The Risk Manager, Winter 2016
As all Kentucky attorneys are aware, the Kentucky Supreme Court Rules of Professional Conduct (SCR 3.130) impose many professional obligations on attorneys in their handling and safekeeping of client information and property. When client files, communications, documents, or other client data are stored in digital form, they become subject to the risks of a cyber attack. Attorneys must be aware of these risks and ensure compliance with their ethical obligations when managing them.
One technological advancement that holds appeal for many attorneys, and also implicates many ethical considerations, is "cloud-computing." Cloud-computing is processing power, storage space, software, or other computing services, often accessed via a web browser.[2] As one state bar association pointed out, the term cloud-computing includes the use of smartphones; iPhones; web-based email such as Gmail, Yahoo, Hotmail, or AOL Mail; and products such as Google Docs, Microsoft Office 365, or Dropbox, along with many others.[3]
Some of these services are email services. Others provide solely for the storage of documents in the cloud on servers owned by third party server-providers. These servers can be located in a distant warehouse, out of state, or out of country. They are accessible only on the Internet. Some are complete cloud-based programs in which the software is not installed on the user's computer, but is accessed on the Internet. Younger attorneys learned to rely heavily on cloud-computing in law school. They realize the value of cloud-computing and use some form of it every day. As useful as cloud-computing is, it introduces significant new ethical considerations for attorneys because client data is no longer in the sole possession of the attorney.
This article addresses the cyber security risks and professional responsibility duties this technology raises and offers risk management considerations in avoiding malpractice claims and bar complaints for failing to competently use technology in your practice.
Cloud Computing in Kentucky
The KBA in Ethics Opinion KBA E-437 (3/21/14) approved the use of the cloud by Kentucky lawyers as follows:
A lawyer may use cloud-based services with regard to confidential client information. In using cloud-based services, a lawyer must use reasonable care to assure that client confidentiality is protected and client property is safeguarded. See SCR 3.130(1.6(a)) & (1.15(a)). A lawyer must act consistent with his or her duty of competence in selecting and monitoring the providers of cloud-based services. See SCR 3.130(1.1). A lawyer must use "reasonable efforts" to ensure that the conduct of providers of cloud-based services assisting him or her is compatible with ethical obligations of the lawyer, and, if the lawyer is a partner or otherwise has managerial authority in a law firm, the lawyer must use "reasonable efforts" to make sure that the firm has measures in place to assure that providers of cloud-based services engage in conduct compatible with ethical obligations of the lawyer. See 3.130(5.3(a) & (b)). Finally, a lawyer must consult with the client about the use of the cloud if the matter is sufficiently sensitive such that the duty to "reasonably consult with the client about the means by which the client's objectives are to be accomplished" is implicated. See SCR 3.130(1.4(b)).
The opinion offered this guidance in meeting professional responsibility requirements:
Just as a lawyer should review the terms of storage for a warehouse for storage of client files, so too should a lawyer review the terms of the arrangement regarding online storage or treatment of confidential client information or other cloud-based service. Some questions that a lawyer should consider in this regard include the following:
- What protections does the provider have to prevent disclosure of confidential client information?
- Is the provider contractually obligated to protect the security and confidentiality of information stored with it?
- Does the service agreement state that the provider "owns" the data stored by the provider?
- What procedures, including notice procedures to the lawyer, does the provider use when responding to governmental or judicial attempts to obtain confidential client information?
- At the conclusion of the relationship between the lawyer or law firm and the provider, will the provider return all information to the lawyer or law firm?
- Does the provider keep copies of the confidential client information after the relationship is concluded or the lawyer or law firm has removed particular client information from the provider?
- What are the provider's policies and procedures regarding emergency situations such as natural disasters and power interruption?
- Where, geographically, is the server used by the provider for long-term or short-term storage or other service located? (footnote omitted)
A Review of Applicable Kentucky Rules of Professional Conduct
A. First, an attorney must act competently and reasonably in handling and storing client data. SCR 3.130 (1.1) of the Kentucky Rules of Professional Conduct requires attorneys to provide competent representation, and to utilize the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. Kentucky has not adopted the ABA's changes to Model Rule 1.1 that, in comment (8), advise that for an attorney to maintain the requisite knowledge and skill, the attorney must keep abreast of the changing benefits and risks of relevant technology. The ABA made it clear that this change was not a new requirement. Rather, it makes explicit what was heretofore implicit. KBA E-437 removes any doubt that Kentucky lawyers must be competent in the use of technology in their practice.
B. SCR 3.130 (5.3) governs the responsibilities of attorneys for the conduct of nonlawyers employed by the attorney. The rule makes it clear that an attorney can be held responsible if a server-provider improperly handles client data. Attorneys cannot simply put client data into the cloud and blindly trust that the server-provider will protect the data. Attorneys need to investigate the server-provider to ensure the provider is reputable.
C. SCR 3.130(1.6) requires attorneys to protect the confidentiality of client data. An attorney cannot simply put client data into the cloud, and assume it will remain confidential. The storage of data in the cloud is like storing client files in an offsite warehouse. In such a case, the attorney will review the contract with the warehouse to ensure there are enforceable requirements that the warehouse keep files secure, prevent third parties from accessing the files, and that the employees of the warehouse protect the confidentiality of the files.
The same obligations and considerations apply to online storage. Attorneys must:
- Ensure that agreements do not grant the server provider proprietary interest in the data stored on its server.
- Be aware of how a server-provider will respond to subpoenas, warrants, civil search and seizure actions, or other third-party requests for information, to ensure client data is not improperly disclosed.
