May 20, 2015 – Do you use a computer, tablet, or mobile device to process, transmit, store, or access client information over the Internet? If yes, welcome to the world of cloud computing. A new ethics opinion provides guidance on what lawyer’s must do to ensure their cloud-computing activities are ethically sound.
Wisconsin Formal Ethics Opinion EF-15-01 (Ethical Obligations of Attorneys Using Cloud Computing), issued by the State Bar of Wisconsin’s Professional Ethics Committee, notes that increased lawyer accessibility to cloud-based platforms and services comes with a direct loss of control over client information.
“The provider of cloud-computing adds a layer of risk between the lawyer and the client’s information because most of the physical, technical, and administrative safeguards are managed by the cloud service provider,” the opinion states.
Lawyers can use cloud computing services if the lawyer uses reasonable efforts to adequately address the potential risks associated with it, the opinion concludes.
What are Reasonable Efforts?
“To be reasonable,” the opinion states, “the lawyer’s efforts must be commensurate with the risks presented.” The opinion acknowledges that lawyers cannot guard against every conceivable danger when using cloud-based services, but lists numerous factors to consider when assessing the risk of using cloud-based services in their practices.
Below is the list of factors identified in the opinion, with some practical notes from Tison Rhine, practice management advisor for the State Bar’s Law Office Management Assistance Program (Practice 411™). Rhine assist attorneys with questions regarding cloud computing, in addition to other questions that relate to technology in law practice.
The information’s sensitivity. “The more sensitive the information, the less risk the lawyer should take in using cloud-based services. Lawyers should assess the sensitivity of the information before determining what cloud-based service can be used with it.”
Lawyers can use cloud computing services if the lawyer uses reasonable efforts to adequately address the potential risks associated with it.
The client’s instructions and circumstances. “A lawyer must follow client instructions unless doing so would cause the lawyer to violate ethical rules or other laws. The client may require the lawyer to implement special security measures not required by the ethics rules, or may give informed consent to forgo certain security measures.”
The possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party. “Lawyers should ask themselves how bad it would be if unauthorized parties gained access to information on a case-by-case basis. If the lawyer knows a breach could be highly detrimental, the lawyer should take the proper precautions. Note that in all cases, the lawyer must make ‘reasonable efforts’ to prevent access or disclosure.”
The attorney’s ability to assess the technology’s level of security. “Attorneys are not required to be security experts, but those who lack basic competence to assess the security of cloud-based technology must become competent or consult with someone who is. Nothing in the rule says lawyers cannot rely on technology professionals to help assess the security of cloud-based systems.”
The likelihood of disclosure if additional safeguards are not employed. “The fact that additional security measures are available does not alone necessitate their use. In some circumstances, the likelihood of a security breach is very low without additional safeguards.”
What is Cloud Computing?
Cloud computing is not an easy term to define. In the law practice realm, it encompasses a wide range of activities that use different Internet (cloud)-based services. The most basic form of cloud computing is web-based email, like Gmail.
But lawyers now use cloud-based services to perform legal work in many other ways. The services – generally offered through third-party providers with offsite computer facilities and remote servers – allow access to client information from any location with an Internet connection, creating new opportunities for lawyers to work outside the office.
For instance, lawyers can access client files from almost anywhere in the world, using mobile devices in tandem with cloud-based practice management software like Clio – which State Bar members can purchase at a discount– and cloud-based file-sharing services like Dropbox.
In addition, cloud-based information storage options mean law firms can easily back-up and store the firm’s digital files. Cloud-computing services can help lawyers reduce overhead costs, improve efficiency, and provide better client service. But with technology comes ethical duties.
A new ethics opinion from the State Bar of Wisconsin’s Professional Ethics Committee explores the ethical obligations when choosing and using cloud-based services.
The cost of employing additional safeguards. “Again, no security measures are absolute and at some point, lawyers can expect diminishing marginal returns. As such, a reviewing body would consider the cost of additional safeguards when evaluating their necessity under the rules.”
The difficulty of implementing the safeguards. “Some security measures are easy to set up and then run without additional input. Advanced or custom security measures, however, may require expert knowledge of computer hardware and software. In some cases, such advanced safeguards may be necessary, but the more difficult a measure is to implement, the less likely it will be seen as necessary under the rules.”
The extent to which the safeguards adversely affect the lawyer’s ability to represent clients. “If a security measure is preventing the lawyer from accessing information the lawyer needs to represent the client in a timely fashion, that’s problematic for both the lawyer and the client. Safeguards that disrupt the flow of practice so much that representation suffers are less likely to be deemed necessary.”
The need for increased accessibility and the urgency of the situation. “When a legal situation is time-sensitive, perhaps requiring immediate access to a client’s file from a remote location, or when other circumstances make communication or document exchange with clients and/or third parties difficult, the lawyer may be limited to cloud-based options with limited security in place. Under such circumstances, what would normally be deemed necessary under the rules may not actually be necessary.”
The experience and reputation of the service provider. “Lawyers should choose cloud-based service providers with a proven record on security. Lawyers must do their due diligence or consult with a technology expert who can make recommendations.”
The terms of the agreement with the service provider. “Lawyers should always read the terms of service with particular attention to the service provider’s security mechanisms. Ask questions to fully understand how stored information is protected.”
The legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. “This may come up when a cloud-based service provider is out-of-state or overseas. In these circumstances, the lawyer may need to ensure that the cloud-based provider’s security protocols are on par with the data security protocols required by applicable state or federal law in the U.S.”
