Consultus Electronica Cloud Computing — A Silver Lining or Ethical Thunderstorm for Lawyers? by James M. McCauley, Ethics Counsel, Virginia State Bar
Because of the flagging economy, busi - cept of cloud computing is not new, its technology budget on competitive nesses and professionals are searching rapid expansion and diversification in advantage rather than infrastructure. for increased efficiency and reduced the IT and business world are recent. costs and risks in their endeavors. This is Cloud computing might also be • Identified cost: Your investment in especially true for the ever-increasing described as shifting information tech - hardware and software is minimized. risks and costs associated with informa - nology responsibility from the consumer Cost for the SaaS model can be based tion technology (IT) management. to service providers who deliver IT ser - on the number of users or the amount Today, the business world is overrun vices via the Internet —the “cloud.” The of data storage volume; it is easy to with entreaties by IT firms offering consumer relinquishes control over IT identify and budget for monthly or “cloud computing services” who adver - functions compared with legacy systems. annually. For the best pricing, the con - tise that “the future is here and it is in Responsibility shifts from the consumer tract terms are often multiyear commit - the clouds.” to a third party for infrastructure, appli - ments —sometimes three to five years. cation software, development platforms, What Is Cloud Computing? developer and programming staff, licens - • Save time: There is no installation, and ing and updates, security, and mainte - the SaaS provider takes care of updates, There is no one agreed definition of nance. Some might describe cloud including security, and is responsible “cloud computing.”1 Software as a computing as the virtualization of the for data storage and retrieval. Service (SaaS) is but one form of cloud computing process or as outsourcing IT. 2 computing referring to a category of Many firms today are considering • Intuitive: SaaS programs are more software delivered via the Internet to a switching from obtaining and loading intuitive and easier to use than tradi - web browser (such as Internet Explorer) software on their own computers to SaaS tional software. However, because they rather than installed directly onto the platforms to facilitate their practices, user’s computer. The resulting data is particularly in the areas of case manage - held by the third-party service provider ment and time and billing platforms. (or maybe by a data center provider by There are arguments for and against companies like Amazon, RackSpace or using SaaS. Examine those issues before other host), not on a computer or server you decide to switch over. Cloud com - within the law firm. Cloud computing is puting liberates the consumer from not new, but it has become a hot topic in many of the burdens of IT management the IT and business world. Software has issues, enabling the consumer to focus been employed over networks for on core activity. Cloud computing also decades, including through application reduces costs and expenses associated James M. McCauley is the ethics service providers that rose to promi - with purchasing and maintaining the counsel for the Virginia State Bar. He nence in the 1990s and then fizzled out hardware and software necessary to run and his staff write the draft advisory with other tech companies that went applications, security measures, backup, opinions for the Standing Committees bust in the early 2000s. Some lawyers and disaster recovery. on Legal Ethics and Unauthorized already use web-based applications in Practice of Law and provide informal advice to members of the bar, bench, their practice, including online legal Benefits of Cloud Computing and general public on lawyer regula - research (Westlaw, LexisNexis, tory matters, through the Legal Ethics CaseFinder or Fastcase), web-based e- • Save money: Cloud computing appli - Hotline (http://www.vsb.org/site/ mail (Gmail, Yahoo, or Hotmail), docu - cations greatly reduce the costs of elec - regulation/ethics/). McCauley teaches ment creation or collaboration tools tronic data management. These professional responsibility at the University of Richmond School of (Google Docs), and data backup services applications are less expensive than Law in Richmond and serves on the (Mozy, i365, IBackup, Steel Mountain, designing your own program or modi - American Bar Association’s Standing and Carbonite). These are all examples fying an existing program. Focus your Committee on Legal Ethics and of cloud computing. Although the con - Professionalism.
