June 06, 2011

Cloud Caution: Look Before You Leap

Joshua Poje

Cloud computing is among the hottest legal technology topics on e-mail discussion lists and in continuing legal education. The appeal of the technology isn't difficult to understand. With applications hosted off-site and the ability to harness large amounts of processing power, cloud computing offers several benefits over using an on-site alternative: manageable monthly fees rather than major initial expenditures; enhanced mobility; simpler, more intuitive interfaces; and easier setup. The virtualization of hardware and computing power enables cloud computing, yet it also is a source of concern: cloud-based services store users’ (and their clients’) valuable and often sensitive data on vendors' servers, outside of users’ direct control.

As set out in Model Rule of Professional Conduct 1.6, one of an attorney’s foremost ethical obligations is safeguarding her client’s confidentiality. So it’s understandable that many attorneys are hesitant to entrust their clients’ data to cloud computing vendors. Unfortunately, there is little official guidance on adopting cloud technologies. Earlier this year, the North Carolina Bar Association proposed an opinion on cloud-based software, also known as software as a service, but later withdrew it for further consideration. The ABA Commission on Ethics 20/20 is also investigating the topic and is soliciting comment, but formal action may be several months away.

Until attorneys have official guidance from the ABA or their state’s disciplinary body, it’s important to approach cloud computing with reasonable caution. Attorneys should exercise due diligence in evaluating both the specific services they are considering implementing and the vendors that offer the services.

Before committing to a cloud-based service, there are several important issues lawyers should evaluate:

  • First and foremost, attorneys should ensure that the product meets their business requirements. While cloud computing can be alluring for many reasons, lawyers shouldn’t switch just for the sake of adopting the latest technology. Lawyers should make sure the cloud product offers the features and functionality they require at a price that their firm can afford.

  • Look for companies that specifically cater to the business market. Consumer-oriented companies tend to be cheaper, better advertised and more common, but they also come with consumer-oriented terms of service and support. Vendors that work exclusively with the legal market will likely have a better understanding of the needs and obligations of lawyers.

  • What level of encryption does the vendor offer? When are files encrypted: before transmission to the vendor’s servers or after? Who holds the encryption key needed to decrypt the data? Ideally, data should be encrypted at a high level prior to transmission and only the user should hold the key for decryption.

  • Ask for a service level agreement. The SLA should spell out, in detail, the vendor’s obligations with regard to issues like server uptime, support response time and data security. The SLA should also specify the consequences if the vendor fails to meet its obligations.

  • Read all of the vendor’s policies carefully, including the terms of service agreement, and if applicable, the privacy, security and intellectual property policies. In particular, lawyers should look for the vendor’s policy on the following key issues:

    • To whom, and under what circumstances, will the vendor reveal user data? Attorneys should consider both their personal information as a customer and the client data the vendor is housing on the attorney's behalf. If the TOS allows the vendor to share data freely, then the service isn’t appropriate for handling client data. Better policies will limit the vendor to producing data only upon subpoena. Ideally, the vendor will also provide the user with notice and opportunity to object prior to release of the data, if notice is permissible by law.

    • Who really holds the data? Realistically, few cloud vendors host their own servers; most rely on dedicated third-party data centers. Lawyers should evaluate the data center's policies, and if possible, the TOS between the cloud vendor and the data center.

    • How much access do vendor (and data center) employees have to user data? Security compromises are more likely to result from an incompetent or hostile employee on the vendor/data center side than from an outside hacker.

    • When in doubt, ask for clarification, in writing. If a policy or TOS is unclear, attorneys should not assume that the ambiguities will be construed in their favor. Lawyers should be proactive in upholding their ethical obligations.

This article first appeared in YourABA e-newsletter, a monthly publication distributed via email to all ABA members.
