ISO’s Cloud Privacy Standard: A Guide for Lawyers’ “Reasonable Efforts” to Protect Client Information

Adams and Reese LLP

Rule 1.1 of the Model Rules of Professional Conduct requires that all lawyers provide “competent representation to a client.” In August 2012, the ABA added new language to Model Rule 1.1, comment 8:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (new language in italics).

Because a lawyer’s “competence” now includes the ability to evaluate and use computer technology, attorneys must understand computer technology tools for their own benefit and for that of their clients.

Cloud Computing and Its Information Benefits and Risks
One such technology tool is cloud computing, broadly defined as contracting with another company (a “cloud services provider”) to provide computing resources, such as networks, storage, software applications and other services. The key difference between cloud computing services and traditional computer hardware and software is that cloud computing software resides on the cloud service provider’s servers and is delivered via the Internet rather than being installed on the lawyer’s computer. As a result, information is stored on the cloud service provider’s servers rather than on the lawyer’s own computers.

Numerous cloud-computing services are available to lawyers, including email, time and billing software, case management, document management, online storage and backup, and even secure portals allowing lawyers to work directly with clients online (“virtual law office” services).

Using the cloud for one or more law practice functions offers many potential benefits for attorneys and their clients. The cloud service “pay-as-you-go” business model gives a law firm the ability to use and grow its use of computing resources flexibly and on an as-needed basis, limiting or eliminating capital expenditures on equipment and software in the process. However, doing business in the cloud presents a number of potential risks. Certain risks, such as complete loss or unauthorized disclosure of client or other valuable information, may result in violations of lawyer ethical responsibilities or applicable state and federal law.

Ethical Obligations to Protect Client Information
The primary rules addressing a lawyer’s obligation to protect the confidentiality and security of client information are Model Rule 1.6 “Confidentiality of Information” and Model Rule 1.15 “Safekeeping Property”:

  • Model Rule 1.6(e) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.”
  • Model Rule 1.15, “Safekeeping Property,” requires that all client property be “appropriately safeguarded.”

Model Rule 5.3, “Responsibilities Regarding Non-Lawyer Assistance,” makes clear that a lawyer contracting with a cloud services provider retains the obligation to make “reasonable efforts” to maintain client confidentiality and to safeguard client information.

Legal Obligations to Protect Personal Information
Lawyers who hold personal information related to clients, employees or any other person may owe privacy and security obligations under various state and federal laws. “Personal information” typically includes any information that can identify an individual, e.g., Social Security numbers, driver’s license numbers, credit card numbers, financial account information and health information.

Every state except Alabama, New Mexico and South Dakota now has a statute requiring notification in the event of an unauthorized disclosure of personal information, and several states require the adoption of reasonable security standards to protect personal information.

The federal Health Insurance Portability & Accountability Act (HIPAA) establishes privacy and security requirements for an individual’s “protected health information” (PHI). Any lawyer receiving PHI from a HIPAA “covered entity” will generally be required to comply with the HIPAA security requirements.

ISO 27018 and Protecting Information in the Cloud
While the obligation to protect client and personal information is clear, the methods for securing valuable information assets may be less clear to lawyers, given that cloud services are relatively new and seemingly complicated. And while state ethics opinions[1] shed some light on the “reasonable efforts” lawyers must undertake when storing information in the cloud, this guidance lacks specificity in some areas, particularly with respect to what security measures employed by a cloud services provider are considered adequate.

In order to gain a more comprehensive and detailed description of the people, processes and technology necessary to protect information, lawyers may look to information security standards. The International Standards Organization (ISO) has issued a standard — ISO 27018[2] — for protecting personal information in the cloud. ISO 27018 not only describes various information-protection actions to be followed by cloud services providers, but also identifies key provisions to be included in the cloud services agreement with the “customer” (the lawyer or law firm):

    Contracts between the customer and the cloud services provider should specify the methods by which the cloud services provider will protect personal information.

The cloud services agreement should contain not only an enforceable obligation to protect client and other protected information, but also identify (or incorporate by reference) the specific physical, administrative and technical security measures the cloud services provider will use to maintain the confidentiality and security of protected information:

    Require all individuals with access to personal information to be bound by a confidentiality agreement.

    Provide security awareness, education, and training for employees.

The confidentiality obligation owed by the lawyer must extend throughout the cloud service provider’s organization (and to any third parties working on the cloud service provider’s behalf). Critically, the cloud services provider (and the lawyer) must continuously make employees aware of the importance of protecting information through ongoing training and awareness efforts:

    Make clear in its contractual arrangements with the customer that it will a) reject requests for personal information that are not legally binding; b) consult the customer when legally permissible before making any disclosure of personal information; and c) accept any requests for disclosures of personal information authorized by the customer.

    Notify the customer of any request for disclosure of personal information by a law enforcement authority unless that disclosure is otherwise prohibited;…

The lawyer should ensure that the cloud services agreement specifically addresses the process for responding to subpoenas or other requests for disclosure of client information, and allows the lawyer to retain as much control over that process as possible:

    Provide independent evidence that the cloud services provider has implemented information security in accordance with its contractual obligations.

Not every lawyer can conduct a compliance audit of a cloud services firm, but a cloud services provider can verify its security processes throughout the life of the cloud services agreement:

    Notify the customer promptly of any unauthorized access to personal information or loss, disclosure or alteration of personal information.

    Help the customer meet its obligations in the event of a data breach.

In the event that client or personal information is disclosed without authorization, the lawyer needs to know as soon as possible in order to notify any affected person and to take any additional actions as may be required by law:

    Implement a policy for the return, transfer, and disposal of personal information and make that policy available to the customer.

Finally, the lawyer must have a clear understanding of what happens to information at the close of the contractual relationship, or in the event that the cloud services provider cannot continue to perform its services.

Conclusion
ISO 27018 is one of several references that lawyers may use to build technological competence and assist in undertaking “reasonable efforts” to safeguard client information stored in the cloud.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Adams and Reese LLP | Attorney Advertising
