As published in Technology and the Law Section of the New York State Bar Association publication October 2014
Natalie Sulimani (firstname.lastname@example.org) is the founder and partner of Sulimani & Nahoum, PC. She is engaged in a wide variety of corporate, employment, intellectual property, technology, Internet, arbitration and litigation matters. She counsels both domestic and international clients in an array of industries, including Internet and new media, information technology, entertainment, jewelry, consulting and the arts. Ms. Sulimani earned her LL.B. from the University of Manchester at Kiryat Ono, Israel. This article first appeared, in a slightly different format, in the Fall 2013 issue of Inside, a publication of the NYSBA’s Corporate Counsel Section.
Being Prepared When the Cloud Rolls In
By Natalie Sulimani
With each new technological advance comes at least one new word, if not a whole new language. It seems as if once you get a handle on one term there is yet another one to learn – crowdfunding and crowdsourcing, to name a few. And then there is social media, which should not be confused with social networks, of course. This is all in the spirit of service to technology and innovation. But none strike more fear in the heart of attorneys lately than the ubiquitous term “cloud computing.” What is the cause of the shudder you just may have felt run through the legal profession? Maybe the discomfort comes from the natural desire in the field of law to control as much of our client’s situation as possible, and cloud computing is an environment that we, as attorneys, cannot ultimately control. It is, by its very nature, in the hands of someone else. Hopefully, you have found a trusted Information Technology vendor to manage your part of the cloud.
But, while with technology the players and the terminology may change, what does not change is an attorney’s ethical obligations. We have a duty to maintain confidences, a duty to remain conflict free in our representations and, of particular interest to me lately, a duty to preserve.
The lesson has been taught, and sorely learned, that files must be backed up. Hard drive failures are, unfortunately, a reality. So, you back up to an external hard drive. Except the unwritten rule of the cyberverse is hard drives always fail. Always. Recently, the onslaught of natural disasters, the latest being Hurricane Sandy on the East Coast, has taught some lawyers a very harsh lesson. Redundancy is important. Maintaining files in multiple locations is a must. How many files were lost due to flooding or a server going underwater? How many attorneys were unable to access their files because of these or other similar catastrophes? If it was even one, then it was too many. And worse yet, there is no reason for such things to happen.
Early in my solo career, I had a breakfast networking meeting with an attorney from a midsize firm and the discussion turned to the topic of working from home. Now, technically, I do not have a virtual law firm, but I do consider myself mobile as an attorney. I think most of us do. Technology allows us to do so. Moreover, the amount of work necessitates that we work remotely. Clients expect you to be available on their schedule, and worse yet, clients or opposing counsel may live in a different time zone. Not everyone exists on Eastern Standard Time. So, I casually asked, “How do you manage your work from home?” The answer was, “I email my files to myself.” I followed up with, “Okay. To your firm’s address?” The response that mentally gave me pause was, “No, personal email address.” There seemed something wrong about this, but more on that later.
Opinions regarding maintaining confidentiality are numerous, frequent and, as we move forward technologically, the subject keeps returning like a bad penny. We all know that we need to maintain confidentiality. But the challenge as we progress may be to understand new technology so that we are able to use it to be more efficient, while at the same time being confident that we are maintaining client confidentiality.
History and the Ethics Trail to Cloud Computing
If you have attended seminars on cloud computing, then you may know that the first iteration of the cloud was voicemail. Answering machines were replaced with voicemail, which meant that your messages were stored on a remote server that required you to use a code to retrieve them. Although this was a shift in where personal and official information was stored, I cannot remember anyone wondering whether this would be an issue of confidentiality or otherwise. The result was everyone kept answering machines over voicemail for the convenience of listening to messages anywhere.
The next step in cloud computing came in the form of third-party email providers like Gmail, Yahoo, MSN, Hotmail, AOL, and others. These services stored our communications on remote servers in any number of locations, but most important, all this information resided in the cloud. Again, almost everyone is happy to access his or her email from anywhere without fretting over the fact that all our words and thoughts are floating out there in the cloud.
So how do the courts view this use of the cloud? An opinion rendered in 1998 in New York State said that a lawyer may use unencrypted email to transmit confidential information since it is considered as private as any other form of communication. Unencrypted means that, from point to point, the email could be intercepted and read. The reasoning was that there is a reasonable expectation that e-mail will be as private as other forms of telecommunication. However, the attorney must assess whether there may be a chance that any confidential information could be intercepted. For example, if your client is divorcing his or her spouse, an email that both spouses share, or even an email to which the non-client spouse has access, should not be the method of communication. The attorney must seek alternate methods of communicating.
