Technology Attorneys

Key Points in a SaaS Agreement

Software as a Service (‘SaaS’) functions on a delivery model wherein a third-party provider hosts an application that is offered as a service. This distinguishes it from ON PREMISE solutions, which are fast disappearing.

SaaS offers its users a ton of benefits, but it is best optimized when the provision of the service is governed by an agreement between the provider and the customer.

SaaS agreements CAN be clickthrough agreements on a website but here, we are talking about a direct SaaS agreement that you contract with a vendor.

A SaaS agreement is essentially a legal document that defines the terms of the provision and delivery of software services to customers. Well-drafted SaaS agreements eliminate the incidence of disputes between both parties in the course of the contract. To ensure that a SaaS agreement captures the expectations of the parties involved, there are key points that it must cover. Read on to find out what they are.

Key Points To Cover In a SaaS Agreement

The following points must be captured in any properly drafted SaaS agreement for the agreement to serve its purpose:

  • Technical Specifications: The technical specifications of the service being provided must be clearly spelt out. These specifications define the functionalities of and the expectations for the SaaS service. They also provide a means for measuring the performance of the SaaS service. Defining the technical specifications prevents disputes between both parties and helps if the need for customization arises.
  • Intellectual Property Rights: With SaaS, the key element of intellectual property rights is licensing because it specifies the way content is to be used in the course of the subscription period. Provisions must be made for revocation or modification of the licence if the subscription expires or is cancelled. Other issues like the ownership, storage, transmission and access of data should always be clearly defined, and depending on the sensitivity of customer data, it might also be appropriate to address storage. Responsibility for the protection of data created using the SaaS service should be clearly defined here.

It is also important to note that while the SaaS vendor will own their own IP, you must be able to retain your IP and easily move it off of their database. Also, where business requirements are more complex and the SaaS connects with other internal software, those ‘connectors’ should belong to you, not the vendor.

  • Payment Clause: This is the aspect of the SaaS agreement that outlines the preferred payment methods for the SaaS subscription. Are you paying per user/seat, monthly, or yearly? Be CAREFUL OF AUTORENEWAL contracts or contracts you can’t cancel.

You should be able to cancel, move your data, etc.  SaaS vendors should rely on the value prop of their software to keep customers.

  • Limitation of Liability and Disclaimers: Like with all business transactions, issues of liabilities and commercial risks are likely to occur in the course of the SaaS subscription. For example, issues like operating system incompatibility, breaching of terms and conditions and third-party hosting, intellectual property infringement, among others, can generate confusion and dispute when not handled properly. Liabilities and disclaimers should be specifically addressed so that in the worst-case scenario, liability is shared accordingly.  Assess YOUR risk, and ensure that the vendor doesn’t completely limit their liability.
  • User Obligations: This deals with the obligations of the end-user and the expectations around the use of the software. Safe storage of personal information, updating the product, and notification in the event of security breaches, where and when necessary, are some of the user obligations that must be spelt out.

Takeaway

SaaS is a critical element of your business; make sure that the contract you sign with your SaaS vendor fits your business needs.

Recent Rise of Scams

As the current pandemic rages on, more and more companies are adopting remote working models, and hackers trying to bank on consumers’ fears are churning out scams more than ever. Remote working offers many benefits to businesses but can also pose certain challenges, including security threats. While some businesses have a good enough cyber and network security system in place, many are not aware of the severe risks involved in connecting remotely. In this article, we shall be discussing some security concerns of companies offering remote work and measures to be taken to curb the threats.

Phishing Scams

Phishing attacks are one of the most common cybersecurity threats of working remotely and are widely recognized as the top cause of data breaches. The World Health Organization, Homeland Security, Global security centers, and the U.S. Secret Service have all warned of coronavirus-related phishing scams. Hackers exploit the coronavirus to send seemingly legitimate, deceptive emails with malicious links and attachments. Once the employee clicks on this malicious link, their system is instantly infected, and the hacker gains access to the employer’s device. Sometimes, employees are taken to realistic websites where their credentials are requested. Many comply, compromising their logins.

