– Chi Eng, CEO of NeuLexa Corp. (www.neulexa.com), says:
Meaningfully utilizing our social and business networks to gather information could both optimize and monetize our valuable networking resources. In the course of the day, we often reach out to members of our various networks on various projects. But work is generally done elsewhere – disconnected from the point of contact – and the value of the network remains largely unseen to one another, behind a veil.
In this new virtual reality, information sharing is not just instantaneous and omnipresent, but a necessary component of workflow. We blur the lines between our business and personal lives, ushering in the era of BYOD and the consumerization of IT; IT departments are now under tremendous pressure to provide collaborative access to data without compromising security requirements.
To date, there have been no complete, secure enterprise-level solutions for on-demand collaboration and networking with clients and other out-of-network professionals (law firms, assistants, paralegals and consultants) beyond the firewalls of the enterprise's own IT network. Moreover, online portals are widely perceived to offer reduced confidentiality, security and control. For legal professionals there is the additional worry that using one could mean a loss of attorney-client privilege.
It behooves us to review some of the important requirements an online portal should meet in order to address the security and confidentiality concerns of any firm:
Data Privacy
Privacy issues arise when personally identifiable information is collected and stored. Depending on the geographical scope of the data, the applicable data protection laws and regulations must be observed. At the U.S. federal level these include the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), among others. At the state level there are, for example, Massachusetts 201 CMR 17.00 and Nevada Revised Statutes Chapter 603A. In Europe, the EU Data Protection Directive (95/46/EC; since replaced by the General Data Protection Regulation) regulates, among other things, cross-border data transfer.
Thus, which laws apply is driven in part by where the data subjects reside and by where the data is stored or transferred.
Data Access Control
One of the important factors in determining compliance with the applicable privacy law is an organization's effective control over access to the data. Such control is manifested in the organization's policy and procedures restricting access to only those individuals in the organization who require it to perform their job duties (the least-privilege, or need-to-know, principle).
Many data security laws and regulations also require an organization to "[t]ak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with" those regulations, and to "[r]equir[e] such third-party service providers by contract to implement and maintain such appropriate security measures for personal information" (Massachusetts 201 CMR 17.03(2)(f)). See also the GLB Act Safeguards Rule, 16 C.F.R. §314.4(d) ("[t]ak[e] reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and … [r]equir[e] your service providers by contract to implement and maintain such safeguards"). In practice this means the firm must vet the cloud provider and the platform vendor and bind both contractually, not merely rely on their marketing claims.
Reporting in the Event of a Breach
In the event of a breach, the applicable laws require an organization to notify the affected individuals (and, in many jurisdictions, regulators) within a reasonable or statutorily defined period. A portal therefore needs enough logging of who accessed which data, and when, for the firm to determine the scope of an incident and meet that deadline.
Understandably, given these legal requirements, IT departments are reluctant to explore the use of an online portal to facilitate collaboration among their clients, law firms and outsource teams. The alternative, however, is no safer: granting clients and outsource teams access to the firm's own internal data storage poses security challenges of its own.
What is needed is a cost-effective, secure online platform that complies with these data privacy and security requirements. Here is how that would look:
- The platform is configured to take full advantage of a public cloud provider such as Amazon Web Services (AWS).
- To keep control of user data with the firm, the firm's own authorized administrator opens the account with the cloud provider; the account, and therefore the data stored in it, belongs to the firm rather than to the platform vendor.
- The platform is then installed on computing resources under the firm's account, and the firm administrator restricts access to those resources according to the firm's access-control policy and procedures.
- In this manner, data security requirements are met by (i) the underlying cloud infrastructure (which, in the case of AWS, carries third-party audits and certifications relevant to several of the regimes above; note that these cover the provider's infrastructure, while the secure configuration of the firm's own account and resources remains the firm's responsibility) and (ii) the platform's proprietary data encryption and storage features.
- To help organizations comply with data residency requirements, the platform lets users choose which of the cloud provider's data centers (regions) holds their data.
- The platform encrypts data both in transit and at rest.
- To facilitate networking and collaboration, the platform enables users to view and comment on shared documents and to communicate in project rooms or interest groups from mobile devices.
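What the "firm-controlled account" model above looks like in concrete infrastructure terms, as an added illustration that is not NeuLexa's configuration or code: a Terraform definition of an S3 document store living in a firm-owned AWS account. The bucket is pinned to one region (the data-residency choice), encrypted at rest with a KMS key the firm owns, closed to public access, readable and writable only by one application role, and its policy refuses both non-TLS requests and writes that do not name the firm's encryption. The bucket name, the `PlatformAppRole` role name, the `eu-west-1` region and the key description are assumptions for the example.

```hcl
# Added example, not the vendor's code. Assumed names: region eu-west-1,
# bucket "firm-matter-files-<account id>", IAM role "PlatformAppRole".

provider "aws" {
  region = "eu-west-1" # data-residency choice: the bucket exists only here
}

# The account the firm's administrator opened; its ID is read at plan time.
data "aws_caller_identity" "firm" {}

# Customer-managed key: the firm, not the platform vendor, controls decryption.
resource "aws_kms_key" "matter" {
  description             = "Encrypts client matter files at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "matter" {
  bucket = "firm-matter-files-${data.aws_caller_identity.firm.account_id}"
}

# Encryption at rest by default, using the firm's key rather than an AWS-managed one.
resource "aws_s3_bucket_server_side_encryption_configuration" "matter" {
  bucket = aws_s3_bucket.matter.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.matter.arn
    }
    bucket_key_enabled = true
  }
}

# No ACL or policy may ever expose the bucket publicly.
resource "aws_s3_bucket_public_access_block" "matter" {
  bucket                  = aws_s3_bucket.matter.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "matter" {
  # Least privilege: only the platform's application role touches objects.
  statement {
    sid       = "PlatformRoleOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.matter.arn, "${aws_s3_bucket.matter.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.firm.account_id}:role/PlatformAppRole"]
    }
  }

  # Encryption in transit: any request over plain HTTP is refused.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.matter.arn, "${aws_s3_bucket.matter.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Writers must ask for SSE-KMS explicitly; a missing header also fails
  # this negated match, so it cannot be sidestepped by omitting the header.
  statement {
    sid       = "DenyUnencryptedWrites"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.matter.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "matter" {
  bucket = aws_s3_bucket.matter.id
  policy = data.aws_iam_policy_document.matter.json
}
```

Applying this requires credentials for the firm's own account (`terraform plan` against a sandbox account first). The point of the example is the division of responsibility in the list above: AWS attests to the data centre and the services, but the region pin, the key ownership, the public-access block and the deny statements are the firm's configuration, and they are what an auditor will actually ask to see.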
A secure online platform, hosted outside of an enterprise's firewalls, can be used to facilitate networking and collaboration among clients, outsource team members and law firm personnel. To be compliant, the platform should be operated and controlled by the enterprise, and the underlying cloud resources should comply with the applicable data security and data privacy protocols.
About Chi Eng, Esq.
Chi Eng is a practicing IP attorney, former AT&T Bell Labs engineer, former general counsel, and current CEO of NeuLexa Corp. (www.neulexa.com). NeuLexa uniquely combines an enterprise-grade document collaboration platform with project management features, transactional capabilities and team building social tools which leverage the legal team knowledge base. Built upon its proprietary, patent-pending algorithm, NeuLexa’s on demand platform employs military-grade encryption of data, messages and files during transit and in storage.