Last week I discussed the definition of cloud computing and explored the idea that lawyers are already using cloud computing (and have been for some time) but just don’t realize it. This week, in part 2 of this series, I’ll focus on the security and ethical issues presented by cloud computing and then move on to a discussion of some of the different types of legal cloud computing platforms.
Now, let’s turn to the the third thing that lawyers need to know about cloud computing.
3. Absolute security is an impossibility.
According to the 2011 ABA Legal Technology Survey, one of the main reasons lawyers are reluctant to use cloud computing tools in their law practice is lack of familiarity. Other reasons cited included confidentiality and security concerns (47%) and the lack of control over data due to outsourcing it to a third party (41%).
Before we delve into the security issues presented by cloud computing, it’s important to acknowledge that no type of data storage system is risk-free. The truth is, anytime you entrust your data to a third party, you incur risk. This applies equally to any type of outsourcing, whether it is the outsourcing of administrative tasks or the outsourcing of the management of your physical or digital data.
Lawyers have always entrusted confidential data to third parties, including process servers, court employees, building cleaning crews, summer interns, document processing companies, external copy centers, and legal document delivery services. Absolute security has never been required in these situations because absolute security is an impossibility. Rather, due diligence requires that you take reasonable steps to ensure that confidential client data remains safe and secure. Cloud computing is no different.
Accordingly, regardless of who has access to your data or what format the data takes, the steps you take are always be the same: you should ensure that the same confidentiality standards that are applied to physical client files apply to computer-generated data as well. In other words, it is your duty to ensure that the third parties to whom you entrust your data and who have access to the computer servers that house your data meet the same security obligations as any other third party to whom you entrust confidential client files.
That being said, cloud computing, by its nature, involves unique risks. These include security, ethical, and privacy risks and the possibility of temporarily or permanently losing access to your data. The best way to ensure that you understand these risks is to ask the right questions. Make sure that your cloud-computing vendor’s responses are satisfactory. Negotiate an agreement that protects both your interests and your clients’ data.
As discussed below, part of your ethical obligation as an attorney is to carefully assess these risks. The steps that you will need to take to meet this standard will vary depending on the ethical rules applicable in your juris- diction and the ways in which you seek to use cloud computing in your law practice.
4. Most U.S. ethics commissions have concluded that it is ethical for lawyers to use cloud computing.
The American Bar association recently published a very useful chart comparing all of the cloud computing ethics opinions handed down in the United States. That chart can be found here.
For illustrative purposes, let’s consider Ethics Opinion 11-01, which was handed down in September by the Iowa Committee on Practice Ethics and Guidelines. In my opinion, this opinion is one of the most well-written decisions on this issue. In it, the Committee concluded that:
When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
The Committee also provided the following very useful list of questions to ask any technology vendor, not just cloud computing providers. The suggested questions focus on determining how accessible and secure the data will be:
- Will I have unrestricted access to the stored data?
- Have I stored the data elsewhere so that if access to my data is denied I can acquire the data via another source?
- Have I performed “due diligence” regarding the company that will be storing my data?
- Are they a solid company with a good operating record and is their service recommended by others in the field?
- What country and state are they located and do business in?
- Does their end user’s licensing agreement (EULA) contain legal restrictions regarding their responsibility or liability, choice of law or forum, or limitation on damages?
- Likewise does their EULA grant them proprietary or user rights over my data?
- What is the cost of the service, how is it paid and what happens in the event of non- payment?
- In the event of a financial default will I lose access to the data, does it become the property of the SaaS company or is the data destroyed?
- How do I terminate the relationship with the SaaS company?
- What type of notice does the EULA require.
- How do I retrieve my data and does the SaaS company retain copies?
- Are passwords required to access the program that contains my data?
- Who has access to the passwords?
- Will the public have access to my data?
- If I allow non-clients access to a portion of the data will they have access to other data that I want protected?
- Recognizing that some data will require a higher degree of protection than others, will I have the ability to encrypt certain data using higher level encryption tools of my choosing?
So, now that I’ve provided a brief overview of your ethical obligations, the next step is to asses the legal cloud computing platforms currently available to lawyers.
5. There are an assortment of cloud computing software platforms developed specifically for lawyers.
Finally, let’s consider the various legal cloud computing platforms available to you. Once again, the ABA comes to the rescue, offering a handy chart which provides a comparison of billing and law practice management software, both cloud and server-based. MyCase’s law practice management software is included, along with a host of other platforms.
So there you have it. Lots of information about cloud computing for lawyers. What else would you like to know? Let me know. Perhaps I can address those issues in a later blog post.