What Lawyers Should Know About Cloud Computing Security
The most important thing to understand when deciding whether to house confidential client data in the cloud is that absolute security is an impossibility. This fact is recognized by the vast majority of legal ethics committees that have addressed this issue. (See: Professional Ethics Committee of the Florida Bar Op. 10-2 (2011), New York State Bar Association’s Committee on Professional Ethics Op. 842 (2010), Pennsylvania Bar Association Ethics Opinion No. 2010-060 (2010), North Carolina Bar Proposed 2011 Formal Ethics Opinion 6 (2011), Iowa Committee on Practice Ethics and Guidelines Ethics Opinion 11-01 (2011), and, most recently, the Oregon State Bar in Formal Opinion No. 2011-188 (2011).)
By way of example, in the New York State Bar Association’s Committee on Professional Ethics Op. 842, the Committee noted that “exercising ‘reasonable care’ under Rule 1.6 does not mean that a lawyer guarantees that the information is secure from any unauthorized access.”
The most recent opinion on lawyers using cloud computing, issued by the Oregon State Bar (Formal Opinion No. 2011-188), offers a good example of the standards established by the various ethics boards. According to the opinion, the reasonable steps that must be taken to ensure the security and confidentiality of client information include: “(E)nsuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify Lawyer of any nonauthorized third-party access to the materials. Lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer’s duties.”
The difficult part of ensuring compliance with your ethical duties is knowing which questions to ask. In my recently published book, Cloud Computing for Lawyers (ABA 2012), I suggest that lawyers use the following list of questions as a starting point:
- What type of facility will host the data?
- Who else has access to the cloud facility, the servers and the data and what mechanisms are in place to ensure that only authorized personnel will be able to access your data? How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees?
- Does the contract include terms that limit data access by the vendor’s employees to only those situations where you request assistance?
- Does the contract address confidentiality? If not, is the vendor willing to sign a confidentiality agreement?
- How frequently are back-ups performed? How are you able to verify that backups are being performed as promised?
- Is data backed up to more than one server? Where are the respective servers located? Will your data, and any back up copies of it, always stay within the boundaries of the United States?
- How secure are the data centers where the servers are housed?
- What types of encryption methods are used and how are passwords stored? Is your data encrypted while in transit or only when in storage?
- Has a third party, such as McAfee, evaluated or tested the vendor’s security measures to assess the strength of, among other things, firewalls, encryption techniques, and intrusion detection systems? Are the audits of the security system available for your review?
- Are there redundant power supplies for the servers?
- Does the contract include a guarantee of uptime? How much uptime? What happens in the event that the servers are down? Will you be compensated if there is an unexpected period of downtime that exceeds the amount set forth in the agreement?
- If a natural disaster strikes one geographic region, would all data be lost? Are there geo-redundant back ups?
- What remedies does the contract provide? Are consequential damages included? Are total damages capped or are specific remedies limited?
- Does the agreement contain a forum selection clause? How about a mandatory arbitration clause?
- If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
- What rights do you have upon termination? Does the contract contain terms that require the vendor to assist you in transitioning from their system to another?
- What rights do you have in the event of a billing or similar dispute with the vendor? Do you have the option of having your data held in escrow by a third party, so that it is fully accessible in the event of a dispute? Alternatively can you back up your data locally so that it is accessible to you should you need it?
- Do the provider carry cyber insurance? If so, what does it cover? What are the coverage limits?
Of course, this list isn’t extensive and, as I discuss in my book, there are other issues to explore. But, the bottom line is that the key to ensuring that your confidential client data is secure in the cloud is to learn as much as you can about cloud computing, make sure that you have a basic understanding of the concepts, review the applicable ethical rules in your jurisdiction, and ask appropriate questions (and receive adequate answers) from your chosen legal cloud computing provider.