by Peter W. Summerill
What Is Cloud Computing?
Cloud computing can be defined in a variety of different ways. These definitions can include a number of arcane and difficult to understand computing concepts. However, the simple definition is that cloud computing means your stuff is stored somewhere other than the computer in front of you. A very simple example is everyday e-mail. If you use a service such as Yahoo!, Google’s Gmail, or Microsoft’s online services, all of your e-mail is stored online, in “the cloud.” More recently, services have successfully expanded beyond e-mail. The advancement of technology allows companies to provide a vast array of hosted, online, 24-7 availability to your information and software from anywhere. The services have expanded to include legal specific practice management software such as time and billing, calendaring, messaging, and file sharing. These cloud services allow smaller firms and solo practitioners to access and deploy high-end software solutions at an affordable price, and also provide more efficient and economical services to their clients.
You Can’t Teleport to the Information, But You Can Teleport the Information to You.
Imagine sitting in court and pulling up your entire client file, including all contact information, all phone calls that you have made, all e-mail that you may have sent, and any documents associated with the file, including pleadings, correspondence, and evidentiary materials. Imagine being able to log new billable hours and activities associated with the client matter automatically and before you ever even returned to the office. Finally, imagine that all of this information, your e-mail, phone notes, billing entries and file documents, are fully indexed and searchable, from an interface available on your smart phone such as an iPhone or Android. RocketMatter (www.rocketmatter.com) and Clio (www.goclio.com), the two main players in the cloud-based practice management arena, offer this very functionality. Each of these services exist entirely in “the cloud.” Because each service exists in the cloud, all of your client-matter information is available anywhere that you can gain Internet access. Additionally, each has optimized its online interface for access via smartphones.
Other services can seamlessly synchronize all of the files on your laptop with those of your paralegal, secretary, and law partners. Any change made to a file by your paralegal is almost instantaneously synchronized to your laptop over the Internet. This means you could be in a client meeting in Phoenix while your paralegal makes alterations and finalizes a contract/pleading in Salt Lake City. So long as you have an Internet connection, the changes your paralegal makes will be synchronized to your laptop almost immediately for review and approval by the client. An additional benefit to such synchronization services is that you have now effectively backed up that same file across all computers using the service. If your office scans all incoming mail, you will always have a redundant backup of your entire paper file. Even if an earthquake were to level your law office and destroy every desktop computer in the office, all of your client file documents would still exist independently both “in the cloud” and on your laptop. Under this scenario, your laptop could even be destroyed and, so long as you are able to regain Internet access at some point, you would be able to access and retrieve every document scanned or created by you and your firm.
Dropbox (www.dropbox.com), Box (www.box.com), and SugarSync (www.sugarsync.com) all provide cloud-based synchronization services that leverage the Internet. Considering that these services provide a seamless off-site backup to all of your designated client-matter folders, it may be malpractice to refuse to consider these services as part of your law office practice management strategy. The question, of course, is to what extent use of a cloud service can be done in compliance with both the rules of professional responsibility and the ability to maintain privacy and security.
Professional Responsibility Rules and Malpractice Considerations of Cloud Computing.
Of course, as with any new technology, there is a fear of the unfamiliar. Objections raised against using cloud-based technology fall into two broad categories: security and privacy. Under the first category, Luddites complain that the services are by definition “insecure” because they are cloud-based and therefore subject to hacking; i.e., unauthorized access by third parties. Additionally, the security objection claims that cloud services might fail, thereby causing either the inability to access or sudden disappearance of your information. The second category of objection, privacy, suggests that individuals outside of the law firm may gain access to or view sensitive client information as part of a service agreement with the provider. This privacy objection stems from the belief that employees of the cloud service may have access to client information as a result of simply maintaining the servers on which the information is stored. However, neither security nor privacy concerns preclude the ability to leverage cloud-based technologies for the benefit of your practice and your clients. A review of the relevant rules of professional responsibility demonstrates that you can use these services without becoming a “technology expert.”
Lawyers have an ethical obligation to maintain the confidentiality and security of their clients’ property. Cloud computing implicates, at the very least, Rule 1.6(a) of the Utah Rules of Professional Conduct: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.”
