Litigating in the Cloud - Security Issues for the Trial Practice
J. Walter Sinclair
Stoel Rives LLP
101 S. Capitol Blvd, Suite 1900
Boise, Idaho
(208) [email protected]

Mr. Sinclair is a partner in the law firm of Stoel Rives in Boise, Idaho. He has practiced law since 1978, developing a trial practice with an emphasis on business, corporate and complex litigation matters associated with agricultural product liability, antitrust, class action, complex commercial litigation contract disputes, mass tort, probate disputes, product liability, real estate and securities litigation.

Mr. Sinclair graduated from Stanford University with a B.A. in Economics and then received his Juris Doctor degree from the University of Idaho, College of Law in He is admitted to practice in federal and state courts in Idaho, Washington, and Oregon, including the U.S. Court of Appeals for the Ninth Circuit. He was recently nominated as Lawyer Representative for the U.S. District & Bankruptcy Courts, District of Idaho.

Mr. Sinclair has received numerous professional honors including being a Fellow in the American College of Trial Lawyers and the International Academy of Trial Lawyers, receiving the Local Litigation Star by Benchmark Litigation; top 75 Mountain States Super Lawyers; America's Leading Lawyers for Business by Chambers USA; Boise Bet-the-Company Litigator of the Year by Best Lawyers; recipient, Golden Eagle Award, DuPont Legal top award for excellent legal services; and is listed in Best Lawyers in America.
Cloud computing for trial attorneys. The bold new frontier. But is it too risky for the litigation practice?

Let's start by identifying what this program will address. This is not a discussion of a virtual law practice; it is simply a discussion of iPads and other tablets used in a litigation practice. Issues of backup files and data retrieval will not be addressed. What will be addressed, however, are the practical, functional, and ethical considerations as they apply to trial attorneys, specifically as they relate to the use of cloud computing with iPads/tablets.

Most of us have used and/or heard of Gmail and Hotmail. They deliver a cloud computing service in which users can access their email in the cloud, from any computer, with a browser and an internet connection, regardless of what kind of hardware is on that particular device. I dare say most, if not all, of us have used one of those services or something similar. And we do so for the most part without even thinking about it. Yet, that is using a cloud computing service. It is here to stay, and we need to get used to it proactively.

A component of cloud computing is Software as a Service (SaaS), which connects computer devices and clouds. In this software distribution model, applications are hosted by a vendor or service provider and customers access applications, software platforms, services, and data over a network. You can use traditional desktop computers, laptops, or a variety of mobile devices.

So why do we care? The cloud raises novel, yet familiar, issues. Great concern exists about the potential of a breach of confidentiality or security and the potent vulnerability to unauthorized access or inadvertent disclosure when someone places documents and/or data in a cloud. But these concerns are not new. They are simply recreated in a new environment, an environment in which most of us are unsure and often unknowledgeable.

The sources of potential security threats are familiar. There are external threats, including third party vendors, and internal threats, including employees of the cloud computing provider who can access data without authorization. What is the difference between a computer hacker and the nightly cleaning crew in an office building? Bad people exist in either world. And what is the difference between an employee of the cloud computing provider and your external data processing company? Confidentiality and security concerns must address them all.

While a range of cloud technologies currently exists, including the storage of client data, financial records, legal documents, and other information, this program will only look at those aspects inherent to the trial practice.

Cloud-Based Storage

In using many of the litigation-based apps, you need a source, other than your firm's computer system, to store and retrieve data/documents. Let's look at the essential security offered in a cloud-based storage solution.

One of my favorite services is Dropbox. This is a server + cloud solution (also known as "offline cloud access"). Your data is stored on your own computers or servers and synchronized with servers in the cloud. In addition to providing storage, it also synchronizes your data among the various computer devices you control.
So, how secure is this service? Here is what Dropbox has to say:

- All transmission of file data and metadata occurs over an encrypted channel (Secure Socket Layer (SSL)).
- All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.
- Dropbox website and client software has been hardened against attacks from hackers.
- Dropbox employees are not able to view any user's files.
- All files stored online by Dropbox are encrypted and kept securely on Amazon's Simple Storage Service (S3) in data centers located along the East Coast of the United States.[1]

You should note that Dropbox uses Amazon's S3 servers. So in reality you are trusting two services. Amazon provides the storage, and Dropbox encrypts the data before any files are stored on Amazon's S3 servers.[2] The benefit of using Amazon's S3 servers is the level of their data center security, which anyone's due diligence would confirm.