Understanding Technology Concepts
The opinion states that in determining what efforts are reasonable to address the cloud-computing risk, lawyers should understand a number of computer security concepts.
For instance, lawyers should understand the use of firewalls, virus and spyware programs, operating system updates, strong passwords and multifactor authentication, and encryption for electronically stored information. Let’s take these one by one.
For ethics questions, email State Bar Ethics Counsel Tim Pierce or Assistant Ethics Counsel Aviva Kaiser or call the Ethics Hotline at (608) 229-2017 or (800) 254-9154.
For cloud-computing or other technology or practice management questions, email Tison Rhine or call (608) 250-6012 or (800) 444-9404, ext. 6012.
Firewalls. According to Microsoft, a firewall “is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.” Most operating systems (including Windows and Macs) have built-in firewall systems, but lawyers should make sure the firewall is turned on at all times.
Virus and spyware programs. According to Microsoft, virus and spyware are terms used to describe “software that performs certain behaviors, generally without appropriately obtaining your consent first.” That includes programs that collect personal information from your computer or change your computer’s configuration. Viruses and spyware can cause your computer to freeze, stop responding, or act oddly.
A type of spyware includes “adware,” which tracks Internet habits to strategically place ads. However, many consumers agree to let companies track information as a trade-off for using its services, such as a free music service. “A common trick is to covertly install the software during the installation of other software you want,” Microsoft says.
To avoid this, only download software from trusted sources and read all disclosure, license, and privacy statements before installing any new software program. To remove spyware that has already been installed, use the built-in spyware removal program that came with your operating system, or purchase a spyware removal program.
Operating system updates. Companies such as Microsoft and Apple continuously issue operating system updates to improve the quality of service and patch security holes that these companies have identified. Ensure your computer is automatically receiving these updates by reviewing your operating system’s default settings.
Strong passwords and multifactor identification. These steps are necessary to prevent unauthorized users from accessing your computer, tablet, or mobile device, and to prevent hackers from accessing your online accounts.1 For more on this, check out:
Encryption for stored information. Encryption transforms readable data into unreadable data, and “encrypted data cannot be read or used unless one has access to the decryption key,” according to a recent Wisconsin Lawyer article, “Encryption Made Simple for Lawyers,” which outlines the step lawyers should take to encrypt hard drives, software programs and files, smartphones and tablets, and wireless networks.
In addition, the ethics opinion states that lawyers should understand the dangers of using public Wi-Fi and file-sharing sites. In general, lawyers should not use public Wi-Fi networks when working with client information, since that information can be intercepted. Lawyers who must use a public network can add a layer of security by using a virtual private network (VPN), which requires a password to access.
When sharing digital files over the Internet, lawyers should always ensure the data is encrypted, according to a recent technology article on file-sharing from Tison Rhine.
Lawyers should also understand the importance of regularly backing up data and storing it in more than one place, the ethics opinion states. Back-ups allow lawyers to protect client data from natural disasters or computer or network failures.
Ethics Rules, Must the Lawyer Tell the Client About Cloud Computing?
Supreme Court Rule (SCR) 20:1.1 requires a lawyer to perform legal services competently, which includes the duty to remain competent on technology.
Joe Forward, Saint Louis Univ. School of Law 2010, is a legal writer for the State Bar of Wisconsin, Madison. He can be reached by email or by phone at (608) 250-6161.
“Lawyers who use cloud computing have a duty to understand the use of technologies and the potential impact of those technologies on their obligations under the applicable law and under the Rules,” the ethics opinion states. “[A]s technology, the regulatory framework, and privacy laws change, lawyers must keep abreast of the changes.”
SCR 20:1.4(b) requires that a lawyer explain a matter to the extent reasonably necessary to permit the client to make informed decisions concerning the representation. But what must the lawyer tell clients about cloud computing?
“While the lawyer is not required in all representations to inform clients that the lawyer uses the cloud to process, transmit, or store information, a lawyer may choose, based on the needs and expectations of the clients, to inform the clients,” the opinion states.
The opinion suggests that lawyers include provisions about their use of cloud-computing services in the engagement agreement or letter to inform clients.
SCR 20:1.6 prohibits a lawyer from revealing information relating the representation of a client unless that client gives informed consent or unless the disclosure is impliedly authorized in order to carry out the representation.
“The processing, transmission, and storage of information in the cloud may be deemed an impliedly authorized disclosure to the provider as long as the lawyer takes reasonable steps to ensure that the provider of the cloud computing services has adequate safeguards,” the opinion states.
Lawyers need not guarantee that a breach of confidentiality will not occur, the opinion notes, but they must take reasonable steps to minimize the likelihood of breach.
Under SCR 20:5.3, when a lawyer employs or retains nonlawyers to help provide legal services, the lawyer must take reasonable steps to ensure the nonlawyer’s conduct is consistent with the professional obligations of the lawyer.
“The extent of this obligation when using a cloud service provider to process, transmit, store, or access information protected by the duty of confidentiality will depend greatly on the experience, stability, security measures and reputation of the provider as well as the nature of the information relating the representation of the clients,” the opinion says.
1 For more on this topic, see “Mobile Device Gone Missing? Protect Your Information Before It’s Too Late” – InsideTrack (Sept. 3, 2014); and Password Protection: How Often Do You Change Your Password – InsideTrack (Oct. 3, 2012).