Gmail did add an extra twist, which other email service providers quickly copied. As a “service” to you, email service providers started to scan emails in order to provide you with ad content. They would scan keywords in your email and provide relevant advertising. For instance, if you were discussing shoes in an email, the email service provider would tailor ads when you were in the email inbox and you would now be receiving advertisements for Zappos or any other shoe vendor. After all, nothing is better than a captive audience.
So, the question now becomes whether a lawyer can use an email service that scans emails to provide computer-generated advertisements. The New York State Bar Association opined in Opinion 820 (2/8/08 (32-07)) that, yes, it was okay, since the emails were scanned by machine and not by human eyes. If the emails were read by someone other than sender and recipient, the opinion would have certainly been different.
And now to the topic at hand: storing client files in the cloud. Through services like Dropbox, Box.com, Rackspace, Google Docs, and others, an attorney can add to his or her mobility and efficiency by storing client files online. Although I know there is a lot of debate surrounding this practice, I do not see how it is very different from storing client files off-site in a warehouse. In the cyberworld, electronic files are held by a third party on a secure remote server with a guarantee that they will be safe, and only authorized persons will have access. In the brick-and-mortar world, paper files are held by a third party in a warehouse with the same guarantees. Both are equally secure and equally liable to be broken into by nefarious agents bent on getting to the diligently hidden confidential information. Again, the technology might change, but the principles are the same. One should not be more or less afraid of one method of storage over the other.
A number of state bar associations have been grappling with the issue of cloud computing and the ethical issues it raises; these include North Carolina, Massachusetts, Oregon, Florida, as well as our esteemed New York State Bar Association. However, surprisingly, to date only 14 of the 50 states have opined regarding use of cloud computing in the legal profession. One would think more would have joined the fray in giving its lawyers some guidance.
The American Bar Association amended its model rules last year, perhaps as a beacon to other bar associations, but certainly as a guide for other states.
Model Rule 1.6 holds:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Across the board, opinions are cautious about using cloud computing in the practice of law, but there is nothing about it that could be called unethical. The ethical standard of confidentiality is reasonable efforts to prevent disclosure. The question, therefore, lies in what is considered reasonable efforts.
Rule 1.6(a) of the New York Rules of Professional Conduct states that “[a] lawyer shall not knowingly reveal confidential information . . .” and, at Rule 1.6(c) goes on to say that “[a] lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidential information of a client.”
It is safe to assume that Rule 1.6(c) imposes the obligation for lawyers to use reasonable care in choosing their cloud computing and/or IT vendors, but indeed those lawyers may take advantage of the cloud and employ those who provide and manage those services in good conscience.
In fact, in September 2010, the New York State Bar Association issued Ethics Opinion 842 regarding the question of using an outside storage provider to store client information. The question that was asked of the New York State Bar Association was whether a lawyer can use an online storage provider to store confidential material without violating the duty of confidentiality.
So What Exactly Is the Cloud?
To understand what the issue is and why it may pose a problem, it is best to understand what it means to store information in the cloud. A cloud, in its simplest terms, is a third-party server. The server in which the information is stored is neither on the law firm’s premises nor owned by the law firm. The law firm’s IT person or department does not maintain where the database is stored in any way. It is in the hands of a third party offering a service.
An internal storage system is a closed circuit, meaning there is a direct line from your desktop to the firm’s server. Absent hacking, the information is controlled internally. Once removed from this closed system and stored in the cloud, your information may be more vulnerable because you have now created access points in which others may gain access to that data. To illustrate, data will now flow out on the Internet and beyond your control to get to the remote server where it is housed. However, encrypt the data and you have limited the exposure. As stated above, once encrypted it would take a nefarious and willful mind to be able to read what you are sending into the cloud.
Why Should You Move Your Data to the Cloud?