Physical Security:

In reality, certain cloud-based storage may provide a superior degree of security than what many law firms could. And as will be addressed below, that security is what the legal profession requires. The same confidentiality standards that apply to physical client files apply to computer-generated data as well.

By its very nature, cloud computing presents a unique set of risks and legal issues. However, in many ways, the risks are no different from those faced when outsourcing the management of client data to any third party. Therefore, lawyers seeking to implement any type of new IT system have an obligation to take reasonable steps to ensure that client data remains confidential. There is no obligation to ensure absolute security, however, because that is an impossibility.

Legal and privacy issues surrounding cloud computing are still evolving, and a majority of states have yet to issue opinions regarding its use.

The California State Bar issued Formal Opinion No regarding the use of cloud computing to maintain a virtual law office practice, where all legal services and communications were conducted solely through the internet using third party vendors.[3] While many litigators may not use cloud computing to the extent that a virtual law office might, many of the issues remain the same.

[1] Nicole Black, Cloud Computing for Lawyers 98 (2012).
[2] Id. at
[3] State Bar of California Standing Comm. on Prof'l Responsibility & Conduct, Formal Op. No , at 1 (2012), available at
The California opinion indicates an attorney must assess the technology to determine if it is adequate to comply with the ethical obligations of maintaining client confidentiality.[4]

To help legal practitioners ensure they meet their ethical and professional obligations when using new technologies such as cloud computing, the Law Society of NSW, in conjunction with the Office of the Legal Services Commissioner (OLSC), is developing a series of guidelines that will be based on the findings of a major research project by the OLSC.

On a national level, the International Legal Technology Standards Organization has published a set of standards for the use of technology in law practice. To summarize, it is the lawyer's duty to competently investigate and exercise sound professional judgment in forming a reasonable conclusion as to the security of a potential service provider.

In August 2009 the American Bar Association (ABA) created the Commission on Ethics 20/20 to consider whether the Model Rules of Professional Conduct adequately address the challenges of a 21st century law practice. The issues that committee reviewed included concerns regarding the privacy and security of client confidential data stored online on third party servers and the acceptable level of data access by providers. The discussion focused on the professional obligation to take reasonable steps to protect electronically stored client confidential data from inadvertent disclosure or unauthorized access.

On September 19, 2011, the ABA Commission on Ethics 20/20 published its Revised Proposal regarding Technology and Confidentiality, which includes proposed changes to Model Rules 1.0 and 1.6.

Of particular interest to attorneys using cloud computing, the proposed changes to Model Rule 1.6 include proposing new language to Comment [16] to identify several factors that lawyers should consider when determining whether their efforts in this regard have been reasonable, including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients.[5]

This may require some reasonable due diligence.[6] The obligation of reasonable due diligence should be used in selecting a third party vendor.[7] Vendor policies should also employ the same policies and procedures that an attorney would use to comply with the attorney's duty of confidentiality.[8]

[4] Id. at 3.
[5] See ABA Commission on Ethics 20/20, Report on Revised Proposal Technology and Confidentiality, at 5 (Sept. 19, 2011), 0_technology_and_confidentiality_revised_resolution_and_report_posting.authcheckdam.pdf.
[6] Id. at 2.
[7] Id.
[8] Id.
While an attorney does not have to be an expert in technology, he or she should at least have an understanding of what protections are afforded by the technology.[9] If an attorney does not have enough knowledge to assess the security of the technology, then he or she should seek the help of an IT professional.[10] Other considerations may include a disclosure to the client about how and where his or her confidential information is being kept and whether the attorney should seek consent regarding the receipt and storage of information.[11]

Concerns over confidentiality and compliance with Rule 1.6(a) and Rule 1.15 are the overarching ethics concerns that loom over the general use of all cloud computing in the trial practice context, regardless of the specific application or intended use by the litigator.[12]

The following list was compiled from the various state bar ethics opinions and may help in making a reasonable conclusion as to the security of a cloud service.[13]

[9] Id.
[10] Id. at
[11] Id. at
[12] For further reading, see ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Issues Paper Concerning Client Confidentiality and Lawyers' Use of Technology (Sept. 20, 2010), migrated/2011_build/ethics_2020/clientconfidentiality_issuespaper.authcheckdam.pdf; ABA Comm. on Ethics & Prof'l Responsibility, Formal Op (1999) (discussing confidentiality issues of using unencrypted ).
[13] Sharon Bradley, Ethics on the Wing: Examination of Opinions on Electronic Services and Cloud Computing, 1, Georgia Law, University of Georgia Law School, March 19, 2012

A. Clarify Relationship with the Service Provider

- Did you perform due diligence in checking the background of the service provider?
  o Is it a solid company with a good operating record and a good reputation with others in the field?
  o In what country and state is it located and does it do business?
- Did you notify the vendor of the confidential nature of the information stored on the firm's servers and in its document database?
- Does the vendor understand a lawyer's professional responsibilities?
- Did you examine the vendor's existing policies and procedures with respect to the handling of confidential information?
- Has some third party addressed this issue before?

