The Risk Manager, Summer 2012

Cloud Computing Defined: n. A loosely defined term for any system providing access via the Internet to processing power, storage, software or other computing services, often via a web browser. Typically these services will be rented from an external company that hosts and manages them. (The Free On-line Dictionary of Computing)

"You are going to look up one day and all you will be doing is managing the systems that connect all your printers." (Carl Ryden, MarginPro)

Introduction

Perhaps unknowingly, Kentucky lawyers are already using cloud computing in great numbers. The Pennsylvania Bar Association Committee On Legal Ethics And Professional Responsibility in Formal Opinion 2011-200 opens an evaluation of cloud computing with this observation:

If an attorney uses a Smartphone or an iPhone, or uses web-based electronic mail (e-mail) such as Gmail, Yahoo!, Hotmail or AOL Mail, or uses products such as Google Docs, Microsoft Office 365 or Dropbox, the attorney is using “cloud computing.” While there are many technical ways to describe cloud computing, perhaps the best description is that cloud computing is merely “a fancy way of saying stuff’s not on your computer.”

Formal Opinion 2011-200 is the best recent opinion on cloud computing that includes recommendations for protecting client confidentiality and risk management. It includes a review of other states ethics opinions reflecting a consensus that lawyers by taking the appropriate precautions may use cloud computing. In the absence of any known Kentucky authority specifically on the use of cloud computing by lawyers, this article reviews the key points of Formal Opinion 2011-200 along with other sources to assist you in your appreciation of what cloud computing means to the modern practice of law and the risks it invokes.

Just a Little More Definition

The Internet for Lawyers Website adds to the previous definition of cloud computing as follows:

  • Cloud computing and “Software as a Service” (SaaS) are two terms used to describe similar services. They allow you to access software, or store files [STaaS -- storage as a service],
    on computers that are not at your physical location or even in your physical control.
  • Dictionary.com defines Cloud Computing as: Internet-based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.
  • Wikipedia defines SaaS as: “Software as a service, sometimes referred to as ‘on-demand software,’ is a software delivery model in which software and its associated data are hosted centrally (typically in the Internet cloud) …. [They] are typically accessed by users using a thin client, … using a web browser over the Internet.” Gmail and Flickr are examples of
    cloud computing or SaaS products because they give you access to e-mail software and message storage, and photo storage (respectively) on computers at a remote location.

Editor’s note: Wikipedia defines “thin client” as: A thin client (sometimes also called a lean or slim client) is a computer or a computer program that depends heavily on some other computer (its server) to fulfill its traditional computational roles.

The Teachings of Formal Opinion 2011-200

  1. Benefits of using cloud computing:
    • Reduced infrastructure and management;
    • Cost identification and effectiveness;
    • Improved work production;
    • Quick, efficient communication;
    • Reduction in routine tasks, enabling staff to elevate work level;
    • Constant service;
    • Ease of use;
    • Mobility;
    • Immediate access to updates; and
    • Possible enhanced security.
  2. The risks of using cloud computing providers include:
    • Storage in countries with less legal protection for data;
    • Unclear policies regarding data ownership;
    • Failure to adequately back up data;
    • Unclear policies for data breach notice;
    • Insufficient encryption;
    • Unclear data destruction policies;
    • Bankruptcy;
    • Protocol for a change of cloud providers;
    • Disgruntled/dishonest insiders;
    • Hackers;
    • Technical failures;
    • Server crashes;
    • Viruses;
    • Data corruption;
    • Data destruction;
    • Business interruption (e.g., weather, accident, terrorism); and,
    • Absolute loss (i.e., natural or man-made disasters that destroy everything). (ABA, “Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology” (Sept. 20, 2010))
  3. Key professional responsibility rules implicated:
    • Rule 1.1, Competence (“Part of a lawyer’s responsibility of competency is to take reasonable steps to ensure that client data and information is maintained, organized and kept confidential when required. A lawyer has latitude in choosing how or where to store files and use software that may best accomplish these goals. However, it is important that he or she is aware that some methods, like ‘cloud computing,’ require suitable measures to protect confidential electronic communications and information. The risk of security breaches and even the complete loss of data in ‘cloud computing’ is magnified because the security of any stored data is with the service provider.”);
    • Rule 1.4, Communication (“[I]f an attorney intends to use ‘cloud computing’ to manage a client’s confidential information or data, it may be necessary, depending on the scope of representation and the sensitivity of the data involved, to inform the client of the nature of the attorney’s use of ‘cloud computing’ and the advantages as well as the risks endemic to online storage and transmission.”);
    • Rule 1.6, Confidentiality of Information;
    • Rule 1.15, Safekeeping Property; and
    • Rule 5.3, Responsibilities Regarding Nonlawyer Assistants.
  4. Reasonable care in selecting a cloud service provider:
    Lawyers contemplating using cloud services must be sure that the selected provider takes reasonable precautions to back up data and ensure its accessibility when the user needs it. With this overarching consideration in mind Formal Opinion 2011-200

