Cloud Computing - A Silver Lining or Ethical Thunderstorm for Lawyers?
Consultus Electronica
by James M. McCauley, Ethics Counsel, Virginia State Bar
James M. McCauley is the ethics counsel for the Virginia State Bar. He and his staff write the draft advisory opinions for the Standing Committees on Legal Ethics and Unauthorized Practice of Law and provide informal advice to members of the bar, bench, and general public on lawyer regulatory matters, through the Legal Ethics Hotline (http://www.vsb.org/site/regulation/ethics/). McCauley teaches professional responsibility at the University of Richmond School of Law in Richmond and serves on the American Bar Association’s Standing Committee on Legal Ethics and Professionalism.

Because of the flagging economy, businesses and professionals are searching for increased efficiency and reduced costs and risks in their endeavors. This is especially true for the ever-increasing risks and costs associated with information technology (IT) management. Today, the business world is overrun with entreaties by IT firms offering “cloud computing services” who advertise that “the future is here and it is in the clouds.”

What Is Cloud Computing?

There is no one agreed definition of “cloud computing.” 1 Software as a Service (SaaS) is but one form of cloud computing referring to a category of software delivered via the Internet to a web browser (such as Internet Explorer) rather than installed directly onto the user’s computer. The resulting data is held by the third-party service provider (or maybe by a data center provider by companies like Amazon, RackSpace or other host), not on a computer or server within the law firm. Cloud computing is not new, but it has become a hot topic in the IT and business world. Software has been employed over networks for decades, including through application service providers that rose to prominence in the 1990s and then fizzled out with other tech companies that went bust in the early 2000s. Some lawyers already use web-based applications in their practice, including online legal research (Westlaw, LexisNexis, CaseFinder or Fastcase), web-based e-mail (Gmail, Yahoo, or Hotmail), document creation or collaboration tools (Google Docs), and data backup services (Mozy, i365, IBackup, Steel Mountain, and Carbonite). These are all examples of cloud computing. Although the concept of cloud computing is not new, its rapid expansion and diversification in the IT and business world are recent.

Cloud computing might also be described as shifting information technology responsibility from the consumer to service providers who deliver IT services via the Internet — the “cloud.” The consumer relinquishes control over IT functions compared with legacy systems. Responsibility shifts from the consumer to a third party for infrastructure, application software, development platforms, developer and programming staff, licensing and updates, security, and maintenance. Some might describe cloud computing as the virtualization of the computing process or as outsourcing IT.2

Many firms today are considering switching from obtaining and loading software on their own computers to SaaS platforms to facilitate their practices, particularly in the areas of case management and time and billing platforms. There are arguments for and against using SaaS. Examine those issues before you decide to switch over. Cloud computing liberates the consumer from many of the burdens of IT management issues, enabling the consumer to focus on core activity. Cloud computing also reduces costs and expenses associated with purchasing and maintaining the hardware and software necessary to run applications, security measures, backup, and disaster recovery.

Benefits of Cloud Computing

• Save money: Cloud computing applications greatly reduce the costs of electronic data management. These applications are less expensive than designing your own program or modifying an existing program. Focus your technology budget on competitive advantage rather than infrastructure.

• Identified cost: Your investment in hardware and software is minimized. Cost for the SaaS model can be based on the number of users or the amount of data storage volume; it is easy to identify and budget for monthly or annually. For the best pricing, the contract terms are often multiyear commitments — sometimes three to five years.

• Save time: There is no installation, and the SaaS provider takes care of updates, including security, and is responsible for data storage and retrieval.

• Intuitive: SaaS programs are more intuitive and easier to use than traditional software. However, because they
are newer, they sometimes have more limited features than older software programs.

• Staying current: Gain immediate access to the latest innovations and updates at the provider’s expense.

• Mobility: SaaS products allow lawyers to access their software and their data from many locations, without additional cost (with an Internet connection). Because most SaaS is accessed through a web browser, system requirements are minimal.

• Service: You may get better service from a vendor. If you are considering SaaS, ask a vendor about a service level agreement. A good agreement should guarantee both a certain level of uptime for the product and a response time for technical and support service requests.