- Be aware that data stored in the cloud is not really stored in the air, but is actually stored on a physical server that the attorney is accessing remotely on the Internet. The server may be located in a different country or in a different state.
- Be knowledgeable of the laws in the jurisdiction in which the server is located to ensure that the data is as protected by the law in that jurisdiction as it would be in Kentucky.
- Be aware of any potential waiver of the attorney/client privilege.[4] Waiver issues may arise when emails and attachments are sent to a client using her employer's email server, especially if the employer is involved in the litigation. Waiver issues may also arise in other case-specific circumstances when a cloud-computing provider is involved in the dispute.
D. SCR 3.130 (1.15) governs the safekeeping of client property that includes client data. To comply with this rule attorneys should:
- Investigate the security measures taken by the server-provider to ensure the client data is kept safe and reasonably protected from theft and cyber attacks.
- Consider having an express agreement with the server-provider to keep information confidential and secure.[5]
- Determine whether access to the data is sufficiently password protected, and whether the data is encrypted. The attorney is ultimately responsible for the protection and safekeeping of the client's data.
- Consider using electronic audit trail procedures to monitor who is remotely accessing the stored data.[6] This allows an attorney to continually monitor who is accessing the data to ensure an unauthorized device is not accessing the data.
A. Continued Access: In addition to keeping client property safe, attorneys must ensure continued access to client data. To accomplish this attorneys should:
- Be sure that the service-provider does not destroy documents before the applicable retention period expires.
- Be aware of and consider the potential for server outages and technical issues that could prevent accessing documents or information.
- Consider the actions to be taken if the service-provider goes out of business, is bought out or merges with another company, enters bankruptcy, or otherwise suffers a break in continuity.
- Be aware of what will happen to documents in the cloud should the attorney fail to pay applicable subscription fees.[7]
B. What Files Should Go on the Cloud? While retention and access are concerns whether the files stored in the cloud are backups or the primary client files, special concern should be given to any client data that does not have a backup outside of the cloud. It is noteworthy that when many state bar associations issued specific opinions on storing client files in the cloud, they framed the question as whether it was proper to use the cloud as a backup.[8]
Whether it is reasonable to maintain the only complete copy of client files in the cloud is a very different question. Prudence would caution any attorney to be wary of relying on the cloud as the only access to client data. The Alabama State Bar noted that while certain client documents could be destroyed after being scanned and converted to digital format, the best practice is to follow the procedure used for ordinary paper documents.[9] The Alabama State Bar also noted that, unlike traditional paper files, a lawyer must back up all electronically stored files, and approved the use of cloud storage for this purpose.[10] The easiest and best practice for Kentucky lawyers is to back up all digital client data.
C. Firing Your Server-Provider: If the attorney becomes dissatisfied with the server-provider or otherwise decides to use a different service to store the data, the attorney must be able to move the data from the server-provider to another server, whether private or in the cloud. Attorneys should investigate whether, after such a move is made, the server-provider can, and will, wipe the client data from its servers so that no data will be left with the old server. Attorneys should not merely stop using the server and leave client data on that server.
D. Special Risks of Smartphones and Tablets: Smartphones and tablets, due to their cloud-connectivity, pose an added risk to client data. Attorneys must be aware of whether client data stored in the cloud is easily accessed from their smartphone or tablet if it is lost or stolen.
Attorneys should ask the question: "If my smartphone or tablet is lost or stolen, how easy would it be for someone to access my client data, and how much client data would be available to them?" Documents stored in services such as Google Drive, iCloud, and many others can often be accessed from a smartphone without having to re-enter a password if the user remains logged in. One way to manage this risk is to always log out of cloud-based programs. Then, if your phone is compromised, the data in the cloud is still password-protected.
Attorneys should also be aware of some of the more traditional cyber defense tools to protect their smartphones, such as passwords and encryption. When a strong password is coupled with encryption, some think that the device is rendered essentially secure.[11]
Technology is constantly changing, with the result that attorneys will use the Internet and cloud-computing in new and different ways in the future. For this reason, there is no one solution for complying with an attorney's ethical duties associated with cloud computing and cyber security risks. Attorneys must understand the technology they choose to use in their practice and recognize they have a professional duty of obtaining and maintaining competence in the technology that now pervades the practice of law.
- Jake A. Thompson is a first year associate at Crawford & Baxter, P.S.C., Carrollton, Kentucky. He is a 2015 graduate of the University of Kentucky College of Law where he served as Staff Editor for the Kentucky Journal of Equine, Agriculture and Natural Resources, and was a member of the Moot Court Board and Trial Advocacy Board.
- "What Kentucky Lawyers Need to Know about the Ethics and Risk Management of Cloud Computing," The Risk Manager, Summer 2012, citing The Free On-line Dictionary of Computing.
- Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200.
- New York State Bar Association, Committee on Professional Ethics, Ethics Opinion 842.
- See e.g., Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200; The Florida Bar, Professional Ethics of the Florida Bar, Opinion 12-3; and New York State Bar Association, Committee on Professional Ethics, Ethics Opinion 842.
- See e.g., Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200; and Maine Board of Bar Overseers, Ethics Opinion #207, The Ethics of Cloud Computing and Storage.
- Iowa State Bar Association, Ethics Opinion 11-01.
- Alabama State Bar, Formal Opinion 2010-02.
- Jeff Sallee, "Securing Client Data: A Business Reasonable Approach," Bench & Bar Magazine, Vol. 79, No. 3 (May 2015).