Most lawyers are already in the "Cloud." If you use Gmail or online backup like Mozy, you are using cloud services. Cloud computing's benefits include low up-front costs and anywhere access. But it comes with ethical risks. Those risks can be managed successfully. These tips will help you comply with the ethical rules.
Tip 1 - Know Your Ethical Obligations
Cloud computing implicates several ethical obligations. First, attorneys have a duty to provide "competent representation" to clients, MRPC 1.1, which arguably requires attorneys to deploy appropriate technology in their practices. Second, attorneys also have a duty to maintain client confidentiality, MRPC 1.6, a fundamental aspect of the client-lawyer relationship. Third, lawyers must make "reasonable efforts" to ensure that a nonlawyer employed by the lawyer complies with the "professional obligations of the lawyer." MRPC 5.3. It is also a good idea to review the ethics opinions on cloud services, compiled by the American Bar Association here. Generally speaking, the states that have issued ethics opinions concerning cloud computing have concluded that lawyers may store client files in the cloud provided that they take reasonable care to ensure security and confidentiality.
Tip 2 - Consider What Kind of Data You Will Entrust to the Cloud
If you choose to use the cloud for client information or files, make sure that you have reviewed the security and privacy policies of your chosen cloud providers.
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request .... If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox's encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.
Tip 4 - Do an Initial Screening to Ensure that the Provider Takes Adequate Security Measures
Some questions to consider include the following:
• Does the provider take precautions to protect data and guard against unauthorized attempts to access data?
• Does the provider explicitly agree that it has no ownership interest in the data?
• Will the provider notify the lawyer if a third party requests production of the data?
• Does the provider encrypt confidential data?
Tip 5 - Contact the Provider
You need to instruct the provider that, as a nonlawyer employed by you, it is subject under your state's ethical rules to the same ethical nondisclosure obligations that you are. The provider must acknowledge and accept this.
Tip 6 - Investigate the Provider's History, Policies, and Procedures
Things you will want to know and review: (1) the provider's security measures and recovery procedures; (2) the provider's policies for backing up data; (3) the number and location of the data centers; (4) what tier the data centers are certified for (you want a tier 4 certified data center; an explanation of the data center tier system can be found here); (5) the business history of the provider, including length in business and funding; (6) the provider's disaster plan; and (7) the provider's policies for returning your data if your contract ends or the provider goes out of business.
Tip 7 - Find Out if the Provider Owns the Servers Where Your Data is Stored
For example, some providers such as MyCase don't own their own cloud servers and instead use Amazon EC2 cloud servers for storing your data and back it up via Amazon S3. The problem this creates is that if MyCase defaults on a payment to Amazon, Amazon may immediately cut off MyCase's access to your data and may not be able to return it to you if it goes out of business.
Tip 8 - Negotiate Specific Contract Terms with the Cloud Provider if Possible
Terms to pay attention to when entering into a contract with a cloud provider include warranties, indemnification, and governing law and jurisdiction. You will also want to include a specific term in the contract (or a separate agreement altogether) concerning the provider's obligation to maintain confidentiality that specifies how the provider will handle confidential information. Finally, you want to negotiate a price fix for as long as possible so they can't raise monthly fees on you at their sole discretion.
Tip 9 - Know How Your Provider Will Handle Third-Party Requests for Information
As mentioned above, many cloud providers will produce files pursuant to a court order. When those providers also hold the decryption key, like Dropbox does, they decrypt the files before production. You can add your own encryption before storing files and other client information with those providers. That way, even if those providers produce files, they will still be encrypted and unreadable. Alternatively, you can search for cloud providers that do not hold the decryption key to your data such as SpiderOak.
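An added example, not part of the original article: a pre-sync check that lists the files in a cloud-sync folder that were not encrypted before storage, which are the ones a provider holding its own decryption key could produce in readable form. The header list, folder layout and sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading bytes written by some client-side encryption tools. This is a
# partial, assumed list for the example; extend it for the tool you use.
ENCRYPTED_HEADERS = {
    b"Salted__": "openssl enc (password-based)",
    b"age-encryption.org/v1": "age",
    b"-----BEGIN PGP MESSAGE-----": "OpenPGP (ASCII-armored)",
}
HEADER_LEN = max(len(magic) for magic in ENCRYPTED_HEADERS)

def encryption_format(path):
    """Name the encrypted container a file starts with, or None."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    for magic, name in ENCRYPTED_HEADERS.items():
        if head.startswith(magic):
            return name
    return None

def provider_readable_files(sync_root):
    """Return relative paths of files with no recognised encrypted header."""
    # Content is checked, not the file name, so a plaintext file that was
    # merely renamed to *.enc is still reported.
    readable = []
    for dirpath, _dirs, filenames in os.walk(sync_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if encryption_format(full) is None:
                rel = os.path.relpath(full, sync_root)
                readable.append(rel.replace(os.sep, "/"))
    return sorted(readable)

def demo():
    # Constructed sample folder: two encrypted files, two plaintext ones.
    samples = {
        "engagement_letter.pdf": b"%PDF-1.4\nconstructed plaintext\n",
        "brief.docx.enc": b"Salted__" + os.urandom(24),
        "notes.txt.age": b"age-encryption.org/v1\n(constructed body)\n",
        "exhibits/scan.pdf.enc": b"%PDF-1.7\nmislabelled plaintext\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return provider_readable_files(root)
```

A recognised header only shows that a file is an encrypted container; it does not show that the key is strong or that it is held only by your firm.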
Tip 10 - Plan for Problems
Have a plan in place should there be security breaches: who gets notified, and what steps are taken and by whom. Have a plan in place for provider outages or Internet interruption. Keep a copy of your data locally. Have a plan in place for termination (whether you end the contract or the provider goes out of business). How will your firm retrieve the data? Will the data be in a format that is accessible by your firm? How long will the provider retain your data after termination of the relationship?
- Barron K. Henley, Esq., Affinity Partner