Confidentiality and Data Security Concerns
Whether you are storing your firm’s own data or that of your clients, confidentiality and security issues are of paramount concern. There are limitations to protecting the confidentiality of your firm’s data when dealing with third-party vendors, and the risks of unauthorized disclosure of your firm’s or clients’ sensitive data by cloud providers can be significant. Major data breaches are continuing to occur at an unprecedented pace, and are affecting millions of customers. See, e.g., LivingSocial Hack Exposes Data for 50 Million Customers, N.Y. Times, April 26, 2013. Even the courts themselves are not immune. See, e.g., Washington State Court Hacked: 160,000 Social Security Number Potentially Accessed, Forbes, May 10, 2013. When a data breach does occur, the implications can be disastrous. Costs can rise into the thousands if not millions of dollars, not to mention the intangible loss to a firm’s reputation and the loss of its clients’ confidence.
To protect data confidentiality, be prepared to negotiate specific contractual terms before uploading data into a “cloud” storage system. Law firms should consider factors such as:
- Whether the provider will segregate your data;
- Whether the provider will access, use, or copy data for its own purposes;
- Whether the provider will delete or return your firm’s data at your request;
- How the provider will adequately purge data to ensure that confidential information is not compromised; and
- What the cloud provider’s obligations are to notify your firm of a potential data breach.
Law firms also should establish preventative and back-up measures to protect the integrity of the firm’s data and that of its clients. Ensure that service providers offer advanced security capabilities that include:
- A high level of tested encryption technology to ensure the shared storage space safeguards all data;
- Stringent access controls to prevent unauthorized access to the data;
- Scheduled data backup and safe storage of the backup media; and
- Business continuity and disaster recovery solutions.
Electronic data may long outlive the creator of the data. It is therefore also important to remember that, unless the data is properly deleted or otherwise purged, it may remain in cyberspace longer than intended. Law firms need to keep this in mind and act accordingly when entering contracts with “cloud” providers. For example, retention policies need to include provisions not just for destroying hard copy files, but also electronic information stored at the firm, as well as in the cloud. This last category is sometimes forgotten either in preparing retention policies themselves, or in the actual execution of those policies.
Intellectual Property Issues
As the U.S. economy has transitioned into the information age, the legal system also has been forced to adapt. Property law concepts in existence for centuries are now being applied to modern-day concepts. For example, in Thyroff v. Nationwide Mut. Ins. Co., 8 N.Y.3d 283 (2007), a New York appellate court held that a party could sue for conversion of intangible electronic records that are stored on a computer. The court recognized the intrinsic value of both electronic and print documents and declined to draw a distinction between electronically stored information and printed documents for these purposes. Similarly, several courts have held that electronic information stored on computer disks, magnetic tapes, audio files, and even data sent via electronic signals are protectable property rights.
Moreover, the data stored by a firm may constitute trade secrets, copyrighted work, or other materials protected by U.S. intellectual property laws. If a law firm’s “cloud” resides off-shore in another country, the laws of that country may not provide adequate protection if someone else obtains this information.
Concerns Regarding Compelled Disclosure to Third Parties
Law firms and their clients also need to be aware that cloud providers may be compelled to disclose the firm’s data and the clients’ data if the provider is served with a civil or criminal subpoena or search warrant. Current U.S. law—including the Electronic Communications Privacy Act, the Stored Communications Act, and the USA PATRIOT Act—could be used by government officials to obtain client data that is stored on cloud servers. Although cloud-based computing was not necessarily considered when these statutes were enacted, they are being used to gain access to data in the cloud—possibly without notifying the owner of the data.
Moreover, questions may arise as to whether Fourth Amendment protections apply to data stored in the cloud, as opposed to data stored locally or in print. Thus, law firms and their clients may be unable to prevent disclosure of sensitive information stored in the cloud that may otherwise not be disclosed if stored on a local server. Law firms need to be aware (and preferably make their clients aware) that their clients’ data stored in the cloud may not be protected from compelled disclosure to the government or civil litigants.
Jurisdictional Issues
Although data may be stored in the cloud, that cloud—or at least a corresponding server—has a physical location. It may be in another state, or even another country. Moreover, the “cloud” can move. The provider storing the data may itself move, or may decide to relocate your data to a server stored in one of its other locations. While the law firm should be able to access its data from anywhere, chances are you may not know the location of the physical server being accessed.
Cloud service contracts may provide that any disputes arising out of the service agreement are to be resolved in a foreign jurisdiction. Whether that means another state, or another country’s legal system altogether, it may present unique challenges if the parties need to turn to the court system to resolve a dispute.
Pay particular attention to whether the contract contains a venue or choice-of-law provision, and consider whether it will be problematic. Litigating in foreign venues can obviously present significant disadvantages. The jurisdiction in which data is stored may also have different regulations than the U.S. For example, countries’ privacy laws vary, and may affect the ability to access data.
Conclusion
The analysis, presentation, and storage of electronic data has become a primary function of law firms. A solid data storage plan is essential, but requires a concrete understanding of the opportunities and challenges presented by the ever-growing number of options for storing electronic information. Make sure your law firm has such a plan in place, and keep your head out of the cloud.
Jason M. Rosenthal is the managing partner of Schopf & Weiss LLP in Chicago. He is a cochair of the Computer and Technology Subcommittee of the ABA Section of Litigation Insurance Coverage Litigation Committee.