New York City Bar Report Offers Guidance on Ethical Risks of ‘Leaping Into the Cloud’

The ABA/BNA Lawyers’ Manual on Professional Conduct™ is a trusted resource that helps attorneys understand cases and decisions that directly impacts their work, practice ethically, and...

By Samson Habte  

Dec. 5 --A New York City bar report on cloud computing points to the travails of Puckett & Faraj, a Virginia law firm, as a “chilling example” of one of the “two key risks” posed by the remote-data-storage technology: the possibility of a security breach that results in the unauthorized disclosure of confidential client communications.

The small firm, which defended a Marine who was accused of murdering civilians in Iraq but convicted on lesser charges, was targeted by the hacker group Anonymous, which stole the firm's Google passwords and gained access to three gigabytes of e-mails containing several years' worth of confidential client information. (See Unaware “Anonymous” Existed Until Friday, Partner of Hacked Law Firm Is Now Fielding FBI Phone Calls.)


Never just click 'Agree' to a provider's 'Terms and Conditions of Use.'”

 

New York City Bar Report

That cautionary tale notwithstanding, the report--titled “The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations”--does not discourage lawyers' use of cloud computing.

“[We] certainly would prefer to give a definitive answer to the question: 'Should I use the Cloud?',” the authors write in the report, published in November by the New York City Bar Committee on Small Law Firms. “However, the answer is an ultimately personal one.”

Summarizing the considerations that should inform a decision whether to store sensitive information on remote servers, the report states:

Each lawyer will have a different view of the competing risks of hackers and provider outages, on the one hand, and convenience of access and protection from natural or other “local” disasters, on the other. The one constant, however, is that a decision must be made thoughtfully, and the lawyer must be prepared to demonstrate to clients, regulators and, perhaps at some point, a court how the decision was reached and what factors went into it.  

Benefits, and Two Main Risks

Small law firms have long struggled to keep up with the physical task of maintaining client files--a problem larger competitors deal with more easily--but technological developments at the turn of the century leveled the playing field.

“Suddenly, it seemed a relief to just store and transmit documents electronically,” the report states. “Files were accessible from a person's desk, rather than down the hall in huge file rooms.”

These new technologies could not be leveraged inexpensively, however. “The expense of space was replaced with the costs of hardware and software training,” the authors write, and “IT departments replaced librarians and file clerks.”

Enter cloud computing. “Nirvana had arrived,” the report states, adding: “Small firms or solos who previously could not afford physical storage space could now store their numerous client related documents on the Cloud, without having to worry about the cost and feasibility of hiring an IT department.”

“More importantly,” the report adds, “small firms and solo attorneys could have constant access to client documents and communications whether they are travelling, in court, at a coffee shop, or at home. This increased availability to respond to their clients will give small firms an advantage that in the past they may have ceded to big firms with armies of associates and support staff.”

These benefits, the report says, have largely put to rest the question of whether lawyers should avoid cloud computing altogether. “With the Cloud becoming more ubiquitous, with clients demanding more responsiveness from their counsel, the question changes--from 'whether to go to the Cloud or manage data through remote access devices …' to 'how to use these tools safely and ethically.'”

The risks of cloud computing generally pertain “to two critically important functions,” according to the report: “storing client data where it might be accessed by the wrong parties or might be inaccessible by the attorney when needed; and exclusive reliance on software or other critical functions not housed under a lawyer's direct control.”

Risk #1: Data Security

Cloud computing “implicates a wide range of ethical obligations,” the report says. “The predominant concern is data security, which implicates a lawyer's ethical duty to safeguard confidential information belonging to clients.”

Accordingly, the authors advise lawyers contemplating a leap into the cloud to ask the following questions: “How secure will be the data hosted with the Cloud provider? Will privilege and confidentiality be maintained in the Cloud provider's servers as well as in transmission to and from those servers?”

The relevant ethics standard on confidentiality is Rule of Professional Conduct 1.6. According to the report, “cloud computing implicates [Rule] 1.6 in two distinct, but related, ways: first, with respect to the delivery of confidential information to the vendor itself; and second, with respect to the potential disclosure to third parties once the information is outside the attorney's control.”

