Management Assistance Program
Safe in the Clouds
By Jim Calloway
“Safe in the clouds” sounds peaceful and dreamy, unless of course you have a fear of falling.
Lawyers, for better and for worse, are trained to examine everything with an eye toward fear of falling, or more accurately, fear of failing. This starts in law school with the high-pressure Socratic method, high-stakes single exams and class ranking. In law practice, there is an important need for critical examination skills, whether it is “Could that oddly drafted contract provision harm my client?” or “Are they trying to gain an advantage with that ambiguous phrase?”
Among the most frequently asked questions I receive from Oklahoma lawyers are questions about cloud computing. This has been true for several years. Lawyers are concerned about the risks of using cloud computing because these data security risks seem hard to appreciate and quantify for those untrained in information technology.
Is my data safe in the cloud? Can other people see my data in the cloud? Is it safe to keep my clients’ data in the cloud? Are there legal ethics concerns about keeping client data in the cloud?
The answers to these are clear, as far as I am concerned. Your digital data is safer in the cloud.
Digital data on any device you own connected to the internet in any way cannot be deemed “100% safe” because of the possibility of a user making a mistake or falling for a scam. The device might fail or there might be a breach from an outsider. This lack of 100% certainty of safety applies to data on all of your connected devices, including computers, tablets and phones.
The Oklahoma Rules of Professional Conduct (ORPC) recognize this as do the ABA Model Rules of Professional Conduct. ORPC Rule 1.6 (c) states that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 16 to that rule provides, in part:
The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
So, the lawyer who wants to use cloud computing tools is guided by the determination of whether the tool is reasonable. It is always good lawyerly advice to read the Terms of Service, particularly as to under what circumstances, if at all, your data can be accessed by the provider.[1]
However, for the lawyer who doesn’t want to use cloud computing tools, my response is that these tools are safer – and why wouldn’t you want to use safer?
I should note that there are unsafe ways to implement any technology tool, including those in the cloud. If done correctly, cloud computing can be viewed as outsourcing your data security needs to someone more qualified while also making accessing your data quicker and more convenient.
OUTSOURCING YOUR DATA SECURITY
Today we are at a time where the major cloud service providers can essentially guarantee an impenetrable vault.[2] A service like Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform can provide this for you – a data “fortress” which is not going to be breached by a hacker. (Most cloud computing providers lease space from one of those primary hosts.) The challenge is that you oversee the drawbridge and the gate – along with everyone and everything that you allow access.
In other words, you are as secure as your most careless user and, if you have other online services connected to your vault, you are depending on them to be secure as well.
The challenge is training that most careless user – the one who keeps the passwords on Post-its near the workstation, takes the company laptop home and lets the kids play on it or clicks on attachments or links in emails from everyone, known or unknown. That person is your greatest vulnerability. A few lawyers might even admit it is them.
Recently, one cloud hosting company was itself a victim. Insynq was the target of a ransomware and malware attack in July 2019. Insynq specializes in providing cloud-based QuickBooks accounting software and services, so many accounting firms found themselves offline for time ranging from hours to days. Apparently some Insynq employee made errors allowing the attack. This is newsworthy because it is so rare. If your office network is crippled by ransomware or malware, the attack is generally not going to make the leap to encrypt your data in the cloud.
So, what about not keeping your data in the cloud?
The careless user is still your security risk, but the consequences from that person’s mistakes are arguably worse. Click on an infected file or bad link and the office network may be encrypted with ransomware or just destroyed with some other malware. There is an increasingly smaller chance you can pay the ransom and recover your data. Normally the best outcome is being down for a few days, paying an outside consultant and only losing the data created after your last backup was saved. A firm that isn’t doing regular backups may experience more catastrophic damage.
Other dangers of not using cloud computing are risks we can all easily understand: the office (and equipment) catches fire or is destroyed by a natural disaster, along with the backups you have been methodically creating and storing in your office; a burglary; or a hard drive or server dying unexpectedly.
Another set of risks associated with not using the cloud is that the lawyers and others employed by the law firm are in charge of digital security. If you have full-time IT staff, that’s one thing, but if you are doing it yourself or have a local contractor who comes to the office only when you call with a problem or you need new hardware, you likely have a less qualified security officer than the engineers and security experts on the staff of a cloud provider around the clock. You won’t be aware if some new threat emerges while you are asleep or during a two-day jury trial. It’s up to you to select and keep updated your firewall, anti-virus and other security tools. Keeping software updated is often automatic. However, if your credit card is compromised and the card’s number changed, mistaking a security provider’s renewal “bounce” notice for an advertisement could expose your law firm to the risk of outdated protections.
LAW FIRM DOWN TIME
Let’s discuss “down time.” Taking reasonable steps to protect your clients’ confidential information is your ethical obligation, but keeping the law firm operational is important for the law firm’s interests as well as the clients’.
In August in Oklahoma City, we had what some called an “inland hurricane” with straight-line winds recorded at 95 mph. In the aftermath, some were without electrical power for several days. A law firm without power is challenged. To reach cloud-based tools, one only has to locate power anywhere, along with internet access. I’ve heard of law firms temporarily without electricity sending people home to work remotely or opening up shop in a partner’s home. If all of your data and tools are powerless in the office, that approach is much less effective.
Even though the cloud is safer, a law firm should still do data backups. You keep data in the cloud, but not all of your software. A backup can restore a workstation to operating order.
Do you have to inform your clients of data stored in the cloud and obtain their consent? All of the jurisdictions that have issued ethics opinions on the issue of lawyers using cloud computing have found it to be ethical, as long as law firms take “reasonable care” when implementing a cloud service. Only a few states have opinions discussing obtaining client consent and those do say it is not routinely necessary but could be in certain sensitive situations. There’s no direct authority on point in Oklahoma. My advice is to include a reference to cloud data storage in your attorney-client engagement agreement and always make certain new clients read that agreement before signing. If clients have any concerns or questions, they can be addressed at that time.
It is also noteworthy that Comment 16 to Rule 1.6 provides: “A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.”
Cloud computing is a critical part of most law firm operations now. In the future, more law firms will make use of cloud-based automation tools and virtual assistant services in their practice workflows and operations. Even lawyers who consider themselves low tech often use cloud-based email services like Gmail. Some Office 365 tools require online access. So, it will be increasingly difficult to avoid the cloud. This is not to say you cannot decide to keep your copies of completed clients’ estate plans in offline storage or that handling a divorce case where the opposing party regularly attends hacker conventions might not require special measures. However, all business tools will increasingly be cloud-based going forward.
Mr. Calloway is OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8065 or firstname.lastname@example.org. It’s a free member benefit!
1. Some believe the best plan is an encryption scheme where only the law firm has access and if the login credentials are forgotten or lost, all data will be irretrievably lost. Others believe there ought to be some way a lawyer can retrieve a lost password or a judge could order that an appropriate individual be allowed access to a deceased lawyer’s files.
2. For readability, I am using some absolute terms in this column but the “not 100%” rule applies to all of them. Even for the ones that actually are 100% today, there might be a new development tomorrow.
Originally published in the Oklahoma Bar Journal — October, 2019 — Vol. 90, No. 8