If You re a Lawyer Headed to the Cloud, Read This First By Reid F. Trautz, Director, AILA Practice & Professionalism Center

Transcription

1 If You re a Lawyer Headed to the Cloud, Read This First By Reid F. Trautz, Director, AILA Practice & Professionalism Center Not since the terms cyberspace and Y2K has there been an inexact technology term so bandied about as cloud computing. We hear it more and more, but what does it mean? More importantly, what does it mean for lawyers? Cloud computing is the use of software and storage of information, documents, and other electronic files in an off site computer server (or servers) outside of the physical space of the law office and beyond the normal control of the lawyer or law firm. Examples of cloud computing include webmail services such as Gmail, on line file back up services, web based immigration case management services, and hosted services, among others. Cloud computing is really a form of outsourcing functions normally done within the confines of an office. Outsourcing technology functions is growing rapidly across all businesses. Rather than have network servers, software applications, or data reside exclusively within the walls of a law firm, these functions can now be managed off site by third parties at a lower cost than traditional IT. The data is connected to the business by the Internet (and vice versa). Here is a real world analogy of cloud computing (courtesy of the Wall Street Journal): Imagine a large law firm that, instead of using a commercial service like FedEx, decided to create its own worldwide parcel delivery system. The company would buy warehouses, delivery trucks and airplanes. It would hire package handlers, mechanics and logistical experts. All this would require an enormous investment and would be quite impossible for any law firms to do efficiently, cost effectively or well. Cloud computing is the equivalent of hiring FedEx. It is a way to outsource the service of providing the hardware, software, and human resources required to deliver, store and manage digital data. The outside service providers in turn achieve economies of scale, lowering the cost to all their customers. It is up to the individual business to decide how much of their technology to outsource. Cloud computing services can include complete data center infrastructure including networking, electronic file storage, operating systems, application servers, e mail servers, security, update and user management, file backup services, and disaster recovery. The most common use of technology outsourcing is on line data storage, but a growing trend, especially in smaller firms is a form of cloud computing known as Software as a Service or SaaS. SaaS is software that is not installed on your computer but instead is hosted remotely. Users access the software over the internet and the data is hosted remotely along with the software. Another way to think of SaaS is that it uses the web as a platform your operating system becomes, de facto, your web browser.

2 Options for implementing SaaS in your office are multiplying rapidly. There are SaaS solutions for on line backup and data storage, such as ibackup, Carbonite, or Mozy. There are case management programs, such as Clio or RocketMatter. There are office suites, such as GoogleDocs and Microsoft Office 365. There are document management services such as NetDocuments and Worldox. Even old stalwarts of installed software are moving toward SaaS, such as Intuit s QuickBooks and Quicken. SaaS does not require the user to download, patch, update or otherwise maintain the software it is all done at the host site. This creates an uptick in ease of use for users, but as usual, along with that improvement comes a potential disadvantage too: SaaS products are usually billed in monthly or annual subscriptions; i.e., you stop paying for the service and you stop receiving it altogether. Cloud computing (aka outsourcing) is an unbeatable market force, but it is also an ethical minefield for lawyers. That said, it is not an impossible minefield to navigate, so here are some issues to consider and questions to ask before you outsource into the cloud. Ethical Rules and Legal Responsibilities Attorneys have ethical, contractual, common law, and regulatory duties to safeguard client information. Ethical obligations are imposed by your state Rules of Professional Conduct. Legal responsibilities come from state and federal laws addressing data security and consumer protection. Since 2004, 45 states have enacted data security laws that protect consumers if personal information in the possession of a business is lost or stolen. The most common obligations involving client confidences and information stem from these rules: A. Rule 1.1 Competence B. Rule 1.3 Diligence C. Rule 1.4 Communication D. Rule 1.6 Confidentiality of Information (See also Rules 1.9(c) and 1.18(b)) F. Rules 5.1, 5.2 and 5.3 Duties of Supervising and Subordinate Attorneys, and Supervision of Non lawyer Assistants Rule 1.1 covers competence. It is not just competence in law, but in using the technology to practice law and service clients. Comment 16 to this rule states: A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer s supervision. See Rules 1.1, 5.1 and 5.3.

3 A number of state ethics opinions address professional responsibility issues related to attorneys use of various technologies. In 2009, Arizona issued LEO in response to an inquiry about on line file storage that is securely accessible by the firm and authorized clients. Other bar associations have recognized that the duty to take reasonable precautions does not require a guarantee that the system will be invulnerable to unauthorized access. [Citation omitted] Instead, the lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer s legal skills, but also generally to those matters reasonably necessary for the representation. Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security. The opinion provided further guidance for lawyers: [T]he Committee also recognizes that technology advances may make certain protective measures obsolete over time. Therefore, the Committee does not suggest that the protective measures at issue in Ethics Op or in this opinion necessarily satisfy ER 1.6 s requirements indefinitely. Instead, whether a particular system provides reasonable protective measures must be informed by the technology reasonably available at the time to secure data against unintentional disclosure. N.J. Ethics Op As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients documents and information. In 2010, the State Bar of California issued Formal Opinion No , and focused on the changing standard of care, but also provided factors to evaluate before using a particular technology to store or transmit client information: The Digest to this opinion states: Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps

