The ABA Model Rule of Professional Conduct Rule 1.1 Competence states that “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology”. Rule 1.6 Confidentiality of Information states that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Now that lawyers are storing and retrieving information from Cloud services, what does it mean to keep abreast of relevant technology and to make a reasonable effort to prevent the inadvertent disclosure of, or unauthorized access to, client information? Does the recent revelation that the NSA has access to data stored in Google, Amazon and Microsoft Azure Cloud services require lawyers to pull data from Cloud services that store their databases with these hosts? Should lawyers continue to use web-hosted mail such as Gmail, Outlook.com, Verizon, AOL and EarthLink accounts for client-related email? What about Google Docs, Microsoft 365, Dropbox, and the ever-growing panoply of legal-specific Cloud solutions?
Bar association committees focused on ethics and practice management are educating lawyers about how to assess the risks of Cloud services. The Small Law Firm Committee of the New York City Bar published “The Cloud and the Small Law Firm: Business, Ethics, and Privilege Considerations”, which points out the many benefits of Cloud services (low infrastructure cost, access from anywhere, quick responsiveness to client inquiries) but also the obligation of the attorney to determine “how to use these tools safely and ethically.” Two key risks and requirements must be investigated before engaging any Cloud provider: (1) “How secure will be the data hosted with the Cloud provider? Will privilege and confidentiality be maintained in the Cloud provider’s servers as well as in transmission to and from those servers?”, and (2) “Can the firm access its data as needed?”, considering the possibilities of Internet connection failure, server or maintenance failure, or provider business failure. In the latter case, for example, secured creditors could claim the servers without regard to preserving the data for its owners or to the requirement to keep that data confidential.
An easily adopted best practice in the report is to insert into every client engagement letter a provision granting the client’s consent to store its data in the Cloud, and to ensure that no data provided to the attorney by a potential client is disclosed to a Cloud provider before having that written consent from the client.
The report discusses at length how a lawyer should review the Cloud provider’s Service Level Agreement (SLA). The lawyer should spend time performing due diligence on a proposed provider and its contract, and document the process, including the review itself, any negotiations with the provider, and the reasons for concluding that the client’s information is going to be secure. Due diligence should cover security protections such as intrusion-detection systems, firewalls, passwords, back-up procedures, etc., as well as the provider’s business, especially its financial condition, reliability, and ability to meet its ongoing commitments. Request copies of the prospective provider’s certifications from one of the agencies that independently audit the security practices of Cloud providers. Internationally recognized standards used by these auditors include SSAE-16 (Statement on Standards for Attestation Engagements, the successor to SAS 70, Statement No. 70 of the Statements on Auditing Standards, Service Organizations), SOC 3, and SysTrust/WebTrust. An attorney using a provider that demonstrates having received one of these certifications would probably be held, in a dispute, to have exercised reasonable care in assessing the provider’s security.
In our own experience as consultants, passwords that can be easily hacked or guessed (Password1, anyone?) provide the easiest breach. Educate your staff: a firm’s data is only as secure as its most clueless employee. Either make sure that Cloud services that provide access via mobile devices such as tablets and smartphones do not store data on those devices, or else set up strong passwords for the devices themselves. Use password managers such as RoboForm, Password Safe, or LastPass to store your strong passwords, so that they cannot be pulled out of a contact list or document.
For web-based email and for firm email, consider using an email encryption solution such as ZixMail, which is used by government agencies and by insurance companies that have to meet HIPAA confidentiality standards. Enable TLS encryption on your mail server.
Your own systems should be assessed as well as the Cloud provider’s; verify that your office has information management protocols that include technical safeguards (password policies, etc.), and that your equipment and software are capable of sending encrypted transmissions.
Data should be encrypted in transit from the firm to the provider and back again, and at rest at the provider’s locations. Use encryption applications to encrypt your computer hard drive and portable media such as USB drives, laptops, tablets and smartphones. Check with the provider on its encryption policies: is the data encrypted when stored on their servers as well as when sent?
A lawyer should either understand the technology or engage an expert to assist him/her, and should not simply accept a Cloud provider’s assurances that there is no need for concern.
http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct.html – the ABA Model Rules; also downloadable to Apple iOS devices as an app via the App Store.
http://www.thecyberadvocate.com/2013/07/29/abas-ethical-use-of-technology-update/ – summary of updates to the ABA Model Rules, with a table relating each rule to the corresponding NC ethics opinion.
http://www.checktls.com/ – secure email (TLS) test tools and services.