By Jim Calloway

“Is it really OK for a lawyer to use the cloud?” is one of the most commonly asked questions I hear from lawyers both today and over the years.

The answer is what has been referred to as every lawyer’s favorite answer to any legal question – “It depends.”

In my opinion, the expanded answer to that question is, today not only is it appropriate for lawyers to use the cloud for both the lawyers’ and clients’ information, but there are many situations where using the cloud is the absolute best method of storing, utilizing and protecting both lawyer and client data. (Let me note that I am not the OBA ethics counsel nor does my opinion constitute any policy of the Oklahoma Bar Association.)

Of course, being a lawyer, I’m also quite certain I am correct about the subject.

Let’s begin with a very simple definition of cloud computing:

Cloud computing is a fancy way of saying stuff’s not on your computer. It’s on a company’s server, or many servers, possibly all over the world. Your computer becomes just a way of getting to your stuff. Your computer is an interface, but not where the magic happens.

This definition is from “Byte Rights” by Quinn Norton, published in a now-defunct magazine Maximum PC in September 2010. She wrote articles for Maximum PC for five years and has written on hacker culture and technology topics. She probably had no idea when she wrote the above words that she would be cited in state bar ethics opinions and many other publications for lawyers.

Most computer users use cloud computing every day. Some services are obvious examples of cloud computing like Dropbox, iCloud, Gmail (and everything else provided by Google) and Facebook (along with all other social media).

If one wants to dive into the weeds, there are now many types of cloud service models including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS), but we are not going into the weeds today.

WHEN IS THE CLOUD THE ABSOLUTE BEST CHOICE?

To me, it is online backup.

Since the beginning of cloud computing, lawyers were concerned whether these services appropriately protected confidential and privileged client information. That is clearly an important concern, which I’ll cover momentarily.

There are other types of risks to our practices and our clients as we use technology tools. A hard drive crash could wipe out important and valuable client documents. If a brief that was 90 percent done and is due tomorrow is lost, it would create a problem for the lawyer and possibly for the client. Today, we are all just one ill-advised click on a link or attachment from a potentially devastating malware attack. At worst, the attack could wipe out not just one computer hard drive, but every computer hard drive, portable hard drive and server attached to the network.

If you practice in a large firm with full-time IT staff and they have a different backup strategy, that’s fine. However, for most, a continuously operating cloud-based backup service should be one of your two backup methods. (Yes, two backup plans, operating independently, is the standard of care today.) Since most online backup services both compress the data and hold it very securely, the chances of an information data breach are quite limited.

Online backup works well if you have computers corrupted by malware or a hard drive with corrupted data that is undamaged.

Restoring from an online backup is more challenging if the computer has been destroyed by natural disaster and you cannot purchase the exact same model as a replacement. The lawyer is still in far better shape than if there was no backup, but you will first have to buy a new computer and then professional assistance may be required to retrieve the data and make it usable. Some customizations will likely be lost.

You may also want to inquire with your backup provider on how long a complete data restore might take. I once heard from a lawyer who used the “home” grade of a backup service rather than the business class and, in his second day of an estimated three days to restore the data, he wasn’t exactly a satisfied customer.

PRACTICE MANAGEMENT IN THE CLOUD

Every OBA member who has heard me discuss this subject knows I am a big fan of cloud-based practice management solutions. I particularly like cloud-based practice management for solo and small firm lawyers because the tech support is handled by the provider as a part of the subscription. In addition to making law firm operations run more smoothly and efficiently, these tools serve as the cloud-based backup service that doesn’t need to be restored.

Just imagine you are looking at firefighters pouring water on what is left of your smoldering law office or you are on high ground looking down on your flooded place of business. Having a backup is great comfort then, but you are a few steps away from having access to your files. With cloud-based practice management tools, you can be logged in with your phone looking at documents in client files and rearranging your calendar for tomorrow while watching the firefighters.

Many lawyers now sometimes work from home. Many lawyers also travel frequently as a part of their practice and work from hotel rooms or other locations. Using a VPN to securely log in to a practice management solution is a much more secure way of remote working than emailing documents back and forth with the office. This provides access to every document in every client file (assuming you scanned them into the digital client file) and other things you need like time and billing tools.

