As the tools of the office evolve and migrate away from traditional filing cabinet storage to cloud computing, there are concerns over the use of the cloud to store documents, especially by lawyers who are guardians of confidential information.
There’s no disputing its cost-savings. And there is a practical matter to operating in the cloud — access to information from anywhere.
But, if a third party has access to private legal records, that could eliminate confidentiality and pose a liability risk or even violate state law.
Doctors are restricted from storing patient records online by the Health Insurance Portability and Accountability Act. The federal law sets out requirements that prevent physicians from relying on Google and other sites to keep records confidential, absent individual contracts.
“Cloud computing does potentially impact some ethical rules,” said Phil Pattee, assistant bar counsel with the State Bar of Nevada. “We are 13 years into the new century and we are navigating from paper to digital. But there are issues that need to be worked out.”
In Nevada, the question being asked is, does a lawyer violate Supreme Court Rule 156 by storing confidential client information — without client consent — on a server or other device that is not exclusively in the lawyer’s control?
In an opinion issued by the Nevada State Bar, a lawyer’s duty to protect client confidentiality under SCR156 is not absolute. To comply with the rule, the lawyer must act competently and reasonably to safeguard confidential client information or communications from inadvertent and unauthorized disclosure.
The State Bar wrote cloud storage possesses no greater risk than the storage of traditional paper documents containing confidential client information in a warehouse operated by a company or person outside the lawyer’s direct control.
The six-page opinion even stated that if the “third party can be reasonably relied upon to maintain the confidentiality and agrees to do so, then the transmission is permitted by the rules without client consent.”
“The client may consent to the storage of confidential information in any manner,” the bar wrote.
However, terms of service are constantly changing, and especially given recent revelations about the reported extent of government review of telephone and email communications, the assumption that material stored online can’t be reviewed by third parties is open to question.
Despite the State Bar’s opinion, the facts and circumstances surrounding any breach of confidentiality could put the client, and his or her lawyer, at risk.
“We rarely store data in the cloud,” said Rob Sawyer, IT director at McDonald Carano Wilson LLP in Las Vegas. “We store all documents internally on our own private network. We still have access to the data, but it’s not stored on a public network.”
Ask Sawyer why he’s not a fan of cloud storage and the answer is simple: Edward Snowden.
“Since the (National Security Agency) leaks by Edward Snowden, there is generally a mistrust of what is stored in the public domain,” Sawyer said. ”We have a DOD level of encryption. If it is good enough for the Defense Department, it is good enough for us.”
Most attorneys believe if you are representing white-collar defendants who do business in Saudi Arabia or Yemen, it is probably best for both parties not to use a cloud service at all.
Likewise, Timothy Toohey, a partner with the law firm Morris Polich & Purdy LLP, said much of the worry comes from the storage of information and “maintaining attorney-client privilege.”
Toohey said one of the keys to safely using cloud storage is encryption. Encryption may not specifically be required, but it “is a best practice,” he said.
Most major law firms in Las Vegas have their own IT departments, while small firms may need to rely on third-party operators. Toohey said Morris Polich & Purdy has its own IT department for its 100 lawyers in Los Angeles, Las Vegas and other offices.
Toohey said in the end it’s the “business that still owns the data whether it’s in the cloud or not.” He said the “owner may be liable” for breach of confidentiality.
In the wake of Snowden’s revelations of NSA spying, several countries are considering enacting laws to require in-country storage of any data generated by their citizens or companies.
The calls come as the European Union deliberates new data protection regulations to restrict the transfer of personal data to any country that lacks adequate data protection safeguards.
One country debating stricter laws is Brazil. James Snow, Google’s apps products strategist, doubted Google would establish a data center in Brazil.
“We operate 13 data centers worldwide,” said Snow, one of about a dozen presenters at the four-day Information Security and Risk Management Conference this month at The Cosmopolitan of Las Vegas.
Snow hosted an hourlong seminar titled “Is Cloud Computing the End of Security and Privacy As We Know It?” His immediate answer was “no.”
He said most data resides on unsecured endpoints like laptops or tablets. Snow said if the data aren’t “managed centrally, it is not secure,” noting that companies spend more than $2 billion on patches annually.
Snow said what we’ve learned from Snowden is nothing is safe anymore. He said Internet “security is an arms race … it is us against the government, and the government against private business.”
Snow said there has to be a solution that prevents government agencies from “going in through the back door,” and allowing “them to come in through the front door.”
He said at the moment Google was “not happy with the transparency” shown by the federal government.
Contact reporter Chris Sieroty at firstname.lastname@example.org or 702-477-3893. Follow @sierotyfeatures on Twitter.