www.vsb.org Vol. 59 | February 2011 | VIRGINIA LAWYER 49 are newer, they sometimes have more party vendor and secures an agreement to evaluate and deploy appropriate limited features than older software that the vendor will safeguard the confi - computer hardware and software to programs. dentiality of the information shared. Va. accomplish that end. An attorney Rule 1.6(b)(6). In the past, lawyers have who lacks or cannot reasonably • Staying current: Gain immediate outsourced copying and document pro - obtain that competence is ethically access to the latest innovations and duction to third-party vendors. required to retain an expert consul - updates at the provider’s expense. Confidentiality of client information tant who does have such compe - was protected by contractual arrange - tence. Arizona State Bar Op. 05-04. • Mobility: SaaS products allow lawyers ments between the law firm and the The Massachusetts Bar Association to access their software and their data third-party vendor. In other advisory Committee on Professional Ethics from many locations, without addi - opinions, the VSB Standing Committee issued an ethics opinion that “A law tional cost (with an Internet connec - on Legal Ethics has emphasized that firm may provide a third-party soft - tion). Because most SaaS is accessed lawyers must act competently to protect ware vendor with access to confi - through a web browser, system require - the confidentiality of information relat - dential client information stored on ments are minimal. ing to the representation of their clients, the firm’s computer system for the including protecting both open and purpose of allowing the vendor to • Service: You may get better service from closed client files. 3 support and maintain a computer a vendor. If you are considering SaaS, In ABA Formal Opinion 95-398 software application utilized by the ask a vendor about a service level agree - (1995) the American Bar Association’s law firm. … However, the law firm ment. A good agreement should guar - Standing Committee on Legal Ethics and must ‘make reasonable efforts to antee both a certain level of uptime for Professionalism recognized that “in this ensure’ that the conduct of the soft - the product and a response time for era of rapidly developing technology, ware vendor (or any other indepen - technical and support service requests. lawyers frequently use outside agencies dent service provider that the firm for numerous functions such as account - utilizes) ‘is compatible with the pro - Ethical Concerns for Lawyers Using ing, data processing, photocopying, fessional obligations of the Cloud Computing computer servicing, storage and paper lawyer[s],’ including the obligation disposal and that lawyers retaining such to protect confidential client infor - Concerns about Security and outside service providers are required to mation reflected in Rule 1.6(a). The Reliability . There are always concerns make reasonable efforts to prevent unau - fact that the vendor will provide about a new technology’s security and thorized disclosures of client informa - technical support and updates for reliability. Comment 16 to American Bar tion.” The opinion states that outside its product remotely via the Internet Association Model Rule 1.6 states that service providers would be considered to does not alter the Committee’s “[a] lawyer must act competently to be nonlawyer assistants under Model opinion.” Massachusetts Bar Op. safeguard information relating to the Rule 5.3, which states that lawyers have 2005-04 (March 3, 2005). representation of a client against inad - an obligation to ensure that the conduct vertent or unauthorized disclosure by of the nonlawyer employees they Attorneys are not required to guar - the lawyer or other persons who are par - employ, retain, or become associated antee that a breach of confidentiality ticipating in the representation of the with is compatible with the professional cannot occur when using an outside ser - client or who are under the lawyer’s obligations of the lawyer. But how does a vice provider. Rule 1.6 only requires the supervision.” Comment 17 states that lawyer exercise the supervision required lawyer to act with reasonable care to “the lawyer must take reasonable precau - of Rule 5.3 over a company such as protect information relating to the rep - tions to prevent the information from Google or Yahoo that essentially offers resentation of a client. Nevada’s Ethics coming into the hands of unintended cloud computing contracts on a take-it- Committee addressed the question of recipients.” or-leave-it basis? whether an outside party could be used There is no basis in the Virginia In addressing attorney use of the to store files in digital format or if this Rules of Professional Conduct for an Internet for client file storage, the State would be considered a breach of confi - unqualified prohibition of lawyers man - Bar of Arizona’s Ethics Committee has dentiality. In reaching a decision, the aging their office software applications stated: Nevada committee analogized storing and client data using cloud computing. digital files on an off-site server to stor - Lawyers have always had an ethical duty [A]n attorney or law firm is oblig - ing paper documents in an off-site stor - to safeguard confidential client informa - ated to take reasonable and compe - age facility operated by a third party. In tion. Rule 1.6. However, lawyers may tent steps to assure that the client’s reviewing prior ABA opinions, the com - share information protected under Rule electronic information is not lost or mittee concluded that as long as the 1.6 with third parties as needed to per - destroyed. In order to do that, an lawyer exercises care in the selection of form necessary office management attorney must be competent to eval - the vendor, has a reasonable expectation functions, if the lawyer exercises reason - uate the nature of the potential that the vendor will keep the data confi - able care in the selection of the third- threat to client electronic files and dential and inaccessible by others, and
