Anthony E. Davis
A recently issued report of the Committee on Small Firms of the New York City Bar, “The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations,” provides a helpful introduction to the subject of cloud computing, and considerable guidance to practitioners.[1] But perhaps necessarily the report does not give definitive answers to the fundamental questions: When—if ever—should lawyers use cloud computing in the context of the practice of law? This article will review the report and will seek to provide additional guidance to the perplexed practitioner or managing partner.
Before either defining “the cloud,” or surveying the city bar report, it is essential to place the subject of the limitations on lawyers’ ability to protect confidential information in our digital universe in context. There are two dimensions to the challenge of preserving confidential information. First, if anyone still believes that the National Security Agency (NSA) does not have the ability to access any and all data that can be accessed using the Internet, they are living in what an English politician (many decades before the term cloud computing was invented) referred to as “cloud cuckoo land.” Similarly, the recent loss to hackers of the personal financial information of 40 million customers by the Target retail store chain highlights the fact that even giant corporations, with technology budgets that presumably dwarf the resources of most, if not all law firms, are unable to guarantee the security of their customers’ information.
Taken together, these realities necessarily lead to a conclusion that is fundamental and critical to understanding the duties of lawyers—there is no such thing as digital data that is completely secure. Another way to express that conclusion is that “security” is a relative state and never absolute. The corollary to that principle is the question that lawyers must address when trying to fulfill their duties in this realm—What constitutes “secure enough” when it comes to preserving the confidentiality of client information?
The second dimension of the problem facing lawyers moves the discussion from the first, theoretical expression of the problem, to the practical. This is best understood by taking two hypothetical situations.
Law Firm “A” has decided that its solution to the problem of securing the confidentiality of its clients’ data will be accomplished by ensuring that all the data will be stored in servers owned, operated and controlled by the firm. Because the firm has limited resources, the servers are kept in a closet inside the firm’s offices. The firm’s backup data is not transmitted over the Internet, but is kept on hard drives that are transported back and forth from the home of the firm’s senior administrator. In neither location are the servers or the discs physically secured, either by lock and key in the office (otherwise the janitors would not be able to access the server room to clean) or in a safe at the administrator’s home. The law firm has a complex set of policies that essentially prohibit all the firm’s lawyers and staff from copying client data onto any medium that can be removed from the firm’s offices—but no means of effectively enforcing those prohibitions.
Law Firm “B” has decided that A’s approach is unworkable, because the absence of meaningful physical security of the servers or backup data means that it is vulnerable to intruders (and insiders). Also, “B” is concerned that by the simple means of transferring data to “flash” (sometimes called “thumb”) drives, or by transmitting data over the Internet to the personal devices carried by all its lawyers, the data is not adequately protected. Accordingly, “B” has decided to use a “cloud” solution—all its clients’ data will be encrypted and transmitted to a server farm owned by a third-party cloud computing solutions provider.
The server farm (as confirmed by the law firm) is located in a remote desert town in a Western state, is surrounded by 14-foot-high barbed wire fences and is patrolled by armed guards carrying machine guns and supported by vicious guard dogs. Firm “B” also has a BYOD (“bring your own device”) policy that requires all the lawyers to register their personal devices with the firm so that they can be remotely wiped if they are lost. But no one knows for sure if all the lawyers are in compliance with the policy.
The question is: Which firm’s clients’ data are either (a) more secure, or (b) sufficiently secure?
Risks and Duties
The city bar report properly acknowledges, in the Introduction, that: “whether confidential and privileged information remains on-site within the firm, resides on the servers of a third-party cloud provider, or rests in the drives of smartphones, tablet PCs or laptops, attorneys must know the rules and potential disclosure risks, and exercise reasonable care when choosing computing technologies and service providers.” The report then sets itself the task of exploring “the landscape of what is reasonable care.”
The city bar report thoroughly and carefully defines what is meant by “the cloud,” going into some depth as to the various models of service provision that are available to lawyers and law firms, and the different kinds of security protocols that these models provide. The report then moves to consider the challenges which these alternative approaches present to lawyers and, in that context, addresses in detail the two fundamental issues that lawyers need to consider before deciding to put data in the cloud:
A. How secure will the data hosted with the cloud provider be? Will privilege and confidentiality be maintained on the cloud provider’s servers as well as in transmission to and from those servers?
B. Can the firm access its data as needed?
The third section of the city bar report deals—in commendable detail and length—with “The Ethical Risks and Obligations of Using Cloud Services.” The report identifies the following sections of the New York Rules of Professional Conduct (RPCs) as being pertinent:
The duty to “provide competent representation to a client,” pursuant to RPC 1.1, which includes the duty to understand the cloud technology and services being used, the duty to obtain client consent—where appropriate—to the use of cloud services, and the duty to counsel the client on their own use of cloud services in connection with the representation;
The duty to communicate with the client about the representation, pursuant to RPC 1.4, which includes the obligations to “promptly” inform the client of “material developments” in the matter, “reasonably consult with the client about the means by which the client’s objectives are to be accomplished,” and “keep the client reasonably informed about the status of the matter”;
The duty to safeguard client confidential information, pursuant to RPC 1.6, which includes the duty to “exercise reasonable care to prevent…others whose services are utilized by the lawyer from disclosing or using confidential information of a client”;
The duty to maintain and preserve client records and deliver them promptly upon request, pursuant to RPC 1.15, including records that are maintained in the cloud;
The duty, upon termination of representation, promptly to deliver all papers and property to which the client is entitled, pursuant to RPC 1.16, again, including records maintained in the cloud; and
The duty to supervise the work and conduct of nonlawyers, pursuant to RPC 5.3, including the work of cloud service providers.
