Lawyers, Ethics, Security & The Cloud
The regulatory bodies governing lawyers have long recognized the benefits and the risks of information technology in modern legal practices. However, with “Cloud computing” seemingly (and finally) “catching on”, one can’t help but wonder when the ethical guidance provided lawyers will be amended to address its possible use by the legal community in Canada.
As for existing guidance for lawyers in Ontario, one need only refer to the Law Society of Upper Canada’s Technology Guideline and it’s 2001 Ethical Considerations and Technology. The Canadian Bar Association, in 2008, produced a very useful document with its Guidelines for Practising Ethically with New Information Technologies. I’ve actually had one American lawyer, active in the American Bar Association leadership, make very positive comments about the CBA Guidelines, suggesting that the ABA should produce a similar document. It is to be noted though, not unexpectedly given their dates of publication, that none of these documents expressly address the subject of cloud computing.
The National Institute of Standards and Technology (“NIST”) in the United States defines “Cloud computing” and identifies five essential characteristics:
On-demand self-service. A consumer can unilaterally obtain computing capacity as needed automatically.
Broad network access. Available over the network and accessed through thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. Multiple consumers are serviced with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capacity can be rapidly and elastically obtained, in some cases automatically, to quickly scale out and rapidly released to quickly scale in.
Measured Service. Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Cloud computing is far from mature though its use is growing. There are different types of Clouds (e.g. public, private) and different degrees of client control (at the software, platform or infrastructure levels) but the essential point is that client and firm data would be firmly ensconced in the hands of a third party vendor of technology services. Major “Cloud” providers include Google, Microsoft, IBM and Amazon. For those interested, David Navetta of the Information Law Group in the US has written an illuminating three-part analysis of the privacy/infosec aspects of Google’s Cloud contract with the City of Los Angeles.
In pondering the juxtaposition of Cloud computing, ethics and law practice management (since that is the purpose of lawyers and law firms using the Cloud), I recently had the benefit of a conversation with a good friend and colleague, Roland Trope, who practices in New York and serves as an Adjunct Professor at West Point. Roland’s presenting in a session at the 2010 ABA annual meeting in San Francisco on the ethical issues facing lawyers in their use of the Cloud. He’s co-written a very interesting paper with Claudia Ray outlining the issues about Cloud computing, and how, through an over-reliance on Cloud service providers, it may affect the ability of lawyers to provide competent representation. Some of the issues facing the legal profession (or anyone with sensitive data for that matter) that they have identified in their paper include:
- Program, operating system and upgrade instability;
- The ability to locate fault (i.e. whose network has the problem – the law firm’s or the cloud provider’s);
- Reduced or lack of control over (or even knowledge of) software changes;
- Diminished knowledge of data breaches;
- Reduced knowledge of, or control over, the movement/location of personal information or client confidential information; and
- Reduced ability to prevent government searches and seizures.
As might be expected, the issue of using the Cloud has already come up. North Carolina has a proposed ethics opinion on the subject of lawyers’ use of “software as a service” that permits such use, provided a long list of questions is addressed. A lawyer or law firm would have to obtain sufficient answers to permit a conclusion that the risk to the confidentiality and security of client file information is minimal. I’m not quite sure whether North Carolina’s opinion addresses all the issues – just as I’m not quite sure I agree with it – but to see what’s proposed go here and look for Proposed 2010 Opinion # 7 (about two-thirds of the way down the page).
The technology guidance issued by the Law Society of Upper Canada and the CBA appear to be written from a perspective of the law firm having ownership or certainly a greater degree of control over the technology on which client data is stored. That’s not a criticism but it’s likely time for regulators of the legal profession in Canada to update the guidance provided to lawyers to address the use of the Cloud.
This all presupposes that the legal profession uses (or will use) Cloud computing resources. Whether or not lawyers or law firms should be using the Cloud is a separate question and one that deserves a very hard look.