower court) for additional proceedings.

Pirker II, while disappointing to some drone zealots, illustrates proper administrative law interpretation. With the interplay of statutes, regulations, opinions, definitions, and other factors, interpreting administrative law can be complex. But as Pirker II shows, the law means exactly what it says. It is up to Congress to redefine definitions if they are incorrect or no longer applicable.

 

Is PCI Compliance Enough?

CIO Magazine recently ran an insightful article about PCI compliance. The article emphasizes that PCI “compliance” is a credit card industry minimum set of standards to protect data and to minimize data breaches. However, as the numerous data breaches over the past year attest, something appears wrong.

Yes, something is wrong. First, cybercriminals possess a level of sophistication that most businesses simply do not comprehend. Professional cybercriminal networks and state actors launched the recent data breaches—not a couple of teenage “hackers.” Second, businesses must understand that data itself, not just credit card numbers, has significant value in a well-developed, global market for data. Medical information, address information, employment information, legal information, company trade secrets, intellectual property, business acquisitions, financials, manufacturing systems, geolocation information, CAD drawings, etc. all have marketable value.

Once the sophistication and capabilities of the cybercriminals are understood, businesses must then understand that mere adherence to minimum industry “compliance” standards no longer adequately protects company reputation, company property, or customer data. As I noted earlier this year, shareholder lawsuits against officers and board members loom. Unfortunately, some company will soon be the poster child for such suits. With high-profile companies losing millions in sales after data breaches, boards and officers have a defined duty to protect the company and its data and systems assets. (Target’s profits fell by about 40%, or $441 million.)

Addressing Data Security, Cybersecurity, and Data Breach Issues for Business—A New Paradigm

But another issue often goes overlooked. Businesses continue to myopically view data breaches as simply a technical or IT issue. Thus, business leadership (and even many attorneys unfamiliar with technology) might simply require the “IT people” to come up with a data policy, implement that policy, and monitor that policy. The problems with such an approach should be evident—and recent events should show that this strategy does not work.

Businesses must adopt a new paradigm for addressing cybersecurity, data breach, and data protection issues.

  1. Data breaches and data protection are legal (including compliance), business, financial, and technical issues for a company. Thus, all elements must be directly involved in any policy-making, procedures, and implementation programs.
  2. Simply delegating the issues to an IT department provides a recipe for failure—not because IT lacks professionalism or skill, but because this is not an IT problem alone.
  3. Simply relying on a minimal “industry standard” might not be enough to protect a business from the spectrum of threats and duties—financially, reputation-wise, procedurally, legally, or legal-compliance-wise.
  4. Businesses should seek legal help with developing proactive policies and procedures to handle data retention, legal compliance, data breach preparedness, data breach response, eDiscovery, and cybersecurity incidents. Legal counsel can advise the board and officers on compliance issues and on the sufficiency of an organization’s efforts.
  5. Businesses may increasingly need to consider cybersecurity insurance to help cover the costs of data breaches.
  6. Auditing should be done by outside legal counsel (lawyers) because only legal counsel can confidentially advise an organization on the legal sufficiency of cybersecurity, data security, data retention, disaster recovery, or data breach programs. (And increasingly, the protection of confidentiality may become very important in litigation.)

 

 

Pennsylvania CLE Board Adds Technology Ethics Category

In October 2014, the Pennsylvania CLE Board Website added a new category for lawyer CLE programs called Ethics–Technology (new ETH10).

Attorney Shannon Brown requested the additional category in light of the Pennsylvania Supreme Court’s changes to the Pennsylvania Rules of Professional Conduct effective November 2013. The 2013 updates to the Pennsylvania Rules of Professional Conduct specifically require Pennsylvania lawyers to possess personal knowledge of the “benefits and risks associated with relevant technology.” Thus, technology stands as an ethics issue for lawyers.

The same changes also notably affect Rule 5.1 (Responsibilities of Partners, Managers and Supervisory Lawyers) and Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance). Lawyers can no longer merely “delegate” technology issues to non-lawyer staff or to outsourcing providers; see Comments 1-5 to Rule 1.1, which indicate that a lawyer faced with a competence issue must associate with a lawyer who has the requisite knowledge. Note that the issue of lawyer competence and the use of experts now clearly diverge, although many lawyers confuse the two. Technology is a lawyer competence duty and thus cannot be delegated in the way attorneys simply acquire advice from experts on specific, non-lawyer issues.

