As technology continues its intersection with the practice of law, the absence of basic technical knowledge is a distinct competitive disadvantage for any lawyer. While lawyers are not required to be masters of technology, a basic understanding of technological applications is critically necessary to meet the competence standard put forth by the ABA’s Model Rule 1.1, which seeks to avoid malpractice and best serve clients. U.S. District Court Judge Shira Scheindlin, one of the leading jurists on e-discovery, has urged lawyers to become more tech-savvy to avoid being held ethically liable for losing confidential client data. Though e-discovery is the primary area associated with the words “legal technology,” the duty to understand technological advances is by no means limited to litigation.
Recently, “cloud computing” has also become a buzz term that has seeped into mainstream parlance. The term “cloud” or “the cloud” is essentially used as a metaphor for “the Internet,” so “cloud computing” essentially refers to “Internet-based computing.” In cloud computing, servers, applications, and storage are delivered to computers and other devices through the Internet. From Evernote to Instagram to Gmail, there are very few applications regularly used by individuals that do not operate through cloud computing. As businesses and individuals begin to integrate their data and software into the cloud, so too are law firms in order to provide faster and cheaper services for clients. It is thus important to understand not only the scope of such technology, but also potential ethical issues that a lawyer may face in employing otherwise advantageous technology.
The cloud offers numerous benefits—because it uses a network of large servers, not only is it a cost-efficient manner of storing data, but it also contains virtually unlimited storage capacity that does not require physical space. Through cloud computing, information is more easily recovered than it is on a single server and is easier to manage on multiple devices. Additionally, there are fewer software and hardware conflicts, eliminating the need for continuous and time-consuming system updates.
However, cloud computing raises security concerns where data might commingle with another client’s data. A rather common example of data commingling is found when attorneys use smartphones and tablets for personal and professional uses, interweaving personal emails, GPS history, text messages, and social media accounts with confidential client information. While this is more inconvenient for the attorney whose personal information is potentially subject to discovery, larger and more immediate issues may arise when the client’s information is commingled with a non-client’s data because it may reside on the same cloud. Confidential client data may reside on the same hard drive as another business (though not necessarily another law firm), which may become subject to a future discovery order. As it is common for electronic evidence to be seized or demanded as part of litigation, even if your client is not a party to the litigation in question, their data may become sequestered if it resides on the same cloud computing equipment as the defendant.
Furthermore, when an agreement with a cloud service provider terminates, there may be issues with continuous data security and return of data. ABA Model Rule 1.6 explicitly prohibits inadvertent disclosure of and unauthorized access to client information, and ABA Model Rule 1.15 obligates a lawyer to segregate and preserve client property.
To mitigate against unauthorized disclosure, a lawyer must be cognizant of the risks involved with cloud-computing and sharing the risks with the client. A lawyer can practice due diligence by reading and understanding the entire service level agreement and assessing security and risk in the context of the attorney-client relationship. This means for lawyers who practice in the areas of HIPAA, most finance and banking related practice areas (including GLBA and FCRA), heightened concerns of online storage for a client’s data may necessitate costlier services that ultimately ensure greater security.
Key points to consider and address when reviewing service level agreements:
- Vendor contracts may contain unclear or inappropriate provisions about who owns or has the right to use information stored on the cloud. Like any business, cloud service providers can be bought, sold, or liquidated in bankruptcy. It is key to address this potential issue in an assignation clause. In case of bankruptcy, the cloud providing may stop maintaining the servers, or secured creditors may claim those servers without considering preservation of data for its owners.
- Data breaches are not the only causes of unauthorized disclosure of data. Data may also be disclosed if the service provider has inadequate procedures for responding to subpoenas, court orders, or other process seeking production of information.
- Service providers may have inadequate procedures for preserving, delivering, or deleting data at the end of a service contract.
- Disputes over payment or other contract terms may delay access to data.
Other tips for best practices:
- Regularly review activity reports. Just like WestLaw and LexisNexis can provide a research trail, digital storage providers can provide activity reports. These reports should identify who has accessed client information, when the information was accessed, and what files were viewed.
Use a trusted provider who segregates your client’s data from other sources of data. This prevents inadvertent disclosure and can prevent your client’s data from being accessed through a subpoena or unrelated discovery matter.