Francesca Giannoni-Crystal, “Something’s got to give” – Cloud Computing, as applied to lawyers – Comparative approach US and EU and practical proposals to overcome differences – My presentation at the Scuola Superiore Sant’Anna (Pisa, Italy) Symposium “Getting around the cloud(s) – Technical and legal issues on Cloud services” (November 30, 2013)

 

Francesca

In my talk I will provide some elements to understand the benefits and risks of cloud computing from an American lawyer’s perspective. I will then go on to analyze the approach of American ethics opinions to cloud computing. Next, I will discuss the different implications of privacy law for cloud computing under an American perspective, as opposed to a European perspective. Finally, I will provide some practical tips for an international law firm using cloud computing.

1. Benefits and risks of cloud computing from an American perspective

Article 29 Working Party Opinion 05/2012 says that cloud computing “consists of a set of technologies and service models that focus on the Internet-based use and delivery of IT applications, processing capability, storage and memory space”. The three service models are: (1) Software as a Service (SaaS); (2) Platform as a Service (PaaS); (3) Infrastructure as a Service (IaaS). The four deployment models are: (1) private cloud; (2) community cloud; (3) public cloud; and (4) hybrid cloud. A private cloud is an IT infrastructure dedicated to an individual organization, while a public cloud is an infrastructure owned by a provider that makes it available to several users. A “community cloud” is for the exclusive use of a specific community of consumers, while a hybrid cloud couples a private infrastructure with services purchased from public clouds. While some big law firms have a private cloud, the majority of American lawyers use a public cloud.

The main benefits for law firms are substantially the same worldwide and consist of (a) efficiency, (b) convenience and flexibility, (c) reduced costs, and (d) compliance with the ethical duty of competence. I will focus on the fourth.

The most fundamental ethical obligation for a lawyer is the duty of competence, reflected in ABA Model Rule 1.1. Violation of the duty of competence, in the form of “failure to know”, has been reported by the ABA as the most common ground for malpractice. Based on Model Rule 1.1 (and its state versions), the duty of competence was generally thought to include a duty to be aware of modern technologies. On August 6, 2012, the ABA codified this by adding a new Comment [8] to Rule 1.1: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Currently only one state (Pennsylvania) has adopted the amendment. The use of cloud computing can help lawyers comply with their duty to be tech-savvy, because cloud services generally provide up-to-date software, backups, and so on.

I will not talk about all the possible risks; I will mention some American wrinkles.

First of all, the cloud implicates several ethical rules.

(1) Duty of Confidentiality (Model Rule 1.6). See especially paragraph (c) (“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”) and Comment [18], which lists several “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts”. However, the cloud should not cause excessive concern, provided that lawyers use “reasonable care” in choosing the cloud service, as many ethics opinions around the U.S. have specified;

(2) Duty to Safeguard Client Property, Model Rule 1.15 (Safekeeping Property). Rule 1.15(a) is relevant especially in the part providing: “Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation”;

(3) Duty of Supervision of Non-Lawyers, Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance). The use of cloud computing can create a risk of lack of supervision, exactly as with any other person that a law firm uses for certain of its activities. Comment [3] to the Rule is relevant: “A lawyer may use non-lawyers outside the firm to assist the lawyer in rendering legal services to the client. …. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations” (emphasis added). In the case of cloud computing, lawyers must use reasonable efforts to ensure that the cloud provider operates in a manner compatible with the rules of professional conduct (see the ethics opinions discussed below). In 2004 the ABA published guidelines for lawyers’ ethical use of paralegals (“Guidelines on Paralegals”), from which lawyers can draw guidance in dealing with cloud providers;

(4) Duty to communicate with the client. Model Rule 1.4(b) imposes on lawyers a general duty to communicate (“A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”). The duty to communicate extends to the law firm’s technology choices. Accordingly, clients need to know where the cloud stores their data in order to make informed decisions (for example, whether to retain the law firm). Law firms should develop policies on technology issues, include these issues in the firm’s engagement agreements, seek client consent to those policies, and invite clients to inform their lawyers if they wish the firm to use a different approach. Note also ABA Formal Opinion 11-459, opining that lawyers should warn clients of the risks when “sending or receiving substantive communications with a client via e-mail or other electronic means … about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.”

