The Burgeoning Cloud—Risks to Communicating and Storing Off Site

 By Kristin Casler

Featuring Francoise Gilbert of the IT Law Group

Storing data and communicating in the cloud is tempting. There’s no easier way to access files when traveling or to share with colleagues around the globe. It usually is less expensive, more efficient and requires less expertise and infrastructure than keeping data in house. It may, in some respects, even be more secure. And new features continually make it more attractive.

Your company probably already takes advantage cloud computing. Perhaps even your law department. And odds are, so do the outside firms you use. But the cloud is fraught with security risks and ethical conundrums because client data is outside the lawyers’ direct control. So, while cloud computing presents significant advantages, you must tread carefully.

Ethical questions

Attorneys have duties of confidentiality, competence and supervision, among others. The American Bar Association Commission on Ethics 20/20 Report to the House of Delegates recognized the potential ethical concerns of cloud computing and updated the Model Rules of Professional Conduct in 2012. Additionally, many state bars across the country have issued opinions about the ethics of cloud computing. The language varies from jurisdiction to jurisdiction. Generally, they permit use of the cloud in legal practices, provided the lawyers take reasonable care to ensure that all materials remain confidential and take reasonable safeguards to protect against loss or breach. Some suggest verifying the reliability and security of the third-party provider, confirm that it will comply with confidentiality requirements and notify the attorneys if served with process to produce client information.

Does your law department or outside counsel measure up when it comes to the cloud? Are you able to use the cloud system competently? Will confidentiality be maintained? Is the data secure?

“Given the potential application of these and other ethical rules, it would be prudent for attorneys and law firms that contemplate the use of cloud computing services to review carefully the ethical rules that apply to their profession, in their region, and review, as applicable, any opinion or guidance that may have been published by the applicable authority that regulates their profession,” advises Francoise Gilbert  of the IT Law Group in Silicon Valley.

Security, or lack thereof

In February, an internal report from Citigroup’s cyber intelligence center warned bank employees of the threat of attacks on the networks and websites of big law firms. It said law firms were at “high risk for cyber intrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications,” according to a New York Times® report.

Many attorneys who use the cloud are not fully aware of the traps or the security concerns associated with it, Gilbert said. Use of free services such as Dropbox or Gmail may be particularly risky, she said. Both are provided “as is.” The Terms of Service of the Dropbox free offering contain no representations about security or confidentiality. “Right there, there is no guarantee of the integrity or availability of the data,” she said. Instead, look for paid services. “Arguably anyone with access credentials could have access to your data,” Gilbert said. “Consider a free cloud service as just a place to put your stuff. For legal documents, you need it to be more like a bank vault.”

Best practices for managing the risks

Gilbert advises conducting internal and external due diligence in order to determine the potential obstacles or constraints that might prohibit or restrict the use of cloud services by your department or outside counsel. Review the ethical rules, confidentiality agreements and potential contracts with cloud providers. Know how the servers work and use data, and where they are located. What data will be stored? Will documents containing vital information, such as mergers and acquisitions data be stored off site or offshore? Will foreign governments have access to it if it is stored on servers within their borders?

Will you or your outside firm be able to access data if the server goes out of service? Gilbert said you might consider backing up your data to a second server.

When examining cloud vendor contracts, look for disclaimers of liability, confidentiality, intellectual property and security provisions. Ensure your data will be appropriately protected from unauthorized access or modification, Gilbert said. You may need to install a firewall, limit access, use encryption and strong passwords or other authentication measures. Make sure you receive an electronic audit trail to monitor access to data. Make certain you are notified of breaches that affect your data so that you can inform your clients, if necessary.

When you review your contracts, beware of obscure or confusing clauses that might give the cloud provider ownership of data stored in its services, or the metadata associated with the access to or processing of your data. Ensure that the contracts with the service provider(s) acknowledge that the data are owned by the law firm and/or its client, and not by the cloud provider.

Nothing lasts forever, and at some point you may need to switch to a different cloud vendor. Be sure you have an exit strategy in place, so there is continuity of security and continuity of service should the vendor abruptly close its doors due to a force majeure event or financial difficulties, Gilbert said.  

Police your company and your counsel

As cloud computing continues to grow, it is important for attorneys to understand that placing your data off site does not relieve you of your ethical and other obligations, and it may make abiding by them more complex. “Thus, any company should carefully consider the pros and cons, as well as the consequences of the use of cloud services,” Gilbert said. “Before venturing in the cloud, lawyers and law firms must evaluate the effect of the relevant rules of ethics to which they are subject, identify the categories of data that may be processed or stored in the cloud, and take the numerous other necessary measures to ensure that they will be able to fulfill all of their legal and ethical duties to their clients.”