Ethical Considerations, Security Concerns and the Cloud
BY Barbara Atkinson STAFF CONTRIBUTOR
More firms are moving toward cloud-based solutions to enhance productivity and cut down on paper. This shift has ethical implications surrounding offsite data storage and security. What are these issues and how can attorneys address them?
Even though your firm may not yet be using cloud computing, a great deal of the work you do is already utilizing cloud computing — accessing and using platforms, software, and infrastructure via the Internet. Cloud computing encompasses everything from using a web-based email account to using a sophisticated, customized application or firm-specific network, offering systems based on the level of service you need, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and data-hosting.
While cloud computing is increasingly being used by law firms as a way to streamline their own offices and leave the IT issues to outside vendors, it is still new enough that many firms are not convinced of its benefits or its safety. And, as with most of our latest technological advances, the technology is moving so fast that best practices are scrambling to catch up.
The Ethical Question
For law firms concerned about storing confidential client data on third-party-access servers, cloud computing can raise ethical concerns. State bar ethics committees have been wrestling with cloud computing opinions for the past several years, from Oregon to Florida; the American Bar Association House of Delegates explored the ethics of cloud computing in August 2012, and approved cloud computing as it follows the Model Rules of Professional Conduct. As long as reasonable steps are taken by firms and attorneys to protect confidential data from unintended recipients and reasonable efforts have been made to ensure that the cloud computing services are provided in a manner that is compatible with the attorney’s professional obligations, it has been widely agreed, cloud computing is – or can be, with the right structure and care in place – ethical.
But to be safe, before you push your firm into the cloud, keep in mind all of your ethical obligations, and exercise due diligence when vetting your service provider. What might that mean? Your firm will likely be held responsible for preserving and producing relevant data which is considered to be in your company’s “possession, custody or control,” which includes the ability to request it, upon demand, from a third-party contractor providing service to you. If your firm fails to produce that data in litigation, you may face significant monetary sanctions, an adverse inference of liability and/or a default judgment against your firm. So, even if that data is not in your physical possession, your firm will more likely than not be considered in “control” of all of your electronic data, regardless of where it is actually maintained.
When considering cloud computing for your firm, look at the electronic discovery (e-discovery) issues that may arise with your cloud computing system choice, and discuss them with your potential service provider. Some things to discuss:
- What is the overall data retention and retrieval policy?
What is your law firm’s standard document retention policy? Will the cloud system retain data for significantly longer than internal policy? Will the system automatically delete data on a predetermined schedule? What system is or can be put into place to quarantine data if it is subjected to a legal hold? What is the service provider’s policy on legal holds? How will data be collected so that it can be produced, if needed?
- What boundaries are placed on data?
How will your firm’s data be stored – segregated or commingled? If your cloud service provider has a roster of clients, and one of those clients is sued or subpoenaed, will your firm’s data be protected from retrieval during someone else’s electronic discovery search?
- What privacy laws should be considered?
Will your firm’s data cross international borders? What are that country’s privacy laws?
- What are the access parameters?
Is your data limited to one access point? What if you have an issue with access – how can your firm be guaranteed access to the data if something happens to the system? Will your firm have unrestricted access to the stored data, or are there limits placed on what can be retrieved? What happens if some data needs a higher degree of protection than other data – are there multi-level encryption tools available?
- What about the third-party provider?
What due diligence should your firm run on the vendor being considered to store your data? What happens to the data if there is nonpayment by your firm or a financial default? Who will own the data? Or, will it be destroyed? What is the timeframe for that? What happens if the firm decides to terminate the relationship with the provider – can data be retrieved, and where will it be stored? Will the provider be able to retain copies of the data?
Security Concerns For Your Firm
One of the most attractive things about cloud computing is remote access. Staff is able to work outside of office hours or remotely, accessing the files and data needed from wherever they are, whenever they want – at home, on the road, or at a client’s office, from their laptop, pad or smartphone. But that easy access can also be a huge security risk. While cloud vendors typically have a much better track record for security than do most companies’ own IT departments, a security breach tends to be the biggest concern for users. And rightly so; cloud computing users have little control over system security, as all of their data is stored offsite.
If you do use cloud computing, the one area of control you do have is in which vendor you hire; carefully choose a cloud service vendor that is reliable and competent. Things to look for: Is the vendor SAS 70 certified? Certification means that the vendor has been through an in-depth safety audit. Do they utilize enterprise-class firewalls? Do they use encryption, converting data into ciphertext to discourage unauthorized personnel? Do they monitor invalid login attempts, and have a system lock in place?
Law firms are turning to cloud-based computing to reduce IT management costs and reduce paper waste, while gaining the flexibility to quickly expand or contract services, based on the changing market.