Ethics programs will increasingly need to address issues such as data breach, information security, risks of cloud computing, encryption, information security law, information technology law (as distinct from “intellectual property”), eDiscovery, technology assisted review (TAR), and security audits.

 

Attorney Brown Receives Cybersecurity Technical Certification

Attorney Shannon Brown passed the new, performance-based, CompTIA Security+™ certification exam on September 16, 2014. CompTIA Security+™ certification provides an industry-recognized method to objectively demonstrate technical skills in computer security, data security, or cybersecurity. The new cybersecurity certification is believed to be a first for an attorney in Pennsylvania.

The CompTIA Security+™ (SY0-401) Certification is approved by the U.S. Department of Defense to meet information assurance technical and management certification requirements and tests a broad range of information security topics, including data security policies, general regulatory compliance, secured computer networking, secured mobile computing, malware, “hacking,” disaster recovery, cryptography, encrypted communications, cloud computing, basic computer forensics, event response, and physical systems security.

While Attorney Shannon Brown has years of technical experience, the certification provides further, objective evidence of technical skills in addition to legal knowledge in the cybersecurity and information technology fields.

About Attorney Shannon Brown—Consulting Attorney on Cybersecurity, Data Compliance, Information Governance, Data Privacy, eDiscovery Technologies, and Security Policies

An experienced technology professional foremost, Attorney Shannon Brown brings over 15 years of technology industry experience including developing artificial intelligence software (see www.prolorem.com), developing web applications, developing mobile applications, providing systems administration in Linux or Windows, and implementing computer security. Shannon has owned information technology businesses and has served as a senior technology consultant, a Chief Information Officer (CIO), web hosting provider, and senior software architect.

More recently, Attorney Shannon Brown completed his law degree, cum laude and with published law review membership, and offers a unique combination of deep technology consulting and legal advising on data security, data breach, cybersecurity policies, information governance, eDiscovery, disaster recovery planning, data breach response planning, technology audits, and regulatory compliance. He has presented programs on technologies and law at the local, state, and national level and frequently writes on emerging technology issues. In 2015, he will begin adjunct law school teaching on legal technology issues.

Attorney Shannon Brown Teaching eDiscovery Technologies Course

Attorney Shannon Brown will teach a course on eDiscovery technologies at Widener University School of Law on January 5 and 6, 2015. The new course, taught by a lawyer with direct technology knowledge, explores the critical, technical aspects of eDiscovery. Most discussions of eDiscovery gloss over the technical issues. But as this course will demonstrate, the implementation of the technologies themselves carries significant and surprising legal consequences and is thus part of a lawyer’s legal duty to clients; that is, the lawyer cannot just “outsource” the “technical” aspects to non-lawyers.

The course gains added importance in the wake of the 2013 updates to the Pennsylvania Rules of Professional Conduct, which specifically addressed the lawyer’s duty to personally know technology as part of the lawyer’s duty of competence (Rule 1.1) and to personally supervise associates, internal personnel, and outside personnel (Rule 5.3) on technology issues. (If you are a lawyer practicing in Pennsylvania and have not read these changes, see the 2013 updates to the Pennsylvania Rules of Professional Conduct.)

eDiscovery Technologies Course Summary—Widener Law

Today’s law practice deeply involves competence with information technologies. Lawyers must be familiar with information technologies as part of a lawyer’s ethical duty to clients. Clients also increasingly demand that attorneys manage legal costs by properly applying technological efficiencies.

But at the same time, lawyers face a deluge of electronically stored information (ESI) unlike anything seen before and occurring in even simple litigation. Manually weeding through gigabytes of emails, texts, tweets, geolocation data, social media content, corporate ERP systems data, database content, and document management systems output to respond to eDiscovery requests or to analyze materials received from opponents can quickly overwhelm—or even be impracticable.

Fortunately, artificial intelligence and machine learning software tools now exist that may permit lawyers, in appropriate cases, to efficiently leverage technology to

  1. significantly reduce legal analysis time,
  2. while quantifying performance, and
  3. maintaining or enhancing accuracy and integrity.