Does the provider have procedures for:

  • Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted;
  • Installing a firewall to limit access to the firm’s network;
  • Limiting information that is provided to others to what is required, needed, or requested;
  • Avoiding inadvertent disclosure of information;
  • Verifying the identity of individuals to whom the attorney provides confidential information;
  • Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission;
  • Protecting electronic records containing confidential data, including backups, by encrypting the confidential data;
  • Implementing electronic audit trail procedures to monitor who is accessing the data; and
  • Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data

The firm should ensure that the provider:

  • Explicitly agrees that it has no ownership or security interest in the data;
  • Has an enforceable obligation to preserve security;
  • Will notify the lawyer if requested to produce data to a third party, and provide the lawyer with the ability to respond to the request before the provider produces the requested information;
  • Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;
  • Includes in its “Terms of Service” or “Service Level Agreement” an agreement about how confidential client information will be handled;
  • Provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed;
  • Will host the firm’s data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and … [Kentucky];
  • Provides a method of retrieving data if the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity; and,
  • Provides the ability for the law firm to get data “off” of the vendor’s or third party data hosting company’s servers for the firm’s own use or in-house backup offline.

The firm should investigate the provider’s:

  • Security measures, policies and recovery methods;
  • System for backing up data;
  • Security of data centers and whether the storage is in multiple centers;
  • Safeguards against disasters, including different server locations;
  • History, including how long the provider has been in business;
  • Funding and stability;
  • Policies for data retrieval upon termination of the relationship and any related charges; and,
  • Process to comply with data that is subject to a litigation hold.

The firm should determine whether:

  • Data is in non-proprietary format;
  • The Service Level Agreement clearly states that the attorney owns the data;
  • There is a 3rd party audit of security; and,
  • There is an uptime guarantee and whether failure results in service credits.

Internal firm responsibilities

  • Employees of the firm who use the SaaS must receive training on and be required to abide by all end-user security measures, including, but not limited to, the creation of strong passwords and the regular replacement of passwords;
  • Protect the ability to represent the client reliably by ensuring that a copy of digital data is stored onsite; and
  • Have an alternate way to connect to the Internet, since cloud service is accessed through the Internet.

Conclusion

Formal Opinion 2011-200 concluded that:

[An] attorney may store confidential material in “the cloud.” Because the need to maintain confidentiality is crucial to the attorney-client relationship, attorneys using “cloud” software or services must take appropriate measures to protect confidential electronic communications and information.

This opinion is consistent with other jurisdictions that have considered lawyer use of the cloud. While none of these opinions is a substitute for Kentucky authority, it is difficult to think that we would rule differently and the risk management guidance in Formal Opinion 2011-200 is spot on. Accordingly, the information in this article should be helpful to Kentucky lawyers in avoiding malpractice claims and ethically using cloud computing services. We urge you to include in letters of engagement a description of all electronic transmission methods used when communicating client confidential information. In some cases it may be prudent to get client concurrence with the methods used and in others it may be necessary to avoid electronic communications over the Internet and cloud altogether. And always remember – when in doubt call the KBA Ethics Hotline.