Ethics Opinion on Cloud Computing

9 May 2012

The issue of cloud computing, the storing and sharing of data on or with remote servers, has been a hot topic in attorney ethics circles recently. The most obvious issues arise out of Rule 1.6, regarding the confidentiality of information. The Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility has issued its Formal Opinion 2011-200 on the ethical obligations of attorneys using cloud computing. The Committee's opinion is:

Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

Importantly, the opinion sets forth a set of guidelines for complying with the attorney's ethical obligations, that is, the "reasonable safeguards" required:

Thus, the standard of reasonable care for "cloud computing" may include:

• Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted;

• Installing a firewall to limit access to the firm's network;

• Limiting information that is provided to others to what is required, needed, or requested;

• Avoiding inadvertent disclosure of information;

• Verifying the identity of individuals to whom the attorney provides confidential information;

• Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission;

• Protecting electronic records containing confidential data, including backups, by encrypting the confidential data;

• Implementing electronic audit trail procedures to monitor who is accessing the hidden data;

• Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data;

• Ensuring the provider:

o explicitly agrees that it has no ownership or security interest in the data;

o has an enforceable obligation to preserve security;

o will notify the lawyer if requested to produce data to a third party, and provide the lawyer with the ability to respond to the request before the provider produces the requested information;

o has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;

o includes in its “Terms of Service” or “Service Level Agreement” an agreement about how confidential client information will be handled;

o provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed;

o will host the firm’s data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and Pennsylvania;

o provides a method of retrieving data if the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity; and,

o provides the ability for the law firm to get data “off” of the vendor’s or third party data hosting company’s servers for the firm’s own use or in-house backup offline.

• Investigating the provider’s:

o security measures, policies and recovery methods;

o system for backing up data;

o security of data centers and whether the storage is in multiple centers;

o safeguards against disasters, including different server locations;

o history, including how long the provider has been in business;

o funding and stability;

o policies for data retrieval upon termination of the relationship and any related charges; and,

o process to comply with data that is subject to a litigation hold.

• Determining whether:

o data is in non-proprietary format;

o the Service Level Agreement clearly states that the attorney owns the data;

o there is a 3rd party audit of security; and,

o there is an uptime guarantee and whether failure results in service credits.

• Employees of the firm who use the SaaS must receive training on and are required to abide by all end-user security measures, including, but not limited to, the creation of strong passwords and the regular replacement of passwords.

• Protecting the ability to represent the client reliably by ensuring that a copy of digital data is stored onsite.

• Having an alternate way to connect to the internet, since cloud service is accessed through the internet.

An attorney or law firm that has followed all of these guidelines should be well positioned to defend against any potential claim of professional liability or breach of ethical duties.

– Josh J.T. Byrne, Esquire