Knowing what these technologies are, how they work, what the limitations and pitfalls are, and how to deploy them is what this course is all about.

eDiscovery Technologies Course Objectives

This course introduces students to the technical aspects of emerging technology assisted review (TAR) in eDiscovery. TAR includes several technologies such as Boolean keyword search, probability systems, and “predictive coding”/predictive analytics tools. (I, however, prefer the term computer augmented legal analysis (CALA) as the most accurate term.) Students will gain

  • practical, law practice insights into the data deluge that drives the need for more efficient legal analysis tools including discussion of data sources, data types, and data collection issues;
  • basic project management insights related to the technical aspects of TAR;
  • a basic understanding of the primary types of TAR-related tools available including traditional Boolean keyword search, general TAR tools, often confused document management systems, and newer “predictive coding”/predictive analytics / CALA tools;
  • ability to distinguish TAR-related tool types, how to select tools, and how to address the strengths and weaknesses of each type;
  • a technical understanding of how predictive analytics/CALA tools work;
  • insights into the metrics used to measure the performance of TAR systems;
  • insights into the types of computer equipment currently needed to run the newer TAR tools; and
  • hands-on use of a predictive analytics tool while performing a simulated eDiscovery task (to apply the theory discussed in class).

Thus, at the conclusion of the course, the student will be able to evaluate whether eDiscovery tools are appropriate for a case, understand the various types of tools, be able to discuss the strengths or weaknesses of each type, be able to apply the primary metrics associated with TAR, and understand the project flow for a basic case.

 

Texas Bar Opinion 642 and Today’s Legal Profession

In May 2014, the Texas Bar Association’s Professional Ethics Committee released Opinion 642, barring law firms from using the title “officer” or “principal” in non-lawyer job titles such as Chief Information Officer. Shockingly, the opinion unleashed a howl of protest from lawyers, even some who should know better. My comments are not specifically about the Texas Bar’s opinion but about the broader implications of such opinions for a changed profession.

Texas Bar Opinion 642 Merely Re-states the Obvious (Under Current Legal Rules)

Opinion 642 merely states that because the organizational terms “officer” or “principal” imply an ownership interest in a business and because legal ethics rules prohibit non-lawyer ownership of law firms, using such titles misleads. See Opinion 642 at 1-2. This seems logical and obvious considering the current legal rules prohibiting non-lawyer ownership of law firms.

Yet, the surprising protests seem to be arising, at least in part, from the misguided perception of somehow “demoting” law firm CIOs or of viewing non-lawyers as somehow “unprofessional”—the latter confusing the term-of-art “professional” with the common adjective professional or common noun professional. But the former requires more discussion—using non-lawyer CIOs.

I have seen no one in the legal community generally questioning whether the profession needs, or should still be using, non-lawyer CIOs. The Texas Bar Opinion indirectly sheds light on this general challenge for the profession.

Lawyers Can No Longer Delegate Technology to Non-lawyers

The 2012 revisions to the Model Rules of Professional Conduct (as states such as Pennsylvania adopted—see the ABA Policy Implementation Committee’s list of adopting jurisdictions) fundamentally recognized the changes evident in the legal profession. The 2012 revisions expressly make technology awareness a lawyer competence issue (Rule 1.1).

To maintain the requisite knowledge and skill [lawyer competence], a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology….

Note that the lawyer must be personally competent with technology or associate with an attorney who is (note the emphasis on with an attorney). For example, Comment 1 to Rule 1.1 in the Pennsylvania version of the revised Rules reads:

whether it is feasible to … associate or consult with, a lawyer of established competence in the field in question. (emphasis added)

Furthermore, the same Rule revisions also updated Rules 5.1 (supervising attorney duties) and 5.3 regarding supervision of non-lawyer personnel. The natural implication of these revisions fundamentally transforms law practice duties. Law firms can no longer just outsource that “technology stuff” to non-lawyers because “that technology stuff” is fundamentally law practice (via Rule 1.1), and Rule 5.3 enhances duties for supervising non-lawyers. See Pennsylvania’s New, Technology-related, Ethics Rule Changes for Lawyers for more details.