The comments to this rule indicate that a lawyer “must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure.” See Utah R. of Prof’l Conduct 1.6, cmt. 16. When transmitting a communication, the lawyer “must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure.” Id. R. 1.6, cmt. 17. At about this point, lawyers start to get nervous about using cloud services. All manner of bogeymen start to come to mind: “hackers” and the “wild west” nature of the Internet; third-party cloud service providers gaining access to client information, to name a few. Some go so far as to claim that “informed consent” of the client becomes necessary prior to using such services and that the services implicate Rule 5.3, “Responsibilities Regarding Nonlawyer Assistants.” Id. R. 5.3. These positions either fundamentally fail to understand the nature of cloud services or overstate the duties of lawyers.
First, the duties of a lawyer to maintain confidentiality are not boundless. Rule 1.6 “does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.” Id. R. 1.6. Additionally, Rule 1.0 defines “reasonable” or “reasonably” when used in relation to conduct by a lawyer to mean “the conduct of a reasonably prudent and competent lawyer.” Id. R. 1.0. Ethical and pragmatic considerations simply do not impose upon a lawyer an obligation to undertake herculean measures. In short, to comply with the rules of professional responsibility, a lawyer need not safeguard client information like a penguin on an egg at the North Pole. So long as the lawyer has used available security measures and acted reasonably with regard to maintaining privacy and security, their obligations and duties have been met.
Second, the misunderstanding regarding cloud services further conflates the problem. Using a cloud-based service that provides secure connections to your data and prohibits direct access to the information by their employees represents reasonable compliance with a lawyer’s obligations to maintain confidentiality. Any lawyer who connects to the federal court PACER system is already engaged in a “cloud” service. The PACER system offers a “secure connection” between the system and your computer. Any lawyer who uses online banking is similarly conducting business through a cloud-based service. Any lawyer who has taken a phone call on their cell phone is employing technology not directly subject to their control. Indeed, any lawyer who mails a letter is using a service with employees who are not subject to their direct control. No one would seriously consider the mailman to be a “non-lawyer assistant,” and it is equally absurd to impose supervisory duties over the providers of cloud-based software.
Real world, and reasonable, considerations that a lawyer should employ when evaluating a cloud service should include the following:
• Is my information safe while in transit? This is typically referred to as Secure Sockets Layer (SSL) and it ensures that all data is encrypted prior to transmission and sent in a secure form until it is unlocked and stored at the service side.
• Is the information secure once it is stored on the cloud service? You must read the privacy, service level agreement and terms of service by the cloud provider. Although not a guarantee of privacy/security, reviewing these agreements is a necessary step. Think of it as analogous to reading your lease prior to moving into new office space. Can your landlord walk into your office at any given time? Or, do you have a reasonable expectation of privacy based upon the leasing agreement?
• Is the information “captive” to the cloud provider? This question requires determining whether your information is available “outside” the cloud service. If you can download and open a local copy of your information or access it through another application, then the information is not captive.
Real World Application – Dropbox as an Example
Some may balk at the “guarantee” that Dropbox will not share your files with others. Indeed, this is perhaps the “weakest” link in the privacy, confidentiality, and security chain. However, the same argument that “anyone” could hack their way onto Dropbox servers and gain access to the data is the same argument that can be made for the front door, back door, or side window of your office. Given the ease with which someone could access your physical office, it is far more likely that there would be a loss of confidentiality, privacy, or security through the physical files themselves than through a highly encrypted and secured computer storage server. Or, as a more direct analogy, if a thief broke into your office and stole your “private” server, could you replicate your files at all? In a way, Dropbox provides a service which makes your practice more secure without compromising confidentiality in any meaningful way. At the very least, a reasonable analysis of the service confirms that you can not only meet your professional responsibilities, but you can also improve the efficiency of your practice and ability to serve clients by using such cloud computing options.
Cloud-based computing is quickly reaching a level of maturity at which it will become ubiquitous. Cloud computing allows access to client-matter information regardless of platform and often accommodates newer, more portable forms such as iPads and smartphones. Further, the affordability of cloud computing allows small firms and solos to leverage the technology and provide a higher quality, more efficient service to their clients. Finally, in many instances, the simple fact that cloud computing automatically employs encryption and creates a redundant copy of information actually helps lawyers stay in compliance with their obligations to maintain privacy and security of client information.