Getting Your Head in the Cloud: Does it Meet Ethical Standards of Client Confidentiality?
by Cindy Wolf
The cloud has been around for many years under different names, and some of those names persist because the cloud encompasses many types of technology services. The types of cloud services that raise ethical questions are any that store client-related electronic data somewhere beyond your control. If you need an Internet connection to access it, you need to ask further questions.
Are you already in the cloud? No? Think again. Do you use Gmail1 or Google Docs2? These consumer services are in the cloud. Do you use any of them for business purposes? Do you know where your data is?
Under Colorado Rule of Professional Conduct 1.6, "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent."3 Comment 17 to that rule addresses what this means with regard to communications, requiring the lawyer to take reasonable precautions to prevent unintended recipients from seeing this information. In some circumstances, this may require the use of special security measures.
How does this relate to cloud services? For your data (documents, calendar, etc.) to get to the cloud, a communication must take place. The data is sent and saved to a website stored on a server somewhere.
Some things to inquire about are "reasonable precautions," "special circumstances," and "special security measures." Colorado has yet to opine, but the American Bar Association and a few other states4 have attempted to provide guidance on those terms as specifically related to the cloud.
Two key questions will drive the reasonable precautions you take before using the cloud:
What kind of data are you sending there, and why?
Your Data. If you are sending "information related to the representation of a client" to the cloud, it is subject to Rule 1.6. If it is "highly sensitive information," meaning protected health or financial information, attorney-client privileged information, or information subject to a confidentiality agreement or trade secret, special security measures may be required that depend on the applicable regulatory requirements5 or contract terms.
Why? Is the cloud service mission critical to your practice, does it provide backup, or is it merely convenient? If the service involves primary document accessibility, calendaring, or other key practice information, it is mission critical. It must be reliable, or it will affect your ability to represent your clients, or other ethical violations may occur. If it is less critical or solely backup, you may be able to meet ethical requirements with less reliability.
What does your cloud provider do with your data?
Not all clouds are the same. Some are gigantic (think Google) and some are tiny (think Joe’s basement6), and there are an infinite number of models in between. Providers may balk at these questions, either because they have several data farms around the world and do not know where your data will be at any given time or because they do not want to tell you where they live. Get the physical addresses.
Bigger is not always better. Did you know that every time your data is moved from data center to data center, a copy is made? Redundancy creates better accessibility, but also more copies of data.
Does your data contain client technology that is subject to export7 control? Each time the data moves to a new server in a different country, it is an export.
Smaller providers that use top-tier commercial data centers may have excellent reliability and security, but then they are not in control of the facilities. This adds another layer between you and your data.
One method cloud providers use to share resources is to store like-data together. For example, your calendar data may be stored on the same server with other customers’ calendar data because it uses the same application(s) to run. Even though your data cannot be accessed by another customer because of passwords, encryption, or partitions, that doesn’t mean it will be stored in a manner that allows for efficient removal or copying of your data alone.
Why is this important? If the provider experiences an outage and you want to have the backup tapes of your data to run them yourself, can the provider give you just your data and no one else’s? How will you return or destroy a client’s confidential information if you have to? Will your data also be disclosed if another customer asks for his or her data, or if the provider is compelled to provide another customer’s data under subpoena or court order? How do they handle third-party requests to disclose customer data?
Consider written policies. Get documents on client data security, facilities security, handling and reporting security breaches, data backup and recovery, data retention and destruction, data privacy, and service levels. If they don’t have them all, this is a red flag. If they have them, do they meet industry standards? Do they contain the special security measures required by HIPAA, the Gramm-Leach-Bliley Act, or your client’s confidentiality agreements, if required? Do they otherwise meet your needs? What insurance does the provider carry, and can you be added as an additional insured? Has the provider done a security audit? Are the provider and data center SAS-70 compliant?8 This is complicated stuff, and there is no shame in getting professional help from an IT consultant.9
Considerations at the end of a contract. When the contract ends, or even during a dispute or delivery failure, how and when will the provider deliver your data to you or a new vendor (see commingled data discussion above) and is there an extra charge? Will they give you all data or just some recent data? What format is it in and can you use it that way? When will they purge it from all of their systems? Can either of you cancel the contract without penalty?
Consider a provider’s financial stability. Perform a credit check and review other information about the provider’s stability and reputation. If the provider is a public company, its annual reports must contain a discussion of cybersecurity risks to its business.10 Understand that if the provider files for bankruptcy or closes, you may not be able to access your data for 90 days or more. Have a contingency plan. Be sure the contract states that you, not the provider, own your data so it doesn’t become an asset to be divided among creditors.
The provider should agree in writing to keep your information confidential. This is an obvious requirement, but one at which Google Docs fails.
Is it impossible?
This research may seem, or actually may be, impossible. But here are some resources:
Finally, you may ask whether you can’t just depend on the provider’s warranties instead of doing this investigation. If you can get good warranties and indemnities, perhaps, but that is unlikely. Many providers refuse to negotiate their terms. Warranties are typically disclaimed and do not specifically address a lawyer’s ethical responsibilities.12 Liability is typically limited to the amount paid under the contract for a limited time frame (90 days to one year).
Some cloud offerings may be a major improvement over a lawyer’s current computing solution, both from a functionality and security perspective. But even with implementing a more robust cloud-based solution, the security guidelines listed in "Preventing Law Firm Data Breaches" by Sharon D. Nelson and John W. Simek13 still apply. Confidentiality of client data is the lawyer’s liability.
1. Ethics committees have generally agreed that cloud-based email has a reasonable expectation of confidentiality. The courts have ruled on both sides of the question of whether the attorney-client privilege is waived by use of cloud-based email depending on many variables.
3. Some commentators, including insurance carrier CNA, recommend getting your client’s informed consent to put their information in the cloud in any event.
4. New York, New Jersey, North Carolina, Nevada, Pennsylvania, Arizona, Iowa, and Alabama. Each state has its own approach to the "reasonable precautions" requirement, some containing best practices that a lawyer should follow.
5. If the terms of service prohibit you from putting protected health, personally identifiable, or credit card information into the system, it does not meet HIPAA or card processing security standards.
6. I wish I was kidding.
7. The Commerce Department has opined that cloud providers are not considered exporters for export control purposes, which leaves the responsibility for export compliance to cloud users.
8. SAS-70 is an auditing standard created by the American Institute of Certified Public Accountants. An independent auditor will assign SAS-70 type I certification only after a thorough review of the operational controls of a data center provider against these standards.
9. In fact, both Arizona and North Carolina recommend this.
10. See SEC Division of Corporation Finance, Disclosure Guidance: Topic No. 2 Cybersecurity (Oct. 13, 2011).
11. See Clio’s white paper on whether its product satisfies attorneys’ ethical requirements and make your own decision at goclio.com/resources.
12. North Carolina recommends asking the provider’s employees to act as your fiduciary. Good luck with that.
13. See The Docket, Vol. 34 Issue 1 (January 2012).
Cindy Wolf is a Colorado lawyer with more than 25 years’ experience representing large and small domestic and multinational companies. Her expertise is in commercial contracting, with an emphasis on technology licensing and the Internet.