Cloud computing is rapidly transforming the way entire industries conduct business, and the legal field is no exception. Like the rest of us, lawyers have been quick to embrace the cloud, but what happens when new technology bucks the very regulations governing professional conduct?
The benefits of cloud storage for most users far outweigh the security and privacy risks inherent to storing information remotely, but these concerns carry particular gravity for those working with privileged information. How does a lawyer reconcile the many benefits of cloud storage with the legal obligation to safeguard client information from unauthorized access?
This was a question posed last week during “Privacy and Your Practice: Data Sovereignty for Lawyers,” a panel discussion held at CUNY Law School.
Law and order in the digital era
The digital revolution has engendered ethical gray areas in the legal industry for decades, with cloud computing only the most recent example. Panel speakers recalled the apprehension that surrounded the use of email and cellphones in the ’90s and remarked how “quaint” those concerns seem in retrospect. That context underscored the point that many in the law profession continue to grapple with the implications of digitizing information.
“It used to be that in the 1600s, a monk would have to redraw a book by hand and it would take decades,” said Grainne O’Neill, a criminal defense attorney. “Now you just push a button and everything gets copied.”
Lawyers are quick to admit this shift to digital records was a necessary advent. The first line of a New York City Bar report on the ethics of cloud storage discusses the enormous amount of money and space required to store a law firm’s information and research materials in hard copy. The report calls the Internet Age “an answer to prayer.”
Cloud storage provides lawyers a new tool, but like email, it also presents a new set of moral quandaries. How do you guarantee the confidentiality of information that isn’t stored on-site?
“These services enable many lawyers to be able to practice law in an efficient, economic way that they wouldn’t otherwise be able to do,” said Nicole Hyland, a legal ethics and intellectual property lawyer. “There are people out there who make the argument that [sacrificing some security is] the bargain we’ve made, and as long as we understand, we shouldn’t make a big deal about this. But for lawyers, it’s different because we have these ethical obligations.”
Some contend that cloud storage is fundamentally incompatible with a lawyer’s responsibility to safeguard confidential information. But, ironically, lawyers can cite an analog precedent to using remote data storage.
“You used to send your boxes to Iron Mountain Storage. There were third parties there. There was a warehouse guy,” Hyland said. “As long as you’ve taken reasonable steps, you’re not going to be ethically on the hook.”
Abi Hassen, a mass defense coordinator with the National Lawyers Guild, said one of the consequences of recent high-profile data breaches has been a general loss of trust in encryption, which he believes is unwarranted to an extent.
Hassen said encryption works as a system, but “any time someone’s holding your keys, that’s not real end-to-end encryption.”
He says a secure system is one in which information is encoded by the sender and decoded by the recipient, with no one along the way who can access the decryption key. If you can retrieve your key in case you forget it, it was never really safe in the first place.
Data security for lawyers doesn’t end with encryption though, and Hyland points out that it doesn’t automatically start there either. The relevant ethics opinions stipulate that lawyers aren’t always obliged to encrypt data, but highly sensitive information is subject to a higher standard and may not even be appropriate for cloud storage.
“If you’re representing a Guantanamo prisoner, maybe you don’t want to store that information in the cloud,” Hyland said.
According to the experts on the discussion panel, common sense, due diligence and an understanding of the technology are perhaps the most relevant tools for a lawyer in evaluating a cloud storage solution. Don’t choose just any service, and don’t simply scroll through to the bottom of the end-user agreement.
Hyland suggests that lawyers interested in deploying a cloud solution should ask the following questions: What’s the provider’s track record? Who owns the data as stipulated in the terms and conditions? What happens if the provider gets subpoenaed — is your data simply turned over, or are you notified first?
Some are concerned that contentious technology issues, such as the adoption of cloud computing, are forcing many lawyers into the role of technologist, but Hyland believes innovation in the industry will eventually address these challenges.
“I think what we need to start seeing is more service providers that are specifically geared to lawyers, and we’re probably going to start seeing that because that will normalize a lot of these questions,” Hyland said. “That’s probably an opening in the marketplace for someone.”
This story originally appeared on Tech Page One.
Dmitry Sheynin is a technology journalist based in New York whose work has appeared in numerous IBT Media/Newsweek publications.