- Chi Eng, CEO of NeuLexa Corp. (www.neulexa.com), says:
Meaningfully utilizing our social and business networks to gather information could both optimize and monetize our valuable networking resources.

In the course of the day, we often reach out to members of our various networks on various projects. But work is generally done elsewhere – disconnected from the point of contact – and the value of the network remains largely unseen to one another, behind a veil.

In this new virtual reality, information sharing is not just instantaneous and omnipresent, but a necessary component of workflow. We blur the lines between our business and personal lives, ushering in the era of BYOD and the consumerization of IT; IT departments are now under tremendous pressure to provide collaborative access to data without compromising security requirements.
To date, there have been no complete, secure solutions at the enterprise level for on-demand collaboration and networking with clients and other out-of-network professionals (law firms, assistants, paralegals, and consultants) beyond the firewalls of that enterprise's IT network. Moreover, online portals carry a perceived drawback: that they provide a reduced level of confidentiality, security and control. For law professionals, there is the additional worry that using one could mean a loss of attorney-client privilege.

It behooves us to review some of the important requirements an online portal should meet in order to address the security and confidentiality concerns of any firm:
Data Privacy
Privacy issues arise when personally identifiable information is collected and stored. Depending upon the geographical scope of the data, the applicable data protection laws and regulations must be observed. At the federal level, there are the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, among others. At the state level, there are, for example, Massachusetts 201 CMR 17.00 and Nevada Revised Statutes Chapter 603(A). In Europe, the EU Data Protection Directive (Directive 95/46/EC) regulates, among other things, cross-border data transfer.

Thus, compliance with the applicable laws is driven in part by the residence of the data subjects and by where the data is stored or transferred.
Data Access Control
One of the important factors in determining compliance with the applicable privacy law is an organization's effective control over access to the data. Such control is manifested in the organization's policy and procedure restricting access to only those individuals in the organization who require such access to perform their job duties.
Data Security
Most data security laws and regulations require an organization to "[t]ak[e] reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with" those regulations, and to "[r]equir[e] such third-party service providers by contract to implement and maintain such appropriate security measures for personal information" (Massachusetts 201 CMR 17.03(2)(f)). See also the GLB Act Safeguards Rule, 16 C.F.R. §314.4(d) ("[t]ak[e] reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and … [r]equir[e] your service providers by contract to implement and maintain such safeguards").
Reporting in the Event of a Breach
In the event of a breach, an organization is required by the applicable laws to notify a data owner of such breach within a reasonable or defined time period.
Understandably, given these legal requirements, IT departments are reluctant to explore the use of an online portal to facilitate collaboration among their clients, law firms and outsource teams. However, the alternative, giving clients and outsource teams access to the firm's own secure data storage, poses security challenges of its own.

What is needed is a cost-effective, secure online platform that complies with these data privacy and security requirements. Here is how that would look:
- The platform is configured to maximize the advantages offered by a cloud provider such as Amazon AWS (also known as the Amazon cloud).
- In order to maintain control over user data, an authorized administrator would initially be required to open an account with the cloud provider.
- The platform is then installed on computing resources under the firm’s account. Thereafter, the firm administrator restricts access to the computing resources pursuant to the firm’s control policy and procedure.
- In this manner, data security requirements are complied with by (i) the underlying cloud infrastructure (which, in the case of Amazon, is compliant with various federal and state data security protocols) and (ii) the platform’s proprietary data encryption and storage features.
- The platform enables organizations to comply with applicable data privacy and security laws by giving users the ability to selectively store data in one of several data centers of the cloud provider.
- The platform performs data encryption for data in transit and storage.
- To facilitate networking and collaboration, the platform enables users to view and comment on shared documents and to communicate in project rooms or interest groups via mobile devices.
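The controls in that list can be made concrete in code. The following Python is an added example, not NeuLexa's code and not a description of its product; it models three of the decisions above for a hypothetical firm: choosing the data center from the residence of the data subjects, refusing storage requests that are not from an approved principal, not over TLS, or not encrypted at rest, and a need-to-know check on who may view a document. The residency map, the role identifiers, and the sample user and document records are constructed for illustration; the condition keys in the generated bucket policy are real AWS keys, but the policy as a whole is an assumption to be reviewed against the provider's documentation.

```python
import json

# Constructed residency map (illustrative, not legal advice): the jurisdiction
# of the data subjects -> cloud regions the firm's administrator has approved
# for storing their data. Region names are AWS region identifiers; which
# regions are acceptable for which jurisdiction is an assumption here.
RESIDENCY_REGIONS = {
    "US": {"us-east-1", "us-west-2"},
    "EU": {"eu-west-1", "eu-central-1"},
}


def choose_region(jurisdiction, preferred=None):
    """Pick the data center for a matter from where its data subjects reside.

    A preferred region is honoured only if the residency map allows it, so an
    attempt to place EU-subject data in a US region is rejected rather than
    silently becoming a cross-border transfer.
    """
    allowed = RESIDENCY_REGIONS.get(jurisdiction)
    if not allowed:
        raise ValueError(f"no approved storage region for jurisdiction {jurisdiction!r}")
    if preferred is None:
        return sorted(allowed)[0]  # deterministic default
    if preferred not in allowed:
        raise ValueError(f"{preferred} is not an approved region for {jurisdiction} data")
    return preferred


def upload_allowed(principal_arn, tls, sse_header, approved_principals):
    """Apply the firm's three storage rules to one request and explain a refusal:
    only approved principals, only over TLS, only with server-side encryption."""
    if principal_arn not in approved_principals:
        return False, "principal not approved by the firm administrator"
    if not tls:
        return False, "request not sent over TLS (data in transit unencrypted)"
    if sse_header is None:
        return False, "object would be stored unencrypted (no server-side encryption)"
    return True, "ok"


def bucket_policy(bucket, approved_principals):
    """Express the same three rules as an S3-style bucket policy document, so
    the provider enforces them even if the application layer is bypassed."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # anyone other than the firm's approved roles is denied outright
                "Sid": "DenyUnapprovedPrincipals", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [bucket_arn, objects],
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": sorted(approved_principals)}},
            },
            {   # encryption in transit: plain-HTTP requests are denied
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [bucket_arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # encryption in storage: uploads without a server-side-encryption header are denied
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def can_view(user, document):
    """Need-to-know check: the user must be assigned to the document's matter and
    hold a role the matter's owner has allowed (e.g. client, paralegal, consultant)."""
    return document["matter"] in user["matters"] and user["role"] in document["allowed_roles"]


if __name__ == "__main__":
    # Constructed sample data for a hypothetical firm.
    approved = {"arn:aws:iam::123456789012:role/firm-admin"}
    print("EU matter stored in:", choose_region("EU"))
    print(json.dumps(bucket_policy("firm-matters", approved), indent=2))
    paralegal = {"name": "p.smith", "role": "paralegal", "matters": {"M-001"}}
    brief = {"matter": "M-001", "allowed_roles": {"attorney", "paralegal"}}
    print("paralegal may view brief:", can_view(paralegal, brief))
```

Running the module prints the chosen region, the generated policy document, and the result of the need-to-know check; the same functions can be called from a deployment script to decide placement and to gate requests before they reach the provider.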
A secure online platform, outside of an enterprise's firewalls, can be used to facilitate networking and collaboration among clients, outsource team members, and law firm personnel. In order to be compliant, the platform should be operated and controlled by the enterprise, and the underlying cloud resources should be compliant with the applicable data security and data privacy protocols.
About Chi Eng, Esq.
Chi Eng is a practicing IP attorney, former AT&T Bell Labs engineer, former general counsel, and current CEO of NeuLexa Corp. (www.neulexa.com). NeuLexa uniquely combines an enterprise-grade document collaboration platform with project management features, transactional capabilities and team-building social tools which leverage the legal team's knowledge base. Built upon its proprietary, patent-pending algorithm, NeuLexa's on-demand platform employs military-grade encryption of data, messages and files during transit and in storage.