The solutions are not farfetched. Employees should be regularly reminded that legitimate groups do not request personal information. Also, they should verify any hyperlink before clicking on it and normalize pausing before responding. They should beware of any email insisting on immediate action; generic greetings or an unfamiliar sender are other markers. While bad spelling and grammar usually indicate phishing attacks, a properly written communiqué can be just as dangerous.

 

Insecure Devices

Often, the personal devices of employees are not secure and can pose the risk of unauthorized access to the organization’s data. Hence, it is recommended that personal devices be vetted by employer IT prior to being used for company work. Better still, the organization can ensure that employees are restricted to using only company devices. These devices meet the minimal security benchmark, their hardware is designed to work within a corporate network, and the software has been optimized to cater to the specific needs of the individual user within the company environment.

Secure Networks

Home networks and free WiFi available at cafes, libraries, or other public places carry a steep security price tag. In other words, these networks have weaker protocols and unencrypted traffic, and are insecure. Cybercriminals target such environments, leaving cyber mines that activate when a user of interest uses the network. Hence, remote workers should ensure that their network traffic is secure. If the employee does not have access to secure WiFi, the company should provide a hotspot.

 

Weak or Insecure Passwords 

 

Passwords are mandatory security protocols that protect the gateway to data and information. However, they become less relevant and incredibly easy to crack when they are simple or weak. Weak passwords are often short and guessable. Furthermore, if an insecure password is used across several platforms, it allows hackers to gain unauthorized access to multiple accounts in a very short period of time.

 

Conclusion

 

Finally, if you notice new programs that were not previously installed, your computer slowing down, strange pop-up ads on your screen, or you lose control of your mouse or keyboard, then your device might be under attack from hackers. Be sure to notify your company’s IT administrator so they can immediately mitigate risk. These threats can have damaging impacts on businesses. Therefore, employers must rapidly ensure the security of every device or system being used. 

Work From Home Policies

In the past, work from home was rare and unpopular because many employers believed their workforce could be easily distracted at home. However, the pandemic has fast forwarded this practice to almost become the norm in some sectors. Employers have begun to see the many benefits of the work from home model, which include increased productivity and efficiency, protected public health (especially with the outbreak of Covid19), less need for office space, and so on.

Also, the enabling technologies for implementing work from home are increasingly available and easily accessible. Employers, now more than ever, must create work from home policies to ensure productivity and prevent lapses in workflows across the various levels of operations. It is also imperative to discuss the various ways the employee must comply with policy to ensure that company data is secure and uncompromised.

 

Determine which roles can be done remotely

 

It is crucial to know from the outset which roles can shift seamlessly from the office to the home because some functions within the organization demand physical presence. For instance, a forklift operator cannot function from home, whereas a software developer can easily perform their duties from anywhere via a laptop and internet connection. Also, investigate those roles that are office-bound or warehouse-bound and find out what functions can be performed remotely by those in these roles.

Decide what rules and company policies should be followed

It is critical for employers to clarify which rules, regulations, and policies of the company still apply to work from home and what is new for those that work from home, because these employees will want to know exactly what is expected of them in this regard. Usually, all standard company policies and resources such as the code of ethics, attendance policy, professional code of conduct, sick leave, and the confidentiality agreement still apply.

 

Establishing metrics to measure the success of your remote model policy

 

Metrics and goals should always be a part of day-to-day work no matter where your employee has their ‘office’. So, I won’t get into that here because I also feel that there is a level of maturity and responsibility that goes with work from home. It goes towards the concept of the Results Oriented Work Environment (ROWE) that was introduced a few years ago.

 

Items to Consider in Updating Policies:

 

Technology: Employees need to make sure they have the right technology to complete their tasks. If there is a work from home budget allowance, specify what kind of technology they should have. Often, cheap comes with poor security, so you should allow for software, subscriptions and hardware in that budget that have security as a priority instead of free software that leaves your data vulnerable. Also, make sure that they have their own secure Wi-Fi connection; using a free or mobile hotspot might not give the security or speed your employee needs. This is particularly important for REMOTE workers: since they are mobile, their internet connection may change from day to day.

