Now in Legal Rebels:
Posted Apr 01, 2010 06:48 am CDT
Cloud computing—also known as software as a service, or SaaS—is, in essence, a sophisticated form of remote electronic data storage on the Internet. Unlike traditional methods that maintain data on a computer or server at a law office or other place of business, data stored “in the cloud” is kept on large servers located elsewhere and maintained by a vendor.
That means the vendor—not the firm—purchases, maintains and updates hardware and software, and the firm generally pays a monthly fee to the vendor for its services. More over, data stored in the cloud can be accessed more easily than information maintained on a local network, as long as there is a handy Internet connection.
But some of the advantages of cloud computing also are reasons for lawyers to be cautious about its use. In particular, the fact that client data and work product are stored somewhere outside the direct control of the law firm raises potential ethics concerns about whether the confidentiality and security of the information is adequately protected within the mandates of professional conduct rules for lawyers.
Confidentiality issues center on where the data is being stored, how and to where it’s moved, and where it might be moving in the future, says Roland Trope, a partner at Trope and Schramm in New York City who is writing a book on cloud computing.
“Remember in the Watergate scandal, there was the famous quote: ‘Follow the money,’ ” Trope says. “It’s a much more subtle analysis when you say, ‘Follow the data.’ The difference is, when money moves you don’t leave copies of it.
“If you move data from your firm to the cloud, there is usually a digital copy of it in your firm, but the cloud providers reserve the right to move data around for their own convenience, as in, ‘First we had your data in Santa Fe, but then we moved it to Duluth, and now we’ve built a data warehouse in Iceland.’
“But every time the data moves, it leaves a copy behind, and there is no promise in the terms of service that when they move your data they expunge it from hard drives where it once resided,” Trope says.
“The terms of service do not provide a map of where your data resides or whether it’s in one location or several, and they will not notify you if they move it.”
The early indications from ethics authorities are that storing client data in the cloud does not violate ethics rules, as long as the lawyer took appropriate steps to safeguard the information from inadvertent or unauthorized disclosure.
Rule 1.6 of the ABA Model Rules of Professional Conduct states that, generally, a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent or the disclosure is impliedly authorized to carry out the representation. (Rule 1.6 is generally followed by the states.)
But the comments to Model Rule 1.6 provide some leeway in applying its mandate. Comment 16, for instance, states, “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” And Comment 17 states that a lawyer must take “reasonable precautions” to prevent information relating to the representation of a client from going to unintended recipients when it is being transmitted.
“If you purchase the technology and there’s a breach, you’re going to say, ‘I relied on the cloud provider,’ and the rules back you up,” says Lucian T. Pera, a partner at Adams and Reese in Memphis, Tenn., and president of the Association of Professional Responsibility Lawyers. “The rules say attorneys must act competently to safeguard information. It’s a reasonableness standard, and nothing has changed about the rules but how they apply in a changing world.”
Some recent ethics opinions reach a similar conclusion. The Arizona State Bar’s Committee on the Rules of Professional Conduct, for instance, concluded in Opinion 09-04 (issued Dec. 9, 2009), that a law firm may use an online file storage and retrieval system that enables clients to access their files over the Internet as long as the firm takes reasonable precautions to safeguard the security and confidentiality of the client’s information.
The opinion emphasizes that the duty to take reasonable precautions does not mean a lawyer must guarantee a computer storage system’s absolute protection against unauthorized access. Rather, the lawyer should exercise sound professional judgments about what steps are appropriate to protect against foreseeable attempts at unauthorized access.
But the opinion also cautions lawyers to be aware of the limits of their knowledge about computer security, and to consult experts when their own knowledge is lacking.
The twist to the reasonableness standard is that when it comes to technology, what is reasonable is changing all the time, says Pera, a member of the Ethics 2000 Commission that conducted a sweeping review of the Model Rules a decade ago. “If someone breaks into your server and you have the appropriate security, I don’t think it’s likely you would be subject to discipline or a breach of fiduciary duty. But the answer of what you have to do to act reasonably changes all the time—that’s what is frightening about it.”
That changing digital environment is why lawyers need to learn about developments in cloud computing, says Michael F. Fleming, who chairs the Cyberspace Law Committee in the ABA Section of Business Law.
“The cloud today is very different in its characteristics and risks than it was two years ago and different than it will be four years from now, when some of these clouds become capable of handling a major company’s data,” says Fleming, a shareholder at Larkin Hoffman Daly & Lindgren in Minneapolis. “New communications technologies don’t just arrive; they evolve, and we need to keep up on how they evolve and how the culture using them changes.”
There is, for instance, a wide divergence between systems available for remote storage and backup, says Richard Granat, a member of the council for the ABA’s Law Practice Management Section who also chairs the section’s eLawyering Committee.
“If you’re using a ‘tier 4’ hosting provider that’s the same as banks and insurance companies use, it’s different than a run-of-the-mill hosting provider,” says Granat, the founder and CEO of DirectLaw Inc. in Palm Beach Gardens, Fla., a company that helps law firms use the Internet to deliver legal services. Tier 4 systems typically include hardware-oriented firewalls, redundant backups and other security features that smaller systems often lack.
The nature of the firm’s work may dictate the level of security needed, Granat says. While sole practitioners have the potential to realize the greatest savings from cloud computing, their security needs may differ from a larger firm. “If I were a huge law firm and my client is Goldman Sachs, where someone might have incentive to use subtle tools to hack into a $3 billion deal, I would want to take extreme precautions to make sure it’s secure,” he says. “That’s a very different situation from a solo doing a will or business incorporation where the stakes are much lower.”
Granat urges law firms to focus on their relationship with a cloud provider’s employees. “The contract should be written so that the employees at the data center act as a fiduciary for the law firm and are agents of the law firm, like the IT personnel who work on the firm’s premises,” he says.
Experts on both technology and ethics agree that the most important thing lawyers can do is learn more about cloud computing, if only to keep up with what their cli ents know about it.
“It’s not possible for a lawyer to ignore cloud computing, even if they don’t choose to do it themselves,” says Trope. “Their clients are going there, and if you don’t understand what your clients are doing, you’re almost in the same kind of trouble, because clients will find a lawyer who speaks their language.”