At some point in the early to mid-2010s, jokes about “the cloud” were common. What’s “the cloud” mean? Where is it? Does anyone even know?
These days, most of us are pretty familiar with what cloud computing is and all the benefits that it offers. What’s less clear, though, is the ethical pitfalls that it poses. Yes, cloud computing is easier, more accessible, and perfectly suited for today’s pandemic workplace.
But for professional industries like law, there is the need to balance cybersecurity risks with the professional ethical responsibility to maintain attorney-client privilege and confidentiality. Without evaluating the issues that come with this territory, you leave your firm open to malpractice and bar complaints, loss of revenue, and loss of client trust.
Cloud Computing for Lawyers: The Lay of the Land
Although the legal industry has adopted cloud computing more slowly than others, it has a general level of acceptance. Cloud computing has been field-tested and numerous state bar associations have issued guidance that cloud computing is acceptable by industry standards. So, broadly speaking, an attorney can ethically use cloud-based services for confidential client information.
However, this is assuming that they’re using reasonable caution and care to protect confidential data. This doesn’t just apply to how the attorneys themselves are handling the data, though that is important as well. It means that vendors providing cloud-based services are ethically compatible with their legal obligations – something lawyers are responsible for knowing.
Questions to Consider
How is client information being protected?
Protecting your client information is a major professional responsibility, no matter how you’re storing it. But the questions for protecting client information are more involved when you’re involving a vendor in the process. You need to assess your cloud-based service vendors for the following:
- WIll the vendor ensure that confidentiality of client information is maintained? If so, how?
- How does the vendor protect client data from theft and cyber-attacks? What level of security is implemented, from password protection to data encryption?
- Who officially “owns” the data stored in the cloud?
- What will happen to the data if the business relationship is terminated? Will the vendor keep copies of data? What is their retention period?
- Where is the vendor’s server located? What state laws apply? International laws?
What are your terms of service?
As an attorney, you know the importance of reading terms of use/service and other fine print. So don’t forget to do it for cloud-based vendor agreements. Among the issues you’re looking for is whether the vendor is obligated to keep your client’s data confidential.
This is important because if your vendor is served with a subpoena, warrant, civil search and seizure actions or even the more benign request for information, you need to know that your client’s data isn’t disclosed. To provide additional security, consider building an agreement into your contract with your vendor addressing confidentiality needs.
What goes where: How to decide what files belong on the cloud?
If you’re moving over to the cloud, you’ll appreciate the ease and accessibility that it offers you. But do you have a plan for records management? Retention and access are a big part of appropriately handling confidential information. You need to know which files are stored in the cloud, how long they’re going to be there, and what you’re doing to back up the data. (Yes, you still need a backup plan!)
How are you handling vendor relations?
Your vendor relationships are a key part of your professional network, but at some point, you may need to change. When that happens, you need to be assured that you can move the data from one server to another.
And you can’t just move a copy of records over to another vendor. You need to be sure that you have a satisfactory agreement with your old vendor as to how client data is handled if your contract with them is terminated.
What are the mobile technology risks?
These days, your smartphone and tablets can be as useful as your laptop. Cloud computing is amazing because it lets you connect with your client information from anywhere at any time.
But mobile technology has its own set of risks. They’re easier to lose or have stolen. If lost or stolen, how easily accessible are your accounts?
It’s common to have cloud drives accessible without needing to log in from your phone. Also, our phone isn’t protected by the same kinds of virus protection and cyber defense tools that your computer has.
To guard against these risks, you need to implement good security practices for your mobile devices. Logging out of accounts when you’re done using them and using strong passwords and encryption provide a higher degree of security.
It’s a cliche that technology is always changing, but we should still recognize the fact that the way that attorneys use online platforms for professional activities will undergo changes as new tools become available. There is never just one answer. Instead, the best thing that attorneys can do is find efficient ways to evaluate ethical duties and risks with professional tools.
Cloud computing can provide great value and benefit to lawyers, as long as they’re sure to conduct their due diligence in selecting a vendor.
For even more information on selecting a cloud-based practice management system, visit the CosmoLex Cloud Computing & Security Resource Center.