Chances are, if you haven’t heard of the cloud, your head is probably in it! Today, cloud computing is becoming an essential element of personal and professional technology use. From our smartphones to our computers, both are increasingly becoming synchronized with cloud backup systems. From solo attorneys to big-box law firms, many are embracing cloud-based applications and backup options as a way of doing business. Here, we’ll discuss ethical compliance and cloud services for law firms.
You should be aware there are different platforms of cloud computing. Specifically, cloud computing is characterized as “large groups of remote servers networked to allow centralized data storage and online access to computer services or resources.”[1] The two main components of cloud based services boil down to data storage and applications that run locally but are processed in the cloud. It’s what those in the business refer to as Infrastructure as a Service (IaaS) and Software as a Service (SaaS)respectively . The history of cloud computing dates back to 1969 but “since the internet only started to offer significant bandwidth in the nineties, cloud computing for the masses has been something of a late developer.”[2] The concept gained industry notoriety in 2006 when Amazon first developed its Elastic Compute Cloud (EC2) model as the first commercial internet service allowing small businesses and individuals alike the ability to rent computers to run their own computer applications.[3]
Cloud Computing for Law Firms
For the most part, most cloud based application services offered to solo and small firms fall in the SaaS category. [4] Think of Clio, Rocket Matter, My Case, and Amicus cloud based case management platforms. However, many law firms and solo’s alike who don’t use SaaS based platforms have begun to use IaaS based platforms whether they know it or not. For instance, most iPhone users use iCloud to back up their devices even if not specifically intending to do so. Often times, when setting up a newly purchased iDevice, the setup steps require an iTunes log-in info. By doing so, iUsers inadvertently agree to have their digital content backed-up to Apples Cloud based storage. Don’t get me wrong, having a backup of your device’s content can be a Godsend if your device is lost or stolen. However, if you’re a lawyer who receives client related email or text messages on your phone, you just put confidential client information in a medium you neither are aware of, nor have control over.
Ethics Rules Possibly Affected by Cloud Computing
Under rule 1.1 of the Model Rules of Professional Conduct, the duty to “provide competent representation to a client” includes the duty to comprehend the cloud based technology services being used along with the duty to obtain client consent, and some cases the duty to counsel the client with regards to the use of cloud services in connection to representation. [5] Many states bar ethics committees have released opinions which generally permit attorneys to use “web-based storage services (like Google Docs and Dropbox) provided that the attorneys take reasonable steps to ensure their information is secure and not shared with third-parties.”[6] Given recent data breaches involving celebrity photos, cloud data security vulnerability is a very real possibility and should be paid close attention to. Moreover, if you aren’t even aware your client’s confidential information is being stored in the cloud, you certainly cannot claim to have taken reasonable steps to ensure their information is secure. To avoid any uncertainty, attorneys should be cognizant of what data is being backed up and where. Reasonable steps would include; routinely monitoring End User License Agreements, ascertaining where cloud providers store data, and keeping abreast of their retention policies.
Under, Rule 1.6, which includes an attorney’s duty to “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client, comes another set of cloud related responsibility. “[7] Though some disclosure is permitted under RPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to cloud computing as well.[8] Bottom line, cloud data storage is ethical so long as attorneys take “reasonable care to ensure the system is secure and the client confidentiality is maintained.”[9]
Under Rule 1.15, a lawyer has a duty to maintain and preserve client records and deliver them promptly upon request. Consequently, this applies to digital records kept locally and those maintained in the cloud, and making sure those files aren’t lost, stolen, or destroyed. Presumably, by using cloud-based backup services, you’re more than likely exercising the requisite reasonable efforts to maintain and preserve client records. Delivering client records upon request may be a sticking point for lawyers who use cloud based storage providers as we’ll get into next.
Pursuant to Rule 1.16, a lawyer has the “duty, upon termination of representation, to promptly deliver all papers and property to which the client is entitled,” which includes the work of cloud service providers.[10] Simply put, you must give the client all their files back after representation. However, if the cloud provider now legally owns the client’s digital content you uploaded, you can be in ethical violation of this rule. For instance, Google docs has a provision in their terms of service that states “when you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” To a layman it may appear that Google is seeking an ownership interest in the information you upload, however such licensing rights allow Google the ability store, transfer, and rewrite the data between multitudes of servers for backup purposes. To avoid RPC 1.16 pitfalls, I suggest understanding the terms of service between you and cloud providers.
Reasonable Precautions Attorneys Can Take to Ensure Client Info is Protected
There is a general consensus among ethic committees around the country that lawyers are ethically permitted to use cloud computing, however it should be noted that certain cases involving HIPAA, GLBA or FRCA may have additional restrictions. Overall, the general requirement is that lawyers take “reasonable precautions to ensure client information is protected from disclosure.”[11] Furthermore, the opinions all generally summate that attorneys will not be held as the guarantors of cloud based services. [12] As the New York State Bar Association put it, “the applicable standard is reasonable care, not strict liability,” and provided the following relevant guidelines attorneys should follow in exercising reasonable precautions. [13]
-
Stay on top of emerging technologies to ensure client information is safeguarded.
-
Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.
-
Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.
-
Review all contracts and terms of service to ensure they comply with all ethical requirements.
-
Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.
-
Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.
-
Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.
-
Protect against “end -user” vulnerabilities, such as the failure to use strong passwords or the use of unsecured Internet connections.
-
Notify clients in the event of a significant data security breach.[14]
Conclusion
If ever unclear about a potential ethical dilemma involving client data or otherwise, simply pick up the phone and call your state bar for guidance. After all, it’s what you pay yearly membership fees for. For those who lack the time to scour end user license agreements the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which unfairly binds users to unfair terms. Bottom line, if you can document that you’ve taken reasonable steps to safeguard your clients data you should be fine.
[1] Cloud computing – Wikipedia, the free encyclopedia, , http://en.wikipedia.org/wiki/Cloud_computing (last visited Nov 18, 2014).
[2] A history of cloud computing, , http://www.computerweekly.com/feature/A-history-of-cloud-computing (last visited Nov 18, 2014).
[3] Id.
[4] New York City Bar Association – Ethics Overview – Ethics Panel, , http://www.nycbar.org/ethics/ethics-overview (last visited Nov 18, 2014).
[5] Id.
[6] The Best Law Firm Case Management Software – An In-Depth Comparison, , https://jurispage.com/2013/law-practice-management/the-best-law-firm-case-management-software-an-in-depth-comparison/ (last visited Nov 18, 2014).
[7] New York City Bar Association – Ethics Overview – Ethics Panel, supra note4.
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] Id.
[13] Id.
[14] Id.