Regular Internet users have likely heard the terms “cloud storage,” “cloud computing,” and/or “the cloud.” The “cloud” refers to electronic storage and programming resources available through the Internet instead of hosted on servers owned and wholly controlled by the owner of the stored information or the program’s user. The “cloud” consists of domains and servers accessible through a network of Internet service providers, and includes any service provided online and operated by a third party such as online data storage, Internet-based e-mail and Software-as-a-Service.
Cloud computing can benefit companies in a number of ways, particularly in reducing the cost of storing large volumes of data on-site. Cloud computing can also benefit lawyers in representing their clients. For example, online data storage can reduce the costs and inefficiencies associated with the storage and retrieval of large volumes of hard copy documents. Internet e-mail permits faster communication and the ability to transmit documents and files more quickly than express mail services. Finally, Software-as-a-Service can include useful law practice management programs that reduce costs and enhance the efficiency of client representation.
However, a company or law department’s use of cloud computing is not without certain concerns that inside counsel need to consider. Those concerns include unauthorized access to confidential information by hackers or the cloud vendor’s employees, as well as policies for notifying customers about any security breaches. In the event of any dispute between the company and the cloud vendor, what jurisdiction governs—the company’s place of business, the cloud vendor’s place of business, the cloud servers’ are physical location or somewhere else? If the company is working with proprietary third-party programs, who is responsible for making sure the relevant software licenses permit cloud computing usage?
Other concerns include data backup, data encryption and policies for data destruction, as well as the company’s ability to audit these functions during the course of the service contract. Finally, a lawyer or in-house legal department interested in cloud computing must consider the need for the client’s consent before using that service to store or transmit a client’s confidential information.
There also are concerns related to e-discovery, including whether the company owns or controls the data in the cloud and the extent to which the company has ready access to that data, particularly in the likely event that data is covered by pending discovery requests. Another concern is how the cloud vendor will respond to any third-party requests for information (e.g., a subpoena) and whether that vendor is obligated to notify the company of such requests prior to producing the requested information.
Another concern relates to the storage of confidential information on servers in countries with less legal protection for electronically stored information (ESI). Finally, in the event of litigation, inside counsel must consider how the information in the cloud would be handled (e.g., litigation holds), collected, searched and reviewed to comply with the company’s obligation to produce relevant ESI in a reasonable and defensible manner.
Among the important questions related to cloud computing and e-discovery obligations, inside counsel must also carefully consider the protection of privileged communications—both as part of the overall cloud computing process and as part of the review and production of ESI stored in the cloud. Attorneys have an ethical obligation to assert a client’s privilege and to protect the confidentiality of those privileged communications, and cloud computing raises a number of issues regarding that obligation:
- What impact will storing client confidential materials in the cloud or using client confidential information in cloud-based applications have on the attorney-client privilege?
- Will storing or using such materials in the cloud waive the attorney-client privilege?
- Is the security and confidentiality of the client information being stored or used in the cloud sufficiently strong to ensure that an attorney’s ethical obligation regarding privilege has been met?
- What special steps must be taken during the collection and review process to ensure privileged communications stored in the cloud are not inadvertently produced?
Cloud services are provided by a third party and use servers at locations other than the user’s place of business. Thus, cloud computing is considered a form of outsourcing. This raises unique issues for inside counsel on at least two levels.
First, counsel must ensure that the company and its internal legal department use best practices to handle issues related to cloud computing, including the ethical obligations regarding privileged communications. Next, they must ensure that retained outside counsel also uses best practices to manage the company’s information and that outside counsel’s own use of cloud computing, including in connection with e-discovery, does not put any privileged communications at risk.
A number of state bar associations have addressed the relationship between the use of cloud computing and the ethical obligations surrounding privilege. For example, in September 2010, the New York State Bar Association Committee on Professional Ethics issued Opinion 842, which provided:
A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client’s information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.