50 VIRGINIA LAWYER | February 2011 | Vol. 59 www.vsb.org instructs the vendor to preserve the con - Health Insurance Portability and data for its own reasons to another fidentiality of the information, the Accountability Act of 1996, Pub. L. No. server in another country. requirements of Rule 1.6 are met. 104-191, 110 Stat. 1936 (1996), 42 U.S.C. Nevada Formal Op. 33 (2006). 1320d et seq., 45 C.F.R. Parts 160 & 164; Questions You Need Answered A recent Alabama ethics opinion and the Gramm-Leach-Bliley Act, 15 takes a similar approach consistent with USC 6801et seq. Various states may have Cloud computing is a global undertak - the Nevada and Arizona opinions. data protection or security laws, such as ing. Considerations should include: Alabama lawyers may outsource the Massachusetts General Law Chapter storage of client files using cloud com - 93H, Regulations 201 CMR 17.00; the • Where will users be located? puting if they keep abreast of appropri - New Jersey Identity Theft Protection Act, ate security safeguards and take N.J.S.A. 56:11-44 to 50 and 56:8-161 to • Where will the data be processed? reasonable steps to make sure the off- 166; and the Virginia Health Records premises provider uses sound methods Privacy Act, Va. Code § 32.1-127.1:03. • Where will the data be stored? to protect the data. Alabama State Bar The Federal Trade Commission has Disciplinary Comm’n, Op. 2010-02. posted enforcement actions for security • Where is the disaster-recovery and Although Virginia has not issued an breaches by cloud computing providers. 5 backup site located? ethics advisory opinion on a lawyer’s use The European Union also has laws pro - of cloud computing, Virginia Rule tecting the privacy of information that • Where are the data subjects located? 1.6(b)(6) appears similar to Alabama’s. may affect users of cloud computing. 6 The rule allows lawyers to share confi - There has been much discussion in • Where will support services be based, dential information with an outside the legal community over whether and will support have access to sensi - agency if “necessary for statistical, book - lawyers should convert to SaaS. tive data? keeping, accounting, data processing, Opponents argue that lawyers should printing, or other similar office manage - not be the first to test the water. Rather, • Will subcontractors or outsourcing be ment purposes, provided the lawyer lawyers should consider letting problems utilized for any functions having access exercises due care in the selection of the be resolved by other businesses. Lawyers to sensitive data? agency, advises the agency that the infor - should protect of their data and their mation must be kept confidential and clients’ data. Putting it in the hands of a • Does the customer have the right to reasonably believes that the information third party is a loss of control that approve in advance any transfer of data will be kept confidential.” This rule does should not be risked. On the other hand, to another state or country? not require the lawyer to obtain the proponents of SaaS say that lawyers have client’s consent before disclosing infor - shared client information with third- • Who will have access to the data and mation to the outside agency. In LEO party vendors for decades and that data will there be different levels of access? 1818 (2005) the Virginia State Bar’s stored in the cloud is at least as safe and Standing Committee on Legal Ethics secure, if not more so, than data stored • Who will supervise the project and will concluded that a lawyer or law firm may locally. They argue that most SaaS ven - there be monitoring and auditing of store a client’s file or information in dors use sophisticated data centers to policies and procedures? electronic or digital format. In so doing, house their customer’s data. These data the committee acknowledged in a foot - centers feature elaborate, redundant To see how some of these questions note that it may be necessary for the security and backup systems to ensure are addressed by Google, you might lawyer to rely on outside technical sup - that data is protected from accidental check out Google’s cloud computing port to develop a paperless office. 4 loss and unauthorized access. The tech - contract. A Google Apps Premier Edition If you are using a SaaS provider, nology and the expertise employed by Online Agreement can be found at protect your confidential data and infor - SaaS vendors are greater than at most http://www.google.com/apps/intl/en/ mation. Secure portals and secure trans - law firms. Carefully consider the pros terms/education_terms.html. mission protect client confidentiality. Is and cons before you decide what’s right the transmission of the data encrypted for your firm and your clients. Best Practices for Cloud Computing to preserve confidentiality? Are you Because of the complexity of this Vendors using a safe password or even biometrics ever-changing technology, lawyers have for access? to be careful with cloud computing. The • Transparency : Cloud computing plat - primary concern for most is control over forms should explain their information Laws Protecting Privacy of Data the data. While the customer owns the handling practices and disclose the per - data, the data is stored on a third-party formance and reliability of their ser - Laws in the United States and overseas server, the location of which may not be vices on their public web sites. protect privacy of data or information. known to the customer. The cloud com - They include the Family Educational puting service provider may move the • Use limitation: A cloud provider Rights and Privacy Act of 1974; the should claim no ownership rights in www.vsb.org Vol. 59 | February 2011 | VIRGINIA LAWYER 51 customer data and should use cus - claims. Rule 3.4(a) provides that [a] Lawyers,” The Bencher , Nov.