Your obligations are dependent on the type of data your clients provide, and your ethical obligations emanate from this data’s characterization. Your clients will most likely not know the key elements for characterizing the data. So, it will be best for you to provide information to alert them of the possibilities of how the data and software they provide you may be used, and most importantly, where it may be used or stored. Your obligations and the disclosures appropriate to the client depend on the client’s answers to these questions.
What Type of Data and Software Do Your Clients Provide?
You’ll need to develop a checklist and conduct an inventory with the client regarding client-provided data and software. Here are some of the issues that help frame your inquiry. Your inquiry is not limited to your practice area, because possession of this same data would be expected whether you practice in such diverse concentrations as criminal, estate planning, employment, intellectual property, or personal injury.
Does the information contain:
- Personal Identifying Information (PII)? The definition of PII may vary from state to state but often includes combinations of identifiers such as a person’s name, mother’s maiden name, middle initial, address, birth date, or government identification (driver’s license or other state-issued identification).
- Protected Health Information or Personal Health Information (PHI)? Using the abbreviation PHI covers all permutations because some states have their own, more restrictive definitions of PHI—more comprehensive than Health Insurance Portability and Accountability Act (HIPAA) data and with state certifications for how to handle the data.
- HIPAA Data? Do you and your firm have the appropriate certifications for handling this data? HIPAA, as amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH), requires certification in accordance with the U.S. Department of Health and Human Services. And some states, such as Texas, require additional state certification.
You’ll also need to know about the software that clients give you, and where this software is stored:
- Is the client providing you with software with which to analyze or generate data?
- If yes, then are you going to run the software on servers in the cloud?
- If yes, then are the servers possibly located outside the United States?
- If yes, then does the client have permission or is the software allowed to be exported out of the country?
This last point will be a surprise to many of you who have not pored over the details of your cloud contracts. Most contracts with cloud service providers (CSPs) provide for a representation by the customer (your firm or you) that there are no prohibitions on the export of the software you’ll utilize. This provision is easily understood in light of CSPs’ having facilities all around the world where they might store your data and your (or your client’s) software programs. The United States has export laws preventing some software from being exported outside the country. You may contract with Microsoft, Google, or Amazon (U.S. corporations), but your data and software may be housed in data centers in India, Finland, Sweden, Canada, or Ireland. Some CSPs offer geographical limitations on where your software and data will be held and used, but they may still include a provision placing all the responsibility on you: if the software or data had to be exported, you represent that you had authority (directly or as your client’s agent) to grant approval.
Note that if you need this information from your client, then your client needs this information before entering into its own agreement with its CSP (if it uses such a service). You’ll be relieved that most circumstances will not require you to run your client’s software on your cloud. If your client did not request your comments and review of its agreement with its own CSP, then this may create the opportunity for an additional engagement.
What Is in Your Firm’s Own CSP Agreement?
You’ll need to examine your own CSP agreement to know how it will interact with your clients’ needs, but you’ll then be more prepared to work with your clients.
If you pose the questions above to your firm, the responses you collect will provide a template for examining your firm’s own agreement with its CSP. You’ll also develop a greater understanding of the software you use in your practice and the limitations, if any, on its export. You’ll be able to guide your clients through federal and state certification processes depending on the type of information in their custody, and which ultimately may be in your custody.
HIPAA, for example, applies to lawyers as "business associates," and lawyers may become responsible for HIPAA data through personal injury or employment law representation. With this information, you’ll be able to examine your firm’s as well as your clients’ cybersecurity insurance to make sure all goals are addressed. Although the initial work may appear laborious and cumbersome, you may find it is a source of additional assignments from your client and a greater understanding of their business and how you may help them.
We’ll continue examining engagement agreements, cloud computing, and ethics in our next column.