Access to work systems. We have come a long way since Citrix Remote Access, and I still cringe to think about how S L O W Citrix was. But happily, with the advent of Dropbox, GDrive and Office 365, enterprise solutions allow you to control how your employees access company data. Again, this is where free can get you in trouble. An enterprise solution will also allow you to REMOTE WIPE a device if (or should I say when) your employee misplaces a laptop or phone, or if you need to terminate employment.

 

Tech support.  Pro-actively offer the assistance of your internal tech support to ensure that the technology and hardware that your employee is using is fast, effective and secure.  This is not the time for self-help measures.

 

Client confidentiality. While security and connectivity are important, consider that now, your employee may not have a designated workspace at home. Important documents may be available for anyone to read if their workspace is, let us say, the kitchen table. BE CLEAR that all documents should be securely held where third parties cannot view or access them. Or, that no printing is allowed or encouraged. After all, haven’t we come so far with paperless offices?

Communication. Your policies should also include HOW you want your employees to communicate with clients and internally. Data retention policies need to be adhered to regardless of medium. Encourage the use of internal tools like Microsoft Teams or Google Meet to control the data retention and security. The use of texts is now a normal day-to-day work occurrence, but your employees should be aware that even that should be subject to data policies and act accordingly. A best practice should be communicated to your employees.

 

It is important to be clear about how and where you want your employees to work remotely or from home. 

 

The goal here is to discuss security and policy that will help your company stay compliant with IT security and other regulations such as privacy, and, more so, why education is so important: your employees need to understand the why behind these policies.

 

Conclusion

 

 

A work from home policy is essentially an agreement that outlines everything needed to allow employees to work from home without causing any disruption to company goals and procedures, and these tips will help employers do just that.  While the above are general guidelines, every company has specific needs.  Talk to us today to help you update your policy!

Work From Home vs Remote Work

Remote Work and Work From Home are not the same...

Work from home is remote work BUT remote work is NOT work from home.  Understanding the difference and implementing compliance and policy will make all the difference in your business.  The current pandemic has forced the hands of many businesses to adopt these, what have been in the past, unorthodox work methods.

 

Many people understand remote work as working from home, and they are not wrong per se. However, remote work has a broader meaning. It is work that doesn’t take place in a traditional office. In other words, a remote job means you won’t be driving to the same physical business or office building Monday through Friday and staying there for the duration of an eight-hour shift. Keep in mind that a non-traditional workplace can be anywhere with high-speed internet access, like a co-working space or even a coffee shop. While work from home is a subgroup of remote working environments, there are huge differences between the two options, as you will get to understand in this article.

 

Work from Home 

 

Working from home means that you have a full-time job and flexibilities that allow you to work from home when needed. For some employees, it means being able to balance the demands of others who depend on your help with the demands of paid work. This practice has become more accepted as organizations continue to evolve and understand the ever-changing needs of their employees, especially when it comes to schedules. For instance, an employee may have a medical appointment on a particular day, and it’s more productive for her to work from home if the doctor’s office is just a short distance from her home.

 

However, if you choose to work from home, you must put systems in place to be successful—things like a dedicated home office space, a defined work schedule, and clear boundaries for friends and family. No matter how flexible your schedule is, you need to plan ahead and know when you’re going to work. After these arrangements are established, your home can become an ideal workplace, even while juggling domestic tasks.

 

Remote Work

 

Remote working, on the other hand, is synonymous with being a digital nomad, a person who can work from any place in the world with his/her digital devices and access to a fast internet connection. As a remote worker, you can connect with your employer or teams digitally while seated at a café or sunbathing in a resort halfway across the world. Also, a remote worker may never have to meet their employers physically, due to their variable location, and most likely won’t be required to attend company events or training in person. However, a remote worker must always be reachable and available for online meetings in case vital information needs to be passed on or for necessary discussions.

 

Of course, remote working also means that you don’t have a set office time, and your schedule and hours remain yours to develop, and you can move from remote workplace to remote workplace as you see fit. Organizations often employ the services of remote workers, who already have good working experience, for smaller projects since little to no training is required. 

