
Protecting Client Confidentiality In the Cloud
Daniel E. Lawrence 4-26-16

“Cloud computing” – the remote use by a lawyer of software and other IT resources located at some site other than the lawyer’s office, over the Internet, using either a browser or some other form of software in a client-server arrangement – is rapidly gaining acceptance among members of the legal profession.  Since 2013, the American Bar Association’s (ABA) annual TechReport has conducted a survey of ABA members concerning their use of cloud computing.  Some viewed the results as surprising: though only a minority of jurisdictions had issued ethics opinions providing guidance on how lawyers should square their confidentiality obligations with the perceived risks that cloud computing poses to those obligations, approximately a third of all lawyers surveyed reported using some form of cloud-based service.  ABA TechReport 2014 – Cloud Computing, http://www.americanbar.org/publications/techreport/2014/cloud-computing.html (last visited April 6, 2016).  That number has held more or less steady through the similar surveys performed in 2014 and 2015.

Despite its wide adoption, the legal profession seems to view practitioners’ use of cloud computing – and particularly its most popular incarnation, cloud-based file hosting and storage solutions, such as OneDrive and DropBox – with a persistent undercurrent of fear and suspicion.  The basis for this sentiment is easily understandable: when it is placed on the servers of a third-party provider of cloud computing services, the same information that lawyers are uniformly bound to keep confidential by various states’ rules of professional conduct can, to a greater or lesser extent, be accessed by that third-party provider.  And unlike offsite storage of physical documents, an attorney using a cloud provider most likely has no idea where their data is actually located, compounding concerns.  The following provision in one version of Google Drive’s terms of service provoked a furor when it was introduced in March of 2012, seeming to confirm the worst fears of privacy advocates and confidentiality-obsessed lawyers alike:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

Google Terms of Service – Privacy & Terms (March 1, 2012), available at https://www.google.com/policies/terms/archive/20120301/ (last visited April 6, 2016).

The natural suspicions that these facts and circumstances give rise to are aggravated by the fact that adoption of cloud computing by the legal profession is outstripping the rate at which state ethical authorities have been able to issue guidance on its use.  Lawyers in most jurisdictions are using cloud storage and other cloud computing services without any formal guidance as to how they can do so ethically: as of the date of writing, only 18 jurisdictions have formally issued ethics opinions addressing how lawyers can utilize cloud computing while still honoring the obligations imposed by Model Rule 1.6 (and its state analogs).  Though those jurisdictions are among the most populous, with the largest contingents of practicing lawyers (including all of the West Coast states and most of the East), it is nonetheless certain that many lawyers using cloud computing in their practice are doing so without the guidance of their state ethics committee.

That said, although the jurisdictions that have weighed in differ in some of their particulars (for instance, in the various factors and criteria that practitioners are instructed to consider in connection with the analysis of whether and how to use a cloud computing service), all have agreed on two key points: first, that cloud computing may be used by practitioners in a manner consistent with their respective jurisdictions’ rules of professional conduct; and, second, that the standard for ethical use of cloud computing is one of “reasonable care.”  See American Bar Association – Cloud Ethics Opinions Around the U.S., available at https://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html (last visited April 19, 2016).

Sources of Recordkeeping Requirements

Law offices are subject to record-keeping requirements that arise out of various sources.  Law firms can, for example, become "business associates" of physicians and other healthcare provider clients as that term is defined under the Health Insurance Portability and Accountability Act (HIPAA), requiring them to store certain types of records for no less than 6 years.  See 45 C.F.R. § 164.316(b)(2).  Clients may also be subject to record retention requirements imposed by the Occupational Safety and Health Administration (OSHA), state or federal tax code, state probate codes, statutes of limitation, or other statutory or regulatory authority which indirectly affect the lawyer's own record-keeping obligations.  The Model Rules of Professional Responsibility address record retention only indirectly, in their provisions (Model Rule 1.15, chiefly) prescribing the duty to safeguard client property, by suggesting that at least “records of such [client] account funds and other property” of the client should be kept for five years. 

The point is, what constitutes an appropriate retention period for file materials is going to depend upon a variety of factors.  However, it may be worth noting that the longer a record is kept unnecessarily, the greater the risk that the information contained in the record is going to be, in some regard, exposed.  Given the rapidly increasing rate at which data breaches occur, it is becoming increasingly probable that every organization of any size will, at some point, be the victim of a breach.  See Verizon – 2015 Data Breach Investigation Report, at 1, available at http://www.verizonenterprise.com/DBIR/2015/ (last visited April 19, 2016) (reporting 79,790 security incidents; 2,122 resulting in confirmed data loss); see also, e.g., The Hill – Corporate data breaches ‘inevitable,’ expert says, available at http://thehill.com/policy/cybersecurity/225550-cybersecurity-expert-data-breaches-inevitable (last visited April 19, 2016).  An example from recent headlines that may hit close to home for some practitioners was the infiltration of the cloud-based notetaking program Evernote in March of 2013.  As many as 50 million Evernote accounts were compromised.  See CNN – 50 million compromised in Evernote hack, available at http://www.cnn.com/2013/03/04/tech/web/evernote-hacked/ (last visited April 19, 2016).
Given Evernote’s popularity with attorneys (articles, blog posts, CLEs, and even books have been authored touting the virtues of incorporating Evernote into one’s practice – see, e.g., Evernote for Lawyers: A Guide to Getting Organized and Increasing Productivity, http://www.amazon.com/Evernote-Lawyers-Increasing-Productivity-Management-ebook/dp/B00DKCQWHU (last visited April 7, 2016)), and the fact that Evernote’s total user base did not exceed 100 million users until more than a year later, in May of 2014 (Evernote Blog – We have 100 million people to thank, available at https://blog.evernote.com/blog/2014/05/13/evernote-reaches-100-million-users/ (last visited April 19, 2016)), the odds are better than even that a not-insignificant number of those 50 million compromised accounts belonged to attorneys.

Data Storage Options

It makes sense to discuss, briefly, types of cloud computing arrangements.  Experts generally recognize two chief infrastructure models for cloud computing: "private cloud" and "public cloud."  Public cloud vendors provide their services over the Internet via infrastructure that belongs to and is managed by the service provider.  Though the customer's data is siloed and logically segregated from that of other customers so that only authorized users can access it, the underlying infrastructure is still shared.  The major providers of cloud computing services that have the most name recognition - Google Docs, OneDrive, DropBox, etc. - fall into this category.  A private cloud, conversely, is generally dedicated to a particular user, serving only that organization's needs and likely using infrastructure that is administered and controlled by that organization.  Microsoft, VMware, and OpenStack all offer private cloud solutions.  The chief difference between the two arrangements essentially boils down to control: a public cloud customer has no practical ability to control where and how its data is hosted, whereas a private cloud customer has such control, to a greater or lesser degree.

The chief way that a lawyer can exercise the "reasonable care" required of him or her by the rules is through the careful selection of a solution - whatever the architecture, whether private or public cloud - that will provide adequate assurances of confidentiality. This is where the rubber meets the road, so to speak, in virtually all of the ethics opinions that address the confidentiality of client data in cloud computing.  A lawyer exercises reasonable care by selecting a provider who will safeguard client data.  This is consistent with the instructions of Rule 5.3, regarding non-lawyer assistance:

With respect to a nonlawyer employed or retained by or associated with a lawyer:            

(a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer;

(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer . . .

KRPC 5.3.

Although every jurisdiction thus far agrees that cloud computing can be used ethically and in conformity with the attorneys' obligations under Rule 1.6, the guidance that they provide regarding how an attorney should approach the selection of a cloud computing provider is not uniform. There is, however, a common thread running through their ethics opinions, which is that the selection process entails, at the least, some consideration of the technological security measures that are employed by the vendor to secure client data, and an understanding of the vendor's terms of service and their bearing on confidentiality-related issues.  For example, Connecticut emphasizes that "the lawyer outsourcing cloud computing tasks. . . must exercise reasonable efforts to select a cloud service provider [who]  . . . is able to limit authorized access to the data, ensure that the data is preserved . . . [is] reasonably available to the lawyer, and [is] reasonably safe from unauthorized intrusion."  Connecticut Informal Opinion 2013-07.  Massachusetts likewise focuses on selection criteria, instructing that practitioners should review a cloud computing provider’s written policies and procedures pertaining to access to confidential data, review security practices such as encryption and password protection, and examine the providers' service history.  Massachusetts Ethics Opinion 12-03.  Oregon suggests that a lawyer should "investigate how the vendor backs up and stores its data and metadata."  Oregon Formal Opinion 2011-188.  And Pennsylvania prescribes no less than 33 factors that an attorney should take into account when evaluating cloud computing service providers.  Pennsylvania Formal Opinion 2011-200. 

But some commentators evaluating the emerging body of ethical authority have noted - probably quite rightly - that the steps some of the state ethics authorities prescribe are often not practical, nor even realistic. In most cases, attorneys lack the technical expertise to perform anything but the most superficial assessment of the technological measures that a cloud computing provider uses to secure data.

But does the lawyer, as Alabama suggests, really “have a continuing duty to stay abreast of appropriate security safeguards that should be employed by ... the third-party provider”? Is an attorney equipped, as mandated by the Florida Bar, to “[i]nvestigat[e] the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances”? Should an attorney know how Google is defending against “zombie drones,” “dumpster divers,” and DDOS attacks? Should she know Dropbox's emergency plans for a “zero day threat” or the difference between SAML 2.0 and ID-FF 1.2? New Jersey understates the obvious when it says that “[p]roviding security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry, and it is certainly possible that an independent ISP may more efficiently and effectively implement such security precautions.”

Stuart L. Pardau, Blake Edwards, The Ethical Implications of Cloud Computing for Lawyers, 31 J. Marshall J. Info. Tech. & Privacy L. 69, 80-81 (2014).  Similarly, although attorneys are eminently well-positioned to interpret terms of service, their attempts to obtain contractual guarantees from public cloud providers beyond the boilerplate are liable to be hampered by the fact that the great majority of cloud computing vendors offer their services on a "take it or leave it" basis - they do not negotiate, thus making it impractical for a lawyer to "instruct[] and require[] the [vendor] to keep the information confidential and inaccessible" or take similar steps, as some of the states suggest. Id. at 83 (citing and quoting State Bar of Nev. Comm. on Ethics and Prof'l Responsibility, Formal Op. 33 (2006)). 

So, where does this leave lawyers in other jurisdictions?  Beyond the plain language of Rule 1.6, Rule 5.3, and Rule 1.15, concrete, specific takeaways are not available to us - we do not have a 33-factor list to hold in one hand while we examine the DropBox terms of service in the other.  This makes the safe harbor of “informed consent” that is offered by KRPC 1.6 (and the identical (more-or-less) Model Rule 1.6) all the more attractive:

A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraph (b).

Accordingly, an attorney who intends to use cloud storage for client data can take steps to ensure compliance with Rule 1.6 by obtaining the client's informed consent to the use of a cloud storage provider.  Informed consent, of course, is a term of art within the rules: it means that "the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct."  KRPC 1.0(f).   

It bears noting, too, that feasible cloud storage solutions for lawyers do not need to be exotic: the majority of attorneys who utilize cloud storage use DropBox (58% in 2014, 51% in 2015), EverNote, iCloud, and Google Apps.  ABA TechReport 2015 – Cloud Computing, available at http://www.americanbar.org/publications/techreport/2015/CloudComputing.html (last visited April 20, 2016).  This may be because attorneys who use these services consider that they provide a reasonable level of security, notwithstanding permissive-sounding terms of use (DropBox uses AES 256 encryption for data at rest – see infra, regarding the NSA’s approval of that encryption standard for “top secret” information).  That said, solutions designed with security in mind can be found easily and provide peace of mind without a staggering price tag.  See, e.g., PC World - Loaded and Locked: 3 seriously secure cloud storage services, http://www.pcworld.com/article/2105100/loaded-and-locked-3-seriously-secure-cloud-storage-services.html (last visited April 16, 2016).

HIPAA Considerations for Personal Health Information

Cloud storage may not be suitable for every type of data: there may be considerations unique to a particular client’s circumstances that merit an extra level of care.  Trade secrets, sensitive business plans, and similar information, for example, may merit extra precautions.  Alternatively, there may be external considerations, such as HIPAA or GLBA, that mandate extraordinary precautions.  The ethics rules recognize this, instructing that the criteria that should be taken into account when evaluating the reasonableness of efforts to maintain secrecy include the “sensitivity of the information.”  KRPC 1.6.  Still, the rules advise that the weight of these considerations can always be mitigated through informed consent:

A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

KRPC 1.6. 

Attorneys should also be mindful that even where there are prohibitive terms of service or other properties of a cloud storage solution that seem to make its use “unreasonable” within the meaning of Rule 1.6, those facts are not necessarily determinative of whether it can be used – even for the most sensitive information.  It is exceedingly simple for a practitioner to implement additional security measures before information is transmitted to the cloud that will go a long way toward ensuring that it remains confidential under virtually any circumstances.  Most versions of Windows support Microsoft Encrypting File System (EFS), which provides Triple-DES key encryption (considered a “strong cryptography” standard by the metrics of authorities such as the payment card industry).  See Payment Card Industry Data Security Standard – Requirements and Security Assessment Procedures v. 3.1 (April 2015), at 46, available at https://www.pcisecuritystandards.org/document_library (last visited April 20, 2016); see also Official PCI Security Standards Council Site – Glossary, available at https://www.pcisecuritystandards.org/pci_security/glossary (last visited April 20, 2016) (“At the time of publication, examples of industry-tested and accepted standards and algorithms for minimum encryption strength include AES (128 bits and higher), TDES (minimum triple-length keys)”).  And free or inexpensive tools such as 7-Zip (http://www.7-zip.org/) or WinRAR (http://www.rarlab.com/) support encryption using the AES-256 standard, which the NSA has approved for use in connection with “top secret” information and which some security professionals consider to be unbreakable by any means other than an impracticable brute force attack.  See NSA Suite B Cryptography, available at https://www.nsa.gov/ia/programs/suiteb_cryptography/ (last visited April 20, 2016).  In some instances, even simple password protection may be enough to provide the additional assurance that makes the use of cloud storage “reasonable” when it otherwise might not be.
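The measure just described, encrypting a file with AES-256 on the lawyer's own machine before it ever reaches a cloud-synced folder, can be done with 7-Zip or WinRAR as the text says; the following is an added example, not code from the article or from any of the products it names, showing the same idea with nothing but Go's standard library.  It uses AES-256 in GCM mode, which also detects any alteration of the stored file, and it assumes (as a design choice of this example) that the 32-byte key is kept in a file outside the synced folder, so the cloud provider only ever holds ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Added example: client-side AES-256-GCM encryption of a document before it
// is dropped into a cloud-synced folder. The key never enters that folder
// (an assumption of this example, not a requirement stated by the article).

const keyLen = 32 // 256-bit key selects AES-256

// NewKey generates a random 256-bit key; the caller stores it outside the
// synced folder (for instance on an encrypted USB key or in EFS).
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. Output: nonce || ciphertext || tag.
// A fresh random nonce per file is mandatory: reusing a nonce under one key
// destroys GCM's confidentiality and integrity guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error if the stored file was
// modified by anyone who did not hold the key.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptFileToFolder reads a local file, encrypts it, and writes only the
// sealed copy into syncedDir (the folder the cloud client uploads).
func EncryptFileToFolder(key []byte, src, syncedDir string) (string, error) {
	plaintext, err := os.ReadFile(src)
	if err != nil {
		return "", err
	}
	sealed, err := Encrypt(key, plaintext)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(syncedDir, filepath.Base(src)+".enc")
	// 0600: readable only by the owner on the local machine.
	if err := os.WriteFile(dst, sealed, 0o600); err != nil {
		return "", err
	}
	return dst, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample content standing in for a client document.
	sealed, _ := Encrypt(key, []byte("constructed sample: privileged client memo"))
	opened, _ := Decrypt(key, sealed)
	fmt.Println(string(opened))
}
```

Two practical points follow from the design: because GCM authenticates the ciphertext, a file that was altered or corrupted on the provider's servers fails to decrypt rather than silently yielding garbage, and because the key is the only thing standing between the provider and the plaintext, losing the key file means losing every file sealed with it, so it needs the same backup discipline as the documents themselves.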

Secure Client Access to Files

Most public cloud storage systems will also provide a way for clients to access files securely over the web, typically through a browser-based interface using Transport Layer Security (TLS, the successor to Secure Sockets Layer (SSL)).  Given the sensitivity of the information in question, this may or may not be acceptable.  TLS is generally considered secure from most practically executable attacks, but older versions are falling out of favor and, as of June 30, 2016, the PCI DSS no longer views the use of SSL or "early TLS" as sufficient for compliance.  See Payment Card Industry Data Security Standard - Summary of Changes from PCI DSS Version 3.0 to 3.1, April, 2015 (available at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf).  However, TLS 1.0 and later is still considered sufficient for HIPAA compliance.  See NIST Special Publication 800-52 Rev. 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf).  But practitioners can still ensure end-to-end security by using one of the add-on encryption solutions alluded to above (e.g., 7-Zip or one of many others), so that the file is already encrypted before it travels over TLS and remains encrypted on the provider's servers.

BYOD and Mobile Device Considerations

Preferences for personal technology are becoming as varied as preferences for personal style.  Some attorneys prefer Android devices, others Apple.  Some attorneys perform substantial work using tablets, others none.  Some attorneys work only in the office; others prefer to work also from home, the coffee shop, and so on.  This creates a tension with law firm IT personnel, who desire relative uniformity of devices and platforms to facilitate support and administration.  Oftentimes, a compromise comes in the form of some sort of bring-your-own-device (BYOD) policy, under which attorneys' desires for disparate technology are accommodated by allowing them to utilize their own.

The problem this presents is that a network, like a chain, is only as strong as its weakest link.  If a device utilized under a BYOD policy provides an entry point to cloud storage where client data is stored, then the security of that device must be part of the "reasonable efforts" prescribed by Rule 1.6.

What to Do If You Get Hacked

There are undoubtedly legal obligations that may apply if a law firm is hacked - if nothing else, one of the 47 different data breach reporting statutes that have been passed by legislatures across the country may be implicated by the hack and require action. See, e.g., K.S.A. 50-7a01.  From the perspective of the Rules of Professional Responsibility, however, it is unclear whether there is an ethical obligation to report a breach.  Rule 1.6, though it requires confidentiality, does not explicitly require an attorney to report to a client when confidentiality has been breached.  But Rule 1.4 might:

(a) A lawyer shall keep a client reasonably informed about the status of a matter and promptly comply with reasonable requests for information.

(b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

KS R RULE 226 RPC KRPC 1.4.  Given the centrality of the duty to maintain confidentiality to the lawyer-client relationship, it is easy to see how exposure of client information as the result of an intrusion could trigger Rule 1.4's obligation to inform the affected clients.

Wichita Bar Association