Computing in the Cloud: A Warning for Lawyers
Cloud computing is a new and fascinating set of technologies that is changing the way the world does business. Is the legal profession ready for it?
Cloud computing is the generic term used to describe a variety of technologies that transfers the responsibility for a computing activity (storage or processing) from a local computer to a network of remote computers. The remote computers are generally operated by one or more third parties. The principal benefit of cloud computing is cost. By using the cloud, a business can reduce the amount of money it spends on procuring and maintaining its own IT infrastructure, and instead pay usage fees to the cloud provider based on the business’s usage of computing resources.
Cloud computing is an increasingly successful technology model, and will become quite prevalent in the coming years. Merrill Lynch sees the cloud business reaching $160 billion by 2011 (which is perhaps a bit optimistic, given the recent market troubles caused by the European credit crisis), and Gartner predicts $150 billion by 2013. Given that the cloud business was worth $50 billion in 2009, these numbers represent significant growth worldwide. Whether we are aware of it or not, much of our daily computing (email, banking, etc.) may move from dedicated servers to a cloud environment over the next few years. Google Docs, including Gmail email accounts, which are used by millions of businesses and people worldwide, are already hosted in Google’s cloud.
Lawyers could use cloud computing in a number of different ways, the simplest example being for document storage. Documents stored in the cloud could be accessible by lawyers and clients from anywhere, and could be selectively shared with other parties to facilitate negotiations or litigation.
However, cloud computing has its drawbacks. The two biggest concerns are privacy and security, both of which warrant particular attention of lawyers. Using a cloud computing service entails in almost every instance a disclosure of personal or confidential information to a third party. The disclosure itself may be prohibited by privacy laws and the rules of professional conduct applicable in a lawyer’s jurisdiction.
A lawyer may only disclose a client’s information to a third party under very limited circumstances. The standards for privacy and client confidentiality are different. Under federal privacy laws, a lawyer may disclose personal information of an individual to a third party so long as the lawyer obtains the individual’s consent, and the third party is contractually bound to at least the minimum privacy standards as those promised by the lawyer to the individual, which are strict in the first place.
The standard governing client confidentiality is similarly strict under the Rules of Professional Conduct that govern Ontario lawyers. The lawyer must keep information in strict confidence and not disclose it without the express or implied consent of the client. Implied consent may be presumed in some limited circumstances. For example, if a client communicates confidential information with a lawyer by email, the lawyer can reasonably infer that the client has consented to the lawyer responding in the same manner, even though the transmission of an email is demonstrably not secure.
A lawyer cannot presume consent with cloud computing. Cloud computing is a new technology, the uses and vulnerabilities of which are still being explored. It would be completely unreasonable for a lawyer to infer consent for the use of document storage in a cloud, for example, unless the client had an extraordinary background in cloud computing. Even then, a lawyer may still be in breach of his or her obligation to keep a client’s information in strict confidence because most cloud computing technologies cannot yet be considered secure. A lawyer should tread carefully here.
The cloud computing community is well aware of the drawbacks of this emerging technology, and is working hard to address them. Before long, there will be ways to make the cloud secure enough for our client’s confidential information. When that time is upon us, the cloud will be ready for the legal profession.
Some resources on the topic:
Gellman, Robert. “Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing” World Privacy Forum
Cohen, Reuven. “The Cloud Computing Opportunity by the Numbers” from the blog ElasticVapor
Certainly, there are potential privacy and security concerns with cloud computing; concerns that a lawyer need take into account when considering solutions that are in the cloud. Moreover, federal privacy legislation requires some due diligence in selecting cloud service providers, as well as contractual safeguards, as you note.
I also tend to agree that, as a general principle, lawyers should \presume\ consent for as little as possible; far better to obtain the express or implied consent of clients to a comprehensive privacy policy — one that explicitly contemplates disclosure of personal information to third parties, subject to contractual safeguards.
With such a general policy in place, however, I don’t see why cloud computing would be treated any differently than contracting with third parties for off-site hard copy document storage, or photocopying, or even tech support. The principle is the same in all cases: you need to trust those third parties with whom you entrust client data and bind them contractually to maintaining the same security and privacy standards to which you adhere yourself.
You’ll pardon me please, but this post strikes me as terribly ill-informed. Cloud technology is hardly new (perhaps it’s new to lawyers!). And there are exceedingly few reported cases of privacy or security issues because of the cloud – in contrast to the nearly daily announcement of a massive and far-reaching security breach by a major corporation from presumably secure, in-house data stores.
You lost me on your second sentence. The legal world has been using cloud computing solutions since at least 2002 and today there are thousands of lawyers leveraging the power of cloud computing for their practice especially in the area of email, document management and practice management.
Your concerns are legitimate but they are no different than from the concerns lawyers had 100 years ago when they were sending documents through the mail and David nailed it with his analogy in his third paragraph.
