Lawyers, Ethics, Security & The Cloud
The regulatory bodies governing lawyers have long recognized the benefits and the risks of information technology in modern legal practices. However, with “Cloud computing” seemingly (and finally) “catching on”, one can’t help but wonder when the ethical guidance provided lawyers will be amended to address its possible use by the legal community in Canada.
As for existing guidance for lawyers in Ontario, one need only refer to the Law Society of Upper Canada’s Technology Guideline and it’s 2001 Ethical Considerations and Technology. The Canadian Bar Association, in 2008, produced a very useful document with its Guidelines for Practising Ethically with New Information Technologies. I’ve actually had one American lawyer, active in the American Bar Association leadership, make very positive comments about the CBA Guidelines, suggesting that the ABA should produce a similar document. It is to be noted though, not unexpectedly given their dates of publication, that none of these documents expressly address the subject of cloud computing.
The National Institute of Standards and Technology (“NIST”) in the United States defines “Cloud computing” and identifies five essential characteristics:
On-demand self-service. A consumer can unilaterally obtain computing capacity as needed automatically.
Broad network access. Available over the network and accessed through thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. Multiple consumers are serviced with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capacity can be rapidly and elastically obtained, in some cases automatically, to quickly scale out and rapidly released to quickly scale in.
Measured Service. Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Cloud computing is far from mature though its use is growing. There are different types of Clouds (e.g. public, private) and different degrees of client control (at the software, platform or infrastructure levels) but the essential point is that client and firm data would be firmly ensconced in the hands of a third party vendor of technology services. Major “Cloud” providers include Google, Microsoft, IBM and Amazon. For those interested, David Navetta of the Information Law Group in the US has written an illuminating three-part analysis of the privacy/infosec aspects of Google’s Cloud contract with the City of Los Angeles.
In pondering the juxtaposition of Cloud computing, ethics and law practice management (since that is the purpose of lawyers and law firms using the Cloud), I recently had the benefit of a conversation with a good friend and colleague, Roland Trope, who practices in New York and serves as an Adjunct Professor at West Point. Roland’s presenting in a session at the 2010 ABA annual meeting in San Francisco on the ethical issues facing lawyers in their use of the Cloud. He’s co-written a very interesting paper with Claudia Ray outlining the issues about Cloud computing, and how, through an over-reliance on Cloud service providers, it may affect the ability of lawyers to provide competent representation. Some of the issues facing the legal profession (or anyone with sensitive data for that matter) that they have identified in their paper include:
- Program, operating system and upgrade instability;
- The ability to locate fault (i.e. whose network has the problem – the law firm’s or the cloud provider’s);
- Reduced or lack of control over (or even knowledge of) software changes;
- Diminished knowledge of data breaches;
- Reduced knowledge of, or control over, the movement/location of personal information or client confidential information; and
- Reduced ability to prevent government searches and seizures.
As might be expected, the issue of using the Cloud has already come up. North Carolina has a proposed ethics opinion on the subject of lawyers’ use of “software as a service” that permits such use, provided a long list of questions is addressed. A lawyer or law firm would have to obtain sufficient answers to permit a conclusion that the risk to the confidentiality and security of client file information is minimal. I’m not quite sure whether North Carolina’s opinion addresses all the issues – just as I’m not quite sure I agree with it – but to see what’s proposed go here and look for Proposed 2010 Opinion # 7 (about two-thirds of the way down the page).
The technology guidance issued by the Law Society of Upper Canada and the CBA appear to be written from a perspective of the law firm having ownership or certainly a greater degree of control over the technology on which client data is stored. That’s not a criticism but it’s likely time for regulators of the legal profession in Canada to update the guidance provided to lawyers to address the use of the Cloud.
This all presupposes that the legal profession uses (or will use) Cloud computing and digital onboarding resources. Whether or not lawyers or law firms should be using the Cloud is a separate question and one that deserves a very hard look.
One should also consider the country where the cloud or SAAS (Software as a Service) is hosted and the sensitivity of the information being processed.
Servers physically located on American soil are subject to the US Patriot Act, for example, where US officials are legally able to obtain copies of any information on any computer. Since such requests are made of the computer server owner without the customer’s knowledge, controlling privacy becomes pretty much impossible.
So for sensitive medical information, for example, cloud and SAAS services should be hosted on servers that are in legal jurisdictions that the customer is comfortable with. Most likely the home team will have a big advantage for this type of information processing as customers look for service providers in the same legal jurisdiction as themselves to keep things simple.
On the other hand, for the new corporate video that is being posted on a company website, the customer likely does not care that Home Land Security might take a look at it. In this case some cloud computing can be called into play from a US vendor to significantly boast “viewer capacity” of the corporate web site without the traditional hardware and software upgrades. The promise of cloud computing is a cost effective on-demand-pay-as-you-play service. If 10 people hit the new corporate video in the first day the price will be low. If 10,000 the price will be proportionally higher. The customer pays for just what is needed and no more.
Michael – good post – the ethics issues related to use of the cloud in law practice need much more attention. Another great article on this topic, worth a read, is “Intro to Cloud Computing and Its Ethical Implications –Is There a Silver Lining” by Jeremy R. Feinberg (Statewide Special Counsel for Ethics for the New York Unified Court System) and Maura R. Grossman (Counsel at Wachtell Lipton Rosen & Katz in New York). The article is available here: http://www.criminallawlibraryblog.com/2010/04/intro_to_cloud_computing_and_i.html.
Great article Michael. Cloud computing does seem like making great noise. It definitely needs lot of maturity on both sides – vendors and customers and hopefully the laws will be made to tackle the next generation of lawsuits that will arise out of this new business computing era.
[…] by lawyers is not new – I recommend this piece by Jeremy Feinberg and Maura Grossman and this blog post by E. Michael Power. A few State Bar associations have opined on the subject of lawyer use of cloud computing and […]
[…] by lawyers is not new – I recommend this piece by Jeremy Feinberg and Maura Grossman and this blog post by E. Michael Power. A few State Bar associations have opined on the subject of lawyer use of cloud computing and […]