-Dec. 2010 tomer data only as its customers lawyer shall not: at 17. instruct or to fulfill contractual or legal 3 Virginia LEO 1305 (lawyers must obligations. (a) Obstruct another party’s access destroy and cannot simply dump closed to evidence or alter, destroy or con - client files). Also, this obligation of con - fidentiality survives the death of the • Disclosure : A cloud provider should ceal a document or other material client. See Virginia LEO 1207 (1989). In disclose customer data only if required having potential evidentiary value addition, lawyers may convert paper by law and should provide affected cus - for the purpose of obstructing a files into electronically stored data. LEO tomers prior notice of any compelled party’s access to evidence. A lawyer 1818 (2005). disclosure. shall not counsel or assist another 4 Va. Legal Ethics Op. 1818 (2005) at n.2. person to do any such act. 5 ChoicePoint – settlement of data secu - • Security management system: A rity breach charges in violation of Fair cloud provider should maintain a Rule 3.4(e) requires a lawyer “to make Credit Reporting Act and Federal Trade robust security management system reasonably diligent effort to comply with Commission Act. The settlement that is based on an internationally a legally proper discovery request by an included $10million in civil penalties — accepted security framework (such as opposing party.” the largest in FTC’s history — and fur - ther required $5 million for consumer ISO 27001) to protect customer data. In dealing with cloud providers, redress as well as implementation of lawyers must consider issues regarding new procedures. See http://www.ftc.gov/ • Customer security features: A cloud access to data, contractual provisions for opa/2006/01/choicepoint.shtm; and provider should provide customers disclosure of confidential information recently filed complaint with the FTC: with configurable security features to including customer data to third parties, IMO Google Inc. and Cloud Computing implement in their usage of the cloud including via subpoena or other com - Services , seeking injunctive relief and computing services. pelled disclosure, and litigation holds investigation into Google Inc. and its • Data location: A cloud provider should may require nondestruction of cloud provision of cloud computing services tell customers the countries in which provider records and backup media. alleging failure to adequately safeguard customer data is hosted. confidential information)(Complaint Conclusion available at http://epic.org/privacy/ cloudcomputing/google/ftc031709.pdf.) • Breach notification: A cloud provider 6 (a) European Union Directive on Data should notify customers of known With any emerging technology, lawyers Protection, effective October 1998 security breaches that affect the must confront ethical issues that arise (Directive 95/46/EC), prohibits transfer confidentiality or security of the when the lawyer considers using that of personal data to non-EU countries if customer data. new technology. Because data security is they do not meet EU “adequacy stan - the lawyer’s primary concern, lawyers dard” for protection of privacy. • Audit: A cloud provider should use need to approach the issue of cloud third-party auditors to ensure compli - computing carefully. “When going to the (b) Swiss Federal Act on Data ance with its security management cloud, you’ve got to do some due dili - Protection regulates the processing of system. gence,” to ensure not only that the data about physical and legal persons provider can do what you need it to do, (c) Various EU member s may imple - • Data portability: A cloud provider but that it will be around long enough to 7 ment their own data protection laws, should make available to customers do it when you need it. Finally, lawyers e.g., German data protection authorities their data in an industry-standard, should consider that there may be par - issued April 29, 2010, resolution requir - downloadable format. ticular types of information too valuable ing additional diligence when transfer - or critical to store in the cloud. As David ring data to parties who are self-certified • Accountability: A cloud provider Cearley put it, “I wouldn’t ever put the under the Safe Harbor program; data should work with customers to desig - formula for Coca-Cola in the cloud.”8 protection authority of the German fed - nate appropriate roles for privacy and eral state of Schleswig-Holstein issued a security accountability. Endnotes: June 18, 2010, legal opinion concluding 1 For a very technical and detailed defini - that clouds outside of the EU are unlaw - Data May Be Subject to E-Discovery tion see the National Institute of ful, even if the EU commission has issued an adequacy decision in favor of Rules Standards and Technology’s “NIST Definition of Cloud Computing,” that country. authors: Peter Mell and Tim Grance, A client’s data may be subject to discov - Version 15, 10-7-09, at 7 John Tomaszewski, general counsel of ery in pending or anticipated litigation; a http://csrc.nist.gov/groups/SNS/cloud- TRUSTe, an Internet privacy services lawyer may be ethically obligated to take computing/, last updated Aug. 27, 2010. provider in San Francisco, who was a measures reasonably necessary to pre - 2 Kevin F. Brady, “Cloud Computing: panelist speaking at a presentation titled serve client data and avoid spoliation Panacea or Ethical ‘Black Hole’ for Cloud continued on page 54
52 VIRGINIA LAWYER | February 2011 | Vol. 59 www.vsb.org Cloud continued from page 52
“The Real Realities of Cloud Computing: Will the Cloud Produce Smooth Sailing or Stormy Weather?” on Aug. 7, 2010, offered by the American Bar Association Section of Science and Technology Law. Participants in the program looked at security risks to law firms that choose to move data application and storage into the cloud of the Internet. 8 David W. Cearley, a vice-presi - dent at the technology research company Gartner Inc., in Stamford, CT, who was a copan - elist at the program cited in note 8, supra .
Attorneys May Submit Ethics Questions by E-mail
The Virginia State Bar now responds to lawyer’s ethics ques - tions submitted by e-mail, as well as telephone.
E-mail: Go to http://www.vsb.org/site/ regulation/ethics/ and click the blue box, “E-mail Your Ethics Questions.”
Phone: Call (804) 775-0564 and leave a voice mail. Your call will be returned.
The ethics staff tries to respond to questions on the same business day they are received.
54 VIRGINIA LAWYER | February 2011 | Vol. 59 www.vsb.org