The authors point to a 2010 ethics opinion for guidance on the application of that rule. “The opinion,” they note, “concludes that lawyers may ethically use online 'cloud' storage systems provided they take 'reasonable care to ensure that the system is secure and that client confidentiality is maintained.'” See New York State Ethics Op. 842, 26 Law. Man. Prof. Conduct 639 (2010). That opinion lists four steps that a lawyer may take in exercising reasonable care:

1.  “Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information”;

2.  “Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances”;

3.  “Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored”; and/or

4.  “Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or, for other reasons changes, storage providers.”

 

“The NYSBA approach comports with other ethics opinions around the country,” the report observes. “The opinions emphasize that lawyers are not guarantors of cloud computing services,” it adds. “Thus, the applicable standard is reasonable care, not strict liability.”

Risk #2: Access to Data

The second primary concern associated with cloud computing relates to file accessibility. “When [a] firm stores information in a remote location, it runs the risk that it may be unable to access data from that location,” the report states.

“To successfully access the file,” the authors explain, “you must (1) have a reliable Internet connection, (2) the remote location (the Cloud) must be up and running, (3) the file must have been properly transmitted to and stored with the Cloud provider.”

The report points out that the relationship between a law firm and cloud provider typically is governed by a Service Level Agreement (SLA). “The small law firm would be well-advised to seek providers whose SLA provisions give the firm comfort that its data will be accessible, either through the service provider's primary servers, or back-up servers, the purchase of which is a critical component of a firm's management,” it says.

According to the authors, selectivity in the selection of a cloud provider is not just good business practice--it is an ethical obligation under Rule 1.1 (competence). See, e.g., Pennsylvania Formal Ethics Op. 2011-200, 27 Law. Man. Prof. Conduct 780 (duty of competence requires lawyers to ensure that they can “reliably access and provide information relevant to a client's case when needed”).

Cloud Guidelines

The report outlines eight guidelines that the authors suggest will help practitioners comply with their professional obligations. Although cautioning that the guidelines are suggestions rather than requirements, the authors indicate that “adopting some or all of them can be very helpful in building a strong case that your use of the cloud complies with the reasonableness standard.” The guidelines advise attorneys to:

1.  “Only use reliable providers and, even with well-established providers, keep up to date on their business condition and prospects.”

2.  “Spend time performing due diligence on a proposed provider … and document the process, including your review, any negotiations with the provider and the reasons why you concluded that your client's information is going to be secure.”

3.  “Never just click 'Agree' to a provider's 'Terms and Conditions of Use.' Obtain, and review, the complete Service Level Agreement and all Addenda and Attachments. Read all website information referenced in links in the SLA.”

4.  “Get promises from a prospective Cloud Provider, in the SLA, that it will meet your key requirements, and check the Provider's track record of meeting them with reliable references.”

5.  “Obtain your clients' consent before storing their information in the cloud or relying on cloud-based software for client-critical functions.”

6.  “Be sure you know the technology or engage an expert to assist you.”

7.  Ensure that “data housed with a Cloud provider [are] encrypted in transit from your firm to the provider and back again, and at the provider's locations.”

8.  Establish internal data management policies that “sensitize all staff (professional and non-professional) to the importance of maintaining security (such as protecting the privacy of passwords, avoiding unsecure networks to access the cloud, etc.) and to the operation of the online service so that data entry and manipulation is conducted in the manner necessary for the provider to fulfill its part of the protection regimen.”

 

To contact the reporter on this story: Samson Habte in Washington at shabte@bna.com

To contact the editor responsible for this story: Kirk Swanson at kswanson@bna.com


Full text of the report is at http://www2.nycbar.org/pdf/report/uploads/20072378-TheCloudandtheSmallLawFirm.pdf.

The ABA/BNA Lawyers’ Manual on Professional Conduct is a joint publication of the American Bar Association Center for Professional Responsibility and Bloomberg BNA.

Copyright 2013, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.