Ethical Concerns for Lawyers Using Cloud Computing

Concerns about Security and Reliability. There are always concerns about a new technology’s security and reliability. Comment 16 to American Bar Association Model Rule 1.6 states that “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are under the lawyer’s supervision.” Comment 17 states that “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

There is no basis in the Virginia Rules of Professional Conduct for an unqualified prohibition of lawyers managing their office software applications and client data using cloud computing. Lawyers have always had an ethical duty to safeguard confidential client information. Rule 1.6. However, lawyers may share information protected under Rule 1.6 with third parties as needed to perform necessary office management functions, if the lawyer exercises reasonable care in the selection of the third-party vendor and secures an agreement that the vendor will safeguard the confidentiality of the information shared. Va. Rule 1.6(b)(6). In the past, lawyers have outsourced copying and document production to third-party vendors. Confidentiality of client information was protected by contractual arrangements between the law firm and the third-party vendor. In other advisory opinions, the VSB Standing Committee on Legal Ethics has emphasized that lawyers must act competently to protect the confidentiality of information relating to the representation of their clients, including protecting both open and closed client files.3

In ABA Formal Opinion 95-398 (1995) the American Bar Association’s Standing Committee on Legal Ethics and Professionalism recognized that “in this era of rapidly developing technology, lawyers frequently use outside agencies for numerous functions such as accounting, data processing, photocopying, computer servicing, storage and paper disposal and that lawyers retaining such outside service providers are required to make reasonable efforts to prevent unauthorized disclosures of client information.” The opinion states that outside service providers would be considered to be nonlawyer assistants under Model Rule 5.3, which states that lawyers have an obligation to ensure that the conduct of the nonlawyer employees they employ, retain, or become associated with is compatible with the professional obligations of the lawyer. But how does a lawyer exercise the supervision required of Rule 5.3 over a company such as Google or Yahoo that essentially offers cloud computing contracts on a take-it-or-leave-it basis?

In addressing attorney use of the Internet for client file storage, the State Bar of Arizona’s Ethics Committee has stated:

[A]n attorney or law firm is obligated to take reasonable and competent steps to assure that the client’s electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence. Arizona State Bar Op. 05-04.

The Massachusetts Bar Association Committee on Professional Ethics issued an ethics opinion that “A law firm may provide a third-party software vendor with access to confidential client information stored on the firm’s computer system for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm. … However, the law firm must ‘make reasonable efforts to ensure’ that the conduct of the software vendor (or any other independent service provider that the firm utilizes) ‘is compatible with the professional obligations of the lawyer[s],’ including the obligation to protect confidential client information reflected in Rule 1.6(a). The fact that the vendor will provide technical support and updates for its product remotely via the Internet does not alter the Committee’s opinion.” Massachusetts Bar Op. 2005-04 (March 3, 2005).

Attorneys are not required to guarantee that a breach of confidentiality cannot occur when using an outside service provider. Rule 1.6 only requires the lawyer to act with reasonable care to protect information relating to the representation of a client. Nevada’s Ethics Committee addressed the question of whether an outside party could be used to store files in digital format or if this would be considered a breach of confidentiality. In reaching a decision, the Nevada committee analogized storing digital files on an off-site server to storing paper documents in an off-site storage facility operated by a third party. In reviewing prior ABA opinions, the committee concluded that as long as the lawyer exercises care in the selection of the vendor, has a reasonable expectation that the vendor will keep the data confidential and inaccessible by others, and
instructs the vendor to preserve the confidentiality of the information, the requirements of Rule 1.6 are met. Nevada Formal Op. 33 (2006).

A recent Alabama ethics opinion takes a similar approach consistent with the Nevada and Arizona opinions. Alabama lawyers may outsource the storage of client files using cloud computing if they keep abreast of appropriate security safeguards and take reasonable steps to make sure the off-premises provider uses sound methods to protect the data. Alabama State Bar Disciplinary Comm’n, Op. 2010-02.

Although Virginia has not issued an ethics advisory opinion on a lawyer’s use of cloud computing, Virginia Rule 1.6(b)(6) appears similar to Alabama’s. The rule allows lawyers to share confidential information with an outside agency if “necessary for statistical, bookkeeping, accounting, data processing, printing, or other similar office management purposes, provided the lawyer exercises due care in the selection of the agency, advises the agency that the information must be kept confidential and reasonably believes that the information will be kept confidential.” This rule does not require the lawyer to obtain the client’s consent before disclosing information to the outside agency. In LEO 1818 (2005) the Virginia State Bar’s Standing Committee on Legal Ethics concluded that a lawyer or law firm may store a client’s file or information in electronic or digital format. In so doing, the committee acknowledged in a footnote that it may be necessary for the lawyer to rely on outside technical support to develop a paperless office.4

If you are using a SaaS provider, protect your confidential data and information. Secure portals and secure transmission protect client confidentiality. Is the transmission of the data encrypted to preserve confidentiality? Are you using a safe password or even biometrics for access?

