Malpractice and Ethical Risks in Cloud Computing
TechnologyCloud computing, which is the use of a remote vendor connected by the internet for computing needs, isn’t a futuristic concept. It is here today. In most cases, you use the browser on your local computer to interact with the remote program. The use of cloud computing by lawyers and law firms raises important malpractice and ethical risks.
Potential usage of the cloud by law firms
A wide variety of programs fit the definition of cloud computing. Email may be hosted outside the law firm over the Internet, rather than using a dedicated in-house email server. Some firms utilize Google Apps and other vendors for sending and receiving email. Word processing, spreadsheet, and presentation programs may now reside in the cloud through Google Apps, Microsoft WindowsLive, ThinkFree and Zoho. Many vendors now offer storage, system backup, simple calendaring and contact management online. Even PBX services can now reside in the cloud.
Some online services now offer law firm specific services online. Time and billing services such as BillingOrchard and EasyOnlineBilling.com offer online billing as well as online payment. More and more large corporations are requiring bills in LEDES format, and some online services offer that format. Lexbe offers legal document and case management software for litigation. Clio offers a package including document management, time tracking billing and scheduling with smartphone integration for solos and small firms.
In some cases, larger law firms contract for either a virtual or dedicated server offsite to run purchased or customized software. This, too, is computing in the cloud. Amazon EC2 and Microsoft Cloud are among vendors that offer application hosting on a customized basis.
Why use the cloud?
Law firms, as well as other businesses, are using cloud computing for many reasons. While we will address concerns with the security of client information below, cloud computing offers a potential for enhanced security in some ways. A firm with a single IT person on staff is often a jack of all trades, master of none. With the increasing complexity of software, it makes sense to give a task to someone who performs the task frequently. For example, a single employee keeping up with an email server for one law firm may not experience a sufficient variety of problems to avoid certain security issues. A service that provides email hosting for many customers may well enhance security.
Security can be enhanced in the cloud because of the way many vendors handle backups. Many cloud services perform automated backups to multiple locations on a continuing basis. This means that the failure of a computer in one location does not disrupt the availability of critical software elsewhere.
Cost can be another consideration in using the cloud. Personnel and hardware costs can be reduced when computing needs are outsourced. Many applications include access anywhere, thus allowing easy setup of offsite work that can save rent and commuting costs.
Confidentiality in the Cloud
The ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies has released an issues paper requesting comment on lawyer use of current technology. http://www.americanbar.org/content/dam/aba/migrated/ethics2020/pdfs/clientconfidentiality_issuespaper.authcheckdam.pdf
The goal of the commission is to decide whether modifications of the ABA Model Rules and comments are warranted, and if formal ABA sanctioned guidance regarding appropriate technology standards should be provided. The issues paper addresses both cloud computing and portable computing devices. With either a rules change or formal guidance, the actions of the commission may ultimately set standards of care for lawyers and law firms utilizing cloud computing. Keep up to date with any changes or guidance that may ultimately be offered by the ABA.
The top concern for lawyers using cloud computing resources is security of confidential information. There is a risk that the employees of cloud vendors will access confidential information and use it to the detriment of a client. Vendors of cloud computing services should be treated like other third parties who have access to confidential client information, such as copy vendors and delivery personnel. Vendors should be considered subagents of the lawyer or firm, with an obligation to protect confidentiality.
Because of the nature of cloud computing services, there is a risk that client information will be subject to destruction or disclosure by unauthorized access. Some information A 1999 ABA Formal Opinion concluded that transmission of confidential and sensitive information over the internet without encryption by email is acceptable in most cases because there is “a reasonable expectation of privacy from both a technological and legal standpoint.” ABA Formal Opinion 99-413. Two opinions have extended this conclusion to cloud computing, stating that storage of confidential data online is permitted if lawyers take reasonable precautions to avoid unauthorized access. NYSBA Opinion 842 (2010), AZ Bar Ethics Op. 09-04 (2009).
Certain information of non-clients may also be subject to confidentiality requirements. Non-clients who provide information in the course of legitimately seeking legal services are entitled to confidentiality. See Texas Disciplinary Rules of Professional Conduct Rule 1.05(a), Texas Rules of Evidence 5.03. Non-client personal information, such as Social Security numbers, bank account numbers and health information may be protected by law.
Service Failures
As this article was going to press, Amazon EC2 experienced a severe outage in it’s cloud servers. http://www.pcmag.com/article2/0,2817,2383980,00.asp Almost every major online player has had outages at times. This is certainly a consideration for law firms who keep information in the cloud that may be needed on a moment’s notice.
What are reasonable precautions?
Lawyers will often not know enough to be certain that security measures are sufficient, but there are computing industry security standards that may help. The response of the Legal Cloud Computing Association to the ABA Working Group provides a good start for a lawyer or firm considering use of a cloud service. http://www.legalcloudcomputingassociation.org/Home/aba-ethics-20-20-response.
Confidentiality: Lawyers should assure that cloud vendors will keep information private. . A vendor’s published privacy policy may provide sufficient assurance of confidentiality by employees of the vendor. Contractual provisions may be necessary to assure confidentiality.
Auditing: Cloud computing vendors often have AICPA SAS 70 Type II audits available for customers to provide to their auditors in order to analyze the adequacy of security. These reports can provide detail about security procedures in place.
Physical Security: Security monitoring of data should be continuous, 24/7 as they say in the business. Physical access to computers should be limited to authorized personnel in charge of servers, with the use of security checkpoints.
Network Security: Cloud vendors should have firewalls blocking unauthorized connections, and third parties should audit firewall security periodically.
Software Security: Independent audits of software security should be conducted by data centers periodically. Security patches and software updates must be applied within 30 days of publication.
Data Transmission Security: All transmission of sensitive data, such as passwords and client information, should use the Secure Sockets Layer (SSL). You can tell if SSL is being used if the URL for secure information begins with https.
Backups and Redundancy: Data centers should have multiple backups during the day. At least one backup location should be a considerable distance away from the data center. Multiple internet service providers and power grids should be available in a network of data locations. Service level agreements should guarantee a minimum level of uptime, with penalties for failure to meet the agreed level.
Data Portability: A lawyer or law firm should assure that they will be able to download all data in a commonly used format.
Insurance coverage
Legal malpractice insurance coverage terms vary widely. Most policies do not have an exclusion that applies to claims involving cloud computing. If a lawyer misses a deadline because of a failure of the calendaring system, it should not matter that the cause is lack of a backup for a cloud computing program rather than forgetting to write the data in a paper calendar. Similarly, if client information is released due to attorney negligence, and this causes harm to a client, the fact that the release occurred online rather than by allowing an unauthorized person to look at the file does not change the character of the claim. These types of claims are not the only claims that might result from use of the cloud, however.
Claims under property insurance policies for technological problems have been denied in some cases, on the basis that data and programs are not “tangible property.” Insurers have recently developed insurance that addresses such technological risks, frequently called cyber insurance. Such policies may cover business risks unrelated to professional liability risks. When confidential information is compromised, all businesses, including lawyers and law firms, are under an obligation to notify all persons whose data was compromised under certain state laws. Developing the lists and sending notices can be quite costly if many parties are involved. Programming necessary to resolve intrusions and reconstruction of data when it is destroyed can be costly. Cyber insurance is aimed at protecting against these types of risk.