Law Firm CIOs Need to be Lawyers with Deep Technology Experience and Training

Thus, law firm CIOs should be lawyers with deep technology skills, both to 1) advise lawyers on their duties of legal competence and, importantly, 2) properly supervise the IT staff (via Rule 5.3). But we still seem to have lawyers with outdated perceptions of technology who apparently claim that technology can merely be outsourced, wrongly assuming, after all, that technology “isn’t” law practice. If the lawyer simply delegates the “technology issues” to a non-lawyer because the delegating lawyer doesn’t have the skills, how is the lawyer fulfilling Rule 5.3 supervisory duties or Rule 1.1 competence?

I often get the feeling that many lawyers still think of technology as they do experts: that somehow one can simply delegate to an expert. But experts play a very different role in the legal community and in the legal process than the ongoing, daily operations of a law firm and the revised requirements of lawyer competence. Experts do not run cases; lawyers do. In the same way, lawyers must be familiar with the technologies, not simply delegate those core legal functions to others, unless the delegating lawyer has the personal knowledge and skills to properly supervise the delegation per Rule 5.3. That also means that senior partners cannot just delegate technology issues to office staff, paralegals, or junior associates.

Legal Services Companies

To further illustrate the problem, consider the “legal services” companies that have sprung up to offer technology-related “legal services” to law firms, often staffed by non-lawyers: work with a technology-related character such as eDiscovery, cybersecurity audits, and compliance. To date, only the Washington DC Bar Association has taken on this issue, correctly holding that these “technology” services companies provide legal services and thus must be run by lawyers. Other jurisdictions will follow.

But these types of services raise precisely the same issues as the Texas Bar Opinion 642 title issues: lawyers improperly deeming something “technology” and thus not law practice. The problems compound because not only do we have potentially improper delegation of legal services (violating Rules 1.1 and 5.3) to the outsource company, but the outsourcing lawyers also might be supporting the unauthorized practice of law and the sharing of legal fees, because the lawyers do not understand the technologies “outsourced” well enough to even recognize that these services might be law practice itself. (There is a fundamental difference between outsourcing a high-volume OCR job of ten years ago and outsourcing a predictive coding project.)

Conclusion: Times Changed

Times changed (past tense intended). Yet, as the protests related to Texas Opinion 642 indirectly reveal, many in the profession remain stuck in outdated thinking and avoidance of the reality of today’s legal profession. The officer-title issue in Bar Opinion 642 unveils a much wider crisis in the profession. The profession also suffers a serious crisis in training lawyers to be today’s lawyers, training which must include solid technology skills and technology understanding (not just the same old, outdated law practice management schtick, which simply doesn’t cut it any more). Hopefully, the Texas Bar Opinion will raise awareness of the troubling assumptions made by some of the protestors and will illustrate the broader implications that opinions like this one reveal about a changed profession.

 

Cybersecurity Resolution Adopted

The American Bar Association (ABA) adopted a startling resolution on cybersecurity at its August 2014 meeting. The ABA resolution urges all businesses, law firms, government agencies, and organizations to take cybersecurity seriously and to conduct regular reviews of their security posture. But the most important aspect of the resolution is, finally, the formal recognition that cybersecurity is not just a technology issue but fundamentally a legal, business leadership, management, and technical issue.

Through this Resolution, the ABA stresses the importance of security programs for all organizations as a matter of sound governance and risk management…. Cybersecurity has moved beyond the realm of technical personnel; the maintenance of a security program, including the components stressed in this Resolution, is a responsibility that all senior executives, business owners, attorneys, general counsels, compliance officers, and government officials should embrace. ABA Cybersecurity Legal Task Force, Cybersecurity Resolution 109, American Bar Association, 13 (Aug. 2014), available at http://www.americanbar.org/content/dam/aba/administrative/house_of_delegates/resolutions/2014_hod_annual_meeting_109.authcheckdam.pdf (emphasis added)

The Cybersecurity Resolution also summarizes its recommendations for organizations.