Laws Protecting Privacy of Data

Laws in the United States and overseas protect privacy of data or information. They include the Family Educational Rights and Privacy Act of 1974; the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996), 42 U.S.C. 1320d et seq., 45 C.F.R. Parts 160 & 164; and the Gramm-Leach-Bliley Act, 15 USC 6801 et seq. Various states may have data protection or security laws, such as Massachusetts General Law Chapter 93H, Regulations 201 CMR 17.00; the New Jersey Identity Theft Protection Act, N.J.S.A. 56:11-44 to 50 and 56:8-161 to 166; and the Virginia Health Records Privacy Act, Va. Code § 32.1-127.1:03. The Federal Trade Commission has posted enforcement actions for security breaches by cloud computing providers.5 The European Union also has laws protecting the privacy of information that may affect users of cloud computing.6

There has been much discussion in the legal community over whether lawyers should convert to SaaS. Opponents argue that lawyers should not be the first to test the water. Rather, lawyers should consider letting problems be resolved by other businesses. Lawyers should protect their data and their clients’ data. Putting it in the hands of a third party is a loss of control that should not be risked. On the other hand, proponents of SaaS say that lawyers have shared client information with third-party vendors for decades and that data stored in the cloud is at least as safe and secure, if not more so, than data stored locally. They argue that most SaaS vendors use sophisticated data centers to house their customer’s data. These data centers feature elaborate, redundant security and backup systems to ensure that data is protected from accidental loss and unauthorized access. The technology and the expertise employed by SaaS vendors are greater than at most law firms. Carefully consider the pros and cons before you decide what’s right for your firm and your clients.

Because of the complexity of this ever-changing technology, lawyers have to be careful with cloud computing. The primary concern for most is control over the data. While the customer owns the data, the data is stored on a third-party server, the location of which may not be known to the customer. The cloud computing service provider may move the data for its own reasons to another server in another country.

Questions You Need Answered

Cloud computing is a global undertaking. Considerations should include:

• Where will users be located?

• Where will the data be processed?

• Where will the data be stored?

• Where is the disaster-recovery and backup site located?

• Where are the data subjects located?

• Where will support services be based, and will support have access to sensitive data?

• Will subcontractors or outsourcing be utilized for any functions having access to sensitive data?

• Does the customer have the right to approve in advance any transfer of data to another state or country?

• Who will have access to the data and will there be different levels of access?

• Who will supervise the project and will there be monitoring and auditing of policies and procedures?

To see how some of these questions are addressed by Google, you might check out Google’s cloud computing contract. A Google Apps Premier Edition Online Agreement can be found at http://www.google.com/apps/intl/en/terms/education_terms.html.

Best Practices for Cloud Computing Vendors

• Transparency: Cloud computing platforms should explain their information handling practices and disclose the performance and reliability of their services on their public web sites.

• Use limitation: A cloud provider should claim no ownership rights in
customer data and should use customer data only as its customers instruct or to fulfill contractual or legal obligations.

• Disclosure: A cloud provider should disclose customer data only if required by law and should provide affected customers prior notice of any compelled disclosure.

• Security management system: A cloud provider should maintain a robust security management system that is based on an internationally accepted security framework (such as ISO 27001) to protect customer data.

• Customer security features: A cloud provider should provide customers with configurable security features to implement in their usage of the cloud computing services.

• Data location: A cloud provider should tell customers the countries in which customer data is hosted.

• Breach notification: A cloud provider should notify customers of known security breaches that affect the confidentiality or security of the customer data.

• Audit: A cloud provider should use third-party auditors to ensure compliance with its security management system.

• Data portability: A cloud provider should make available to customers their data in an industry-standard, downloadable format.

• Accountability: A cloud provider should work with customers to designate appropriate roles for privacy and security accountability.