Principles and Guidelines
The city bar report then extensively discusses how these rules operate in the context of when it is appropriate to elect to use cloud computing, and the scope and meaning of the duties of oversight when this approach has been selected. The report discusses many of the ethics opinions from around the country that have addressed these topics, including New York State Bar Opinion 842, issued in 2010. Summarizing the conclusions of these opinions, the report notes that “[t]he opinions emphasize that lawyers are not guarantors of cloud computing services.… Thus, the applicable standard is reasonable care, not strict liability,” and the report suggests that:
“[a] synthesis of the existing ethics opinions indicates that lawyers should consider taking some or all of the following precautions subject to the reasonableness standard:
1. Stay on top of emerging technologies to ensure client information is safeguarded.
2. Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.
3. Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.
4. Review all contracts and terms of service to ensure they comply with all ethical requirements.
5. Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.
6. Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.
7. Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.
8. Protect against “end-user” vulnerabilities, such as the failure to use strong passwords or the use of unsecure Internet connections.
9. Notify clients in the event of a significant data security breach.”
(Footnotes referring to relevant ethics opinions omitted).
Based upon these principles, the city bar report then sets out and discusses at length eight helpful guidelines for how lawyers and law firms should proceed when making the decision to move to cloud computing and then managing the process.
However, the city bar report does not actually answer the fundamental issue raised at the beginning of this article, namely: what can lawyers and law firms do to establish with any certainty that their clients’ data is sufficiently secure? One approach that is arguably fundamental, if firms are to have any comfort in the decisions they make, is to obtain client consent. The report addresses this subject twice: first in the section discussing the risks of cloud computing, and then (in this writer’s opinion, much more usefully) in its Suggested Guideline 5:
Suggested Guideline 5—Get Client Consent
Obtain your clients’ consent before storing their information in the cloud or relying on cloud-based software for client-critical functions.
No matter how careful an attorney is, no system of storing confidential information (cloud-based or otherwise) is foolproof. That is why the standard for using cloud computing is “reasonable care,” not strict liability. Although express client consent to cloud computing is not necessarily required under the RPCs, lawyers may wish to consider inserting into their engagement letters a provision granting the client’s consent to use of the cloud.
In addition, lawyers should consider discussing with the client whether certain information entrusted to the attorney is particularly sensitive and, therefore, needs a higher level of protection than the rest of the client’s information. For example, even if a client would generally have no objection to the attorney storing encrypted client documents in the cloud, the client might object to storing its recent unpublished financial statements in the cloud during the quiet period leading up to an IPO. Under circumstances where the client’s consent is required to store information on the cloud, as discussed in Section III.B above, lawyers should not do so before obtaining client consent in writing.
If there is an answer to the fundamental question articulated at the beginning of this article—what constitutes “secure enough” when it comes to preserving the confidentiality of client information?—it surely lies here. Different clients, and different categories of clients, have differing levels of need with respect to the security of their data. Clients that are regulated by the government, such as banks and financial institutions, and clients in certain industries, such as health care that are governed by data protection legislation such as the Health Insurance Portability and Accountability Act, have differing needs from those of individual clients such as clients seeking advice on estate planning. Indeed, as law firms serving regulated industries are well aware, those clients are already insisting that their lawyers observe the same levels of data security as are required of the clients themselves—and are actively auditing and monitoring their lawyers to assure compliance.
In a world where there is no absolute security of data protection, only relative security, it is critical, apart from observing the ethical requirement of taking “reasonable care” to protect and preserve client confidential data, to inquire of each client what it will accept as meeting that standard with respect to its data, or at least to notify each client of the firm’s normal safeguards. Accordingly, the recommendation that I suggest lawyers and firms consider, in addition to the recommendations of the city bar report, is to include language in their engagement letters that identifies the firm’s policies, protocols and practices for data protection—whether inside or outside the cloud—and notifies clients that those will be the arrangements in place unless the client explicitly requests that the firm take additional security protections with respect to its confidential information. Such a provision is not a guarantee of success in the event of a later challenge to the firm’s systems should a data breach occur, but it is surely likely to provide an eventual trier of fact with a solid basis for establishing the reasonableness of the firm’s security decisions.
Anthony E. Davis is a partner at Hinshaw & Culbertson and is a past president of the Association of Professional Responsibility Lawyers.
[1] The City Bar Report may be found at: http://www2.nycbar.org/pdf/report/uploads/20072378-TheCloudandtheSmallLawFirm.pdf.