A Practice Smart(TM) Feature*
By Tad Thomas, Esq.
“Cloud computing” generally refers to the process of storing data on a third party server that can be accessed using the Internet. According to the Pennsylvania Bar Association, cloud computing is “a fancy way of saying stuff’s not on your computer.” Pennsylvania Bar Association Formal Opinion No. 2011-200. With the advent of high-speed Internet connections and cheap data storage, cloud computing can provide attorneys with a cost effective means to store and access their information. A service like DropBox starts at only $9.99 a month and, like other cloud-based data storage services, provides the benefit of mobile access using not only laptops, but also smart phones and tablets.
Whether attorneys are using cloud-based service providers for merely storing files, or for maintaining a robust case management software, they must be cognizant of the ethical obligations that arise from storing confidential client information on someone else’s servers. Fortunately, the bar associations of many states have issued opinions governing how attorneys can use cloud computing to store client data. Indeed, every state that has rendered an opinion on an attorney’s use of cloud computing has stated that it is a permissible activity. In general, each of those opinions impose the same standard of care on attorneys, namely, that they must use “reasonable care” when storing confidential client information on the cloud.
Reasonable care is defined a bit differently in each opinion, with Pennsylvania being the most restrictive, but many requirements are common amongst the states. Specifically, attorneys using cloud-based service providers must:
- Ensure that the cloud provider’s user agreement acknowledges the information stored will be kept confidential;
- Stay up to date with the current technology to ensure that they are using adequate measures to protect client information;
- Be able to recreate the original paper document if needed;
- Ensure that only authorized personnel can access the information;
- Confirm the extent to which the cloud provider backs up data;
- Be able to access and delete the information if the service is terminated by either party.
The first step any attorney should take in finding a cloud-based service provider is reading the company’s “user agreement” or “terms and conditions.” Most user agreements are adhesion contracts and will not offer an attorney the option for negotiation. Things that an attorney should look for in reviewing the provider’s terms and conditions includes, identifying whether or not the attorney retains ownership of the information stored on the account. Recently, the social media site Instagram announced that its terms and conditions provided that any photograph uploaded to its servers gave it ownership rights in that photograph. Thus, Instragram took the position that it was allowed to use its member’s photographs for any purpose, including selling those photographs to a third-party. After a public uproar and the loss of many of its members, Instragram recanted that position.
Attorneys should also examine user agreements for language requiring the provider to give notification to the user if information is subjected to illegal access or attempted illegal access. Many states require that the attorney find a service that will notify users if there is a security breach, so that the attorney can further relay that information to their clients.
Most well-established cloud-based storage providers maintain levels of security that meet strict industry standards. This includes providing military grade encryption during uploads, downloads and storage of the data. Encryption is an electronic way to scramble the files to prevent them being accessed by third parties. Only persons with the right “key” are able to access the files once they have been encrypted. The Oregon Bar Association has said that, under certain circumstances, an attorney’s duty of reasonable care may be satisfied through a third-party vendor’s compliance with those industry standards. Oregon Bar Association Formal Opinion 2011-188.
Attorneys can also increase the security of their data by adding another level of encryption with services like Sookasa, Boxcryptor, Cloudfogger, or Secretsync. These services, all of which will work with the larger cloud service providers, add an additional level of encryption and give only the attorney access to the “key” for unlocking those files.
Many of the opinions go on to discuss an attorney’s obligation to take actions even before using cloud-based service providers. This includes taking reasonable actions to protect the firm’s internal networks and computers from unauthorized access or viruses. The primary means for network protection is a quality firewall. Firewalls are devices designed to limit outside access to the network and notify operators if there is an attempted infiltration.
Most attorneys understand that the duty of confidentiality is the most important obligation we have to our clients. However, in the cloud computing context, bar associations recognize that reasonable care does not mean that a lawyer must guarantee that information will be “utterly invulnerable against all unauthorized access.” New Jersey Bar Association Opinion 701. Regardless, to meet the standard of care these opinions require, attorneys must make sure they are educated on the security features that available to protect their client’s information and exercise due diligence to ensure that those tools are implemented in their practices.
To determine whether your state bar association has rendered an opinion in this area, visit the American Bar Association’s website at http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.
Mr. Thomas has recently returned to private practice after being asked to serve three years in the Office of Kentucky Attorney General where he supervised the Offices of Civil and Environmental Law, Medicaid Fraud, Consumer Protection and Rate Intervention. Mr. Thomas also handled a docket of civil litigation that included both high profile and complex litigation.
Currently, Mr. Thomas operates a private practice in Louisville, Kentucky, focusing primarily on civil litigation. He is a frequent lecturer and has conducted seminars on technology, including the use of litigation management and trial preparation software, ethics and mediation. He is a cum laude graduate of Salmon P. Chase College of law and obtained his undergraduate degree from Georgetown College. www.tadthomas.com.
The information in this article is provide for informational purposes only and with the understanding that the author is not engaged in rendering legal, accounting, tax or other professional advice or services. The discussion is not intended as legal advice and cannot be relied on for any purpose without the services of a qualified professional.
*Practice SmartTM Features are a service of Michael Blum and Appeal Funding Partners, LLC. The Features are thoughts from a variety of sources on our practices, on being trial lawyers and things of importance to trial lawyers and their clients.
Michael Blum is a trial attorney and CEO of Appeal Funding Partners, LLC with over 17 experience easing the financial hardship and stress of attorneys and plaintiffs with money judgments on appeal. He has served on the Board of Directors of the Consumer Attorneys of California and of the Marin Trial Lawyers Association and is an active member of the American Association for Justice. He regularly speaks to trial-lawyer groups and has written for TLA publications on the financial management of a contingency-fee law firm. He may be contacted at 415-729-4214.
If you would like to be informed of these Articles, please CLICK HERE to fill in your details.