 

While work-from-home opportunities entail commuting from your bedroom to your office—pants optional and pajamas welcome—working remotely outside the home has more ‘x’ factors built in. Working from home means that your environment is static. Same internet, same desk, same space to keep your laptop. Working remotely involves traveling from your home to wherever you choose to work and being in a public or semi-public environment. This can pose many risks, since the internet connection can be compromised and human error increases exponentially, leaving your technology unsecured or even lost!

 

This being said, it is extremely important that while the trend may be work from home that can blur to remote work, you, as a business, need to ensure that you have the right technology, practices, protocols and security in place to ensure that your employee’s choice of venue does NOT leave your company vulnerable.

 

Don’t Be a Robot: You Cannot Automate Your Ethical Considerations

As published in the New York State Bar Association Corporate Counsel Inside Newsletter Winter 2016.

I could say that today’s lawyer faces a myriad of challenges when it comes to staying abreast of emerging technology and client considerations, but let’s face it, every generation has its challenges.

A few years ago, I wrote articles and spoke on panels regarding Cloud computing and I hope you paid attention. Cloud computing is now the backbone of most emerging technologies out there. More and more, technology vendors base their platforms in the cloud. It is cost effective, mobile, and more secure.

To illustrate it in simple terms, have you noticed the trend of diminishing hard drives and cell phones that come in 32GB models? Do you wonder why? Simply, the trend is to now store everything in the cloud and for good reason. TECH FAILS. The only thing that can help you avoid data loss is redundancy. Sure, you can store your information on a local hard drive but you are doing your clients a disservice by not storing data in the cloud.

To address the mounting concerns and opinions regarding the legal profession and technology, the American Bar Association drafted a model rule in which it is imperative that the attorney stay abreast of legal trends. No longer is ignorance of technology an excuse for not fulfilling your ethical obligations. On March 28, 2015,  the New York State Bar Association agreed by adopting a variation of the ABA’s model rule 1.1 pertaining to competence:

To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer’s practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable continuing legal education requirements under 22 N.Y.C.R.R. Part 1500.

In other words, lawyers cannot be ignorant of technology in their practice or, even, their day-to-day lives because our ethical obligations do not stop when we leave the office. We carry around our laptops, cell phones and various points of electronic vulnerabilities so that we need to be vigilant. Vigilant in terms of password protection, knowing how to wipe your data remotely and even checking the permissions of a mobile app you are downloading.

Notably, the rule says benefits AND risks. I am an early adopter. I like technology and we have a rapport. That’s not to say that I think that all technology is for everyone. Part of your ethical duty is knowing your limits. Just because a software boasts of all the bells and whistles, if you can’t learn the software (it may not be you but them), don’t use it. You are putting your clients at risk because you know just enough to be dangerous.

For a moment, let’s take a step back in time. Let me take you, once again, through the basics of cloud computing. In simple terms, cloud computing is any data that does not reside on your hard drive or on your local server (if you have servers in your office). The first iteration of the cloud is voicemail. Answering machines were replaced with voicemail, which meant that your messages were stored on a remote server that required you to use a code to retrieve them. Although this was a shift in where personal and official information was stored, I cannot remember anyone wondering whether this would be an issue of confidentiality or otherwise.

In the various local and state bars you will find more than a handful of opinions about the cloud and technology in general, and I think it all boils down to the adopted rule above. Use technology. Your clients and your practice demand that you do, but be smart about it. Know the risks. What I find the most interesting, and seems a bit counterintuitive, is the relaxing of the rules when it comes to legal practice and ethical obligations. This, by no means, reflects a relaxation of our ethical obligations but is a testament to the evolving technology.

When lawyers began to use third party emails such as Gmail, the question was whether there were ethical issues with using unencrypted email. If you’ll recall, there were vendors (and they probably still do exist) that sell encrypted email platforms, one that requires authentication to open the email. Not to say there isn’t a place or a reason for this, but not many of us would need that level of security. It is also cumbersome and delays pertinent information to your client.

