Raising the Bar for Legal Cloud Computing
State bar groups and even the American Bar Association are chiming in on the ethics and permissibility of legal cloud computing technologies.
Send to Kindle
Like most other verticals, law firms are attracted to cloud computing for its combination of functionality and reduced cost. Befitting a barrister, the legal profession’s use of cloud computing is getting a fair bit of scrutiny, with state bar groups and even the American Bar Association chiming in on the ethics and permissibility of legal cloud computing technologies.
After all, lawyers handle a great deal of sensitive information and are under fairly strict regulatory mandates to protect client confidentiality, chain-of-information custody, and data security and integrity. And they’re lawyers, so crafting Byzantine guidelines comes rather naturally.
If there’s a recurring theme in the legal vertical’s cloud directives, it’s that cloud service providers need to show -- beyond a reasonable doubt, one presumes -- their cloud and SaaS offerings meet strict minimum standards. Any solution provider hoping to add legal cloud computing to their lawyerly clients’ bill of fare should take note of the industry’s main concerns.
So far, 15 state bar associations have issued opinions guiding the professional use of legal cloud computing. All have concluded cloud computing is suitable for lawyers to handle most of the work of their firms. Where they differ most is in the definition of “reasonable care” that all of the industry groups say needs to be applied to the adoption of cloud computing in law offices.
Three state bar groups -- Maine, New Jersey and New York -- put the heaviest burden on legal cloud computing vendors, including language in their opinions that say the vendor, and possibly its employees, should have an enforceable obligation to maintain confidentiality.
At the other end of the spectrum are states bar association like the one in Connecticut, the most recent to opine on the cloud computing question, which said “The ultimate responsibility for insuring the privacy and security of the data resides with the user purchasing the cloud services. While much of the physical, technical, and administrative safeguards are handled by the cloud service provider, the user will still retain responsibility for a significant portion of these safeguards.”
Most fall somewhere in the middle, with guidelines that encourage dialog between lawyers and service providers so that the client understands how data is handled, who is responsible for it when problems arise and how security and privacy protocols are enforced or updated.
In a formal ethics opinion on the matter, the North Carolina State Bar makes some specific references to the legal cloud computing SLA.
Given the rapidity with which computer technology changes, law firms are encouraged to consult periodically with professionals competent in the area of online security. Some recommended security measures are listed below.
Inclusion in the SaaS vendor’s Terms of Service or service-level agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.4
Evaluation of the extent to which the SaaS vendor backs up hosted data.
The state bar groups that have weighed in on cloud computing have suggestions and guidelines that are fairly consistent, with the occasional quaint throwback, like the Vermont Bar’s suggestion that lawyers carefully “consider whether certain types of data (e.g. wills) must be retained in original paper format.”
The American Bar Association has a good rundown of the variations in cloud computing opinions state by state. And in fact, the ABA gives legal cloud computing a significant endorsement in its own evaluation of the technology.
"A legitimate argument can be made that files stored on the vendor's servers are more secure than those located on a typical attorney's PC, as the vendors often employ elaborate security measures and multiple redundant backups in their data centers," ABA officials wrote.
Legal Cloud Computing for the Provider
The important element for service providers is to recognize that in a world rapidly migrating to the cloud with little compunction, the legal vertical is taking a measured approach to the technology with some serious discussions of the underlying ethics as they pertain to their profession.
Understanding these ethical considerations can help a cloud service purveyor hit the key points of concern when pitching law-firm clients and crafting their practices with a fine, value-added focus on legal cloud computing that resonates with this profitable vertical.