Let’s clear up your cloud-related obligations

Posted: January 18, 2018

Got responsibilities? Of course you do, lots of them.

Competent lawyering means knowing the law, honing skills, and preparing thoroughly. But that’s just in reference to your cases. A whole other set of responsibilities is cropping up around the technologies you or your firm might use to do your work.

Take the cloud. When you put your case materials in the cloud, you are probably doing that to save money on IT, shed non-core activities, and simplify your operations. As a result, your clients will hopefully enjoy better service, value, or outcomes.

But when you put your clients’ personal, financial, health, and legal information in the cloud, you’re essentially putting that confidential information on someone else’s computer. It’s becoming clear that you have some professional duty to protect it.

As the American Bar Association says in a comment attached to its Model Rules of Professional Conduct,

…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology

Benefits and risks have a unique relationship in information technology. New products are invented to provide new benefits – e.g., faster, cheaper, smarter access to information. The risks – a breach, for example – are usually a secondary concern. As data breaches proliferate, the legal profession is like every other industry, struggling to catch up.

Your new duties

Keeping abreast of technology risks is necessary but insufficient. Illinois, for one state, spells out the duties of its lawyers around protecting client information when working with the cloud. In an advisory opinion of October 2016, the Illinois State Bar Association (ISBA) says:

A lawyer may use cloud-based services in the delivery of legal services provided that the lawyer takes reasonable measures to ensure that the client information remains confidential and is protected from breaches. The lawyer’s obligation to protect the client information does not end once the lawyer has selected a reputable provider.

So what exactly does the lawyer’s obligation entail?

According to ISBA, “A lawyer must comply with his or her duties of competence in selecting a provider, assessing the risks, reviewing existing practices, and monitoring compliance with the lawyer’s professional obligations.”

That probably means a lawyer or firm must conduct periodic reviews of the technology, industry, and the implementation. Taken at face value, this requirement implies a lot of work, or at least expertise, for somebody at the firm. Clearly, it’s not enough to pick any cloud provider, or even make a good choice. But selection is clearly where the job starts, and for that process ISBA suggests:

  • Reviewing cloud computing industry standards and safeguards.
  • Investigating the provider’s security tools.
  • Investigating the provider’s reputation and history, including breaches.
  • Getting assurance in writing that the provider will abide by the lawyer’s duties of confidentiality and immediately notify the lawyer of any breaches or outside requests for information.
  • Requiring data backup and ensuring attorney access to that data.
  • Requiring provisions for information retrieval if the agreement is terminated or the provider goes out of business.

These steps should be a good start in addressing your responsibility to protect client information.

The shortcut

To make selection, reviewing and monitoring easier, however, take the shortcut: Look for providers who understand your burden and help you take care of it without your having to ask. That means they proactively explain and document their security program, processes, and technology. It means they provide you with proactive, periodic data around the performance of the program. It means they update their technology (and let you know) when standards change.

A good provider will save you a lot of time so you can worry less and apply that recovered time to what really matters – your work.

Jim Ballowe

Jim is a veteran information technology professional, having worked with several global technology pioneers including Digital Equipment Corporation, HP & Lucent. His areas of expertise include enterprise architecture, infrastructure, information security, and product development and is helping Esquire and its clients navigate Litigation 2.0.