So how do the courts view this use of the cloud? An opinion rendered in 1998 in New York State said that a lawyer may use unencrypted email to transmit confidential information since it is considered as private as any other form of communication. The reasoning was that there is a reasonable expectation that email will be as private as other forms of telecommunication. However, the attorney must assess whether there may be a chance that any confidential information could be intercepted. For example, if your client is divorcing his or her spouse, an email that both spouses share, or even an email to which the non-client spouse has access, should not be the method of communication. The attorney must seek alternate methods of communicating.

Gmail will also scan keywords in your email and provide relevant advertising. For instance, if you were discussing shoes in an email, the email service provider would tailor ads when you were in the email inbox and you would now be receiving advertisements for Zappos or any other shoe vendor. After all, nothing is better than a captive audience.

So, the question now becomes whether a lawyer can use an email service that scans emails to provide computer-generated advertisements. The New York State Bar Association opined in Opinion 820 (2/8/08 (32-07)) that, yes, it was okay, since the emails were scanned by machine and not by human eyes. If the emails were read by someone other than sender and recipient, the opinion would have certainly been different.

Which now brings us to emerging technologies. This can come in so many different forms such as keyword searches to automated documents to utilizing big data (i.e., databases of information) to gain an edge over your adversary. We are all familiar with these concepts in one form or another such as HotDocs, OCR, and litigation review platforms but the technology continues to be more sophisticated and more intuitive. Even to the point that there are services out there marketing to in-house counsel that their software can review contracts and technologies that will help you parse together a contract, all at the click of a button.

How ethical can this be, and where is the line between streamlining legal fees for your clients and just malpractice?

Pursuant to ABA Rule 5.4, a lawyer, when advising his or her client, must exercise independent professional judgment.

The rule of thumb being, you can use technology up to a point. The attorney still needs to review the work product and maintain a level of control over the final product. You can use technology as it was meant to be, a tool, but you are the one representing the client. It is up to you to present independent legal counsel to them. The technology is there to help you help your client.

Among the best practices in utilizing emerging technology is sourcing the right technology for you and your practice. What will help you in your field to best represent your client? This could mean document automation, an online docketing system or an online intake platform. Also, recognize whether your clients will be open to this technology. After all, if your clients won’t want to use this technology, you are now hindering your representation of them.

You should also be careful to vet your technology vendors. What is their reputation? Where do they store your information and how can they ensure the confidentiality of your client’s information? These are all questions that need to be addressed. Vendors that service the legal industry should easily be able to give you the answer to these questions. Read their terms of service. If you don’t like something, negotiate. We are lawyers, after all!

And, most importantly, if you decide to discontinue the use of the software, what will become of your data? Is it data you’ll want to export out or ensure that it is destroyed?

The New York State Bar Association Ethics Opinion 842 offers some guidance on choosing vendors, specifically cloud vendors, which is relevant because, as I mentioned above, most legal technology does run in a cloud environment:

  • Ensure that the online storage provider has an enforceable obligation to preserve confidentiality and security and will notify you of a subpoena.
  • Investigate the online storage provider’s security measures, policies, recoverability methods, and other procedures.
  • Ensure that the online storage provider has available technology to guard against breaches.
  • Investigate the storage provider’s ability to wipe data and transfer data to the attorney should you decide to sever the relationship.

Our obligations to keep abreast of changing law don’t stop there. We owe it to our clients to take advantage of technology in our practice and to do so safely. Pick and choose what works for you and leave what doesn’t. Technology, after all, is only as good as its user and that’s okay.

 

 

 

Being Prepared When the Cloud Rolls In

As published in Technology and the Law Section of the New York State Bar Association publication October 2014

 

Natalie Sulimani (natalie@sulimanilawfirm.com) is the founder and partner of Sulimani & Nahoum, PC. She is engaged in a wide variety of corporate, employment, intellectual property, technology, Internet, arbitration and litigation matters. She counsels both domestic and international clients in an array of industries, including Internet and new media, information technology, entertainment, jewelry, consulting and the arts. Ms. Sulimani earned her LL.B. from the University of Manchester at Kiryat Ono, Israel. This article first appeared, in a slightly different format, in the Fall 2013 issue of Inside, a publication of the NYSBA’s Corporate Counsel Section.

