An ever-increasing body of ethics opinions and reports on the suitability of cloud computing for lawyers aims to provide guidance that can appear deceptively straightforward. Take the following as an example:
Cloud computing is acceptable, but make sure you first undertake an appropriate level of due diligence on your prospective cloud computing provider.
While this doesn't appear onerous on the surface, the cumulative expense of performing due diligence on multiple cloud providers could prove to be prohibitive for solo- and small-firm lawyers – the very demographic that benefits most directly from cloud computing.
- Will the lawyer have continuous access to the source code and software to retrieve records in a comprehensible form? Consider whether there is a source code escrow agreement to facilitate this.
- What is the service provider’s business structure?
- A lawyer should compare the cloud services with existing and alternative services to best determine whether the services are appropriate.
A lawyer considering cloud computing doesn't just have to review the provider's legal policies; the lawyer also needs to establish access to the provider's source code (a request virtually all cloud computing providers will reject), perform an audit of the cloud provider's business structure, and conduct a comparative analysis of the cloud provider's services against alternative offerings, along with the remaining recommended due diligence items.
Similarly, the North Carolina State Bar's recent 2011 Formal Ethics Opinion 6 makes the following due diligence recommendations:
- Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
- If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
- Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
- Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
- Evaluation of the extent to which the SaaS vendor backs up hosted data.
Again, nothing is unreasonable here, but the time investment required to comply with these recommendations – especially performing an evaluation of the security safeguards of the cloud computing provider – could take several days.
This isn't to say that due diligence is a bad idea, but rather to point out that pushing this responsibility to the individual lawyer level can place an unreasonable burden on the lawyer's time. The simple reality is that most lawyers will at best perform a cursory amount of due diligence, despite what is being recommended by their bar association or law society.
What can we do to lessen the burden of cloud computing due diligence? Let me know in the comments, and I'll follow up with those suggestions as well as some of my own next week.