The benefits of having data in the cloud are likely why 52 percent of lawyers responding to the 2017 ABA Tech Report survey stated they were using cloud computing, with solo and small firm lawyers leading the way. It is probable many lawyers in larger firms who responded to the survey were unaware of the ways the firm was using the cloud. (I still chuckle about the time a lawyer sent me a strongly worded email from his Gmail account outlining why he would never use cloud computing.)

Another benefit of using the cloud is that well-designed cloud services are quite secure and provide protection for a law firm’s data and client data. Today, being connected to the internet means you are a target for online scammers, criminals and other wrongdoers. I’ve heard of many law firms having all or some of the office computers crippled by a malware attack. I have not heard of any instances where a cloud-based service designed for the lawyers has had such an attack reach their stored data.

I’ve often referred to using a good cloud computing provider as outsourcing your digital security to those better trained to handle it.

Last summer, the OBA recognized six cloud-based practice management solutions as OBA members benefits, which generally means new subscribers will get a discount. The services are Clio, CosmoLex, MyCase, PracticePanther, Rocket Matter and Zola Suite. They all provide client portals for secure communication with clients in addition to many other features.

THE RISKS OF CLOUD COMPUTING

Many lawyers are concerned about the ethics of keeping client data in the cloud. There’s no doubt that randomly using any cloud-based data storage for client information may not be the best plan, but most commercial grade cloud-storage service providers are quite concerned about security. After all, the viability and continued existence of their businesses depend on it.

I would also note that the cloud-based practice management systems were designed for lawyers to store client data and so client confidentiality and security was upmost in mind.

Legal technology journalist Robert Ambrogi compiled a list of 19 states that have issued legal ethics advisory opinions (with links to each) and he noted:

The good news here is that all 19 of the states that have considered the issue agree that lawyers may ethically use the cloud, provided they take reasonable steps to minimize risk to confidential information and client files.

I’m not going to regurgitate all of those opinions that are linked from Mr. Ambrogi’s column, but if you want to do some research I’d suggest you start with the one from Pennsylvania. There are some improved ways to protect this data, such as two factor authentication that were not commonly available when these opinions were written.

Certainly, we have all heard of hacks to online data that someone thought and hoped was secure, but that is only one risk and it applies to your office’s internet-connected computers as well as cloud-based providers.

a significant risk today is that the end user will not protect their passwords well or have adequate security tools on their computer, allowing access to their client data through that method as opposed to a hacker breaching the system. Phishing emails of all types are another substantial risk to your office computers.

Oklahoma does not have a legal ethics advisory opinion on cloud computing, but in 2010 then-OBA Ethics Counsel Travis Pickens wrote about cloud computing in the Oklahoma Bar Journal. He noted:

But rock-solid certainty is not required. Significantly, in the few ethics opinions that have addressed it, the consensus appears to be that the law firm is not required to guarantee that the system will be invulnerable to unauthorized access.

There are many risks today. I am concerned about the lawyer who has a computer crash or malware attack and hadn’t backed up his or her data. I am concerned about the lawyer who cannot handle a client emergency that requires access to documents in a client file when their law office is closed and the lawyer is out of town. I’m concerned for the lawyer who loses a briefcase with an irreplaceable client file or whose office is destroyed by a natural disaster. I’m concerned about the lawyer who loses a business client because the lawyer seems unfamiliar with secure online file management and information sharing.

As professionals, we each bring our experience and training to each engagement. Some of us have different appetites for risk. None of us would risk our client’s confidential information. Protecting our client’s confidences is a core value of our profession, but there is no completely risk-free alternative for business operations that require internet access.

I’m a lawyer who once drove off with my briefcase full of client files on the top of my vehicle’s trunk instead of inside it. I saw the resulting disaster in my rear-view mirror. I recall thinking I needed to buy a new briefcase anyway and being quite grateful it was not a windy day. That illustrates that having critical client information stored only in physical client files is not risk-free either. In earlier times that was a lawyer’s only choice. Today you need a backup of the data – and a way to keep your law practice operating in the face of any disaster.

Mr. Calloway is OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8060, jimc@okbar.org. It’s a free member benefit!

Originally published in the Oklahoma Bar Journal — Jan., 2019 — Vol. 90, No. 1