Protecting Client Information: Should Lawyers Be in 'The Cloud'?
A recently issued report of the Committee on Small Firms of the New York City Bar, "The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations," provides a helpful introduction to the subject of cloud computing, and considerable guidance to practitioners.1 But, perhaps necessarily, the report does not give a definitive answer to the fundamental question: When—if ever—should lawyers use cloud computing in the context of the practice of law? This article will review the report and will seek to provide additional guidance to the perplexed practitioner or managing partner.
Before either defining "the cloud" or surveying the city bar report, it is essential to place in context the limitations on lawyers' ability to protect confidential information in our digital universe. There are two dimensions to the challenge of preserving confidential information. First, if anyone still believes that the National Security Agency (NSA) does not have the ability to access any and all data that can be accessed using the Internet, they are living in what an English politician (many decades before the term cloud computing was invented) referred to as "cloud cuckoo land." Similarly, the recent loss to hackers of the personal financial information of 40 million customers by the Target retail store chain highlights the fact that even giant corporations, with technology budgets that presumably dwarf the resources of most, if not all, law firms, are unable to guarantee the security of their customers' information.
Taken together, these realities necessarily lead to a conclusion that is fundamental and critical to understanding the duties of lawyers—there is no such thing as digital data that is completely secure. Another way to express that conclusion is that "security" is a relative state and never absolute. The corollary to that principle is the question that lawyers must address when trying to fulfill their duties in this realm—What constitutes "secure enough" when it comes to preserving the confidentiality of client information?
The second dimension of the problem facing lawyers moves the discussion from the first, theoretical expression of the problem, to the practical. This is best understood by taking two hypothetical situations.
Law Firm "A" has decided to secure the confidentiality of its clients' data by ensuring that all the data is stored on servers owned, operated and controlled by the firm. Because the firm has limited resources, the servers are kept in a closet inside the firm's offices. The firm's backup data is not transmitted over the Internet, but is kept on hard drives that are transported back and forth from the home of the firm's senior administrator. In neither location are the servers or the discs physically secured, either by lock and key in the office (otherwise the janitors would not be able to access the server room to clean) or in a safe at the administrator's home. The law firm has a complex set of policies that essentially prohibit all the firm's lawyers and staff from copying client data onto any medium that can be removed from the firm's offices—but no means of effectively enforcing those prohibitions.
Law Firm "B" has decided that A's approach is unworkable, because the absence of meaningful physical security for the servers or backup data means that the data is vulnerable to intruders (and insiders). Also, "B" is concerned that the data is not adequately protected, because it can simply be transferred to "flash" (sometimes called "thumb") drives or transmitted over the Internet to the personal devices carried by all its lawyers. Accordingly, "B" has decided to use a "cloud" solution—all its clients' data will be encrypted and transmitted to a server farm owned by a third-party cloud computing solutions provider.
The server farm (as confirmed by the law firm) is located in a remote desert town in a Western state, is surrounded by 14-foot-high barbed wire fences and is patrolled by armed guards carrying machine guns and supported by vicious guard dogs. Firm "B" also has a BYOD ("bring your own device") policy that requires all the lawyers to register their personal devices with the firm so that they can be remotely wiped if they are lost. But no one knows for sure if all the lawyers are in compliance with the policy.
The question is: Which firm's clients' data are either (a) more secure, or (b) sufficiently secure?
Risks and Duties
The city bar report properly acknowledges, in the Introduction, that: "whether confidential and privileged information remains on-site within the firm, resides on the servers of a third-party cloud provider, or rests in the drives of smartphones, tablet PCs or laptops, attorneys must know the rules and potential disclosure risks, and exercise reasonable care when choosing computing technologies and service providers." The report then sets itself the task of exploring "the landscape of what is reasonable care."
The city bar report thoroughly and carefully defines what is meant by "the cloud," going into some depth as to the various models of service provision that are available to lawyers and law firms, and the different kinds of security protocols that these models provide. The report then moves to consider the challenges which these alternative approaches present to lawyers and, in that context, addresses in detail the two fundamental issues that lawyers need to consider before deciding to put data in the cloud:
A. How secure will be the data hosted with the cloud provider? Will privilege and confidentiality be maintained in the cloud provider's servers as well as in transmission to and from those servers?