Second, the cloud can generate risks of malpractice, not only as an indirect consequence of violating the ethical duties mentioned above but also from other angles. For example, claims for conflict of interest under Model Rule 1.7 may arise in the choice of a cloud computing provider, similar to what happened to the law firm Boies Schiller & Flexner in its choice of a document management company, where the problem was the law firm’s lack of disclosure (see http://online.wsj…). In addition, I want to mention one possible claim connected to a critical issue in the American system: possible loss of the attorney-client privilege because of the cloud provider’s conduct. The use of the cloud does not in itself amount to a waiver of the privilege, either because the provider can be seen as an agent of the lawyer or because the lawyer did not intend to waive the privilege and took reasonable precautions to protect it. However, cloud services have the “potential” to cause a constructive waiver of the attorney-client privilege. In federal cases (and in some states), the question of when an inadvertent disclosure amounts to a waiver of the privilege is governed by Federal Rule of Evidence 502, which is based on a reasonable-precautions standard. Outside those cases the issue is far from settled, because courts follow different approaches to inadvertent disclosure: some have held that any disclosure amounts to a waiver of the privilege; others that a lawyer’s inadvertent disclosure cannot waive the privilege unless the client wants to waive it; and others that the privilege is not waived by an inadvertent disclosure if there was no intent to waive and the lawyer took reasonable precautions. In these cases the focus should be on the reasonable precautions. Communications to the provider should not amount to a waiver, since the provider can be considered an agent; the lawyer can also show the adoption of reasonable precautions and the intention not to waive the privilege.
I also want to mention that the cloud has some critical aspects for law firms that work for the government or for defense contractors and that are in possession of technology or information relevant under the International Traffic in Arms Regulations (ITAR). Indeed, the use of cloud computing by those entities, and also by their lawyers, when the cloud servers are located outside of the U.S., may amount to an “export” under applicable law. ITAR § 120.17(4) defines export to include “[d]isclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad”. Compare, however, the Department of Commerce (BIS) Advisory Opinion of January 2009, issued under the Export Administration Regulations rather than ITAR, according to which the cloud provider is not considered the “exporter” when a user exports data through the cloud.

Third, errors in cloud computing can result in a security breach under the relevant laws. Forty-six states, the District of Columbia, and some territories have enacted personal information protection laws requiring notification of security breaches involving personal information. These laws require notification if personal client information is inadvertently disclosed. At the federal level, the SEC (Division of Corporation Finance) has outlined requirements that companies report cyber theft and attacks. However, even where a law firm would not be required to do so by a security breach law or regulation, “a law firm representing … clients that suffered a security breach would be ethically required to inform the … clients about the breach so that they could make informed decisions regarding the matter.” Professor Crystal, Technology and Confidentiality, Part II, SC Lawyer, November 2011. To be sure, the risk of a security breach is not necessarily increased by the use of the cloud; if anything the reverse is true: service providers often hold security certifications attesting to the security level of their systems, which law firms’ own systems generally do not have. A certification attests to audited controls at a point in time, not to the absence of breaches, so the firm should still ask how the provider will detect a breach and notify the firm of it.

Fourth, the cloud implies some technical risks. To be clear: these technical risks can result in an ethical violation, legal action (in tort or contract), damage to reputation, or all of these. Technical risks fall into two categories: external risks, associated principally with the provider of the service, and internal risks, associated with the firm’s ability to adopt and execute policies and procedures to deal with the risks associated with the service, for example the risks deriving from the firm’s lack of control over the devices its members use to access the cloud. I will not talk about these risks here. We deal with them in our paper “Something’s got to give” – Cloud Computing, as applied to lawyers – Comparative approach US and EU and practical proposals to overcome differences (forthcoming). For a discussion of the risks, see the recently issued report The Cloud and the Small Law Firm: Business, Ethics, and Privilege Considerations (November 2013), issued by the Small Law Firm Committee of the New York City Bar.

