1/7/13

iThings, Therefore I Am Unsafe?

Image [cc] anti_christa
Friday morning I stumbled into an interesting Twitter conversation between Jeffrey Brandt (Pinhawk guru), Nicole Black (Mycase.com and Cloud Computing for Lawyers), and - I assume - Andrea Cannavina (LegalTypist), tweeting as @LegalTypist. As I often do, I jumped in mid-conversation, completely uninvited, and offered my opinions. The topic was Innovation vs. Security and the tweet that caught my eye was Jeffrey saying, "My biggest fear is that firms will relax their standards to support iThings, and some young lawyer will bypass more traditional tools causing their client to get hosed."*

Of course Jeffrey is completely right. That would be a terrible outcome resulting from security standards being relaxed simply to support the latest and greatest new-fangled gadget. However, as a hopelessly progressive technologist who regularly finds himself in the midst of this very battle, I had to offer the counterargument.

"How about firms who stick to rigid, outdated standards and then fail to meet their clients' needs?", I asked.

The 140 character limit on Twitter is both its salvation and its undoing. Nuance and subtlety are impossible and my comment got @LegalTypist a bit riled.**

"A firm that fails to use the latest and greatest technology does not automatically fail to meet their clients' needs. But a firm that fails to protect client data..."* She left the sentence dangling there like a fish, but I knew what she meant, and she was also completely right.

Security, especially of client data, is always of the utmost importance. You will get no argument from me.

BUT, (and this is not a new revelation) security is also always a trade-off. Your million dollar diamond bracelet is highly secure in its safe deposit box, but if you ever care to wear it you will be forced to diminish its security, at least temporarily. Data is like that bracelet. If you want to USE it, you risk losing exclusive control over it. If you're happy just knowing that you own it, you can leave it locked up somewhere safe and never take it out. Unlike the bracelet, however, if you don't make your client's data easily accessible to those who need access to it via the tools they are likely to have with them when they need to access it, then the value of that data diminishes for both you and for your client.

The assumption in Jeffrey Brandt's scenario is that both traditional tools and iThings are readily available and the young lawyer chooses the less secure option. Leaving aside for the moment whether an iThing is indeed less secure than more traditional tools, the problem here is not the technology, but the young lawyer's decision-making skills. If we change the scenario just a bit and suggest that the young lawyer is out and about spending his year-end bonus when he receives an urgent request from a client, then what is the value of having client data accessible via iThings? The alternative is for the young lawyer to seek out a public library to log in to a remote portal, or to hunt down a colleague with immediate access to a computer, or to talk his secretary, spouse, or <shudder> child through the task of meeting the client's needs over the phone. Any of these options would be more time consuming and less secure (except maybe the colleague scenario) than simply accessing the client's data securely through the iThing. The value to the client is much more concrete. How much will the young attorney bill for his time and services in each scenario?

As I tweeted in response to @LegalTypist, "I am not arguing that ALL technology is good, or that we should ever put client data at undue risk, but we can't fail to innovate the practice of law in the name of securing data."*

It is a different technological world than it was just a few short years ago. Today there are vendors providing consumer-like services with enterprise-level (and beyond) security. You may have evaluated consumer technology options a year ago and decided that they were inappropriate for your practice, but that information is woefully outdated and you should probably re-evaluate. I am ultimately arguing for broader, more flexible technology usage policies that incorporate the concept of "good judgment" (radical, I know) and can accommodate the rapid change of technology. Or at the very least, I would hope for much shorter review periods for such policies.

And, as usual, this little rant probably has nothing to do with what Jeffrey, Nicole, and Andrea were actually talking about and I simply hijacked it to make my own point.

Sorry guys.


*Twitter-ese translations are mine.
**Attributions of emotion are mine as well.


2 comments:

John C said...

There is a natural tension between security and innovation. Security by its very nature is supposed to get in the way. But the two are not mutually exclusive, as long as you do two things:

1. Consider what the security impact is and how you can address that at the same time as the innovation itself (i.e., not afterwards); and

2. Somehow drill "good judgement" into everyone's heads. Acting in a secure and confidential way is not just the job of the IT guy or the security guy or the risk guy (or girl, of course).

For me the breaches and potential problems don't come from the innovation or technology itself but from how / what they are used for, often without any thought.

Tony Chan said...

I'm totally into fitness. Not just physical fitness, but business and IT fitness. To be fit, one needs to be able to perceive, adjust, and adapt in order to improve.

Perception is tricky as individuals perceive security in different ways. Convenience often trumps judgment and the recent news about how the Director of the CIA (Petraeus) used his personal email is a good example.

IT needs to constantly adjust due to the avalanche of technological innovation as well as client demands. The key is to find the right tool for the right job.

Once we figure out the perception and adjustment components, we can then turn to adaptation. It's fine-tuning the systems to work efficiently without sacrificing performance.

Perhaps the focus should be on figuring new ways to protect data rather than limiting the technologies that are used to enable productivity.

 