By Natalie Sulimani

With each new technological advance comes at least one new word, if not a whole new language. It seems as if once you get a handle on one term there is yet another one to learn – crowdfunding and crowdsourcing, to name a few. And then there is social media, which should not be confused with social networks, of course. This is all in the spirit of service to technology and innovation. But none strike more fear in the heart of attorneys lately than the ubiquitous term “cloud computing.” What is the cause of the shudder you just may have felt run through the legal profession? Maybe the discomfort comes from the natural desire in the field of law to control as much of our client’s situation as possible, and cloud computing is an environment that we, as attorneys, cannot ultimately control. It is, by its very nature, in the hands of someone else. Hopefully, you have found a trusted Information Technology vendor to manage your part of the cloud.

But, while with technology the players and the terminology may change, what does not change is an attorney’s ethical obligations. We have a duty to maintain confidences, a duty to remain conflict free in our representations and, of particular interest to me lately, a duty to preserve.

The lesson has been taught, and sorely learned, that files must be backed up. Hard drive failures are, unfortunately, a reality. So, you back up to an external hard drive. Except the unwritten rule of the cyberverse is hard drives always fail. Always. Recently, the onslaught of natural disasters, the latest being Hurricane Sandy on the East Coast, has taught some lawyers a very harsh lesson. Redundancy is important. Maintaining files in multiple locations is a must. How many files were lost due to flooding or a server going underwater? How many attorneys were unable to access their files because of these or other similar catastrophes? If it was even one, then it was too many. And worse yet, there is no reason for such things to happen.

Early in my solo career, I had a breakfast networking meeting with an attorney from a midsize firm and the discussion turned to the topic of working from home. Now, technically, I do not have a virtual law firm, but I do consider myself mobile as an attorney. I think most of us do. Technology allows us to do so. Moreover, the amount of work necessitates that we work remotely. Clients expect you to be available on their schedule, and worse yet, clients or opposing counsel may live in a different time zone. Not everyone exists on Eastern Standard Time. So, I casually asked, “How do you manage your work from home?” The answer was, “I email my files to myself.” I followed up with, “Okay. To your firm’s address?” The response that mentally gave me pause was, “No, personal email address.” There seemed something wrong about this, but more on that later.

Opinions regarding maintaining confidentiality are numerous, frequent and, as we move forward technologically, the subject keeps returning like a bad penny. We all know that we need to maintain confidentiality. But the challenge as we progress may be to understand new technology so that we are able to use it to be more efficient, while at the same time being confident that we are maintaining client confidentiality.

History and the Ethics Trail to Cloud Computing

If you have attended seminars on cloud computing, then you may know that the first iteration of the cloud was voicemail. Answering machines were replaced with voicemail, which meant that your messages were stored on a remote server that required you to use a code to retrieve them. Although this was a shift in where personal and official information was stored, I cannot remember anyone wondering whether this would be an issue of confidentiality or otherwise. The result was everyone kept answering machines over voicemail for the convenience of listening to messages anywhere.

The next step in cloud computing came in the form of third-party email providers like Gmail, Yahoo, MSN, Hotmail, AOL, and others. These services stored our communications on remote servers in any number of locations, but most important, all this information resided in the cloud. Again, almost everyone is happy to access his or her email from anywhere without fretting over the fact that all our words and thoughts are floating out there in the cloud.

So how do the courts view this use of the cloud? An opinion rendered in 1998 in New York State said that a lawyer may use unencrypted email to transmit confidential information since it is considered as private as any other form of communication. Unencrypted means that, from point to point, the email could be intercepted and read. The reasoning was that there is a reasonable expectation that e-mail will be as private as other forms of telecommunication. However, the attorney must assess whether there may be a chance that any confidential information could be intercepted. For example, if your client is divorcing his or her spouse, an email that both spouses share, or even an email to which the non-client spouse has access, should not be the method of communication. The attorney must seek alternate methods of communicating.

