A Practice Smart(TM) Feature
I read an interesting article by Nicole Black, an attorney who writes and speaks on the intersection of law, technology and social media, and who is the author of the book “Cloud Computing for Lawyers.” She recently published an article entitled “What Lawyers Should Know About Cloud Computing Security.”
Here are the points she made in the article.
The most important thing to understand when deciding whether to house confidential client data in the cloud is that absolute security is an impossibility. She says that this fact is recognized by the vast majority of legal ethics committees that have addressed this issue. They seem to say that “exercising ‘reasonable care’ does not mean that a lawyer guarantees that the information is secure from any unauthorized access.”
According to a recent Oregon State Bar opinion, the reasonable steps that must be taken to ensure the security and confidentiality of client information include: “Ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify Lawyer of any non-authorized third-party access to the materials. Lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer’s duties.”
Ms. Black believes the difficult part of ensuring compliance with your ethical duties is knowing which questions to ask. She suggests that lawyers use the following list of questions as a starting point:
- What type of facility will host the data?
- Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees?
- Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance?
- Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?
- How frequently are back-ups performed? How are you able to verify that backups are being performed as promised?
- Is data backed up to more than one server? Where are the respective servers located? Will your data, and any back-up copies of it, always stay within the boundaries of the United States?
- How secure are the data centers where the servers are housed?
- What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?
- Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?
- Are there redundant power supplies for the servers?
- Does the contract include a guarantee of uptime? How much uptime? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?
- If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back-ups?
- What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited?
- Does the agreement contain a forum selection clause? How about a mandatory arbitration clause?
- If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
- What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another?
- What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you back up your data locally so that it is accessible to you should you need it?
- Does the provider carry cyber insurance? If so, what does it cover? What are the coverage limits?
The list isn’t exhaustive, and there are other issues to explore. But, she notes, the bottom line is that the key to ensuring that your confidential client data is secure in the cloud is to learn as much as you can about cloud computing, make sure that you have a basic understanding of the concepts, review the applicable ethical rules in your jurisdiction, and ask appropriate questions of (and receive adequate answers from) your chosen legal cloud computing provider.
Practice Smart(TM) Features are a service of Michael Blum and Appeal Funding Partners, LLC. The Features are thoughts from a variety of sources on our practices, on being trial lawyers and things of importance to trial lawyers and their clients.