4 to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the of the situation; and 6) the client s instructions and circumstances, such as access by others to the client s devices and communications. The ethics opinions that have addressed attorneys use of cloud technology have focused primarily on the duties of competence and confidentiality. Some have also addressed the duty to supervise. The key issues in all opinions are: a) Failure to timely service clients because of a temporary or permanent loss of data or connection to cloud service. b) Lack of control over data. c) International storage of data beyond the laws, rules, and regulations of the United States. d) Obligation to obtain client consent about the outsourcing of their personal data storage to a cloud vendor. Competence & Supervision You are responsible for supervising the work and assuring the competence of your outsourced service providers. At a bare minimum, check the service provider s references. You may also want to perform a background investigation on all service providers and interview principal lawyers. Finally, consider investigating the security of the provider s premises, computer network, and waste disposal services. Confidentiality Model Rule 1.6(a) mandates that a lawyer may not reveal confidential client information without the client s informed consent. This includes client information and data that you entrust to a cloud provider. Increasingly, state bar associations are tackling the ethical dimensions of electronically stored information and lawyers using SaaS must exercise professional judgment and caution. Outsourcing Cloud computing is a form of outsourcing. We are delegating the maintenance of some or all computing functions to a non employee outside of our direct control within our

5 office. The ABA has recognized the competing benefits and risks of outsourcing and has provided ethical guidance in ABA Formal Opinion (Lawyer s Obligations When Outsourcing Legal and Non Legal Support Services). Although this opinion is non binding on lawyers, it is a source of reasoned guidance. It concludes: The challenge for an outsourcing lawyer is, therefore, to ensure that tasks are delegated to individuals who are competent to perform them, and then to oversee the execution of the project adequately and appropriately. At a minimum, a lawyer must investigate the background of any service provider to make sure they possess the correct skill, competence, and integrity to adequately and appropriately handle the tasks being delegated. An outsourcing lawyer should recognize and minimize the risk that any outside service provider may inadvertently or perhaps even advertently reveal client confidential information to adverse parties or to others who are not entitled to access. One recommended precaution is to require the third party provider to sign a confidentiality agreement that provides specific guidance to the provider for maintaining confidentiality. Such language may already be in the proposed services contract, but reasonable modifications may be required for the best reasonable protection under Rule 1.6. The agreement should give specific examples of prohibited conduct and triggers for notification of a breach (unless covered elsewhere in your services contract). Some legal technology experts opine that the outsourced data may actually be safer under the control of a third party provider than at a small law firm with a small or no IT staff. Legal Responsibilities Legal responsibilities come from state and federal data security laws that are of growing importance in our interconnected world. These laws address what happens if your client information (including that held by a cloud based service) is breached (lost or stolen). Generally, these state laws require anyone who holds consumers personal information to take action if the breach exposes consumers to risk of financial fraud. Although each state law defines consumer personal information differently, a social security number or financial institution account number in combination with a name is at the core of most definitions. If there is a breach of data on your computers or the cloud provider s computers and you possess consumer personal information, data security laws require that your clients be notified of the breach. The same is true if any lawyer s computer or mobile device is lost or stolen and the data is breached. This client notification can be an embarrassing step for lawyers, but it is a necessary one. The purpose of the notice is to allow consumers to protect themselves from possible repercussions of the data breach such as identity theft, so delaying the notice to them could be harmful.

6 These laws should not scare you away from cloud computing, but you must be prepared to respond to protect your clients interests if there is a breach of client information. Potential Questions for Cloud Providers Here is a list of questions to help you select the right cloud provider, while meeting your ethical and legal obligations. These are aimed at particularly at SaaS providers. The list is not exhaustive, just a starting point. Before purchasing a cloud solution: 1. Read the user or license agreement terms. 2. Determine where the data is stored. Is it solely within the United States? 3. Determine who, besides you, has access to the data. 4. Who owns the data residing on the service provider s servers? 5. If you terminate the service, how do you retrieve your data and what happens to the data hosted by the service provider? 6. Examine the service provider s physical and electronic security and confidentiality policies. What layers of protection do they have? Do they provide notice of a breach? 7. What is the history of downtime for the service? What redundancy do they have to avoid downtime? Potential Questions for Cloud Storage Providers A separate article, available on InfoNet, addresses the questions to ask a cloud storage/data back up provider in more depth. Conclusion As Internet connection speeds become faster and less costly, as the cost of internal hosting of law firm servers and software becomes more expensive, and as the reliability and functionality of "cloud" options increase, will firms be able to resist the economic forces at play? As this next era in law firm technology begins, firms must ethically balance the needs of the client with the realities of this new technology. However, caution rather than fear should rule the day.