Cloud computing is one of the relatively new technology tools available to lawyers and their practices. But it can have pitfalls as well as advantages.
The Bar’s Board of Governors approved Ethics Opinion 12-3 in July to help guide lawyers using cloud computing. (Cloud computing is defined as “Internet-based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.”)
The opinion can be read in its entirety on the Bar’s website, floridabar.org.
The Bar’s Law Office Management Assistance Service (LOMAS) has prepared the following advice and checklists for lawyers using cloud computing:
The benefits of cloud storage and cloud computing have become well known over the last few years. They include business continuity advantages, mobility, less reliance on IT staff, IT cost reductions, and additional services heretofore not available to many small firms and solos, which can give them a competitive advantage. But there are also security concerns of which law firm owners and administrators should be aware, and it is the lawyer’s responsibility to stay abreast of developments in security precautions.
LOMAS has observed that many firms have moved to cloud computing. Our best recommendation is that law firms make certain they are dealing with an established provider, and:
* That the provider will abide by a confidentiality agreement;
* That firm management has clear written guarantees on who owns the firm’s data that is stored in the cloud;
* That the provider and the firm have a written agreement on how the firm will retrieve and remove its data if it leaves the service or if the provider goes out of business;
* That the firm is kept abreast of what security measures the provider uses;
* That the firm is kept apprised of who can access the data on the provider’s end;
* That the firm will be notified of any request from a third party to produce the firm’s data; and
* That the firm will be kept apprised of where the firm’s data will be stored on the other end of “the cloud.” Because data stored abroad is subject to the hosting country’s privacy and search-and-seizure laws, make certain that the provider’s servers are located in the United States.
LOMAS offers these additional cloud computing checklists for lawyers. At a minimum, and in order to meet the standard of reasonable care, attorneys should:
* Be knowledgeable about how cloud providers will handle the data entrusted to them. This also means that lawyers cannot merely click “I Agree” to electronic/online contracts (terms of service and service level agreements, or SLAs) or fail to obtain appropriate advice about cloud security;
* Include terms in any SLAs stating that the data is owned by the client/law firm, is not owned by the cloud provider, and that the cloud provider affirmatively agrees to this condition;
* Include terms in any SLA or other agreement requiring the provider to preserve the confidentiality and security of the data; and
* Include terms in any SLA or other agreement requiring the provider to assure, should data be removed or the contract terminated, that all confidential data (including any copies and backups) will be destroyed using a method that prevents anyone from recovering it. Otherwise, a firm’s data could remain on the provider’s servers indefinitely and be exposed to an attacker.
Basic cloud computing checklist for lawyers:
* Configure your network with the appropriate setup and security settings;
* Verify your internal network settings to ensure the most efficient and secure levels of access;
* Verify your Internet service provider’s (ISP) security and data storage and management settings;
* Understand the rules and general practices of your cloud vendors’ ISPs;
* Review and regularly monitor your SLAs with your cloud vendors;
* Keep an updated list of your cloud services and vendors’ main contact information with alternate means of contact;
* Create internal office policies and procedures for accessing and using cloud systems in your office;
* Incorporate your cloud usage into the overall firm disaster recovery plan and business continuation models;
* Perform regular (daily preferred) backups and run regular test restores of all data;
* Request a sample retrieval from the cloud vendor (ask for your data back in the way you’d get it in the event you discontinued the service or there were other occasions when you need your data back);
* Create a policy that limits the information provided to others to what is required, needed, or requested;
* Avoid inadvertent disclosure of information;
* Implement electronic audit trail procedures to monitor who is accessing the data;
* Create plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data.
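Two of the items above, running test restores of backed-up data and requesting a sample retrieval from the vendor, are only meaningful if the firm can tell whether the data it gets back is complete and intact. The following Python script is an added example, not part of the Bar’s or LOMAS’s material: it records a SHA-256 manifest of the files at backup time, restores the archive into a scratch directory, and reports any file that came back missing or altered. The client file names and contents are constructed for the demonstration.

```python
"""Backup manifest + test-restore verification (added example, not LOMAS material).

The point: a backup's own listing cannot reveal what it silently lost or
damaged. Keep the manifest from the ORIGINAL backup run and compare every
restored file against it, the same way you would check a sample retrieval
handed back by a cloud vendor.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large documents do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative, '/'-separated path) under root to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(root: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of root and return the manifest taken at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> dict:
    """Restore archive into a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        dest_resolved = dest.resolve()
        with tarfile.open(archive, "r:gz") as tar:
            # Never trust archive member names: refuse links and paths that would
            # escape the restore directory (Python 3.12+ also offers filter="data").
            for member in tar.getmembers():
                if member.issym() or member.islnk():
                    raise ValueError(f"refusing link entry in archive: {member.name}")
                target = (dest / member.name).resolve()
                if dest_resolved not in target.parents:
                    raise ValueError(f"unsafe member path in archive: {member.name}")
            extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **extract_kwargs)
        restored = build_manifest(dest)

    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not (missing or corrupt), "missing": missing, "extra": extra, "corrupt": corrupt}


def demo() -> dict:
    """Constructed scenario: a good backup, then a later run that lost and damaged files."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "firm_files"
        (src / "clients" / "acme").mkdir(parents=True)
        (src / "clients" / "acme" / "retainer.txt").write_text("Retainer agreement, executed 2012-07-01\n")
        (src / "clients" / "acme" / "notes.txt").write_text("Call re: discovery schedule\n")
        (src / "policies.txt").write_text("Cloud use policy v1\n")

        good = work / "backup-good.tar.gz"
        manifest = create_backup(src, good)          # keep this manifest with the firm
        results["full"] = verify_restore(good, manifest)

        # Simulate a later backup that captured a truncated file and skipped another.
        # Its own manifest would look fine; only the original manifest exposes the loss.
        (src / "clients" / "acme" / "retainer.txt").write_text("Retainer agr")
        (src / "clients" / "acme" / "notes.txt").unlink()
        damaged = work / "backup-damaged.tar.gz"
        create_backup(src, damaged)
        results["damaged"] = verify_restore(damaged, manifest)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

In practice the manifest would be stored separately from the backup (and from the vendor), so that a provider returning a damaged or incomplete copy cannot also supply the record it is checked against.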
Lawyers should ensure that the provider:
* Explicitly agrees that it has no ownership or security interest in the data;
* Has an enforceable obligation to preserve security;
* Will notify you if it is requested to produce data to a third party, and provide you with the ability to respond to the request before the provider produces the requested information;
* Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;
* Includes in its “terms of service” or “service level agreement” how confidential client information will be handled;
* Provides the firm with the right to audit the provider’s security procedures and to obtain copies of any security audits performed;
* Will host the firm’s data only within a specified geographic area. If by agreement the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States;
* Provides a method of retrieving data if the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity; and
* Provides the ability for the law firm to get data “off” of the vendor’s or third-party data hosting company’s servers for the firm’s own use or in-house offline backup.
The firm itself should also:
* Provide training to all employees who will use the services, along with written acknowledgment that every employee will abide by all end-user security measures, including, but not limited to, the creation of strong, unique passwords and the regular replacement of passwords. (Note that more recent guidance, such as NIST SP 800-63B, favors changing passwords when compromise is known or suspected rather than on a fixed schedule.)
* Establish an alternate way to connect to the Internet, since cloud services are accessed through the Internet.
The LOMAS Practice Management Advisors thank their colleagues on the ABA’s LPM Section Practice Management Advisors Taskforce for its help in compiling this checklist.