“He has his head in the clouds,” – a familiar expression used to refer to someone who is theoretical, impractical, or dreamy. However, for lawyers today being in the clouds is not only practical, it may be “inevitable.”
Cloud computing seems to be everywhere lawyers turn, from email to legal research to data storage and case management. Despite this availability to many lawyers the technology is daunting and the legal and ethical implications of use of cloud services unclear. In this period of rapid change, the recent release by the New York City Bar of a report by its Small Law Firm Committee on Cloud Computing is most welcome.
The Report identifies major risks associated with the use of cloud services, which the report divides into external and internal categories. External risks involve principally the provider of the service and include the following:
- Unauthorized disclosure resulting from security breaches of the provider;
- Other unauthorized disclosures resulting from inadequate procedures by providers to deal with demands for information, such as subpoenas;
- Lack of clarity about ownership and provider ability to license use of the data;
- Temporary loss of access to data due to internet connection failure, provider maintenance, or provider failure;
- Permanent loss of data resulting from provider business failure;
- Geographical risks associated with location of servers housing the data in other countries where the governing law may be different;
- Problems of return of the data on termination of service.
The internal risk is that the firm will fail to adopt and implement policies and procedures designed to eliminate or minimize the external risk associated with the use of cloud services. In addition, regardless of whether they use cloud services, law firms face their own internal risks in handling data; they need to have appropriate policies and procedures to eliminate or minimize risk associated with their own storage and use of data. For example, firms need to have policies regarding the types of devices that lawyers can use in dealing with client data and disposal of those devices.
The Report notes the ethical duties implicated by these risks: competency (ABA Model Rule 1.1), communication (Rule 1.4), confidentiality (Rule 1.6), Maintenance, preservation and delivery of client property on termination (Rules 1.15 and 1.16), and supervision (Rule 5.3). Of particular note is the ABA’s addition to Rule 1.1 of comment 8, which now states: “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
The Report concludes with eight suggested guidelines for lawyers considering use of a cloud services. I found particularly useful Guideline 4, which deals with key contractual terms in service level agreements that lawyers should carefully review before employing a cloud service provider.
The Report concludes “Go Forth, with Care,” to which I would add “always remembering that when dealing with clouds, you need to ‘Keep Your Feet on the Ground.’”
Ken Rashbaum, Co-director of Training of Technethics, was one of the coauthors of the New York City Bar Report. For the full text of the report, see http://www2.nycbar.org/pdf/report/uploads/20072378-TheCloudandtheSmallLawFirm.pdf.
For more information contact Nathan M. Crystal