Storing a document in the cloud does not give anyone access to the documents but rather trusts a company, who specializes in the specific service (rather than a lawyer trying to manage servers etc.), to care for the document in transit such as Fed Ex does. Furthermore, I would argue that web based document management is at least as secure as managing document on your own hard drive or servers and much more secure than emailing attachments back and forth between clients.
I agree this post is not accurate on a number of points, primarily the statement that ” Using a cloud computing service entails in almost every instance a disclosure of personal or confidential information to a third party.” Of course, you need to contract with a vendor who has the necessary security measures in place. But assuming those measures are in place, at no time is the information stored in a cloud application automatically (or otherwise) disclosed to third parties.
It is blog posts like these that unnecessarily scare lawyers away from the use of technology that can both enhance their practices and make legal representation more accessible to those who need it, but cannot afford it.
What I appreciate about your post, James, is that you advocate mindful use of these services. We should not just jump into them without giving some thought as to how we are using them and whether they are appropriate. Security and privacy indeed have to be kept foremost in mind for lawyers using any technology.
I appreciate the responses above, as well. Sometimes whether services are appropriate are in the eye of the beholder. It is good to hear the various points of view so that we can all make up our minds on them. It appears it is not a clear-cut decision.
I’ve made a point of reading many dozens of articles on cloud computing and this is one of the poorest. There are too many conclusory statements of opinion presented as fact.
Some people opin negatively about the cloud, but think nothing of sending confidential attachments via e-mail, which is clearly less secure.
Others want to talk about privacy but may only spend a few minutes discussing that core concept with new staff members. Do each of you carefully lock all client files away every night before the cleaning crew comes?
Absolute security is impossible. It is a question of what is reasonable. But somewhere this week a lawyer will look at his burned or flooded law office and wish he had kept digital client files in an offsite online location instead of relying exclusively on “insecure” paper files in filing cabinets.
In the privacy area, there’s often confusion about the very important distinction between a “disclosure” of information and a “transfer” of information. Generally understood, a disclosure only takes place if you provide information to another person so that the other person can use it for his or her own purposes (or it’s exposed to a person who has no restriction on his or her use of the info). A transfer is where there is a change of custody, but the person receiving the info is limited to using only on behalf of the original custodian.
Cloud computing is almost always a transfer of information and not a disclosure. Maybe the architecture of cloud computing is new, but the underlying principles aren’t. I’m sure the vast majority of law firms, even in Ontario, use services like Iron Mountain to store old files. I don’t think you can argue that a firm has waived privilege over the files by using this outside service provider. As long as the provider is contractually bound to keep them secure and confidential, there’s no problem in principle. Same goes with hosted e-mail, which is as old as law firm electronic communications.
It makes sense to be cautious, but not to the point of losing perspective. Maybe the first lawyers to use off-site storage were hesitant and paranoid, but years later there are petabytes of paper-based storage in the non-digital cloud.
Encryption is essential to cloud computing, because it eliminates many privacy and security issues. Of course, encryption is not perfect, but then we should talk about the strength of encryption and the ability of lawyers to use it as potential risk factors rather than about cloud computing in general.
http://lawiscool.com/2010/04/29/cloud-computing-tips-for-lawyers/
In reality, one could swap out the words “legal profession” for just about every category of business. Not many organizations would be unaffected by data, sensitive or not, finding its away into the wrong hands. As others have already mentioned in the comments, complete security is next to impossible. However, there are steps that can be taken by businesses wanting to utilize cloud storage. For instance, the company I work for encrypts, compresses, and chunks customers’ files before they even leave for the cloud. Using a combination of OpenPGP 256-bit encryption and randomly generated keys, there is no way to decipher the data stored off site. There is no doubt, security in the cloud is a hot-button issue, but there is much more to it than meets the eye. We recently published a blog post relating to the top 5 security challenges of cloud storage. If anyone is interested in reading more, you can find the post here: http://www.nasuni.com/news/nasuni-blog/top-5-security-challenges-of-cloud-storage/ The bottom line is that even if the cloud provider leaked the data (maliciously or accidentally) only the owner, who is holding the key, could decrypt it.
Thank you for your comments. My intention was to provoke discussion on this topic by lawyers and those in the cloud computing space, and it appears that I have done so.
In particular, I appreciate those comments that suggest that there are technological solutions, such as encryption, to the concerns I raise. I completely agree that technology will be part of the solution. However, it was not my intention to delve into all of the possible technological solutions that lawyers might consider using in this short column. From the sound of it, that topic may be worthy of another column. If you are a cloud computing technology provider, and would like to share your technological solution to my concerns about the appropriateness of cloud computing in the legal field, I would be happy to discuss it with you.
I also appreciate the distinction that some of the posters are making between disclosure and a transfer of personal information. It is a fair comment. Regardless of whether we are discussing a disclosure or a transfer, however, the onus remains on the lawyer to ensure that the personal information and confidential infromation of his or her clients is protected. This does not affect, in my view, the analysis regarding the risks that have to be addressed when using a true cloud computing solution.