Gmail did add an extra twist, which other email service providers quickly copied. As a “service” to you, email service providers started to scan emails in order to provide you with ad content. They would scan keywords in your email and provide relevant advertising. For instance, if you were discussing shoes in an email, the email service provider would tailor ads when you were in the email inbox and you would now be receiving advertisements for Zappos or any other shoe vendor. After all, nothing is better than a captive audience.

So, the question now becomes whether a lawyer can use an email service that scans emails to provide computer-generated advertisements. The New York State Bar Association opined in Opinion 820 (2/8/08 (32-07)) that, yes, it was okay, since the emails were scanned by machine and not by human eyes. If the emails were read by someone other than sender and recipient, the opinion would have certainly been different.

And now to the topic at hand: storing client files in the cloud. Through services like Dropbox, Box.com, Rackspace, Google Docs, and others, an attorney can add to his or her mobility and efficiency by storing client files online. Although I know there is a lot of debate surrounding this practice, I do not see how it is very different from storing client files off-site in a warehouse. In the cyberworld, electronic files are held by a third party on a secure remote server with a guarantee that they will be safe, and only authorized persons will have access. In the brick-and-mortar world, paper files are held by a third party in a warehouse with the same guarantees. Both are equally secure and equally liable to be broken into by nefarious agents bent on getting to the diligently hidden confidential information. Again, the technology might change, but the principles are the same. One should not be more or less afraid of one method of storage over the other.

A number of state bar associations have been grappling with the issue of cloud computing and the ethical issues it raises; these include North Carolina, Massachusetts, Oregon, Florida, as well as our esteemed New York State Bar Association. However, surprisingly, to date only 14 of the 50 states have opined regarding use of cloud computing in the legal profession. One would think more would have joined the fray in giving their lawyers some guidance.

The American Bar Association amended its model rules last year, perhaps as a beacon to other bar associations, but certainly as a guide for other states.

Model Rule 1.6 holds:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Across the board, opinions are cautious about using cloud computing in the practice of law, but there is nothing about it that could be called unethical. The ethical standard of confidentiality is reasonable efforts to prevent disclosure. The question, therefore, lies in what is considered reasonable efforts.

Rule 1.6(a) of the New York Rules of Professional Conduct states that “[a] lawyer shall not knowingly reveal confidential information . . .” and, at Rule 1.6(c) goes on to say that “[a] lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidential information of a client.”

It is safe to assume that Rule 1.6(c) imposes the obligation for lawyers to use reasonable care in choosing their cloud computing and/or IT vendors, but indeed those lawyers may take advantage of the cloud and employ those who provide and manage those services in good conscience.

In fact, in September 2010, the New York State Bar Association issued Ethics Opinion 842 regarding the question of using an outside storage provider to store client information. The question that was asked of the New York State Bar Association was whether a lawyer can use an online storage provider to store confidential material without violating the duty of confidentiality.

So What Exactly Is the Cloud?

To understand what the issue is and why it may pose a problem, it is best to understand what it means to store information in the cloud. A cloud, in its simplest terms, is a third-party server. The server on which the information is stored is neither on the law firm’s premises nor owned by the law firm. The law firm’s IT person or department does not in any way maintain the system where the database is stored. It is in the hands of a third party offering a service.

An internal storage system is a closed circuit, meaning there is a direct line from your desktop to the firm’s server. Absent hacking, the information is controlled internally. Once removed from this closed system and stored in the cloud, your information may be more vulnerable because you have now created access points through which others may gain access to that data. To illustrate, data will now flow out over the Internet and beyond your control to get to the remote server where it is housed. However, encrypt the data and you have limited the exposure. As stated above, once the data is encrypted, it would take a nefarious and willful mind to be able to read what you are sending into the cloud.

Why Should You Move Your Data to the Cloud?

There are many reasons why you would want to move to the cloud and many reasons why it is prudent to move your storage to the cloud. To begin with, properly using cloud computing in the storage of client information reduces the possibility of human error. Emailing files to yourself, transferring them to a thumb drive, and storing client files in offsite warehouses, to name a few, are all steps that introduce and increase the chance for human error. Emailing files to your personal email account runs the risk that your family would access your email at home; thumb drives get lost; people break into warehouses; and natural disasters happen that can destroy files. Cloud computing, by contrast, puts your files in the hands of competent IT professionals who will secure your information and provide the necessary redundancy so that if a server goes down your files will live on and be available when you need them from another server. Their major, if not sole, purpose (and the reason you pay them) is to safeguard your files and ensure that you will always have access to them when necessary, so they are highly motivated to do it well and properly.