There are many reasons why you would want to move to the cloud and many reasons why it is prudent to move your storage to the cloud. To begin with, properly using cloud computing in the storage of client information reduces the possibility of human error. Emailing files to yourself, transferring them to a thumb drive, storing client files in offsite warehouses, to name a few, are all steps that introduce and increase the chance for human error. Email to your personal email account runs the risk that your family would access your email at home, thumb drives get lost, people break into warehouses and natural disasters happen that can destroy files. Cloud computing, by contrast, puts your files in the hands of competent IT professionals who will secure your information and provide the necessary redundancy so that if a server goes down your files will live on and be available when you need them from another server. Their major, if not sole, purpose (and the reason you pay them) is to safeguard your files and ensure that you will always have access to them when necessary, so they are highly motivated to do it well and properly.
In March 2012, the Federal Trade Commission (FTC) issued a report titled Protecting Consumer Privacy in an Era of Rapid Change. While attorneys may be subject to higher standards in keeping client confidences, I think this is a good guide in understanding the technology and best practices associated with it.
The FTC report recognized that businesses are moving to the cloud because it improves efficiency and is cost effective. However, the overarching concern is privacy. The FTC recommended overall guidelines for technology and consumer data. In particular, there are four recommendations that businesses should follow:
•Scope: Define what information is stored.
•Privacy by Design: Companies should promote privacy in their organizations.
•Simplified Choice: Simplify choice so that the customer is able to choose how information is collected and used in cases where it is not routine, such as order fulfillment.
•Greater Transparency: Companies should be transparent in their data practices.
Using these guidelines, what are best practices for attorneys?
•Consider what client information you will store in the cloud.
•Privacy is easy to ensure, attorney-client privilege should be maintained.
•Determine what information you will share with your clients. For example, will you share their case files with them? You can pick and choose what you share with your clients in the cloud for greater collaboration and reduction of emails going back and forth with attachments. They can upload their data in a secure environment, and you can share information in a secure, password-protected environment where you can ensure that only a specific client or clients have access.
•Choice and transparency go hand in hand. While it is the attorney’s best judgment in deciding how to reasonably protect client information, you should make your client aware that you are using these services. Build it into your retainer. If, for any reason, your client objects, you will know and can deal with the reasons why right at the beginning. It may take just a short conversation about the confidentiality, reliability and ease of the cloud to assuage any fears or concerns.
•Finally, have a breach- notification policy in place. This is not just for your corporate clients; any client whose information is in the cloud should be notified of and subject to this policy.
Now that I have you on board with moving your files to the cloud, consider that you need to exercise “reasonable care” in choosing a cloud provider. New York State Bar Association Ethics Opinion 842 offers some guidance:
•Ensure that the online storage provider has an enforceable obligation to preserve confidentiality and security and will notify you of a subpoena.
•Investigate the online storage provider ‘s security measures, policies, recoverability methods and other procedures.
•Ensure that the online storage provider has available technology to guard against breaches.
•Investigate storage provider’s ability to wipe data and transfer data to the attorney should you decide to sever the relationship.
Read the Terms of Service and, when you can, negotiate with the cloud vendor. Cloud vendors update their policies and may be willing to change their practices to meet the needs of their (and your) clients. If you have concerns and/or specific needs, contact the vendor, and if it is unwilling to change its practices, go somewhere else. Frankly, there are many online storage providers so be discerning when it comes to client data.
While utilizing an online storage provider, consider its encryption practices. Will your data be stored encrypted? Will you encrypt the data enroute to the online storage? And who has access while it is being stored? Also, if the online storage provides access on mobile devices, just as you would your computer, laptop, tablet and mobile phone, add security by password protecting the online storage’s mobile app. After all, just as in the non-cyber world, a big threat to effective storage is human error. Therefore, it is of utmost importance that you know how to remotely wipe the data if your device is lost or stolen. One aspect of mobile storage to be aware of is that when you download client data to your mobile device, it may be downloaded to your SD card. Whether you want this is something to consider; take steps to avoid it, if desired. This is an example of the importance of understanding how the technology works, understanding where problems, such as interception, may occur, and ultimately how to take steps to avoid them. Education is key.
In short, the advantages of cloud computing as outlined in this article make it a perfect complement to an effective and successful law practice. There is little difference in the potential ethical issues or any other such problems that exist in the cloud and in the brick and mortar world of physical offsite storage of clients’ files. Rather than running away from this new technology, it would be better to embrace it by learning more and making wise decisions that will minimize potential pitfalls down the road, while at the same time increasing the ease and usefulness of client communication and interaction.