September 01, 2017

Clarifying Cloud Computing: Your Client’s Data and Software, Engagement Agreements, and Ethics

Al Harrison and Joseph Jacobson

This article, the second in our series exploring cloud computing and ethics, addresses engagement agreement modification to take into account a firm’s use of cloud computing. The previous Clarifying Cloud computing column may be found here. Our introduction to the topic appeared as the “GP Mentor” column in GPSolo magazine’s May/June 2017 issue.

 

Disclosure and consent are the two key elements in your documented relationship with clients when you use cloud computing.

Your obligations are dependent on the type of data your clients provide, and your ethical obligations emanate from this data’s characterization. Your clients will most likely not know the key elements for characterizing the data. So, it will be best for you to provide information to alert them of the possibilities of how the data and software they provide you may be used, and most importantly, where it may be used or stored. Your obligations and the disclosures appropriate to the client depend on the client’s answers to these questions.

 

What Type of Data and Software Do Your Clients Provide?

You’ll need to develop a checklist and conduct an inventory with the client regarding client-provided data and software. Here are some of the issues that help frame your inquiry. Your inquiry is not limited to your practice area because possession of this same data would be expected if you practice in such as diverse concentrations as criminal, estate planning, employment, intellectual property, or personal injury.

Does the information contain:

  • Personal Identifying Information (PII)? The definition of PII definition may vary from state to state but often includes combinations of identifiers such as a person’s name, mother’s maiden name, middle initial, address, birth date, or government identification (driver’s license or other state-issued identification).
  • Protected Health Information or Personal Health Information (PHI)? Using the abbreviation PHI covers all permutations because some states have their own, more restrictive definitions of PHI—more comprehensive than Health Insurance Portability and Accountability Act (HIPAA) data and with state certifications for how to handle the data.
  • HIPAA Data? Do you and your firm have the appropriate certifications for handling this data? HIPAA, as amended in 2009 by the Health Information Technolgy for Economic and Clinical Health Act (HITECH), requires certification in accordance with the U.S. Department of Health and Human Services. And some states, such as Texas, require additional state certification.

You’ll also need to know about the software that clients give you, and where this software is stored:

  • Is the client providing you with software with which to analyze or generate data?
  • If yes, then are you going to run the software on servers in the cloud?
  • If yes, then are the servers possibly located outside the United States?
  • If yes, then does the client have permission or is the software allowed to be exported out of the country?

This last information will be a surprise to many of you who have not pored over the details of your cloud contracts. Most contracts with cloud service providers (CSPs) provide for a representation by the customer (your firm or you) that there are no prohibitions to the export of software you’ll utilize. This provision is easily understood in light of CSPs’ having facilities all around the world where they might store your data and your (or your client’s) software programs. The United States has export laws preventing some software from export outside the country. You may contract with Microsoft, Google, or Amazon (U.S. corporations), but your data and software may be housed in data centers in India, Finland, Sweden, Canada, or Ireland. Some CSPs offer geographical limitations on where your software and data will be held and used, but they may still include a provision placing all the responsibility on you that if the software or data had to be exported, then you had authority (directly or as your client’s agent) to grant approval.

Note that if you need this information from your client, then your client needs this information before entering into its own agreement with its CSP (if it uses such a service). You’ll be relieved that most circumstances will not require you to run your client’s software on your cloud. If your client did not request your comments and review of its agreement with its own CSP, then this may create the opportunity for an additional engagement.

 

What Is in Your Firm’s Own CSP Agreement?

You’ll need to examine your own CSP agreement to know how it will interact with your clients’ needs, but you’ll then be more prepared to work with your clients.

If you pose the questions above to your firm, the responses you collect will provide a template for examining your firm’s own agreement with its CSP. You’ll also develop a greater understanding of the software you use in your practice and the limitations, if any, on its export. You’ll be able to guide your clients through federal and state certification processes depending on the type of information in their custody, and which ultimately may be in your custody.

HIPAA, for example, applies to lawyers as "business associates," and lawyers may become responsible for HIPAA data through personal injury or employment law representation. With this information, you’ll be able to examine your firm’s as well as your clients’ cybersecurity insurance to make sure all goals are addressed. Although the initial work may appear laborious and cumbersome, you may find it is a source of additional assignments from your client and a greater understanding of their business and how you may help them.

We’ll continue examining engagement agreements, cloud computing, and ethics in our next column.

Entity:
Topic:

Al Harrison and Joseph Jacobson

Al Harrison is a patent attorney concentrating on oil and gas and software and practicing intellectual property law in Houston, Texas. He is co-chair of the GPSolo Division’s Joint Resource Center—Technology Committee, chair of the Intellectual Property Committee, and a member of the Book Publishing Board. He is chair of the Data Privacy and Security Committee of the ABA Business Law Section and a past chair of the Computer and Technology Section of the State Bar of Texas; he also serves on the Advertising Review and the Professionalism Committees and is a board member of the Texas Bar College.

 

Joseph Jacobson is a transactional attorney practicing various aspects of business law and commercial real estate. He has represented businesses having operations in Europe and Asia. He was a board member of the Japan-American Society of Dallas and a founder of the e-Commerce Committee of the Dallas Bar Association. He was an adjunct professor at Southern Methodist University Dedman Law School. He is vice-chair of the Data Privacy and Security Committee of the ABA Business Law Section and a past chair of the Computer and Technology Section of the State Bar of Texas.