In March 2012, the Federal Trade Commission (FTC) issued a report titled Protecting Consumer Privacy in an Era of Rapid Change. While attorneys may be subject to higher standards in keeping client confidences, I think this is a good guide in understanding the technology and best practices associated with it.

The FTC report recognized that businesses are moving to the cloud because it improves efficiency and is cost effective. However, the overarching concern is privacy. The FTC recommended overall guidelines for technology and consumer data. In particular, there are four recommendations that businesses should follow:

• Scope: Define what information is stored.

• Privacy by Design: Companies should promote privacy in their organizations.

• Simplified Choice: Simplify choice so that the customer is able to choose how information is collected and used in cases where it is not routine, such as order fulfillment.

• Greater Transparency: Companies should be transparent in their data practices.

Using these guidelines, what are best practices for attorneys?

• Consider what client information you will store in the cloud.

• Privacy is easy to ensure; attorney-client privilege should be maintained.

• Determine what information you will share with your clients. For example, will you share their case files with them? You can pick and choose what you share with your clients in the cloud for greater collaboration and reduction of emails going back and forth with attachments. They can upload their data in a secure environment, and you can share information in a secure, password-protected environment where you can ensure that only a specific client or clients have access.

• Choice and transparency go hand in hand. While it is the attorney’s best judgment in deciding how to reasonably protect client information, you should make your client aware that you are using these services. Build it into your retainer. If, for any reason, your client objects, you will know and can deal with the reasons why right at the beginning. It may take just a short conversation about the confidentiality, reliability and ease of the cloud to assuage any fears or concerns.

• Finally, have a breach-notification policy in place. This is not just for your corporate clients; any client whose information is in the cloud should be notified of and subject to this policy.

Now that I have you on board with moving your files to the cloud, consider that you need to exercise “reasonable care” in choosing a cloud provider. New York State Bar Association Ethics Opinion 842 offers some guidance:

• Ensure that the online storage provider has an enforceable obligation to preserve confidentiality and security and will notify you of a subpoena.

• Investigate the online storage provider’s security measures, policies, recoverability methods and other procedures.

• Ensure that the online storage provider has available technology to guard against breaches.

• Investigate the storage provider’s ability to wipe data and transfer data to the attorney should you decide to sever the relationship.

Read the Terms of Service and, when you can, negotiate with the cloud vendor. Cloud vendors update their policies and may be willing to change their practices to meet the needs of their (and your) clients. If you have concerns and/or specific needs, contact the vendor, and if it is unwilling to change its practices, go somewhere else. Frankly, there are many online storage providers so be discerning when it comes to client data.

While utilizing an online storage provider, consider its encryption practices. Will your data be stored encrypted? Will you encrypt the data en route to the online storage? And who has access while it is being stored? Also, if the online storage provides access on mobile devices, add security by password-protecting the online storage’s mobile app, just as you would your computer, laptop, tablet and mobile phone. After all, just as in the non-cyber world, a big threat to effective storage is human error. Therefore, it is of utmost importance that you know how to remotely wipe the data if your device is lost or stolen. One aspect of mobile storage to be aware of is that when you download client data to your mobile device, it may be downloaded to your SD card. Whether you want this is something to consider; take steps to avoid it, if desired. This is an example of the importance of understanding how the technology works, understanding where problems, such as interception, may occur, and ultimately how to take steps to avoid them. Education is key.

In short, the advantages of cloud computing as outlined in this article make it a perfect complement to an effective and successful law practice. There is little difference in the potential ethical issues or any other such problems that exist in the cloud and in the brick and mortar world of physical offsite storage of clients’ files. Rather than running away from this new technology, it would be better to embrace it by learning more and making wise decisions that will minimize potential pitfalls down the road, while at the same time increasing the ease and usefulness of client communication and interaction.