Niki Black, lawyer, journalist, and legal technology maven, wrote a concise analysis of what the folks at the NY State Bar have whipped up in terms of an opinion on the ethics of cloud computing.
Full disclosure: Niki is writing a book on cloud computing for the ABA and interviewed me on a number of occasions for expertise on that subject matter.
As looks to be the case with the pending opinion in North Carolina, the central idea is that lawyers need to conduct due diligence on their cloud providers. Specifically, as Niki points out:
In other words, as I’ve often repeated, reasonable security measures do not ensure absolute security. Absolute security is an absolute impossibility — and it’s heartening that the committee acknowledged that reality in its opinion. The committee also provided very helpful guidance for lawyers, explaining the steps the should be taken to ensure client data will be sufficiently protected.
- Be certain the cloud provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigate the provider’s security measures, policies, recoverability methods and other procedures to determine if they are adequate;
- Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data; and/or
- Investigate the provider’s ability to purge and wipe any copies of the data, and move data to a different host if the lawyer becomes dissatisfied or otherwise wants to change providers.
So, as the NYSBA’s committee rightfully concluded, and as I’ve repeatedly stated in the past, lawyers cannot blindly utilize cloud computing technologies without first understanding and researching the services provided by the cloud computing provider.
I’m encouraged that New York and North Carolina are developing rational, well-measured opinions on legal cloud computing that protect the interest of attorneys and establish a level of reliability for the vendors themselves.
However, the ABA’s recent suggestions that cloud providers are essentially outsourced providers requiring oversight seems a little impractical to me. The point of cloud computing for lawyers is to make life easier and eliminate headaches.
Just like electricity, lawyers using Internet-based practice management and time and billing simply plug in and use a utility. Since lawyers are outsourcing their power supplies to electric companies, should they be forced to oversee their operations as well?