Category Archives: Technology

Data Network Security Breaches and Notification Laws


Ever gotten a notice in the mail that read something to the effect of, “By law, we’re required to inform you that since our infrastructure passwords were extremely weak, such as ‘password’ and ‘123456,’ a data breach has occurred and your personal information may or may not be in the hands of Russian hackers for sale somewhere in the deep web”?

Well, maybe not that forthcoming, but you know what I’m talking about. When it comes to data network security breaches, there are laws which specifically require an organization to disclose to its customers whenever there has been such a data breach. These laws go far beyond the ubiquitous Health Insurance Portability and Accountability Act, better known as HIPAA.

For instance, here in Arizona, Revised Statute § 44-7501 (Conditionally Rpld.) requires that a person who conducts business in this state and becomes aware of a data breach conduct a reasonable investigation and, after determining that there has been a breach in the security system, notify all individuals affected.[1] Simply put, organizations are required, by law, to disclose the breach, make remedies to resolve it, and can be held responsible for any damages thereof.

Oftentimes, these data network security breaches and subsequent notifications will be accompanied by a free offer for credit monitoring. As a consumer, you should absolutely take it if you aren’t already monitoring your credit through some other third party.

First and foremost, if you discover a data network security breach within your firm, promptly notify your clients and provide measures to protect their interests. More importantly, as an organization, there are several steps you can take to avoid such data network security breaches. Some are as simple as requiring a strong password policy. Others include keeping your data stored in a secured, locked environment with very restricted access.

Password Policies

As both an end-user and an administrator, I know how frustrating complex password policies can be. Yes, it’s a pain to have a password that must contain 1 uppercase letter, 1 lowercase letter, 1 symbol, and 1 number, that cannot be anything you’ve ever used before, and that cannot have successive numerical values. However, that complexity exists for a reason. Hackers are well aware of the most commonly used passwords, such as “123456,” followed by “password.”[2]

The folks at Microsoft recommend you “set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.”[3]

However, when employees are required to change passwords often, meet minimum complexity requirements, and not repeat a password for a minimum amount of time, they may begin to break the rules and start writing passwords down simply because they cannot remember passwords that change so often.[4] Bottom line: design a password policy that is secure but doesn’t compromise functionality.
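The rules described in this section, as an added example (not code from the original post or from Microsoft): a Python check that enforces the character classes and seven-character minimum from the quoted guidance, rejects the two passwords named above, flags successive digits, and compares a candidate against earlier passwords kept only as salted PBKDF2 hashes. The denylist contents, the three-digit run length, the work factor and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample denylist: the two passwords the article names as the most
# common. A real deployment would load a much larger list.
COMMON_PASSWORDS = {"123456", "password"}
MIN_LENGTH = 7           # minimum length in the Microsoft guidance quoted above
DIGIT_RUN = 3            # assumption: three successive digits (123, 987) is a run
PBKDF2_ROUNDS = 200_000  # assumption: work factor picked for this example

REQUIRED_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def has_successive_digits(password, run=DIGIT_RUN):
    """True if `run` adjacent characters are digits counting up or down by one."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not (window.isascii() and window.isdigit()):
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def hash_for_history(password, salt=None):
    """Return (salt, digest) so the history never holds a plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def used_before(password, history):
    """Re-hash the candidate with each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def policy_violations(password, history=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if has_successive_digits(password):
        problems.append("successive digits")
    if used_before(password, history):
        problems.append("previously used")
    return problems


if __name__ == "__main__":
    # Constructed sample history and candidates.
    history = [hash_for_history("Tr!al-Docket-42x")]
    for candidate in ("123456", "password", "Tr!al-Docket-42x", "Quiet#Harbor81"):
        print(f"{candidate!r}: {policy_violations(candidate, history) or 'ok'}")
```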


End-User Training

Many folks within an organization, while balking at having to change passwords regularly, simply do not understand the reasons behind it or the risks it attempts to avert. To that end, it would be wise for your IT staff to train end-users on why and how to keep their passwords unique and safe. Once employees discover their organization can be levied a hefty fine which may result in cutbacks as a consequence thereof, I’m sure the loudest of the balkers will begin to change their tune.

End-user training can be as simple as a memo sent to employees requiring them to read, sign, and return it to management. Alternatively, a once-a-year run-down presented by IT staff during a mandatory meeting should suffice for larger organizations.

Restricting Access

Your organization’s most sensitive client data should be restricted to a need-to-know basis. If there is no need for the receptionist to access client information, then by all means create a security clearance group policy that only allows access to sensitive drives to those who truly require it.

Is your server room open to anyone at the firm? If so, quite frankly, you’re doing it wrong! I don’t care if there are 2 people in your firm, if one doesn’t need access to drives containing sensitive data, then by all means keep that access restricted. Unfortunately, many organizations have the “it’ll never happen to us” mentality that ultimately comes back to bite them in the end. Remember Target? Ever heard of the Panama papers?



Data security is your responsibility. Be not only aware of the legal obligations for your firm’s clients, but for anyone who does business with your organization. Develop corresponding IT policies and procedures to avoid liability that can possibly be the death knell of your organization.

[1] Arizona Revised Statutes (last visited May 16, 2016).

[2] The 25 Most Popular Passwords of 2015: We’re All Such Idiots (last visited May 16, 2016).

[3] Creating a Strong Password Policy: Logon and Authentication (last visited May 16, 2016).

[4] Password Policy (last visited May 16, 2016).

How Our Law Firm Survived a CryptoWall Ransomware Attack


It started with an early Sunday morning phone call. A senior equity partner who writes whenever and wherever inspired complained, “I’m getting an error whenever I try to open Word or PDF documents.” Two hours, and a trip into the office later, we erroneously concluded our case file folder had been corrupted from an unsuccessful backup and a simple scan/repair job would have us back up and running.

Unfortunately, while the scan/repair utility sifted its way through 1.5 terabytes of files, a more destructive tool was worming its way through our network shares as well. It wasn’t until another partner emailed late Sunday evening to inquire about strange file names like “HELP_DECRYPT” saved in his case directory that we realized we had a more serious problem on our hands. We’d been struck by the CryptoWall 3.0 ransomware virus! (Cue Scary Music!)

What is CryptoWall 3.0?

CryptoWall is “the largest and most destructive ransomware threat on the Internet” at the moment and will likely continue to grow.[1] Essentially, CryptoWall, an evolution from CryptoLocker, uses malware to copy and encrypt commonly used office file extensions, then deletes the original, leaving victims few or no options beyond paying a ransom or losing the ability to recover their files. In a law firm, losing client data, past and present, simply isn’t an option. In our case, the ransomers wanted $700 to supply the key to decrypt our files! Though we had roughly triple that amount in lost productivity and billable hours fixing this mess, negotiating with terrorists simply wasn’t an option! Fortunately, if your organization has a cold backup, the likelihood of recovery drastically increases.

When we investigated just how far the virus had spread through our network, we noticed it was centralized in the heart of our operation: client case files and law firm application data shares. Though we knew we had cold backups to restore from, we didn’t know if the virus had stopped spreading or even where it originated. The last thing we wanted to do was to restore our files only to have them encrypted all over again!

$700 Ransom only doubles with time!

Identifying the Source of the Virus

Once you notice your organization has been affected by CryptoWall, some engineers suggest you power down your network switch to prevent spreading. While this works for smaller networks, it may not be feasible, especially for larger organizations. I would simply suggest modifying share permissions to critical shared drives to prevent infected machines from writing to those drives and further spreading. Unfortunately, there is no administrator level method to determine which machine the virus originated from. I had to walk around to each and every machine in the law firm, install, and run applications such as MalwareBytes, Hitman Pro and ListCWall to scan, identify, and remove any locally infected files. Once we identified the source of the virus (HELP_DECRYPT files will appear locally), I scrubbed it clean and proceeded to delete and restore our files.
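One way to scope the damage described above, as an added example (not code from the original post): a Python script that walks a share or a local drive for files whose names begin with HELP_DECRYPT, the ransom-note name reported in this post, and lists each affected directory with its note count, the number of other files there that likely need restoring, and the time of its earliest note. The function name, record fields and command-line usage are assumptions; the script only reads metadata and changes nothing.

```python
import os
import sys
from datetime import datetime, timezone

NOTE_PREFIX = "HELP_DECRYPT"  # ransom-note name prefix reported in the article


def scan_for_ransom_notes(root):
    """Return (records, unreadable) for the tree under `root`.

    records: one dict per directory holding at least one ransom note, with
    note_count, other_files (files likely needing restore) and first_note
    (earliest note modification time, UTC), sorted oldest first.
    unreadable: paths that could not be listed or stat'ed.
    """
    records = []
    unreadable = []

    def on_error(err):
        # During an incident an unscanned folder is an unknown, not a clean
        # result, so record it instead of silently skipping it.
        unreadable.append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        notes = [f for f in files if f.upper().startswith(NOTE_PREFIX)]
        if not notes:
            continue
        mtimes = []
        for name in notes:
            path = os.path.join(dirpath, name)
            try:
                mtimes.append(os.stat(path).st_mtime)
            except OSError:
                unreadable.append(path)
        first = (
            datetime.fromtimestamp(min(mtimes), tz=timezone.utc)
            if mtimes else None
        )
        records.append({
            "directory": dirpath,
            "note_count": len(notes),
            "other_files": len(files) - len(notes),
            "first_note": first,
        })

    latest = datetime.max.replace(tzinfo=timezone.utc)
    records.sort(key=lambda r: r["first_note"] or latest)
    return records, unreadable


if __name__ == "__main__":
    # Usage (assumed): python scan_notes.py <path to share or local drive>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found, skipped = scan_for_ransom_notes(root)
    for r in found:
        when = r["first_note"].isoformat() if r["first_note"] else "unknown"
        print(f'{when}  notes={r["note_count"]}  '
              f'other_files={r["other_files"]}  {r["directory"]}')
    for path in skipped:
        print(f"NOT SCANNED: {path}")
```

The earliest `first_note` time is a guide when choosing a backup that predates the notes, and any path reported as not scanned still has to be checked by hand.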

Restoring the Infected Files

There is something unnerving about deleting 1.5 terabytes of client files even when you know there is a backup, but it was necessary. Besides, all of it was utterly useless encrypted garbage at this point. After deleting, we used an application called Karen’s Replicator to replicate the cold backup drive to the previously infected share drive. It took approximately 2 days to restore 1.5 terabytes worth of data, but it worked, and so far, so good.

We also noticed that QuickBooks files, both current and backups, were affected as well. Luckily, we were able to restore company files from a previous routine bare metal Windows Server Backup.

How You Can Protect Your Network

The bottom line is this can happen to anyone. One erroneous click on the Internet, opening an attachment from even a trusted source whose email contacts have been compromised can unleash a world of hurt on law firms who increasingly rely on sensitive client data to operate. The more we embrace technology, the more vulnerable we become to it. Keeping end-users up-to-date with safe browsing practices is a start. TechRepublic has some great tips for keeping your network safe and avoiding the likes of CryptoWall 3.0.

[1] CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files, PCWorld (2014) (last visited Sep 22, 2015).

Windows 10 vs. Rule 1.6

Is Windows 10 Ethically Compliant?

Is Windows 10 MRPC Compatible?

Apparently, from the feedback I’m getting, Microsoft® finally got it right with Windows 10! As a legal technology professional I have been inundated with inquiries from attorneys on whether Windows 10 is worth the upgrade (even though it’s free), and if they should think about making the switch. My response has consistently been to wait.

First, like any new product I always suggest letting the manufacturer work out the kinks before jumping aboard. Similarly, like purchasing a new model year car, you never really want the first batch rolling off the assembly line. That said, after digging further under the hood, it appears there are other potential pitfalls with Windows 10 that could specifically leave attorneys on the wrong side of the rules of professional conduct!


What Windows 10 End User License Agreement Says

Apparently, Microsoft is following in the footsteps of other “Big Data” mining companies and has gotten creative in its user terms and conditions. How creative, you ask? Well, apparently creative enough to give Microsoft ingress to virtually any and all data you may have or had access to while using their operating system! This ingress gives Microsoft permission to track your location, activities, browser history, and more importantly, READ YOUR EMAILS! Further, there does not appear to be a way for less sophisticated users to disable these settings. This is why it’s so important to be aware of what’s in that End User License Agreement.

Moreover, as pointed out by Daily Kos, Microsoft’s privacy policy specifically states the following:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

  1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

  2. protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

  3. operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

  4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.[1]


What the Model Rules of Professional Conduct Say

Generally, under Model Rules of Professional Conduct (MRPC) Rule 1.6, a lawyer is prohibited from revealing any information related to the representation of a client, either voluntarily or involuntarily, unless informed consent is given by his/her client.[2] Recently, the New York State Bar specifically addressed this very conceivable dilemma in its Opinion 782, which addressed inadvertent confidential data disclosures through email, opining in part that “a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.”[3]

Though some disclosures are unavoidable, and disclosure is permitted under MRPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted, these rules were designed to regulate traditional vendors such as storage facilities or copy services, but they are also relevant to any form of data transmission. One could arguably say that since there is little control over the settings that control the data sharing in Windows 10, or since the data mining is customary, a lawyer should be in the clear, right? Wrong. The model rules consistently say attorneys should take reasonable steps to protect a client’s data at all times. This includes everything from choosing to forgo using Windows 10 altogether to familiarizing yourself with ways to prevent data ingress.

What Can You Do About It?

By now, I’m sure you’re thinking it’s probably just not worth using Windows 10 if you want to remain MRPC 1.6 compliant. I would tend to agree, especially at this stage when little is known about the vastness of Microsoft’s data mining. However, for those who have already made the switch, there are some options. As Jacob Siegal noted, a simple program called “The Windows Club” allows users to tweak Windows 10 in order to disable some pervasive features such as user tracking and telemetry, and to hide your network from others.[4] Additionally, I would not recommend integrating the same email address used for client data with the operating system if prompted. Simply put, keep your business email separate from the Windows 10 operating system. Of course, if you use an email client such as Outlook, this may be unavoidable. However, I’m specifically referring to the prompt for your email address when initially setting up the operating system. Either avoid supplying an email address altogether, or if unavoidable, use an email address not associated with clients. Alternatively, to completely protect your neck, consider weaving the possibility of ostensible third-party data disclosures through the use of operating systems or cloud-based data into your fee agreement.


The bottom line, use caution when implementing a new operating system, and use your best judgment when integrating your firm’s email with your operating system. Even with Windows 8, Microsoft wanted to link your email address to your operating system. Personally, I use Outlook Web App (OWA) for sending/receiving email to avoid using native programs such as Outlook. With today’s web (cloud) based email, virtually all the functionality of an email client is built right in. Of course, Ethical Compliance and Cloud Services for Law Firms is a whole other issue, but this generally means that one has taken reasonable steps to protect client data from being shared. This is really all you can do in order to be MRPC Rule 1.6 compliant.

[1] Windows 10 comes with built-in spyware. If your work requires confidentiality, DO NOT INSTALL. (last visited Aug 31, 2015).

[2] New York City Bar Association – Ethics Overview – Ethics Panel (last visited Nov 18, 2014).

[3] Id.

[4] Windows 10: Modify your OS with Ultimate Windows Tweaker 4 | BGR (last visited Aug 31, 2015).

Ethical Compliance and Cloud Services for Law Firms

Photo courtesy of LegalInk Magazine

Chances are, if you haven’t heard of the cloud, your head is probably in it! Today, cloud computing is becoming an essential element of personal and professional technology use. From our smartphones to our computers, both are increasingly becoming synchronized with cloud backup systems. From solo attorneys to big-box law firms, many are embracing cloud-based applications and backup options as a way of doing business. Here, we’ll discuss ethical compliance and cloud services for law firms.

You should be aware there are different platforms of cloud computing. Specifically, cloud computing is characterized as “large groups of remote servers networked to allow centralized data storage and online access to computer services or resources.”[1] The two main components of cloud based services boil down to data storage and applications that run locally but are processed in the cloud. It’s what those in the business refer to as Infrastructure as a Service (IaaS) and Software as a Service (SaaS), respectively. The history of cloud computing dates back to 1969 but “since the internet only started to offer significant bandwidth in the nineties, cloud computing for the masses has been something of a late developer.”[2] The concept gained industry notoriety in 2006 when Amazon first developed its Elastic Compute Cloud (EC2) model as the first commercial internet service allowing small businesses and individuals alike the ability to rent computers to run their own computer applications.[3]

Cloud Computing for Law Firms

For the most part, cloud based application services offered to solo and small firms fall in the SaaS category.[4] Think of Clio, Rocket Matter, My Case, and Amicus cloud based case management platforms. However, many law firms and solos alike who don’t use SaaS based platforms have begun to use IaaS based platforms whether they know it or not. For instance, most iPhone users use iCloud to back up their devices even if not specifically intending to do so. Oftentimes, when setting up a newly purchased iDevice, the setup steps require iTunes log-in info. By supplying it, iUsers inadvertently agree to have their digital content backed up to Apple’s cloud based storage. Don’t get me wrong, having a backup of your device’s content can be a Godsend if your device is lost or stolen. However, if you’re a lawyer who receives client related email or text messages on your phone, you just put confidential client information in a medium you neither are aware of nor have control over.

Ethics Rules Possibly Affected by Cloud Computing

Under Rule 1.1 of the Model Rules of Professional Conduct, the duty to “provide competent representation to a client” includes the duty to comprehend the cloud based technology services being used, along with the duty to obtain client consent, and in some cases the duty to counsel the client with regard to the use of cloud services in connection with representation.[5] Many state bar ethics committees have released opinions which generally permit attorneys to use “web-based storage services (like Google Docs and Dropbox) provided that the attorneys take reasonable steps to ensure their information is secure and not shared with third-parties.”[6] Given recent data breaches involving celebrity photos, cloud data security vulnerability is a very real possibility and should be paid close attention to. Moreover, if you aren’t even aware your client’s confidential information is being stored in the cloud, you certainly cannot claim to have taken reasonable steps to ensure their information is secure. To avoid any uncertainty, attorneys should be cognizant of what data is being backed up and where. Reasonable steps would include routinely monitoring End User License Agreements, ascertaining where cloud providers store data, and keeping abreast of their retention policies.

Under Rule 1.6, which includes an attorney’s duty to “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client,”[7] comes another set of cloud related responsibilities. Though some disclosure is permitted under RPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted, these rules were designed to regulate traditional vendors such as storage facilities or copy services, but they are relevant to cloud computing as well.[8] Bottom line, cloud data storage is ethical so long as attorneys take “reasonable care to ensure the system is secure and the client confidentiality is maintained.”[9]

Under Rule 1.15, a lawyer has a duty to maintain and preserve client records and deliver them promptly upon request. Consequently, this applies to digital records kept locally and those maintained in the cloud, and making sure those files aren’t lost, stolen, or destroyed. Presumably, by using cloud-based backup services, you’re more than likely exercising the requisite reasonable efforts to maintain and preserve client records. Delivering client records upon request may be a sticking point for lawyers who use cloud based storage providers as we’ll get into next.

Pursuant to Rule 1.16, a lawyer has the “duty, upon termination of representation, to promptly deliver all papers and property to which the client is entitled,” which includes the work of cloud service providers.[10] Simply put, you must give the client all their files back after representation. However, if the cloud provider now legally owns the client’s digital content you uploaded, you can be in ethical violation of this rule. For instance, Google Docs has a provision in its terms of service that states “when you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” To a layman it may appear that Google is seeking an ownership interest in the information you upload; however, such licensing rights allow Google the ability to store, transfer, and rewrite the data between multitudes of servers for backup purposes. To avoid RPC 1.16 pitfalls, I suggest understanding the terms of service between you and cloud providers.

Reasonable Precautions Attorneys Can Take to Ensure Client Info is Protected

There is a general consensus among ethics committees around the country that lawyers are ethically permitted to use cloud computing; however, it should be noted that certain cases involving HIPAA, GLBA or FCRA may have additional restrictions. Overall, the general requirement is that lawyers take “reasonable precautions to ensure client information is protected from disclosure.”[11] Furthermore, the opinions all generally conclude that attorneys will not be held as the guarantors of cloud based services.[12] As the New York State Bar Association put it, “the applicable standard is reasonable care, not strict liability,” and it provided the following relevant guidelines attorneys should follow in exercising reasonable precautions.[13]

  1. Stay on top of emerging technologies to ensure client information is safeguarded.

  2. Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.

  3. Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.

  4. Review all contracts and terms of service to ensure they comply with all ethical requirements.

  5. Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.

  6. Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.

  7. Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.

  8. Protect against “end-user” vulnerabilities, such as the failure to use strong passwords or the use of unsecured Internet connections.

  9. Notify clients in the event of a significant data security breach.[14]


If ever unclear about a potential ethical dilemma involving client data or otherwise, simply pick up the phone and call your state bar for guidance. After all, it’s what you pay yearly membership fees for. For those who lack the time to scour end user license agreements, the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which binds users to unfair terms. Bottom line, if you can document that you’ve taken reasonable steps to safeguard your client’s data, you should be fine.


[1] Cloud computing – Wikipedia, the free encyclopedia (last visited Nov 18, 2014).

[2] A history of cloud computing (last visited Nov 18, 2014).

[3] Id.

[4] New York City Bar Association – Ethics Overview – Ethics Panel (last visited Nov 18, 2014).

[5] Id.

[6] The Best Law Firm Case Management Software – An In-Depth Comparison (last visited Nov 18, 2014).

[7] New York City Bar Association – Ethics Overview – Ethics Panel, supra note 4.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

Law Firm Information Rights Management & Electronic Signatures

Protecting Email Signatures

Can my email signature be forged? How about using an electronic signature on legally recognized documents? Both issues were recently presented to me by our senior equity partner at the law firm. My answers, yes & yes, but let me explain. It boils down to understanding Information Rights Management (IRM) and meeting the statutory requirements for using a legally recognized electronic signature.

Issue #1 Information Rights Management

When it comes to preventing email signatures from being altered, copied, or forwarded without authorization, an IRM policy must be implemented. Assuming we’re using an email client such as Outlook 2010 or newer, additional third party Microsoft credentials are required. Here’s how it works.

Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. After permission for a message is restricted by using IRM, the access and usage restrictions are enforced regardless of where the message goes, because the permissions to access an email message are stored in the message file itself.

IRM is generally implemented at the server level using Microsoft Exchange software. Alternatively, IRM is hosted on Microsoft servers by Microsoft for free, but requires a Microsoft Live ID ( email) to use. In order to utilize IRM internally, for example, a law firm would need to do one of the following: (1) run its own Microsoft Exchange server and manage it in-house, or (2) use a new or existing Microsoft Live ID ( ID) in conjunction with the firm’s existing hosted email to take advantage of IRM hosted for free on Microsoft servers. Clearly the latter is the most cost effective; however, it would require several additional steps in sending an IRM equipped email.

Legally Recognized Electronic Signatures

Issue #2 Using Electronic Signature

Here in Arizona, under Arizona Revised Statutes, an electronic signature is defined as an electronic process that is attached to or logically associated with a record that is executed or adopted by an individual with the intent to sign the record. A.R.S. § 44-7002.
Furthermore, a signature is considered secure if, at the time it was made and applied through a security procedure, it is: (1) unique to the person using it, (2) capable of verification, (3) under the sole control of the person using it, and (4) linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated. A.R.S. § 44-7003.

Generally speaking, an electronic signature can be any electronic means of indicating that a person adopts the contents of an electronic message. However, under A.R.S. § 44-7003, to qualify as a secure electronic signature, the operative requirement is element (4), the necessity to have one’s identity validated through a third-party security certificate service. Such services are seemingly analogous to credit reporting agencies, but solely for electronic identity. Currently, there are seven credentialing services customarily used throughout the industry: ARX CoSign, Avoco secure2trust, ChosenSecurity, Comodo, GlobalSign, My Credential, and VeriSign.

If your firm decides to implement a secure electronic signature digital ID, it is recommended you use a platform you may already be using. For instance, at our firm, we use Norton for anti-virus protection. It just so happens Norton is who issues VeriSign electronic signatures. A yearly subscription is required; however, with a digital ID, a possessor would not only be able to securely sign electronic documents, but also send digitally signed emails which, in and of themselves, constitute a secure verified document. The process is fairly simple; a YouTube video explaining the process can be viewed here.


In conclusion, to protect email signatures from alteration, unauthorized copying and forwarding, a law firm has the option to implement Microsoft IRM services through the use of Microsoft Live ID accounts in lieu of costly in-house Exchange server management. Furthermore, secure electronic signatures pursuant to A.R.S. § 44-7031 can be achieved through the use of digital IDs validated through third-party security certificate services.


What’s in that End User License Agreement?


I recently updated my iPhone to the new iOS and, like any other software update, new service or application, there was a lengthy user agreement that required me to click “OK” before proceeding. Not unlike just about everybody else on the planet, I agreed without actually reading the user agreement in order to proceed. It got me wondering, what exactly is this, and more importantly, what’s in that End User License Agreement (EULA) I just agreed to? Unfortunately, the former is easier to answer than the latter. Specifically, an End User License Agreement is a legal contract between a software application author or publisher and the end user of the software. Just to be clear, a contract is a legally binding agreement which creates an enforceable obligation by law, and a license is simply a grant by the holder of intellectual property to another to exercise a certain privilege.

So What the Hell’s In It?

On the most basic level, an end user license agreement is somewhat similar to a rental agreement where the user agrees to pay for the privilege of using the software. Additionally, in most cases, the end user is also agreeing not to inappropriately copy, alter, or disseminate the software without proper permission. However, under 17 U.S.C. § 117, an end user is absolutely free to use, archive, resell and make backups of any proprietary software he or she has purchased.

More commonly, end user license agreements serve to limit the liability of the application developer in case the software essentially damages your computer, loses your data, or results in your iPhone being “bricked.” Speaking of Apple, it seems to be well settled among actual EULA readers that Apple’s end user license agreements tend to be some of the most far-reaching, over-broad agreements that exist. For example, Apple’s EULA for its eBook authoring software contains language restricting an author’s use of any and all content produced using Apple’s software! Huh? Yea, that means Apple essentially dictates what you can and cannot do with your content created by using their software! As Ed Bott noted, “[i]t’s akin to Microsoft trying to restrict what people can do with Word documents, or Adobe declaring that if you use Photoshop to export a JPEG, you can’t freely sell it.”

Everything but the Kitchen Sink!

Like my mother always said, “the devil is in the details.” However, application developers and attorneys alike realize no one is likely to sift through those details, which results in EULAs containing so much content and legal jargon that end users simply won’t bother to read it. Oftentimes a company’s end user license agreement is contrary to existing law. For instance, a EULA that restricts a user to making only one backup copy is clearly inconsistent with the rights granted under 17 U.S.C. § 117. Presumably, the lawyers who draft these agreements are fully aware of these conflicts; however, they choose to be cautiously over-broad rather than restrictively narrow. Take Apple iTunes’ end user agreement that prohibits “creating nuclear weapons!” Or other notoriously ridiculous EULA clauses like Google Chrome’s insanely pervasive EULA that essentially gives Google ownership rights over everything up to and including your first born child! Read: “…you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.”

Click Here and You’re Ours!

Interestingly enough, the creepiness of mysterious end user license agreements appears to be so ubiquitous that the creators of South Park did a skit on the perils of not reading end user license agreements and the rights you inadvertently relinquish when you “Click Here to Accept!”

Bottom line, unless you’re insanely bored or have infinite amounts of time on your hands, chances are you’re unlikely to carve 15 minutes to an hour out of your day to painstakingly analyze EULAs before enjoying the brand new toy you just downloaded. I would suggest following Ed Bott’s blog, who reads EULAs so the rest of us won’t have to. Additionally, the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which unfairly binds users to unfair terms. Good luck!

Who Really Owns that Picture You Don’t Want Anyone to See?

In the wake of the recent iCloud private celebrity pictures posted on 4chan, an image-based bulletin board, let us discuss the true ownership and recourse of posting pictures you don’t want anyone to see. Generally, under United States copyright law, the owner of a photograph is classified as the person who took the picture. Along with that ownership comes certain rights to the photograph. Specifically, under the U.S. Copyright Act at 17 U.S.C. § 106, the owner has the right to (1) reproduce the photograph, (2) prevent any derivative works based on the photograph, (3) distribute copies to the public by sale, lease or lending, and (4) display the image to the public.

So if the picture you don’t want anyone to see is the result of a “selfie” then you have the sole right to prevent any unauthorized distribution, public viewing and display of your work. However, on the other hand, if a third party took the picture, even with your camera, technically they would be considered the true owner of the picture you don’t want anyone to see. As a result, they could potentially release, transfer, lend, or display to the public the picture you don’t want anyone to see.

If You took the Picture You Don’t Want Anyone to See

Under the Digital Millennium Copyright Act (DMCA), enacted in 1998, there exists what’s called a “Safe Harbor” provision. The “safe harbor” provision allows the owner (you) of pictures you don’t want anyone to see the ability to issue a takedown notice to digital content platforms such as Reddit, YouTube, Facebook, etc. to remove the content you’d like to prevent anyone else from viewing. A digital content provider could be found contributorily liable for copyright infringement if they do not quickly adhere to your takedown notice.

If You Didn’t Take the Picture You Don’t Want Anyone to See

Well, unfortunately, you fall under the distinct legal category of S.O.L, and I’m not talking about statute of limitations. There may be some alternative legal recourse such as intentional infliction of emotional distress, or invasion of privacy; however, strong affirmative defenses exist to these claims, lending to costly litigation. Bottom line: know who you’re engaging with when it comes to sensitive photographic subject matter. Not everyone will have your best interest at heart when things turn for the worse. If you must take pictures you don’t want anyone to see, the best advice I could give is to enjoy the pictures for the time being, then destroy them.

Digital Estate Planning in a Digital Age

Don’t get locked out of digital assets

In more recent history, a news story circulated through social-media spheres involving a lawsuit by Bruce Willis against Apple Inc. involving his right to transfer ownership of his vast iTunes collection to his heirs. Though the story was debunked by his representatives, it raised an interesting dilemma surrounding the ownership of digital assets and the transferability of those assets posthumously. Digital estate planning in a digital age has become increasingly relevant.

In our increasingly digital world there is a greater need to protect the digital assets we increasingly amass over time. Digital content refers to “any information that is published or distributed in a digital form, including text, data, sound recordings, photographs and images, motion pictures, and software.” [1] Digital assets include such digital content as one’s online persona, passwords to the likes of Facebook, Twitter, LinkedIn, and blogs. [2] Currently, there are only five states that have laws governing digital estate planning. [3] As a result, an overwhelming majority of jurisdictions lack statutory guidelines governing digital asset bequeathment, leaving loved ones lacking legal recourse. Traditional estate planning plays a major role in protecting both tangible and intangible assets alike; however, it has been slow to evolve with emerging technology.

Traditional Estate Planning

Digital & Traditional Estate Planning

Essentially, one’s estate amounts to anything a person owns, tangible or intangible. Traditional estates are defined as a person’s interest in land or other property. [4] Generally, a person’s estate consists of traditional assets defined as items that are owned and have value. [5] Accordingly, traditional estate planning primarily involves the posthumous disposition of property, typically involving a three-step process. [6] First, there is a consultation to consider an individual’s present and lifetime needs. [7] Second, and most importantly, a thorough plan is designed around meeting those needs during the client’s lifetime. [8] Last but not least, traditional estate planning involves the creation of a unified estate plan, which balances the client’s needs during his/her lifetime with the needs of his estate after death. [9] Nonetheless, our increasingly digital world has created a whole new class of assets that traditional estate-planning tools may not be equipped to handle, including the ability to legally transfer a decedent’s ownership of digital assets. As such, digital estate planning in a digital age is ever more important.

Digital Estate Planning

Digital assets include online personas

Digital estate planning not only promotes alienability of ownership, but it also:

  • Makes life easier for the estate’s executor and family members.
  • Impedes identity theft.
  • Protects decedent’s intellectual property interest.
  • Preserves a decedent’s digital legacy. [10]

Currently, there is no standard to bequeath one’s digital estate; however, digital estate planning can be something as simple as executory guidelines constituting a letter to one’s executor listing important URLs, usernames, passwords, security codes, and other information needed to access online accounts. [11] Since one of the most common forms of digital assets is licenses, which are fully transferable within a trust, author Joseph M. Mentrek suggests providing clients with a “Digital Asset Revocable Trust” (DART). [12] Essentially, the DART, like a traditional trust, will retain ownership of digital assets beyond the life of the grantor. Therefore, a trustee would have the authority to manage and transfer authorizing licensing agreements to a client’s heirs based on the needs established when the estate was created.

In addition, an executor or fiduciary can mitigate the amount of personal hardship and grievance associated with digital estate planning by following a simple set of guidelines. [13] Experts recommend fiduciaries implement the following crucial steps when administering a decedent’s digital estate:

  • Seek the assistance of technical help if necessary.
  • Work on consolidating virtual assets to as few “platforms” as possible (e.g. have multiple e-mail accounts set to forward to a single e-mail account).
  • Obtain statements (or data) of the prior twelve months of the decedent’s important financial accounts.
  • Consider notifying the individual [sic] in the decedent’s e-mail contact list and other social media contacts.
  • Change passwords to those that the fiduciary can control (and remember).
  • Keep all accounts open for at least a period of time to make sure all relevant or valuable information has been saved and all vendors or other business contacts have been appropriately notified, and so all payables can be paid and accounts receivable have been collected.
  • Remove all private and/or personal data from online shopping accounts (or close them as soon as reasonably possible).
  • The fiduciary should plan on archiving important electronic data for the full duration of the relevant statutes of limitations. [14]


Sadly, many will not implement traditional or digital estate plans, leaving their loved ones to sort out unfinished details of their lives. Estate planning traditionally has been a service primarily utilized by the elderly; however, increasing awareness among tech-savvy clients can reduce the ambivalence towards estate planning. Essentially, digital content owners face two distinct issues: (1) do they really own their online digital content and, if so, (2) how can they pass that ownership or the use of that content on to their loved ones. One thing is for certain, however: without digital estate mechanisms, such as DARTs or executory guidelines, even the likes of Bruce Willis would not be able to ensure his loved ones were legally entitled to his vast collection of Rob Zombie albums. Digital estate planning in a digital age is essential to pass on one’s legacy.


  1. What Happens When We Die: Estate Planning of Digital Assets, (last visited Aug 20, 2014).
  2. Michael Walker & Victoria D. Blachly, Virtual Assets, ST003 A.L.I –A.B.A 177 (2011)
  3. Alissa Skelton, Facebook After Death: What Should the Law Say?, MASHABLE (Jan. 26, 2012), Oklahoma, Idaho, Rhode Island, Indiana and Connecticut have all enacted laws regarding digital estate planning.
  4. BLACK’S LAW DICTIONARY 626 (9th ed. 2009).
  5. Id. at 134.
  6. Jerome Solkoff, Scott Solkoff, What is elder law—Estate planning –.14 Fla. Prac., Elder Law § 1:3 (2011-12 ed.), FLA. PRAC., ELDER LAW, § 1:3.
  7. Id.
  8. Id.
  9. Id.
  10. Planning for digital assets, (last visited Aug 20, 2014).
  11. Joseph M. Mentrek, Estate Planning in a Digital World. 19 Ohio Prob. L.J. 195 (2009).
  12. Id.
  13. Walker & Blachly, supra note 2, at 182-85.
  14. See generally id. at 184-85


What Happens to Your Facebook Page Upon Death?



Recently, Facebook announced a cool new feature that provides video of your most popular activity since joining the site. It’s actually a pretty cool way to see your accomplishments, life events, and most popular posts in a quick 62 second slideshow. However, for John Berlin and his family, this cool new feature only seemed to exacerbate their existing grief over the passing of their son in 2012. After viewing his own look-back video on Facebook, Mr. Berlin immediately thought of his deceased son and what his look-back video may pay tribute to. However, sadly, Mr. Berlin did not have access to his son’s Facebook account, nor his password in order to do so.

Mr. Berlin, after having zero luck with Facebook tech support, desperate and resourceful at the same time, took to YouTube to personally plead to Facebook personnel to let his family have access to their son’s timeline. After the video went viral, Berlin said he got a call from Facebook. “They’re going to send us the video, they’re going to make one themselves and not only that, but take a look at things a bit differently and see how they can help families with lost loved ones,” he told the website BuzzFeed.

While Mr. Berlin and his family succeeded at their request for access to their deceased son’s digital content, millions of other users do not share the same luck. It has been a growing problem as the growth of social media continues to outpace the laws that enforce its use. Not every family has the ability to generate millions of views and viral shares, which seemed necessary to catch the attention of digital content providers in assisting them with accessing their deceased family members’ online content. Below, we’ll delve into the problems and possible solutions to the digital roadblocks many families face when attempting to retrieve their loved one’s digital assets.

The Evolution of Social Media

The omnipresence of digital content in today’s society is unparalleled. As a result, author Melissa Dolin notes, “[s]ocial media is luring even more people to the internet.” [1] “Social media is a term that encompasses several different types of communication tools. For example, social media can be further broken down into six distinct categories: collaborative projects, blogs, content communities, social networking sites, virtual game worlds, and virtual social worlds.”[2] As early as 2009, social networking sites such as Twitter saw its users increase to over 14 million users while Facebook had achieved over 200 million users across the globe. [3] A new generation of social media is beginning to change the way the public views information. With the amount of ever-increasing social media outlets, individual interpersonal online activity has greatly increased. [4] Simply put, more and more people interact with social media and digital content for interpersonal communication reasons as opposed to entertainment. As Bojorquez & Damien put it, “Facebook is a perfect example of a social media website because it allows users to put up and share content like photos, videos, notes, blogs, web links, and news stories, but it is also an excellent example of a social networking site because users can link to other users, or “friends,” send friends messages, and keep friends updated on the user’s status by updating the user’s profile.”[5] Social interaction through social media is increasingly becoming a large part of individual lives.

As author Maria Montagnani highlights, “user-generated content sites such as Facebook are becoming phenomenons [sic] both on the internet and in people’s everyday lives”.[6] She goes on to point out that “[f]rom the perspective of the business model, social networks’ members are both “content providers” and “customers” of the website since their exposure to advertising, while using the platform, produces revenue for the firm.”[7] Basically, social media sites rely on user generated content to survive. Since social media interaction is a mutually beneficial platform it seems natural that a mutual agreement on what happens with that content once a user passes would be beneficial.

Adrienne Garber noted that the internet adds nearly 7.3 million unique pages per day.[8] It is estimated that “Internet users will access, download, and share the information equivalent of the entire Library of Congress more than 64,000 times over, every day.”[9]

“Social media is quickly becoming the medium of choice for communication.”[10] As author Jeremy Gelms notes, “[t]hree out of four Americans use social media and millions more are members of social networking sites.”[11] The internet and social media have become as prevalent as any other form of communication.[12] It would then seem natural that as the way people communicate changes, governmental laws and regulations evolve as well.[13]

The Impact of Social Media on Our Lives

It is becoming increasingly evident that social media affects the personal lives of millions of users. “A recent Nielsen report showed that overall; users spend a quarter of their online time using social media applications.”[14] It is estimated that Facebook alone is fast approaching a billion users.[15] With astounding numbers like those one can easily see how interaction with the internet is becoming synonymous with everyday life for many people not only in the United States, but around the globe. It is inevitable that personal lives will be affected in one form or another by social media; however, increasingly, professional lives are being affected by constant interaction with social media outlets as well.[16]

As a result, many individuals have a significant portion of their lives documented online, creating a “timeline,” if you will, of their lives. It would only seem natural that loved ones both in life and in death would want that timeline memorialized. For instance, when Loren Williams from Oregon, attending college in Arizona, suddenly died in a motorcycle accident, his mother Karen, looking for support, tried to access her son’s online account but without his password was unable to.[17] When she was finally able to access his account after one of her son’s friends found his password she expressed how, “comforting [it was] to read that other people appreciated him and missed him,” she said. She went on to say, “this was an aspect of his life that we didn’t know a whole lot about[.]”[18]

Sadly, even if a loved one has the password, Facebook maintains, “[f]or privacy reasons, [they] do not allow others to access a deceased user’s account.”[19] This sort of resistance only compounds the grief an individual may be going through. In sum, technology has changed the way people live their lives. It has changed the way people interact with one another and has ushered in a new social dynamic never seen before.


Solving These Dilemmas Without Costly Litigation

Our increasingly digital world has created a whole new class of assets that traditional estate-planning tools may not be equipped to handle. “Many people today have multiple e-mail accounts, online bank and brokerage accounts, digital photo galleries and music collections, online document storage services, blogs, Web sites, and profiles on social networking sites, such as Facebook and LinkedIn.”[20] With new technology there need to be innovative solutions that bridge the gap between legacy asset preservation and new ways of doing things. The law has a lot of catching up to do with technology. Unfortunately, it is unlikely that digital content providers will simply allow access to deceased accounts because it is the right thing to do. There must be a system in place that facilitates the secure transfer of ownership or licenses to a user’s heirs.

Absent a uniform system for the transfer of ownership or licensing rights to digital content, preventative measures would include legislation that clearly defines exactly what digital assets are and who owns them. With statutory language defining who has rights to what, digital content providers would be obliged to comply with the law wherever they do business. Often a loved one is required to obtain a court order to get access to online content which only compounds the already painful grief process. Additionally, as Conner noted, “there is no legislation and [with] little case law, estate planners are left without any real advice to give their current clients and without a compass to guide them when this issue arises in their daily practice.”[21]

State and federal legislatures can eliminate this step by clearly defining property right definitions and guidelines. For instance, model legislation could be enacted that would extend power of attorney rights to digital online content and access to it. This way, executors could distribute whatever online digital assets have accrued to appropriate devisees. Moreover, state or even federal legislation could be drafted making it mandatory for all digital content providers or repositories to have provisions to designate an alternative authority in case of a user’s demise. Since there remains a lack of clarity, Congress should ultimately intervene and establish guidelines for digital content providers to abide by individual state probate laws.

Consequently, there remains the uncertainty of whether the use of someone else’s password without acknowledgement constitutes fraud under current laws. Clearly, the law has not caught up with the pace of technology; however, with streamlined language and regulations promulgating the needs of individuals and content providers alike, these issues can be solved. However, as Tara Hogan pointed out in her 2006 article titled, “Now That the Floodgates Have Been Opened, Why Haven’t Banks Rushed Into The Certification Authority Business,” “[e]ven though states are responding to the sudden emergence of digital technology by enacting legislation, this state-by-state approach is more difficult and cumbersome[.]”[22]

Basically, changing state statutory language one state at a time is ineffective and insufficient to address the widespread issue. Legislation needs to be enacted on the federal level to address it; however, without a general consensus from the high court or a majority of states, it is unlikely it will be changed in the near future.


Why Facebook Should Resolve these Issues on Their Own Behalf

As evidenced by Mr. Berlin and his family’s story, the advantages of providing loved ones access to a deceased user’s digital content are abundant. They include closure for grieving loved ones, memorialization of their legacy, a chance for mourners to voice their support, and an overall therapeutic process for grieving. On Facebook, for example, a deceased user’s account often provides a much needed medium for loved ones and friends to post supportive messages and kind words. Social media not only allows us to communicate with the living, but gives us a place to express our thoughts for the deceased. For digital content providers such as Facebook and Twitter, this only adds to the user generated content, and brings even more visitors to decedents’ pages to pay tribute. The additional traffic, ad revenue, and general goodwill associated with the seemingly increased compassion would be a win-win situation for most digital content providers.

However, with every pro, there is a con. In this case, the need to affirmatively identify whether a user is legitimately deceased is clear. Without such measures in place, content providers risk jeopardizing security and privacy measures. Additional privacy concerns include the ability for someone to falsely gain access to a user’s content by disguising themselves as a grieving loved one. With nearly a billion users, digital content providers such as Facebook could potentially run into issues where access to the wrong account could be given. Unfortunately, helping grieving loved ones would have to be reconciled with existing antiquated federal privacy laws.


To summarize, newly created problems that affect society as a whole require new outcome-oriented solutions. These new 21st century problems require approaches that are equally outside the mainstream. Creative problem solving techniques under the therapeutic justice approach bring new and modified ideas to existing and new dilemmas. Not only users, but digital content providers alike, have a shared goal of improving one’s online experience. It would make sense, then, that since both have a vested stake in its outcome, both sides should be required to maximize their creative problem solving potential.



[1] Melissa Dolin, Joint Authorship and Collaborative Artwork Created Through Social Media, 39 AIPLA Q.J. 535, 537 (2011).

[2] Jeremy Gelms, High-Tech Harassment: Employer Liability Under Title VII for Employee Social Media Misconduct, 87 Wash. L. Rev. 249, 264 (2012).

[3] Id.

[4] Id.

[5] Alan J. Bojorquez & Damien Shores, Open Government and the Net: Bringing Social Media into the Light, 11 Tex. Tech Admin. L.J. 45 (2009).

[6] Maria Lillia Montagnani, A New Interface Between Copyright Law and Technology: How User-Generated Content Will Shape the Future of Online Distribution, 26 Cardozo Arts & Ent. L.J. 719, 766 (2009).

[7] Id.

[8] Adrienne A. Garber, E-Commerce: A Catalyst for Change in Intellectual Property Law, 6 Duq. Bus. L.J. 157, 160 (2004).

[9] Id.

[10] Jeremy Gelms, High-Tech Harassment: Employer Liability Under Title VII for Employee Social Media Misconduct, 87 Wash. L. Rev. 249, 264 (2012), supra note 17

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Jeff Nolan, OMG, LOL, AND WAY TMI — SOCIAL MEDIA IN THE HIRING PROCESS – 15 No. 10 Vt. Emp. L. Letter 1, (2010).

[16] Carolyn Elefant, The “Power” of Social Media: Legal Issues & Best Practices for Utilities Engaging Social Media, 32 Energy L.J. 1, 4 (2011), supra note 37

[17] What happens to your Facebook account when you die? – News, Weather & Sports, , (last visited Nov 16, 2012).

[18] Id.

[19] Id.

[20] Joseph M. Mentrek, ESTATE PLANNING IN A DIGITAL WORLD. 19 Ohio Prob. L.J. 195 (2009).

[21] John Conner, DIGITAL LIFE AFTER DEATH: THE ISSUE OF PLANNING FOR A PERSON’S DIGITAL ASSETS AFTER DEATH, 3 Est. Plan. & Community Prop. L.J. 301, 302 (2011), supra note 93