A lawyer is legally obligated to maintaining the confidentiality of his client’s information. Today, more and more lawyers are using the Internet in their day-to-day functioning. They may use cloud services to save data. And as this practice grows, so does the risk of making the client’s confidential information vulnerable to vested interests.
For the uninitiated, cloud computing involves the transfer and/or storage of data on the Internet. Such services provide lawyers with a means to store and share documents, draft litigation papers and connect with their clients.
While making use of these services can be helpful, it can also lead to the exposure of the client’s confidential information, amounting to illegal disclosure. In fact, it may be considered a breach of a lawyer’s responsibility to protect the client’s confidences.
Why Disclosures Are Worrisome
When storing or transferring data to the cloud, lawyers need to exercise extra caution and be mindful of securing their client’s information from the roving eyes on the Internet. Using cloud services, typically, involves collaborating with a service provider, who gives the lawyer access to the data over the Internet through the use of a Web browser.
Transmitting or storing client’s information using this technology can make it susceptible to unauthorized access by third parties, which may result in the misuse of/tampering with information. This unintended disclosure of such confidential information can conclude in a waiver of the attorney-client privilege.
Several ethical issues may spring up when lawyers store confidential data on external servers, which are managed by third parties. In fact, over the last few years, numerous ethics committees have grappled with the ethical concerns presented when attorneys use cloud computing in legal practice.
The same committees have put forth their opinions:
- North Carolina State Bar Council 2011 Formal Ethics Opinion 6
- Massachusetts Bar Association Ethics Opinion 12-03
- Oregon State Bar Formal Opinion No. 2011-188
- Professional Ethics Committee of the Florida Bar Op. 10-2 (2011)
- New York State Bar Association’s Committee on Professional Ethics Op. 842 (2010)
- Pennsylvania Bar Association Ethics Opinion No. 2010-060 (2010)
- Iowa Committee on Practice Ethics and Guidelines Ethics Opinion 11-01
So far, the ethics commissions in the US have conceded that the use of cloud computing by lawyers is ethical. However, it also says that all lawyers making use of such technology should ensure that private data is protected from unauthorized access.
The Iowa opinion, Ethics opinion 11-01, demonstrates and suggests a well-balanced and in-depth analysis of a lawyer’s ethical obligations at the time of using cloud computing platforms for storing client’s confidential data. It says:
“When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”
Apart from that, the Committee also provided a detailed list of recommended questions that lawyers must ask all technology vendors, and not only cloud computing services, before using their facilities. These questions have been formulated with the aim of helping lawyers get a good idea of the standards of security of these services.
Mentioned ahead are certain considerations that have culminated from the said questions:
- The lawyer should know whether or not he will have unrestricted access to the stored data.
- Requirement of passwords to protect/access the data.
- Formalities pertaining to the setting of the password.
- Storing the data in multiple places to be able to access it from another location, should the original source deny access.
- Carrying out adequate due diligence regarding the company that will be responsible for storing the data.
- Checking for the availability of recommendations and references from other reputed lawyers/law firms for the company in question.
- People with the right to access your data.
- Possibility of providing access only to certain part of the data as opposed to the entire data, which may need to be protected.
- Acknowledging and prioritizing the degree of protection to be provided to confidential data. Use of high-level encryption tools to ensure the security of the data that may be more sensitive than others.
- Headquarters of the company being considered and other countries/regions of business.
- Availability of end user’s licensing agreement (EULA) and whether or not it mentions the legal restrictions regarding responsibility or liability, choice of law or forum, or limitation on damages.
- Considerations regarding EULA granting the company rights (proprietary or user) over the data.
- Cost of the services provided by the company, the mode of payment, and penalties in case of non/delayed payment.
- Checking if a financial default will result in the loss of access to the data, losing copyright, losing the data to the Software as a Service (SaaS) company, or destruction of the data.
- Terminating agreement/contract with the SaaS company.
- Type of notice required by the EULA.
- Conditions related to retrieving data, and whether or not the SaaS maintains a copy of it.
It is best that the lawyer and client mutually decide on the legal matters related to confidentiality in the initial phases of the case discussion, in order to avoid conflicts over the use of cloud platforms for storing a client’s sensitive information later on. In fact, this should be done prior to the drafting of the engagement letter. It is suggested that the engagement letter clearly mention the scope of the use of the Internet for:
- The dissemination of the client’s confidential information via email clients such as Microsoft Outlook.
- Saving client’s sensitive information to the cloud so that the entire team of lawyers can access it from anywhere at any time.
- Using web-based tools of communication.
It is always better for lawyers to avoid risks when handling confidential data, as unwarranted and illegal disclosures could wreak havoc on their practice and reputation. The above points should give you a good idea of what working with sensitive information entails. Understanding them will help you know as to why it is crucial that you avoid the common pitfalls when dealing with privileged client information.