Data May Be Subject to E-Discovery Rules

A client’s data may be subject to discovery in pending or anticipated litigation; a lawyer may be ethically obligated to take measures reasonably necessary to preserve client data and avoid spoliation claims. Rule 3.4(a) provides that [a] lawyer shall not:

(a) Obstruct another party’s access to evidence or alter, destroy or conceal a document or other material having potential evidentiary value for the purpose of obstructing a party’s access to evidence. A lawyer shall not counsel or assist another person to do any such act.

Rule 3.4(e) requires a lawyer “to make reasonably diligent effort to comply with a legally proper discovery request by an opposing party.”

In dealing with cloud providers, lawyers must consider issues regarding access to data, contractual provisions for disclosure of confidential information including customer data to third parties, including via subpoena or other compelled disclosure, and litigation holds may require nondestruction of cloud provider records and backup media.

Conclusion

With any emerging technology, lawyers must confront ethical issues that arise when the lawyer considers using that new technology. Because data security is the lawyer’s primary concern, lawyers need to approach the issue of cloud computing carefully. “When going to the cloud, you’ve got to do some due diligence,” to ensure not only that the provider can do what you need it to do, but that it will be around long enough to do it when you need it.7 Finally, lawyers should consider that there may be particular types of information too valuable or critical to store in the cloud. As David Cearley put it, “I wouldn’t ever put the formula for Coca-Cola in the cloud.” 8

Endnotes:

1 For a very technical and detailed definition see the National Institute of Standards and Technology’s “NIST Definition of Cloud Computing,” authors: Peter Mell and Tim Grance, Version 15, 10-7-09, at http://csrc.nist.gov/groups/SNS/cloud-computing/, last updated Aug. 27, 2010.

2 Kevin F. Brady, “Cloud Computing: Panacea or Ethical ‘Black Hole’ for Lawyers,” The Bencher, Nov.-Dec. 2010 at 17.

3 Virginia LEO 1305 (lawyers must destroy and cannot simply dump closed client files). Also, this obligation of confidentiality survives the death of the client. See Virginia LEO 1207 (1989). In addition, lawyers may convert paper files into electronically stored data. LEO 1818 (2005).

4 Va. Legal Ethics Op. 1818 (2005) at n.2.

5 ChoicePoint – settlement of data security breach charges in violation of Fair Credit Reporting Act and Federal Trade Commission Act. The settlement included $10 million in civil penalties — the largest in FTC’s history — and further required $5 million for consumer redress as well as implementation of new procedures. See http://www.ftc.gov/opa/2006/01/choicepoint.shtm; and recently filed complaint with the FTC: IMO Google Inc. and Cloud Computing Services, seeking injunctive relief and investigation into Google Inc. and its provision of cloud computing services alleging failure to adequately safeguard confidential information) (Complaint available at http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf.)

6 (a) European Union Directive on Data Protection, effective October 1998 (Directive 95/46/EC), prohibits transfer of personal data to non-EU countries if they do not meet EU “adequacy standard” for protection of privacy.

(b) Swiss Federal Act on Data Protection regulates the processing of data about physical and legal persons.

(c) Various EU members may implement their own data protection laws, e.g., German data protection authorities issued April 29, 2010, resolution requiring additional diligence when transferring data to parties who are self-certified under the Safe Harbor program; data protection authority of the German federal state of Schleswig-Holstein issued a June 18, 2010, legal opinion concluding that clouds outside of the EU are unlawful, even if the EU commission has issued an adequacy decision in favor of that country.

7 John Tomaszewski, general counsel of TRUSTe, an Internet privacy services provider in San Francisco, who was a panelist speaking at a presentation titled
“The Real Realities of Cloud Computing: Will the Cloud Produce Smooth Sailing or Stormy Weather?” on Aug. 7, 2010, offered by the American Bar Association Section of Science and Technology Law. Participants in the program looked at security risks to law firms that choose to move data application and storage into the cloud of the Internet.

8 David W. Cearley, a vice-president at the technology research company Gartner Inc., in Stamford, CT, who was a copanelist at the program cited in note 8, supra.

Attorneys May Submit Ethics Questions by E-mail

The Virginia State Bar now responds to lawyers’ ethics questions submitted by e-mail, as well as telephone.

E-mail: Go to http://www.vsb.org/site/regulation/ethics/ and click the blue box, “E-mail Your Ethics Questions.”

Phone: Call (804) 775-0564 and leave a voice mail. Your call will be returned.

The ethics staff tries to respond to questions on the same business day they are received.
54 VIRGINIA LAWYER | February 2011 | Vol. 59 www.vsb.org