As long as there are hackers willing to do anything to infiltrate private information, there are risks associated with storing your clients' proprietary data on the cloud. Fortunately, however, there are steps attorneys can take to lessen the chances of cloud infiltration.
“From a legal standpoint, we are starting to see cloud storage companies that are beginning to appreciate the need for elevated security for law firms and attorneys,” says Eric Griffin, a solo practitioner and former general counsel in Dallas. He is also the Chair-elect of the State Bar of Texas’s Computer & Technology Committee.
Considerations When Considering Cloud Storage
Under Rule 1.6 of the Model Rules of Professional Conduct (replacing DR 4-101), lawyers have a broad obligation to act competently and to reasonably protect client information and confidences. That updated rule revamped the scope of confidential information.
Since reality is that practicing law sans technology has become virtually impossible, intertwining the two gives rise to ethical considerations for lawyers, says Paul Unger, a Columbus attorney and partner in Affinity Consulting Group. Unger’s organization advises lawyers how to practice law more efficiently, including matters of technology.
According to Unger, the standard of reasonable care attorneys must take when storing client files on the cloud includes:
- Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted
- Installing a firewall to limit access to the firm’s network
- Limiting information access to what is required, needed, or requested
- Avoiding inadvertent disclosure of information
- Verifying the identity of individuals to whom the attorney provides confidential information
- Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission
- Protecting electronic records containing confidential data, including backups, by encrypting the confidential data
- Implementing electronic audit trail procedures to monitor who is accessing the data
- Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data
In addition, lawyers should not presume that a service provider is responsible for managing the data, access and usage of their service, says Boris Gorin, head of security engineering at FireLayers.
The Ethics of Cloud Computing
Attorney-client privilege is a mantra reiterated throughout a lawyer’s career, starting from Day One in law school. If a client divulges otherwise confidential information, the privilege is lost. But, if an attorney stores a client’s personal data on a cloud that is breached, is the lawyer liable for that infiltration?
The answer, says Griffin, is “it depends."
"There is case law that says if you data in an outside location, you lose many Fourth Amendment rights to privacy,” he says. Griffin strongly urges attorneys to read the Terms of Service of any service provider they are considering for cloud storage.
For example, he says, “The TOS of Google Docs gives them the right to use your information. That’s not safe at all.” If a lawyer is contemplating storing client files in the cloud, it’s imperative they familiarize themselves with various state bar decisions about doing so safely, Griffin says.
However, those opinions also come with caveats, since technology changes so rapidly, Griffin says. An excellent compilation of ethics decisions around the country can be found at the ABA Law Practice Management Section’s Legal Technology Resource Center, says Unger.
How Safe is Cloud Storage?
It is safe to store client data in the cloud, “but it depends on whose cloud,” says Unger. In fact, most reputable vendors offer more data security than what most law offices and legal departments do within their ranks, he says.
Since Griffin sends his client’s files to the cloud, he takes several precautions to ensure their safety. Among those steps is the encryption of the data. Moreover, he maintains the keys to his cloud. “Don’t rely on the cloud service provider’s encryption keys,” suggests Griffin.
Moreover, since Griffin encrypts his client’s files before sending them to the cloud, the vendor cannot de-encrypt them. He holds the keys to his cloud.
Securing client data, whether stored on the cloud or in a file cabinet, is an ethical consideration lawyers cannot overlook. “As more sensitive data shifts into the cloud, whether potentially inappropriate selfies of something more business-like, such as customer data, maintaining security becomes even more critical,” says Gorin.
He calls recent iCloud breaches, including the unauthorized posting of naked photos of actress Jennifer Lawrence on the Internet a “good lesson as to what not to do – not the part about placing sensitive data in the cloud, but about ensuring appropriate security measures are being put in place.”
Tami Kamin Meyer is an Ohio attorney and writer.