It is imperative that all organizations—private sector companies and other organizations, government departments and agencies, and professional firms such as legal, accounting, engineering, and consulting entities—develop, implement, and maintain an organization-wide security program in accordance with accepted security frameworks and standards. Today, too many organizations and entities—including critical infrastructure companies—have completed some activities within a security program, but not all, making them easy targets for sophisticated cyber-criminals. The lack of a disciplined process for the selection of security controls and ongoing reviews are two of the most serious gaps in security programs. Likewise, many organizations do not devote adequate funding to address known gaps and deficiencies in their security programs or to ensure that their organizations have well-developed plans to enable them to respond adequately to incidents and maintain continuity of business operations. Id. at 13.

Attorney Shannon Brown, as a cybersecurity lawyer and long-time information technology professional with real, hands-on technology skills, welcomes the Resolution, albeit perhaps long overdue. Cybersecurity, information security, information governance, data breach, disaster recovery planning, and overall data protection fundamentally require a new breed of data lawyers who can address the business, technology, and legal aspects of these complex issues. Developing solid cybersecurity policies and procedures, implementing BYOD policies, evaluating systems for compliance with legal regulations (such as HIPAA), performing cybersecurity audits, and performing cybersecurity evaluations all require legal guidance, not just technical measures, as the ABA now attests and as Attorney Shannon Brown has argued before.

Today’s business owners and officers, as part of their fiduciary duties, will need to obtain competent legal advice from a data attorney / cybersecurity attorney to assure that the business owner meets his duties to protect data and to properly address issues.

Attorney Brown Files Drone Aircraft Comments

Attorney Shannon Brown filed official comments on the FAA’s proposed drone aircraft (UAS) regulations and explanations. The FAA printed the Interpretation of the Special Rule for Model Aircraft (79 FR 36172) in the Federal Register on June 25, 2014. (The FAA extended the comment period until September 23, 2014.)

My comments urge the FAA to uphold Congress’ definition that limits model aircraft use to “visual line of sight” according to the FAA Modernization and Reform Act of 2012 § 336. The comments also challenge claims that limiting hobbyist uses of goggles, telescopes, binoculars, spotters, and other artifices somehow “damages” businesses providing these devices.

The full text of the comments is below.

FAA-2014-0396
79 FR 36172

14 August 2014

Dear the Honorable Michael P. Huerta, FAA Administrator:

I submit the following comments to 79 FR 36172 (FAA-2014-0396).

Urge FAA to Uphold the Congressional Interpretation of Visual Line of Sight

As the FAA recognizes, an administrative explanation of “visual line of sight” appears superfluous. Congress plainly specified “visual line of sight” as an absolute touchstone for a device falling into the definition of “model aircraft.” See FAA Modernization and Reform Act of 2012 § 336.

While the FAA appears to attempt to be helpful, the explanation may carry no weight according to Chevron U.S.A. v. NRDC, 467 U.S. 837, 842–843 (1984). Chevron plainly outlined a two-step analysis of deference to an administrative agency’s interpretations of law. Step 1 obligates the administrative agency to give effect to the unambiguous Congressional intent. Chevron U.S.A. v. NRDC, 467 U.S. 837, 842–843 (1984). Nothing in the statutory definition of “flown within visual line of sight of the person operating the aircraft” (FAA Modernization and Reform Act of 2012 § 336) appears ambiguous. Certainly, vision-enhancing goggles, spotters, and other artifices conflict with the Congressional definition and Congressional intent to limit model aircraft to those operating within the term-of-art “visual line of sight.”

The distinction appears necessary looking at recent history regarding UASs (more commonly, drone aircraft). In the FAA’s attempts to be helpful, operators continue to ignore or press the envelope on a potentially dangerous and problematic activity, without accountability, and then use the FAA’s “help” against the FAA and the public; see the recent Pirker administrative law decision related to 91-57, where the FAA’s longstanding, helpful guidelines were used to effectively strip the public of protection (albeit a decision stayed on appeal). Goggles are prohibited from model aircraft operation because Congress, not the FAA, deemed them so.

No “Damage” to Business from Explanation

Several outlets maintain that the new “rule” will “damage” UAS-related businesses, especially those businesses associated with video-feed devices for drone aircraft. First, businesses take risks attempting to be early to market. Neither the public nor the FAA must “guarantee” against alleged business “losses” from those risks.