2. Approach of American jurisdictions to cloud computing

Ethics opinions on cloud computing in at least sixteen U.S. jurisdictions have concluded that the use of the cloud is ethical (Alabama, Arizona, California, Connecticut, Florida, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, New York, Nevada, North Carolina, Oregon, Pennsylvania, and Vermont). There are early opinions comparing the cloud to “third-party storage of client files” (Nevada and New Jersey) and more recent opinions describing current cloud-based systems in much more tech-savvy language (for example Massachusetts and Connecticut). The principles expressed in the two groups of opinions, however, are similar. Both old and new opinions hold that, while cloud computing is ethical, a lawyer must use “reasonable care” in using it. In addition, some opinions have addressed the issue of obtaining client consent under certain circumstances. For example, PA Formal Opinion 2011-200 states that if “an attorney intends to use ‘cloud computing’ to manage a client’s confidential information or data, it may be necessary, depending on the scope of representation and the sensitivity of the data involved, to inform the client of the nature of the attorney’s use of ‘cloud computing’ and the advantages as well as the risks endemic to online storage and transmission”. The approach of most ethics committees has been to decline to set forth explicit conditions precedent to cloud computing. Pennsylvania has set forth what is likely the most extensive list of considerations (a 15-point list, with additional sub-points, to help define the cloud computing standard of “reasonable care”). The California opinion suggests reviewing not only the security a particular form of technology affords but also the additional security that can be used to enhance it. The California opinion also cautions lawyers to weigh inadvertent disclosure and its impact on applicable privileges.
Other considerations identified by the California committee include the sensitivity of the information, the urgency of the situation, and the opportunity to adhere to client instructions regarding the use of technology. The North Carolina opinion suggests including, in the agreement with the provider, clauses on how security will be handled (in accordance with the lawyer’s ethical obligations), a plan for retrieving data if the service is interrupted or discontinued, and a contractual obligation for the provider to return or destroy data at the lawyer’s request; it also suggests evaluating how the provider backs up data, reviewing any user or license agreement, and reviewing the provider’s data safeguard measures. New York adds that a lawyer might want to ensure that the provider has an enforceable obligation to preserve security and confidentiality and to notify the lawyer if the provider is served with process requiring it to produce client information. The New York opinion adds that a lawyer should periodically review the safeguards in place in light of advances in technology and should take appropriate action if the provider experiences a security breach. One note: European readers should not be surprised that none of these opinions mentions privacy (in the sense of data protection). The reason is that in the U.S. there is no general law of privacy as there is in Europe.

What about client consent? A lawyer who handles particularly sensitive client information should consider obtaining informed consent from the client before transmitting client information. See again Pennsylvania Opinion 2011-200, which states that if “an attorney intends to use ‘cloud computing’ to manage a client’s confidential information or data, it may be necessary, depending on the scope of representation and the sensitivity of the data involved, to inform the client of the nature of the attorney’s use of ‘cloud computing’ and the advantages as well as the risks endemic to online storage and transmission.” Conversely, client consent might not be sufficient in the case of highly sensitive information, so a lawyer may need to consider additional security measures or forgo cloud storage altogether. See the Florida opinion (Opinion 13-2), which warns that a “lawyer should consider whether the lawyer should use the outside service provider or use additional security in specific matters in which the lawyer has proprietary client information or has other particularly sensitive information.”

Let’s talk now about email encryption, an issue that is “contiguous” to cloud computing and should be carefully considered by law firms. The issue is contiguous because email is the most used cloud computing service. In the great majority of American jurisdictions, failure to encrypt emails, even without client consent, is not unethical unless special circumstances occur. However, where the content of an email is highly confidential, a lawyer should pause before sending it in unencrypted form. At least twenty-five jurisdictions and the ABA have issued opinions on the use of encryption by lawyers. The overwhelming majority view is that encryption is not required unless special circumstances call for it (for example, highly sensitive information). ABA Formal Opinion 99-413 opined that sending unencrypted e-mail over the Internet is not unethical (confirmed by Opinion 11-459).