Opinion 842 does not expressly answer the question of what constitutes “reasonable care,” but does state that it may include consideration of the following:
- Ensuring that the cloud provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information
- Investigating the provider’s security measures, policies, recoverability methods and other procedures to determine if they are adequate
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data
- Investigating the provider’s ability to purge and wipe any copies of the data and to move the data to a different host if the lawyer becomes dissatisfied or otherwise wants to change providers.
The opinion also points out that a lawyer must periodically audit the vendor’s security protocol to verify that the protocol still remains effective as technology changes. In addition, if the lawyer obtains information suggesting that the vendor’s security measures are no longer sufficient, or if the lawyer learns of a breach of confidentiality, the lawyer must investigate whether there has been a breach of confidentiality of its client information, must notify the client and must discontinue use of the service unless the lawyer receives assurances that the problems have been sufficiently cured.
Bar committees in other states (e.g., Alabama, Arizona, California, Nevada, New Jersey, North Carolina and Pennsylvania) have also reviewed ethical issues associated with cloud computing and have generally found the practice to be permissible. These committees all seem to agree that a lawyer’s ethical obligations have not significantly changed in view of these new technologies. Lawyers still have a duty to protect client confidential materials from third parties, whether it is stored in physical form in an on-site filing cabinet or electronically in a remote data center.
The views of these committees can be distilled down to a few key points:
- Lawyers need to develop a competent understanding of the technology and its security
- Lawyers have a duty to exercise reasonable care to ensure the vendor acts in a manner that is consistent with the client’s instructions regarding confidentiality
- Lawyers must remain up to date regarding any changes to the online security, as well as any challenges to that online security
As long as certain precautions are taken, companies and their counsel can adopt cloud computing services without raising a significant risk that an opponent can successfully argue that doing so results in a privilege waiver. However, additional steps must also be taken during the e-discovery process to ensure that any privileged communications stored in the cloud are not inadvertently produced.
Interestingly, many of the precautions that various bar associations identify as being sufficient to fulfill an attorney’s ethical obligation regarding privilege will also assist in preventing inadvertent disclosure during discovery. A full awareness by counsel of the cloud vendor’s practices, the technology being used, how the data is stored, where it is stored, how it can be retrieved and how to transfer the data from the cloud to a review database will help lawyers identify locations where privileged communications would most likely be stored in the cloud server.
One potential option is to create a separate sub-sector in the cloud server where data, communications and documents generated by the legal department are stored and segregated from the company’s general information. This detailed knowledge would also assist in determining what search terms should be used to identify the likely authors or recipients of privileged communications.
While not absolutely foolproof, such sub-sectors and search capabilities provide a readily identifiable location and methodology for screening privileged communications during the e-discovery review.
Most if not all of these issues can also be addressed before selecting a cloud vendor. Knowledge of the types of problems that can arise is an important part of the due diligence process to ensure the vendor has suitable capabilities to handle these issues before entering into any service agreement.
Moreover, once a cloud vendor is selected, the service agreement can be drafted to address these issues in advance to eliminate any uncertainty regarding how to best protect privileged communications, as well as address any broader e-discovery issues. These steps, along with diligent document review and suitable claw-back provisions in a protective order, will help minimize the risk of any inadvertent disclosure of confidential privileged communications.
As the discussion above indicates, companies and their counsel can utilize cloud computing in a way that is consistent with a lawyer’s ethical obligations regarding privilege. However, inside counsel and their outside lawyers must use proper due diligence and reasonable care to safeguard that privilege so that confidential client communications are not placed at undue risk of unauthorized disclosure. This can include being aware of the available technology and its security features, as well as monitoring the security of the technology. This can also include obtaining client input before engaging with any service providers.
Indeed, the standards of various bar associations provide useful guidelines to protecting privilege as part of the initial cloud process, as well as part of an e-discovery process that requires review and production of data in cloud storage. Assuming suitable safeguards are in place and the cloud vendor’s technology is monitored as technology changes, companies and their counsel can use the benefits of cloud computing without an undue risk of ethical problems.