The Legal Ethics Requirements Associated with Cloud Computing

February 14, 2013

Like businesses in virtually all other fields, legal service providers now routinely use cloud computing services provided by outside vendors.  This form of outsourcing of critical information technology services has significant legal ethics implications.  State bar organizations in several states have begun to address this issue, and fairly clear compliance standards for legal professionals are emerging.

Cloud computing is commonly defined as the use of pooled computer resources that are conveniently accessed and shared on an as-needed basis.  Popular applications of cloud computing include on-demand access to software (often referred to as “software as a service”) and data storage capacity.

The pooled computer resources provided by cloud computing often provide significant cost and efficiency advantages to users.  When cloud computing services are provided by outside parties, however, the user generally loses some level of control over the material processed by the cloud network.

The loss of control over content presents important data security issues for cloud users.  This security concern is particularly significant for legal service providers who operate under ethical requirements for preservation of confidentiality for client communications and data.

Approximately 13 state bar organizations have addressed the issue of cloud computing use by legal service providers.  All of those organizations have approved use of cloud computing to support legal services, provided that “reasonable care” is applied when cloud services are used.

Key components of reasonable care in the context of cloud computing include the following:

Due Diligence Before Using Cloud Services

Legal service providers should consult with computer security experts before using cloud computing services.  They should understand the potential security threats they face and identify both the best available security measures and generally accepted commercial security standards.  Legal service providers should assess the different levels of security sensitivity associated with their data and communications and develop plans to manage each type of data and communications appropriately.  They should determine which materials, if any, should also be retained in hard-copy, paper form.

Establish Appropriate Relationships with Cloud Service Providers

Substantial care should be applied in the selection of cloud service providers.  Only reputable and reliable service providers should be used.  Written, fully enforceable service agreements should be used to define all the terms of service.  The legal service provider should fully understand all aspects of the terms of service, particularly the provisions applicable to data security, procedures associated with security breaches, upgrades and enhancements to security measures, and back-up systems and processes in the event of security breaches or other service failures.  The terms of service should also provide that ultimate control over the data involved, including ownership and control of the data when the service arrangement ends, should rest with the legal service provider, not the cloud service provider.  Adequate and enforceable non-disclosure provisions for confidential and proprietary material should be included in the terms of service.

Special Care for Extremely Sensitive Material

Legal service providers should take exceptional steps to secure their most sensitive data, communications, and other materials.  Those special materials should be identified and evaluated specifically by legal service providers before being included in cloud computing systems.  As appropriate, separate data management and security practices should be applied to the most sensitive materials.  In some cases, specific client approval should be obtained prior to including highly sensitive client materials in cloud computing networks.

Continuously Review and Enhance Security Measures

Legal service providers should conduct ongoing monitoring of the security of their cloud computing activities.  They should work with their cloud service providers to anticipate potential security threats and to analyze fully all security breaches they encounter.  Terms of service applied to cloud computing services should be reviewed and re-examined on a regular basis.  Legal service providers should remain informed of advances in cloud computing security technologies and capabilities.

Cloud computing offers an important tool for legal service providers.  Compliance with legal ethics obligations, however, requires that legal service providers be informed and disciplined users of cloud services.