3. Some practical tips for an American law firm that wants to put its “head in the cloud”.

The risks identified above are manageable if the law firm performs accurate due diligence (balancing benefits and risks) and uses reasonable care. Where a risk cannot be avoided, the law firm should ask for client consent. In our paper “Something’s got to give” – Cloud Computing, as applied to lawyers – Comparative approach US and EU and practical proposals to overcome differences (forthcoming) we outline five steps that are relevant in determining the due diligence obligations of a firm that is considering using cloud computing services:

i. Identify the type or types of cloud services that the firm is considering using and conduct a cost/benefit analysis.

ii. Identify the risks associated with the particular cloud services that could result in ethical violations, legal liability, or damage to the firm’s reputation.

iii. Identify which measures could be taken to eliminate or minimize the risks associated with the use of cloud services. The paper contains a list of 14 questions that a law firm should ask and analyze. These questions can be summarized into a shorter due diligence standard (combining internal and external risks) for a firm deciding to use cloud computing: in deciding whether to use a cloud service, a firm should do due diligence on the provider, review the Service Agreement for compliance with the lawyer’s professional obligations (competence, confidentiality, communication, protection of property, and supervision of nonlawyer providers), and institute internal policies and procedures with regard to the use of the service to comply with the firm’s professional obligations. To receive a detailed checklist of questions, you can contact me at info@cgcfirm.com.

iv. Make the decision. Note that the decision is in part objective, looking at the direct economic costs and benefits associated with the service. However, a significant part of the decision is subjective, because it is based on anticipated benefits that are difficult to measure (such as an increase in productivity), on the likelihood that a risk occurs, and on the consequences to the firm and its clients if one of the identified risks materializes. If the firm decides to use a particular service but is unable to eliminate a risk, it would be prudent to identify that risk in the firm’s engagement agreement so that the affected clients can either consent or express their objections. The data of a client who objects should be handled without using the cloud service, if possible. An example of such a risk is a clause in the cloud service agreement that relieves the provider of liability for an unauthorized disclosure of data (which for most providers is non-negotiable). It may be wise for the law firm to include a reference to the provider’s disclaimer of liability (along with other critical non-negotiable provisions) in its engagement agreement with clients.

v. Post-decision obligations. The cloud computing inquiry should not be static. As technology and the law related to technology evolve, lawyers’ understanding should keep pace: lawyers should stay abreast of best practices in data security and implement them, periodically review data security measures (both the providers’ and their own), and stay abreast of changes in the law, particularly as they relate to privileges and their waiver.

4. Relevance of European privacy law to American firms

As noted, there is no general privacy law in the U.S. What is there instead? We must answer this question to understand whether lawyers’ use of the cloud in the U.S. faces a hurdle in privacy law. As a general principle we could say, perhaps somewhat simplistically, that U.S. privacy law is not a serious hurdle to the adoption of the cloud.

First of all, when we talk about privacy in the U.S. we refer to the right to protect personal information from public scrutiny. It is the right that Justice Brandeis defined as “the right to be let alone” from external interference (Warren and Brandeis, “The Right to Privacy”, 4 Harvard L.R. 193 (Dec. 15, 1890)). The right of privacy so understood is well developed in the U.S.: protection ranges from the Fourth Amendment’s right to be free from unreasonable searches and seizures by the government, to protection against intrusion upon solitude and seclusion in private quarters and against the public disclosure of private facts, and from the right not to be cast in a “false light” to protection against the appropriation of a person’s name and likeness. Not so developed in the U.S. is “data protection” as understood in Europe (where, as you know, privacy is intensively regulated, perhaps for historical reasons). The U.S. does not have a general privacy law like European Directive 95/46.

At the federal level there is a sectoral approach to data protection legislation: the legislation covers only certain industries (health and financial services) and certain people (children under thirteen). Among the most important federal statutes on data protection are HIPAA (the Health Insurance Portability and Accountability Act), FACTA (the Fair and Accurate Credit Transactions Act), and COPPA (the Children’s Online Privacy Protection Act). While HIPAA protects “individually identifiable health information” and defines who can have access to health information, FACTA “protect[s] consumers’ credit information from the risks related to data theft”. COPPA, which is the most similar to European privacy law, “protect[s] the privacy of children under the age of 13 … [and] imposes [for example] an obligation on the operators of … websites [visited by children] to publish privacy policies specifying whether or not personal information is being collected, how this information is being used, as well as the disclosure practices of the operators of the websites.”

At a state level, most states have enacted some form of privacy legislation but, with the exception of California, data protection is generally limited to “data breach” laws.