Second, such devices, without testing, hardening, and certification, pose obvious risks to the public and add yet another avenue for failure in UASs. Those risks, as Congress determined, are beyond the needs of hobbyist purposes. The added risks arise from an operator who would need to rely on both the radio frequency communications to the drone aircraft and the radio frequency feed from the camera. Either can fail. And radio frequency interference remains an unanswered issue with these types of aircraft.

Third, the prohibition on goggles and other artifices applies only to “model aircraft”—thus aircraft used for hobbyist and recreational purposes. Nothing appears to limit these businesses from developing such devices or artifices for commercial uses. And commercial uses imply a heightened awareness of risks by a business and then adequate accountability measures (insurance, certifications, testing, etc.) to limit the risks. Thus, Congress’ intent appears to logically address the safety issues associated with such devices by limiting the devices to accountable situations via the indirect pressure of business accountability.

The point here is that businesses cannot seriously argue “damages.” Congress plainly defined the law on model aircraft and that Congressional definition, not FAA explanation, obviates visual artifices in model aircraft.

Respectfully,
Shannon Brown Esq.

Cybersecurity Basics for Pennsylvania Law Firms

Most Pennsylvania law firms either misunderstand cybersecurity [computer and network security] or significantly underestimate the threat of data breaches at law firms. Successful “hacks” can result in the loss of client confidential data or even losses of escrow funds. Considering the November 2013 updates to the Pennsylvania Rules of Professional Conduct, data breaches might now lead to ethics problems—see Pennsylvania’s New, Technology-related, Ethics Rule Changes for Lawyers for a discussion of the recent, information technology-related changes to the ethics rules.

Lawyers in firms of all sizes must start taking cybersecurity seriously. Lawyers should both 1) seek advice on information security compliance from skilled legal-technology experts and 2) perform a law firm security “audit” or law firm information security assessment to see where the firm stands on information security.

Understanding the Reality of the Cybersecurity Threat

Many lawyers labor under outdated perceptions of computer security: “no one would hack me, we are too small of a law firm, we have anti-virus (I think), my nephew looked at that, etc.” Ten years ago, a current anti-virus program, good backups, and perhaps a basic firewall might have met minimal data protection standards. At that time, “computer viruses” were inconvenient but fairly straightforward to detect. Similarly, a basic and properly configured firewall might have kept many cyber-attackers from improperly accessing law firm computer systems and networks (or at least made attacks harder, encouraging attackers to move on to lower-hanging fruit).

No more. Cybercrime now rivals the illicit drug trade as a criminal activity, with one estimate placing cybercrime costs at $400 billion per year. [See, e.g., Ericka Chickowski, Worldwide Cost of Cybercrime Estimated at $400 Billion, Dark Reading (June 9, 2014)] And law firms are specific targets due to the sensitivity of the data a law firm handles.

Well-established black and grey markets in data now exist and drive today’s cybercrime because data itself has value. These data-markets eagerly pay for social security numbers, bank account information, health care information, credit card data, “social” media information (to target spear-phishing attacks) and a myriad of other data types about anyone. Thus, the new data-markets change the nature of cybersecurity risks.

Cybercriminals no longer just want to smash-and-grab data, steal a credit card to make purchases, or “hack” a law firm’s website (although these types of attacks still occur). The cybercriminals now deploy longer-term and stealthy malware infections that siphon valuable data out of your systems over long periods of time. The latest reports indicate that data breaches, because they are so insidious, now take over 7 months to detect (and that is considering organizations that have information security teams).

Extremely sophisticated and often targeted malware now replaces yesterday’s primitive “computer viruses.” The new malware may siphon data from compromised (pwned) systems for months or longer before detection—raising a serious issue for lawyers who must assure the confidentiality and integrity of evidence. To emphasize how bad outdated advice is, the iconic anti-virus company Symantec recently admitted that anti-virus programs alone are now ineffective [see, e.g., Dan Goodin, Antivirus pioneer Symantec declares AV “dead” and “doomed to failure,” ArsTechnica (May 5, 2014)], and cybersecurity professionals apply new techniques to avoid dependence on outdated “anti-virus” products [See, e.g., Legacy cybersecurity products failed to protect 97% of organizations, Help Net Security (May 21, 2014)].

