Just as technology has evolved rapidly in recent years, so too has the need to address ethical ramifications surrounding new technologies. Recently, state ethical committees, as well as the American Bar Association, have been tasked with considering the ethical questions surrounding cloud-based storage. Cloud-based storage involves saving data and software on servers owned by third parties. Such storage has the potential to save law practices a great deal of money, and is often more convenient than traditional storage methods.
Looming in the background of the benefits, however, is the potential cybersecurity risks. Accordingly, ethics commissions have been tasked with determining the appropriate balance between allowing law practices to take advantage of cloud-based storage, while still protecting confidential client data. In balancing the competing factors, state associations, as well as the American Bar Association, have universally approved the use of cloud-based storage. However, the allowance is not without restriction.
For example, the American Bar Association, after addressing cloud computing during an annual meeting, recently amended Model Rule 1.6, adding a subpart that requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Although the American Bar Association did not disapprove of cloud-based storage, law practices using third-party storage services are cautioned to carefully consider safety mechanisms offered by potential providers, as well as their ethical obligations, before entering into service agreements.
Lawyers and their law firms should consider the following best practice tips:
1. Before entering into a third-party agreement, first determine how the information saved via cloud-based storage will be accessed (i.e., is the information accessed via password?).
2. If the information is accessed using passwords, determine who will have access to the passwords; the fewer persons with access, the better.
3. Always do due diligence regarding the company that will be storing your data. Have they experienced a data breach before? If so, how have they addressed their deficiencies?
4. Cost is not, and should not, be the determining factor. Especially in the world of cybersecurity, you often get what you pay for.
5. Determine whether the end user’s licensing agreement contains any legal restrictions regarding liability in the event of a data breach. Is the third-party provider attempting to contract away potential liability?
6. Determine whether there are different levels of encryption for highly sensitive information. Does the third-party provider offer you the ability to add a level of protection to your most sensitive information?
7. Always shop around before entering into an agreement. You will never know which third-party providers are offering added protections unless many different providers are consulted.
Karen Painter Randall is the Cyber Security & Data Privacy chair with Connell Foley, LLP in Roseland, New Jersey.