As for data collected by businesses, the truth is that American businesses are largely self-policing, and enforcement is limited to a company’s own privacy policy. Consumers who want to do business with a particular retailer usually must agree to its privacy policy; in many cases there is no option to opt out other than not buying from that merchant. However, if a company has a privacy policy and does not comply with it, the U.S. Federal Trade Commission (FTC) can step in. The FTC is the largest federal agency that handles consumer complaints; it regulates unfair or deceptive trade practices. Even local trade practices deemed unfair or deceptive may fall within the jurisdiction of FTC laws and regulations when they have an adverse effect on interstate commerce. In case of a company’s non-compliance with its privacy policy, the FTC can bring claims, and so can a state attorney general, because the non-compliance can be a violation of Section 5 of the Federal Trade Commission Act (Unfair or Deceptive Acts or Practices, 15 U.S.C.A. § 45(a)(1)) or of its state equivalent. In addition, every state has enacted consumer protection statutes modeled after the Federal Trade Commission Act. This legislation allows state attorneys general, along with private consumers, to bring lawsuits over false or deceptive advertising or other unfair and injurious consumer practices. These claims can trigger treble damages and attorney’s fees.

EU privacy law might also be relevant for an American law firm. Pursuant to Article 4 of Directive 95/46/EC, European privacy law applies to an American law firm if: (1) the firm has an office in Europe (i.e. it has an “establishment” in a Member State); or (2) the firm, “for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.” Note that Article 29 Working Party Opinion 1/2010 (“on the concepts of ‘controller’ and ‘processor’”) stated that applying the equipment provision would require a “case-by-case assessment … whereby the way in which the equipment is actually used to collect and process personal data is assessed.” In Opinion 8/2010 the Working Party also stated that “if controllers established in different countries over the world have their data processed in a Member State of the EU, where the database and the processor are located, those controllers will have to comply with the data protection law of that Member State.” That opinion also criticized Article 4 because it may not lead to satisfactory conclusions in precisely such a case, and suggested that “additional criteria should apply when the controller is established outside the EU”, such as (1) the targeting of individuals, or a “service oriented approach” (the data controller collects personal data in the context of services explicitly accessible or directed to EU residents); and (2) the criterion of the equipment/means (where there is relevant infrastructure in the EU connected with the processing of information).
This interpretation is not the law, however. The law is that if a non-EU controller (for example a U.S. law firm) uses a cloud with equipment in Europe, the controller is subject to EU privacy law.

But let’s take a step back and identify two definitions relevant to the cloud: data controller and data processor. I will not dwell on the definitions here. I will only say that if a law firm decides to use the cloud, the law firm is the data controller (because obviously the law firm is the one that “determines the purposes and means of the processing of personal data” under Article 2(d) of the Data Protection Directive). The cloud provider is generally the data processor (so in the case of private clouds): a “processor” because under Article 2(e) it is the one that “processes personal data on behalf of the controller”. See Opinion 05/2012, which states in particular: “The cloud client determines the ultimate purpose of the processing and decides on the outsourcing of this processing and the delegation of all or part of the processing activities to an external organisation. The cloud client therefore acts as a data controller.” In certain cases, however, a cloud provider can also be a controller.

A last point: what if an American-based international law firm wants to use an American-based cloud provider also for its European office? It should be possible, provided that the American provider is Safe Harbor certified. In 2000 the U.S. and the EU agreed on the “Safe Harbor” framework. Put simply, an American cloud provider that follows the seven Safe Harbor Privacy Principles (notice, choice, onward transfer (transfers to third parties), access, security, data integrity, enforcement) and certifies its compliance (by third-party certification or self-certification) would demonstrate an “adequate level of protection” (Article 25 of the Data Protection Directive). All 28 EU Member States are bound by the European Commission’s finding of “adequacy”. This sounds like perfect logic … until we read Opinion 05/2012 on the point: “[I]n the view of the Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.” Opinion 05/2012 triggered a reaction in the U.S. The U.S. Department of Commerce’s International Trade Administration (ITA) issued a document titled Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing “to clarify that Safe Harbor continues to offer eligible U.S. organizations, regardless of whether or not they are operating in the cloud environment, an officially recognized means of complying with the Directive’s ‘adequacy’ requirement.” However, the ITA specifies that “a cloud service provider [is] required to enter into a contract [with the controller] even if it is Safe Harbor-compliant and is receiving personal data merely for processing”. Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing is available at https://business.usa… Of course, having and reviewing such an agreement is a fundamental aspect of reasonableness, as advised by all the American opinions and by the CCBE opinion.
And with that we close the circle.