B. Create an Enforceable End-Users Licensing Agreement

- What is the cost of the service, how is it paid, and what happens in the event of nonpayment?
  o Do you lose access to your data, does the data become the property of the service provider, or is the data destroyed?
- Are any proprietary rights over your data granted to the service provider?
- Has the vendor assured you that confidential client information on your computer system will be accessed only for technical support purposes and only on an "as needed" basis?
- Has the vendor assured you that the confidentiality of all client information will be respected and preserved by the vendor and its employees?
- Do you and the vendor agree on additional procedures for protecting any particularly sensitive client information?
- How is the relationship terminated?
  o What type of notice is required?
  o How do you retrieve your data? Is the policy different from that for nonpayment?
- Are there any choice of law or forum, or limitation of damages provisions?
- Has any third party addressed these issues before?

C. Understand the Security Measures

- Know how these things work
  o Encryption - Is there an encrypted connection to which to send your information? Will you have the ability to encrypt some data using higher level encryption tools? Was the service provider's initial encryption scheme tested by an independent auditor?
  o SSL - This is an industry standard that ensures that the communications between your computers and the cloud-based server are encrypted and protected from interception.
  o Intrusion detection - What security measures are used to protect the servers and keep out hackers?
  o Firewalls
  o Passwords - Who has access to the passwords?
  o Tiered data center - The Uptime Institute's tiered classification system is an industry standard approach to site infrastructure functionality. Tier 4 data centers have the most stringent protection for their servers.
  o Does the company conduct regular security audits in-house or via third party?

D. What Happens to the Data Itself?

- Retrieving the data
  o What if the service provider goes out of business or there is a break in continuity (sales, merger, etc.)?
  o Server failure
  o You close your account/cancel the service
  o Will you be able to take the data with you? Make sure data will be returned in a readable format.
- Backup policies
  o How often is data backed up, and are backups distributed across geographic regions? Backups should not be located in only one place, in case something catastrophic happens at that location.
  o What are the steps to recover data?
- Where are the servers located? They should not be located outside the United States, where they might be subject to foreign laws. Foreign privacy laws can differ markedly from U.S. laws.
- Who has access to your data? Can employees of the service provider access the stored data, and is their access restricted and tracked? Do the service provider's employees understand their responsibilities regarding confidentiality?
- What would the service provider do if served with a subpoena?
- Federal laws like the Gramm-Leach-Bliley Act (financial services modernization) and the Health Information Portability and Accountability Act require safeguards to be in place to prevent disclosure of private and personal information. How does the service provider meet these federal requirements?
- Will you have unrestricted access to the stored data? Is your data stored elsewhere so that if access is thwarted you can acquire the data via another source?

E. Security Begins in the Office

- Client security includes the security of the desktop or laptop from which you are accessing the service.
- All office computers need to be properly secured with firewall and anti-virus protection, and the latest security updates for your operating system and web browsers.
- Enforce strict password protocols; use a password generator.
- Employees have to be trained to use the products and everyone held to the same security standards.

F. Conclusion

The primary and final responsibility for data integrity, maintenance, disposition, and confidentiality rests with you. Addressing the issues above should help you find the best cloud computing service provider for your practice, while also ensuring that your law firm is taking the necessary steps to minimize the risk of inadvertent disclosure of confidential client information.

And finally, recognizing your limitations is also part of exercising professional competence. If you have neither the time nor the inclination to develop sufficient technical knowledge, hire a consultant.

