Complications With Using Cloud Computing Solutions
New technologies, like cloud based services, present lawyers with both opportunity and potential danger. Unlike some business people, attorneys owe unique duties to their clients, and are governed by a special set of professional rules of conduct. One important duty attorneys owe their clients is confidentiality.
Attorneys must keep client communications confidential and protect client privacy. Oftentimes, new technology offers convenience, but the way the technology provides this convenience might be at odds with the attorney’s duty of confidentiality. Cloud based computing is a prime example of this possibility.
The Definition of Cloud Computing
The definition of cloud computing is the practice of “using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.” (https://en.oxforddictionaries.com/definition/cloud_computing). This means the data stored “on the cloud” is actually stored on a computer owned by someone else.
Theoretically, the owner of the “cloud” computer has access to any data stored on the computer, and has the ability to grant access to others. This potential lack of privacy is unusual for attorneys, who, as a profession, are accustomed to a confidential workspace.
Ethical Considerations When Evaluating The Disadvantages of Cloud Based Services
In light of the danger presented by placing confidential client information on a computer belonging to someone else, lawyers must be cautious when using cloud based computing.
In Illinois, this means attorneys must “take reasonable measures to ensure that the client information remains confidential and is protected from breaches.” (ISBA Professional Conduct Advisory Opinion No. 16-06 October 2016).
When considering whether to use cloud based computing options, Illinois attorneys should review Illinois Rules of Professional Conduct 1.1, 1.6, 5.1 and 5.3, according to the ISBA Professional Conduct Advisory Opinion No. 16-06 October 2016. Illinois attorneys should also read Illinois Rule 1.1, Comment 8 (amended effective Jan. 1, 2016).
Attorneys’ Obligations When Using Cloud Computing And Cloud Storage
Illinois lawyers interested in using third party cloud based computing solutions must take reasonable steps to ensure that the vendor of the cloud based services protects the confidentiality of the client’s information. (ISBA Advisory Opinion)
Illinois lawyers must also monitor changes in the law, and constantly evaluate the benefits of the technology against the risks of disclosing confidential information. To accomplish this, Illinois lawyers must fully and accurately understand cloud technology. If attorneys do not sufficiently understand the technology, they cannot properly assess the risk of unauthorized access and/or disclosure of confidential information.
The risk, from an ethical standpoint, is that “a rogue employee of the third party agency, or a 'hacker' who gains access through the third party’s server or network, will access and perhaps disclose the information without authorization.” (Nevada Formal Opinion No. 33 (2006), pg. 2-3).
The aforementioned Nevada opinion compares this risk to the risk all law firms face that a rogue lawyer might disclose confidential information, or that a thief might break into a law office and steal client property.
An attorney has the same duty to reasonably protect against both of these threats.
ISBA Recommendations For Attorneys Using Cloud Services
The ISBA does not provide specific requirements for lawyers choosing to use cloud-based services. Instead, the ISBA opines that a lawyer must use due diligence when selecting a cloud-based service, and suggest that reasonable inquiry and practices might include:
- Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
- Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption;
- Investigating the provider’s reputation and history;
- Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;
- Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
- Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data;
- Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business. (ISBA Advisory Opinion)
An attorney’s obligation to understand what technology is being used, and guard against disclosure of confidential materials does not end with selecting a cloud service provider. Once a lawyer has determined what provider to use, the attorney has a duty to monitor that provider.
Pursuant to this ongoing obligation, Illinois lawyers must “conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected" by the cloud based service provider. (ISBA Advisory Opinion).
Attorneys are ethically permitted to use cloud computing based services, as long as they understand the technology, and take reasonable steps to ensure that the cloud-based service will protect client confidentiality.
All attorneys should learn about new technologies, like cloud computing, and understand those technologies. Understanding technology not only allows attorneys to use the technology to further law firm business, it allows attorneys to protect themselves and their clients against inadvertent disclosure of confidential information.
Follow Attorney Nessler to receive updates when new articles are posted, because its important that you learn about new technologies and fully understand how the technologies work.