Also, recent malware (called ransomware) encrypts the user’s data, and then the cybercriminal demands a ransom to unlock the oftentimes not-backed-up data. [See, e.g., Bree Sison, Swansea Police Pay Ransom After Computer System Was Hacked, CBS Boston (Nov. 18, 2013)] This poses serious issues for law firms falling victim, who may lose control of their clients’ data—think Rule 1.15 Safekeeping of Client Property issues.

Finally, cybersecurity threats now arrive not just from laptops or desktops but also from a myriad of consumer-grade mobile devices—tablets, “smart” phones, and even automobiles—which lawyers are eagerly integrating into law practice without considering the implications.

The take-away here is simple: the game has changed significantly (and continues to change), so don’t rely on ten-year-old assumptions about computer security or underestimate these threats.

General Cybersecurity Guidance for Lawyers

Cybersecurity must be taken seriously but should not breed fear or hopelessness. Generally, law firms and lawyers should think about the following when evaluating information security risks in an organization.

  1. Know that you don’t know (this can be hard for some lawyers). Cybersecurity issues are complex and should be taken seriously and handled professionally. Old rules of thumb or outdated “insights” may lull an attorney into a false sense of security. [UPDATE: See Jen Miller, How the Target Breach Has Affected Small Business Data Security, CIO Magazine (July 9, 2014) (simple description of how the security threatscape has changed for small businesses).]
  2. Each legal organization, no matter how small, should be analyzed for security issues. The analysis should include a law firm information technology security assessment which can reveal your risk envelope and identify preliminary remediation methods such as an incident response plan, appropriate security procedures, disaster recovery, data retention, and backups policies. (Some refer to law firm security assessments as law firm security “audits” even though an audit presupposes data security policies and practices—which is rarely the case. The preliminary analysis is properly called an assessment and not an audit.)
  3. Information security is a distinct field in computing and requires special skills to do well—skills including technical, business, direct industry expertise, data classification techniques, and compliance. Relying on advice from the first-lawyer-in-town-with-an-iPad (as somehow demonstrating technology competence), your nephew who is a real “computer whiz,” or that corner “computer shop” might be a costly mistake (and with the November 2013 changes to the Pennsylvania Rules of Professional Conduct, might also lead to ethics issues for the firm). Get professional help.
  4. Cybersecurity also implicates other critical areas such as law firm data backups, disaster recovery plans, data retention policies, mobile device (BYOD) policies, computer-use policies, outsourced vendor vetting, data compliance, “cloud” computing, lawyer ethics, and state or federal laws (such as Pennsylvania’s Breach of Personal Data Reporting Act). The point here is that just a sign-off from a “computer person” is not good enough—as the 2013 changes to the Pennsylvania Rules of Professional Conduct imply (see Rules 1.1 and 1.6 and the new comments to these sections, which require the lawyer, not the delegated third party, to have competence in these issues or that the lawyer seek an ethically competent associate to assist).
  5. Firms should understand that the current cybersecurity best-practices mentality no longer focuses on keeping the cybercriminals out, as was the case ten years ago, but on taking reasonable actions to mitigate such breaches assuming they occur. This will force law firms to take a “hard look” at their data integrity practices to include correct use of encryption, intrusion detection or intrusion prevention systems, layered-defenses, minimization of data exposed on systems (by adopting legally defensible data retention policies), active firewalls, malware detection systems, limited administrator rights, VPNs for all data connections (including from “smart” phones and mobile devices), proper patch and upgrade management, encrypted email connections (and possibly even emails themselves), limiting outside vendor access to internal systems, and re-evaluating “cloud” computing (which might not be the “deal” that it seems).
  6. Do a thorough hardware and software “inventory” at the organization. Threats can easily originate from what you didn’t know was still lurking at your office. The organization cannot take reasonable actions if the organization doesn’t know what it has. That old Wi-Fi router, outdated Windows XP computer (which, in my opinion, is a serious, per se ethics violation if still used in a law firm today), new iPad, or the dusty server sitting in the closet may unknowingly be exposing you to data loss.

In summary, awareness that a data security problem exists is the first step for many lawyers—but only a first step. After recognition, Pennsylvania lawyers can take reasonable steps to better protect both client confidential information and law firm data. While those steps may be alien to some attorneys because they involve technology, those steps have quickly become standard practice for law firms (and businesses).