Cloud Computing Service Questionnaire

Although absolute security is impossible, and no law firm can be expected to achieve it, lawyers must take reasonable steps to ensure that their client's data is securely stored and remains confidential.
Below is a summary list of questions to ask any cloud computing provider.[14][15]

1) What type of facility will host the data?
2) Who else has access to the cloud facility, the servers, and the data, and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor does not own the data center, how does the data center screen its employees?
3) Does the contract include terms that limit data access by the vendor's employees to only those situations where you request assistance?
4) Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?
5) How frequently are backups performed (the more often, the better)? How are you able to verify that backups are being performed as promised?
6) Is data backed up to more than one server? Where are the respective servers located? Will your data, and any backup copies of it, always stay within the boundaries of the United States?
7) How secure are the data centers where the servers are housed?
8) What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?
9) Has a third party, such as McAfee, evaluated or tested the vendor's security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?
10) Are there redundant power supplies for the servers?
11) Does the contract include a guarantee of uptime? How much uptime? Does the contract include historical data regarding uptime, or will the provider give you that information? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?
12) If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant backups?
13) What remedies does the contract provide? Are consequential damages included? Are total damages capped or specific?
14) Does the agreement contain a forum selection clause? How about a mandatory arbitration clause?
15) If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
16) What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from its system to another?
17) What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party so that it is fully accessible in the event of a dispute? Alternatively, can you back up your data locally so that it is accessible to you should you need it?
18) Does the provider carry cyber insurance? If so, what does it cover? What are the coverage limits?

[14] Nicole Black, Cloud Computing for Lawyers 101 (2012).
[15] This list is not exhaustive. For additional resources, including suggestions of questions to ask and additional issues to consider before signing an agreement with a cloud computing vendor, see Tanya L. Forsheit, Contracting for Cloud Computing Services: Privacy and Data Security Considerations, Privacy & Sec. L. Rep. 9PVLR20 (May 17, 2010), available at ; Edward A. Pisacreta, Law Technology News, A Checklist for Cloud Computing Deals (Apr. 9, 2010), PubArticleLTN.jsp?id= ; Michael P. Bennett, Law Technology News, Ruuuuumble... Negotiating Cloud Computing Agreements (Mar. 11, 2010), ng_cloud_computing_ Agreements.
Massachusetts Identity Theft/ Data Security Regulations
Massachusetts Identity Theft/ Data Security Regulations Effective March 1, 2010 Are You Ready? SPECIAL REPORT All We Do Is Work. Workplace Law. In four time zones and 45 major locations coast to coast.
Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009
Legal Issues Associated with Cloud Computing Laurin H. Mills May 13, 2009 What Is Cloud Computing? The cloud is a metaphor for the Internet Leverages the connectivity of the Internet to optimize the utility
DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE
DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE ACC-Charlotte February 4, 2015 THIS WILL NEVER HAPPEN TO ME! Death, Taxes & Data Breach Not just Home Depot, Target or Sony Do you employ the next
What Data? I m A Trucking Company!
What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 [email protected] Presented by: Rob D. Moseley, Jr. 2 West
KEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
M&T BANK CANADIAN PRIVACY POLICY
M&T BANK CANADIAN PRIVACY POLICY At M&T Bank, we are committed to safeguarding your personal information and maintaining your privacy. This has always been a priority for us and this is why M&T Bank (
California State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
HIPAA: Bigger and More Annoying
HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) [email protected] www.laneykay.com OFFICIAL
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER
INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE
Email Compliance in 5 Steps
Email Compliance in 5 Steps Introduction For most businesses, email is a vital communication resource. Used to perform essential business functions, many organizations rely on email to send sensitive confidential
Cloud Computing in a Government Context
Cloud Computing in a Government Context Introduction There has been a lot of hype around cloud computing to the point where, according to Gartner, 1 it has become 'deafening'. However, it is important
2012 Endpoint Security Best Practices Survey
WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners
Website Privacy Policy Statement. 1519 York Rd Lutherville, MD 21093. We may be reached via email at [email protected].
Website Privacy Policy Statement This website juliereisler.com is operated by Empowered Living, LLC and this policy applies to all websites owned, operated, controlled and otherwise made available by Company,
INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.
NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities
HIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
Securing the Service Desk in the Cloud
TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,
Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
BMC s Security Strategy for ITSM in the SaaS Environment
BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...
Standard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
HIPAA COMPLIANCE AND DATA PROTECTION. [email protected] +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION [email protected] +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
MASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
Your Content refers to the information that you wish to transfer using our Services.
Philips Secure Data Transfer Terms of Service th Revised: May 10, 2012 Thank you for using Philips Secure Data Transfer. These terms of service (the Terms ) govern your access to and use of Philips Secure
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
Cloud Computing and HIPAA Privacy and Security
Cloud Computing and HIPAA Privacy and Security This is just one example of the many online resources Practical Law Company offers. Christine A. Williams, Perkins Coie LLP, with PLC Employee Benefits &
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
