After a major upgrade of our computer system, internal business policy restrictions prevented the installation of a cloud- or web-based storage account for individual use. This naturally led to an investigation of the legal, business and ethical implications of such accounts.

There are many different service providers available, such as Dropbox, Windows Live Mesh, SpiderOak, SugarSync, iCloud, Box and Wuala. Each of these services provides an interface program that permits the transfer and management of data via the Internet to and from remote data centers that contain multiple servers and massive amounts of computer data storage (i.e., hard disk drives).

An application program is installed on each registered computer along with login access information. The application program creates a file folder on the computer that allows transferring of and access to the documents, even though the documents are stored at a remote location by the third-party service provider. The benefit is that files can be accessed from any registered computer—such as a desktop, home computer, laptop or tablet—making working with files while out of the office simple and effective.

Until these services came along, to access or work on files from different devices, either a remote secured connection had to be made between the remote device and the business server (through programs such as Citrix) or the files had to be manually transferred by email or removable storage, such as USB drives.

Many states, including Alabama, Arizona, Nevada, New York and North Dakota have issued ethical opinions stating that lawyers are permitted to use online cloud storage providers to store and back up client files provided that the attorney takes “reasonable” care or precautions to protect the security and confidentiality of the client documents and information. Reasonable care implicates three different levels of protection:

  1. How and to whom account access is provided
  2. The process of transferring data to and from the account
  3. The form in which data is stored when in the account

The security measures vary greatly from service to service. Most services protect access to the account itself through the use of usernames and passwords. Many of the services also protect communications to and from the account using SSL, AES, RSA or SHA encryption technologies. However, not all of the services encrypt the actual data before storing it in the account. Using a service that provides protection for all three levels should be justifiable from an ethical standpoint. Whether a client or a court—if information is subject to a protective order—would consider the protection sufficient is on an ad hoc basis depending on the confidentiality level of the information. The best solution is encryption before files are sent to the third-party storage provider, using locally stored and generated encryption information. The number of service providers with this option are more limited, as are the number of independent encryption programs that operate seamlessly on various operating systems (e.g., Windows, Mac, Android, etc.), but they do exist.

The other main consideration is record-keeping and version control. There is no “tracking” of a file that is dragged-and-dropped to virtual storage from a desktop or mobile device. Finding security breaches or simply reconstructing past events becomes difficult.

Additionally, multiple versions of the document may exist between different systems. However, this process is fundamentally no different from moving a file via a USB drive or private email accounts, with the same record keeping and tracking issues. The gold standard, which is remote direct access through a secured connection, is simply unworkable on most public transportation and at many remote locations. While certainly a valid concern, the difficulty of record keeping and version control should not be an impediment to use of a technology that makes working remotely easier.

Virtual storage for individual use offers a convenience that should not be overlooked, provided that the service provider meets security requirements consistent with the ethical rules and the individual clients’ business requirements.