Security & Ethics of Law Practice Cloud Services
“The transition from local desktop and local server-based operations to cloud computing and SaaS (software as a service) is possibly the greatest shift in information technology since the advent of the commercialized Internet in the early 90s.”
Law Practice Cloud Services Security & Ethics
While the advantages afforded by law practice cloud services are many, several issues arise relating to the relative security of the newer cloud-based systems versus traditional, on-premises setups. In a law firm context, the use of SaaS (software-as-a-service) cloud computing raises ethics issues around storing confidential client data.
The advantages of migrating traditional desktop and server-based software to ‘the cloud’ are numerous for law practices of all sizes. Law Practice Cloud Services typically reduce or eliminate altogether the large advance licensing and server payments, offer markedly reduced consulting and deployment fees, and eliminate the never-ending “upgrade hamster wheel” typically associated with conventional desktop and server-based applications. Cloud computing also offers “anytime/anywhere availability,” an increased level of access, and compatibility with both Windows and Mac operating systems.
Ethics of Law Practice Cloud Services
The discussion of the legal profession ethics of Law Practice Cloud Services took a large leap forward in March 2010 with the issuance of a proposed Formal Ethics Opinion (FEO) on cloud computing by the North Carolina State Bar. This was the first FEO in North America to explicitly deal with the use of SaaS/cloud computing in a legal practice. While the FEO ultimately embraces cloud computing for a legal firm, provided that “…reasonable care is taken effectively to minimize the risks to the confidentiality and to the security of client information and client files,” the onus of evaluating a cloud computing provider’s security measures is placed squarely on the law practice.
Relatedly, the use of law practice cloud services raises ethical issues connected with entrusting an independent 3rd party with confidential client property. Alice Neece Mine, Executive Assistant Director of the North Carolina State Bar, outlines the primary concerns in the proposed FEO (2010 FEO 7):
SaaS [cloud services] for law firms may involve the storage of a law firm’s data, including client files, billing information, and work product, on remote servers rather than on the law firm’s own computer and, therefore, outside the direct control of the firm’s lawyers. Given the duty to safeguard confidential client information, including protecting that information from unauthorized disclosure, the duty to protect client property from destruction, degradation or loss (whether from system failure, natural disaster, or dissolution of a vendor’s business), and the continuing need to retrieve client data in a form that is usable outside of the vendor’s product, may a law firm use SaaS?
To this question the proposed FEO answers:
“Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”
The Arizona Bar opined similarly in an earlier limited opinion:
“Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary.”
Pennsylvania Says ‘Yes’ to Law Practice Cloud Services Security Ethics Notwithstanding
Another new opinion comes from the Pennsylvania Bar. In Formal Opinion 2011-200, the Pennsylvania committee addresses the ethical obligations of lawyers using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client data.
The short answer it gives (within a lengthy and thoughtful opinion) is this:
Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.
Attorneys pondering cloud services for their firm must comprehend the technologies and practices that both the provider and they themselves must leverage to effectively minimize the risks outlined by the NC Bar FEO. The following provides an overview of the technologies and best practices that can be employed to effectively minimize risks related to using cloud computing.
Law Practice Cloud Services: Data Security
Data security includes 4 fundamental areas: encryption, server security, client security and password security.
• Encryption
One key component of the cloud security equation is data encryption. Secure Sockets Layer (SSL) is an industry-standard encryption technology that secures Web banking and e-commerce. SSL ensures that all communication between your computer and the cloud-based server is protected from unlawful interception. SSL is a powerful and trusted technology, as it allows for completely protected communications even over public, untrusted networks, such as a public Wi-Fi connection.
• Server Security
While SSL secures connections between your desktop and the cloud, you also need to know that the servers you are communicating with are fully protected against hackers and other threats. While it may be difficult for the typical Internet user to assess a cloud-based provider’s server security, there are services from companies such as Microsoft that perform regular security audits on SaaS providers to ensure server security.
• Client Security
Though cloud computing and hosting services and SaaS have the benefit of outsourcing server-level security and backup to a 3rd-party service company, one often-overlooked component of the security consideration is the vulnerability of your desktop or laptop from which you are accessing the SaaS applications and cloud service.
• Password Security
Password security is paramount. The best SSL encryption and client/server security will be for naught with a weak password.
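An added example (not part of the original article or any provider's code) of how a firm's IT reviewer could check the encryption item above: it connects with certificate and hostname validation, refuses anything older than TLS 1.2 (TLS is the protocol that succeeded SSL), and reports findings. The function names, the 128-bit floor and the 30-day expiry window are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def strict_context() -> ssl.SSLContext:
    """Client context: verify chain and hostname, refuse SSL and TLS < 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def review(version: str, cipher_bits: int, not_after: datetime,
           now: datetime) -> list:
    """Return findings for a negotiated session; an empty list means none."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {version}")
    if cipher_bits < 128:                        # assumed minimum key strength
        findings.append(f"weak cipher: {cipher_bits}-bit key")
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < 30:                         # assumed renewal window
        findings.append(f"certificate expires in {days_left} days")
    return findings

def probe(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Connect to a provider endpoint and review what was negotiated.

    Raises ssl.SSLCertVerificationError if the certificate is not trusted
    or does not match the hostname, and ssl.SSLError if the server only
    offers protocol versions older than TLS 1.2.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expiry = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
            _name, _proto, bits = tls.cipher()
            return review(tls.version(), bits, expiry,
                          datetime.now(timezone.utc))

if __name__ == "__main__":
    # Placeholder hostname; substitute the provider's login endpoint.
    print(probe("provider.example"))
```

A handshake failure from `probe` is itself a finding: it means the endpoint could not meet the validation or protocol floor set in `strict_context`.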
What About ‘Client Consent’ of Legal Practice Cloud Services Security?
The State Bar of Nevada’s Standing Committee on Ethics and Professional Responsibility issued a Formal Opinion in February 2006 in which it directly addressed the question of whether lawyers violate their professional responsibility when they store “confidential client information, without client consent, in an electronic format on a server that is not exclusively in the lawyer’s control.”
The Opinion describes the potential risks:
“The use of an outside data storage or server does not necessarily require the revelation of the data to anyone outside the attorney’s employ. The risk, from an ethical consideration, is that a rogue employee of the third party agency, or a “hacker” who gains access through the third party’s server or network, will access and perhaps disclose the information without authorization. In terms of the client’s confidence, this is no different in kind or quality than the risk that a rogue employee of the attorney, or for that matter a burglar, will gain unauthorized access to his confidential paper files.”
The Nevada Ethics Committee concluded that an attorney may use “an outside agency to store confidential client information in electronic forms” as long as the attorney exercises reasonable care in the selection of the vendor and there is a reasonable expectation that the information will be kept confidential.
The significance of a cloud-computing provider’s data availability strategy cannot be overemphasized. Provided that a suitable strategy is actively maintained, SaaS cloud hosting of the law firm’s software will give a significantly higher caliber of data availability than desktop applications. By asking a cloud hosting provider about their data availability plan, you are seeking an answer to a very relevant question: What plan do you have in place to guarantee that our data remains available, even in the event of a catastrophe?
These measures, taken together, make data availability one of the most compelling advantages of Law Practice Cloud Services over traditional desktop applications.
To gain an equal measure of data availability with desktop applications would be cost-prohibitive and technically difficult, whereas cloud-based SaaS providers can achieve economies of scale to make such a level of technology available to users for a low quarterly or monthly subscriber fee. For lawyers in areas prone to higher risks of natural calamities, like tornadoes or tidal waves, cloud-hosting software can provide a strong solution to the challenge of data availability, as the cloud-computing-based applications and data will remain available even if the law firm’s offices are damaged or destroyed.
If you represent a law practice that is rightly considering the numerous advantages of cloud computing, remember Cloud9 Real Time, voted best and most secure cloud computing and SaaS application host by 4000 accountants. Download our white paper, get a demo and take a test drive. We are looking forward to your inquiry!