As welcome as this advancement is, it is also the subject of much debate and scrutiny as lawyers learn to navigate new threats to the security of their clients’ information. Just as technology changes, so do the measures a lawyer must take to adapt to that change. Although many lawyers are looking for ways to store information in the cloud as a means of off-site backup and for easier access, they are also looking for guidance on how to use this resource without the risk of exposing their clients’ protected information. The American Bar Association Model Rules of Professional Conduct, along with state ethics rules, can provide guidance to attorneys looking to take advantage of this resource.
Modifications to Model Rule 1.6
At the ABA Annual Meeting in August 2012, delegates approved several amendments to Model Rule 1.6 (Confidentiality of Information) that shed some light on a lawyer’s responsibility to take reasonable steps to protect the electronic information related to the representation of a client. Under the new addition to the rule, Model Rule 1.6(c), a lawyer has the duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Comment 18 elaborates on this duty by adding that unauthorized disclosure of information will not violate paragraph (c) “if the lawyer has made reasonable efforts to prevent the access or disclosure.” Some of the factors for consideration in determining reasonableness include the sensitivity of the information, likelihood of its disclosure if safeguards are not used, and the cost and difficulty of employing safeguards.
Comment 19 adds “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” In State Bar of Arizona Ethics Opinion 09-04, the committee approved the use of online storage providers and offered a list of measures that would constitute reasonable care. The measures include using a secure sockets layer (SSL) server that encrypts your files while they are in transit, along with multiple layers of password protection. The opinion’s hypothetical office also implemented a system of unique and randomly generated folder names with passwords and converted each document to a password-protected PDF.
The comments to Model Rule 1.1 (Competence) were also amended to encourage lawyers to keep up with “the benefits and risks associated with relevant technology.” It is important to perform a periodic review of the technology available to attorneys to confirm if there are more secure means of protecting your clients’ data. State Bar of Washington Advisory Opinion 2215 noted that lawyers wanting to use a cloud storage provider must “conduct a due diligence investigation of the provider and its services and cannot rely on lack of technological sophistication to excuse the failure to do so.” The opinion goes on to guide lawyers in best practices, as discussed further below.
State Ethics Opinions
Thus far, there are more than a dozen states with opinions addressing the ethical considerations when using cloud storage providers:
- Alabama, Ethics Opinion 2010-02, “Retention, Storage, Ownership, Production and Destruction of Client Files”;
- Arizona, Ethics Opinion 09-04, “Confidentiality; Maintaining Client Files; Electronic Storage; Internet”;
- California, Formal Opinion No. 2010-179;
- Iowa, Ethics Opinion 11-01, “Use of Software as a Service—Cloud Computing”;
- Maine, Opinion #194, “Client Confidences: Confidential firm data held electronically and handled by technicians for third-party vendors”;
- Massachusetts, Ethics Opinion 12-03;
- Nevada, Formal Opinion No. 33;
- New Jersey, Opinion 701, “Electronic Storage and Access of Client Files”;
- New York, Opinion 842 (September 10, 2010), “Using an outside online storage provider to store client confidential information”;
- North Carolina, 2011 Formal Ethics Opinion 6, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”;
- Oregon, Formal Opinion 2011-188, “Information Relating to the Representation of a Client: Third-Party Electronic Storage of Client Materials”;
- Pennsylvania, Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software As a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”;
- Vermont, Advisory Ethics Opinion 2010-6; and
- Washington, Advisory Opinion 2215, “Cloud Computing.”
Links to most of the opinions above are available on the ABA Legal Technology Resource Center website (www.lawtechnology.org). The opinions universally adopt “reasonable care” as the standard for attorneys looking to store their data in the cloud. Unfortunately, you will be hard pressed to find concrete guidelines of what constitutes reasonable care. It is understandably difficult, given the rapidly changing nature of technology. Measures that are considered reasonably secure today may become unreasonably vulnerable tomorrow. Some of these opinions do offer helpful suggestions, however, for evaluating cloud storage providers. Here are a few of the recurring recommendations:
Image Isn’t Everything, But . . .
The State Bar of Alabama, in Ethics Opinion 2010-02, suggested that “[t]he duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data.” The opinion generally imposes on lawyers a responsibility to make sure data stored in the cloud is as secure as storing traditional paper files, or at least in a manner consistent with the lawyer’s professional obligations. The North Carolina Bar suggested in its 2011 Formal Opinion 6 that lawyers may need to put forth less or more effort in their evaluation depending on the “experience, stability, and reputation of the vendor.” Lawyers should make reasonable efforts to evaluate their prospective cloud storage provider’s reputation for security. For example, have breaches occurred in the past? To what extent was information compromised?
Location, Location, Location
One issue lawyers need to address when selecting a storage provider is where the stored data will be located. Depending on where the data is actually stored, it may fall under different regulations. The geographic location of the cloud provider itself and any of its data storage facilities should be taken into consideration. This much was suggested by the Pennsylvania Bar Association in Formal Opinion 2011-200, which put together an extensive, but not exhaustive, list of factors to evaluate when exercising reasonable care. In the opinion, the committee suggests that lawyers exercising reasonable care should ensure their providers “will host the firm’s data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and Pennsylvania.”
Keep a Hold on the Reins
The service agreement should explain who retains ownership of the data once it is stored on the cloud server. Attorneys need to be able to access their data if the cloud service provider becomes insolvent or if the relationship with the cloud service provider ends abruptly for other reasons. In 2011 Dropbox briefly updated its terms of service to include language that permitted Dropbox ownership rights over its users’ data when stored in the cloud. Ownership quickly reverted back to the users in response to public outcry, as Dropbox backpedaled to explain to users that it only needed access for administrative purposes.
Don’t Shun Security
The information of lawyers and their clients needs to be secured while it is stored in the cloud and while in transit. There are many ways lawyers can secure the data they put in the cloud. Some key areas to be concerned with are encryption, server security, and authentication/authorization.
Encrypting your files before transferring them to the cloud makes them unreadable to any unintended recipient. The file is scrambled using a key, and that same key is needed later to decipher it back into a usable form when it is retrieved from the storage provider. Keep in mind, if you encrypt data before storing it in the cloud, you should not store the encryption key itself in the cloud alongside the data. That would be the virtual equivalent of locking a file cabinet and storing the key on top of it. (For more, see “Encryption Made Simple for Lawyers,” GPSolo, November/December 2012, tinyurl.com/bqyzw8t.)
An evaluation of server security should include gathering information on how and where the physical servers are stored along with how your information will be stored on the server. In other words, will your data be stored across several physical servers or on a single unit? This could be a problem if multiple clients are on a single server; then a subpoena to access one client’s file would create unintentional access to others. You should also have a basic understanding of the server facility’s infrastructure. For instance, are there backup power grids in place for the facility if the primary grid is overloaded? You may also want to confirm that a sufficient cooling system is in place.
Lawyers need to select a provider that will permit multiple layers of security. One of those layers should include authentication and authorization. Authentication is the means by which a service provider identifies the user. An authentication system should be in place to make sure the user accessing your data is who he or she claims to be. This is generally accomplished by entering a unique user name and password. Authorization is the means by which the system determines what the authenticated user can access. For instance, some authenticated users may be permitted to retrieve information from the cloud storage but may not be able to change the information stored there.
Lawyers should consider setting up a strong or two-factor authentication option to ensure that only authorized personnel are able to access data. Standard authentication typically involves the input of a username and password. Two-factor authentication requires the input of an additional “code” to confirm your identity. For example, Dropbox users who have enabled two-factor authentication are required to enter a six-digit code in addition to their username and password whenever they sign in to Dropbox or connect a new computer, smartphone, or tablet device. Users looking to access their files on Dropbox sign in as they would under standard authentication, and then either receive a text message or can use a mobile app to generate the six-digit code to complete their authentication. When you enable two-step verification, Dropbox will provide you with a 16-digit backup code that you should store in a safe place. In the event you lose your phone or cannot generate a security code, this backup code will grant you access to your files.
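To show what the six-digit second step actually does behind the scenes, here is an added example (not code from the article, from Dropbox, or from any provider). It assumes the code-generating app follows the TOTP standard (RFC 6238: HMAC-SHA1 over a 30-second counter, truncated to six digits), which is how most authenticator apps work; the secret shown is the RFC’s published test secret, not a real one. The backup-code handling is my own design, generalised to a list of single-use codes stored only as hashes, rather than a copy of any provider’s 16-digit scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

const (
	totpStep    = 30      // seconds each code stays valid (RFC 6238 default)
	totpModulus = 1000000 // keeps the low six decimal digits
)

// hotp implements RFC 4226: HMAC-SHA1 over the counter, dynamic truncation,
// then six decimal digits with leading zeros preserved.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%totpModulus)
}

// TOTPAt is RFC 6238: the counter is the number of 30-second steps since the
// Unix epoch, so the phone app and the server derive the same code.
func TOTPAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// VerifyTOTP accepts the current step's code and the steps one either side,
// tolerating small clock drift. Every candidate is compared in constant time.
func VerifyTOTP(secret []byte, code string, unix int64) bool {
	matched := 0
	for delta := int64(-1); delta <= 1; delta++ {
		want := TOTPAt(secret, unix+delta*totpStep)
		matched |= subtle.ConstantTimeCompare([]byte(want), []byte(code))
	}
	return matched == 1
}

// BackupCodes keeps only SHA-256 hashes of single-use recovery codes, so a copy
// of the server's record does not reveal the codes themselves.
type BackupCodes struct {
	unused map[string]bool
}

func hashCode(c string) string {
	sum := sha256.Sum256([]byte(c))
	return hex.EncodeToString(sum[:])
}

func NewBackupCodes(codes []string) *BackupCodes {
	b := &BackupCodes{unused: make(map[string]bool)}
	for _, c := range codes {
		b.unused[hashCode(c)] = true
	}
	return b
}

// Redeem consumes a backup code; presenting the same code again is refused.
func (b *BackupCodes) Redeem(code string) bool {
	h := hashCode(code)
	if !b.unused[h] {
		return false
	}
	delete(b.unused, h)
	return true
}

// SecondFactorOK is the step after the password has already been checked: a
// live six-digit code or, if the phone is lost, one unused backup code.
func SecondFactorOK(secret []byte, backups *BackupCodes, input string, unix int64) bool {
	if VerifyTOTP(secret, input, unix) {
		return true
	}
	return backups.Redeem(input)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	now := time.Now().Unix()
	backups := NewBackupCodes([]string{"1234-5678-9012-3456"}) // constructed sample
	fmt.Println("code right now:      ", TOTPAt(secret, now))
	fmt.Println("live code accepted:  ", SecondFactorOK(secret, backups, TOTPAt(secret, now), now))
	fmt.Println("backup, first use:   ", SecondFactorOK(secret, backups, "1234-5678-9012-3456", now))
	fmt.Println("backup, second use:  ", SecondFactorOK(secret, backups, "1234-5678-9012-3456", now))
}
```

Two details matter for a firm evaluating a provider’s two-step option: the shared secret is what an attacker would need to forge codes, so it should never be stored where the password database alone would expose it, and the backup code must be consumed on first use, otherwise it becomes a permanent second password rather than an emergency key.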
When Breaches Occur
As suggested by the Oregon State Bar Association Formal Opinion 2011-188, reasonable care of an attorney may require that the “vendor notify Lawyer of any nonauthorized third-party access to the materials.” Thus, the service provider should be responsible for notifying users of a possible security breach, and the users are then responsible for notifying clients if the security breach affected their data. This was a problem that haunted Dropbox on at least two separate occasions. In 2011 a bug in the authentication process left all Dropbox user accounts accessible with any password for approximately four hours. In 2012 a breach on another website led to a Dropbox employee’s account getting hacked. Once inside the employee’s account, the hacker accessed an e-mail that contained users’ e-mail addresses and began spamming those addresses. In response to this breach, Dropbox has implemented a two-factor authentication option that will allow Dropbox users to log in with both a password and a second code texted to a user’s phone.
It’s Better in the Cloud
In the end, the benefits of cloud computing far outweigh the pain of due diligence. Most questions about your data’s security and confidentiality can be answered with a careful review of the terms of service and user agreement. Whatever cloud solution you choose does not have to be impervious to security breach, but simply well thought out given the technology and security measures available at the time.