ISCG4500 – Introduction to Corporate Counsel CLE Seminar ABA Section of Litigation Corporate Counsel Committee Trump National Doral Miami/Doral, FL Ethical, Privilege, and Practical Issues in Cloud Computing, Privacy, and Corporate Data Protection (Ethics) February 13, 2015; 1:45 pm – 2:45 pm 1 Cloud Computing & Ethical Obligations of Lawyers Associate Professor Veronica Root Notre Dame Law School I. The August 2012 revisions to the ABA Model Rules of Professional Conduct provide guidance regarding a lawyer's use of technology and confidentiality.1 These revisions, while not yet incorporated into many state rules of professional conduct, provide a helpful starting place in determining what lawyers should be considering when utilizing technology like cloud computing. "Because cloud computing places data—including client data—on remote servers outside of the lawyer's direct control, it has given rise to some concerns regarding its acceptability under applicable ethics rules."2 A. Revisions to Model Rule 1.1 Competence, Comment [6].3 1. Comment [6] to Model Rule 1.1 was amended to require competent representation to include keeping abreast of the "benefits and risks associated with relevant technology." 2.This requires lawyers to understand the risks associated with utilizing cloud computing services as part of their duty to provide competent representation to their clients. A basic understanding of what cloud computing is and how it could be of importance to your clients is extremely important. 3.Over the past few years, the use of cloud computing has increased exponentially, and it has "chang[ed] the way much of the technology business works."4 Lawyers must understand and keep up-to-date regarding these changes.5 1 American Bar Association, Commission on Ethics 20/20 Report to the House of Delegates (Aug. 2012) [hereinafter "Ethics 20/20 Report", available at http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_1 05a_as_amended.authcheckdam.pdf. 2 American Bar Association Law Practice Division, Cloud Ethics Opinions Around the U.S. [hereinafter, "Ethics Opinions"], available at http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyi s/cloud-ethics-chart.html. 3 Ethics 20/20 Report, supra note 1. 4 Quentin Hardy, Coming of Age in Cloud Computing NYTimes.com Bits Blog (Oct. 22, 2014), available at http://bits.blogs.nytimes.com/2014/10/22/coming-of-age-in-cloud-computing/. 5 Quentin Hardy, The Era of Cloud Computing NYTimes.com Bits Blog (June 11, 2014) ("Industry analysts . . . figure that if largely cloud-based things like mobile apps, big data, and social media are counted, over the next six years almost 90 percent of new spending on Internet and communications technologies, a $5 trillion global business, will be based on cloud-based technology."), available at http://bits.blogs.nytimes.com/2014/06/11/the-era-of-cloud-computing/.Corporate Counsel CLE Seminar ABA Section of Litigation Corporate Counsel Committee Trump National Doral Miami/Doral, FL Ethical, Privilege, and Practical Issues in Cloud Computing, Privacy, and Corporate Data Protection (Ethics) February 13, 2015; 1:45 pm – 2:45 pm 2 4. Questions to consider:  Do you know if your employer or client(s) utilize cloud computing?  Does the employer or client utilize its own cloud or is it using a cloud computing service provider?  Is the information being stored in the cloud something that is sensitive or that should remain confidential?  Do you know what industry security standards and precautions are for the utilization of cloud computing? Does your employer or client?  Does the service being utilized comply with industry security standards and precautions?  Does your employer or client(s) routinely reassess their cloud computing security precautions to ensure that they are adequately considering new potential threats? B. Revisions to Model Rule 1.6 Confidentiality of Information.6 1.Rule 1.6 was amended to add the following language: "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."7 2.Comment [16] was also revised and it provides guidance on how to determine whether a lawyer's efforts were in fact reasonable. It states that Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safe guards, and the extent to which the 6 Ethics 20/20 Report, supra n. 1. 7 ABA Model Rule of Professional Conduct 1.6(c).Corporate Counsel CLE Seminar ABA Section of Litigation Corporate Counsel Committee Trump National Doral Miami/Doral, FL Ethical, Privilege, and Practical Issues in Cloud Computing, Privacy, and Corporate Data Protection (Ethics) February 13, 2015; 1:45 pm – 2:45 pm 3 safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). 3.Comment [16] to Rule 1.6 goes on to explain that "A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule." 4.The rule text requires "reasonable efforts" to be taken to protect client information. That said, if information is hacked or leaked in some manner, there could be serious consequences even if reasonable efforts have been taken by the attorneys involved to protect information related to the representation. 5.Thus, a good rule of thumb is to preemptively discuss issues related to client file storage with counsel. In-house attorneys should have a strong understanding of how their outside counsel stores client files, so that they can determine if additional security precautions will be needed. Outside counsel should proactively determine whether clients require special security precautions. 6.Questions to consider:  Does your in-house staff utilize a cloud computing service like Dropbox, Box, etc., to facilitate working from home? Or do the associates at your outside counsel utilize a service like Dropbox or Box?8 (This isn't a question tied to official storage policies at your organization? It's prompting you to consider whether there is an unofficial custom to utilize cloud storage providers that are not officially sanctioned by your organization, which may not have sufficiently rigorous security precautions.) 8 See these articles for more information on why a custom of utilizing popular cloud computing services could be problematic. Josh Topal, 6 Reasons Why Dropbox Isn't Secure Enough For Business (Feb. 27, 2014), available at http://www.business2community.com/cloud-computing/6-reasons-dropbox-isntsecure-enough-business-0795298. Sumit Passary, Cloud Computing is the Future but not if Security Problems Persist Tech Times (June 15, 2014) ("When you don't own the network, it's open to the rest of the world . . .the cloud – by definition – is more insecure than storing data on premises."), available at http://www.techtimes.com/articles/8449/20140615/cloud-computing-is-the-future-but-not-if-securityproblems-persist.htm.Corporate Counsel CLE Seminar ABA Section of Litigation Corporate Counsel Committee Trump National Doral Miami/Doral, FL Ethical, Privilege, and Practical Issues in Cloud Computing, Privacy, and Corporate Data Protection (Ethics) February 13, 2015; 1:45 pm – 2:45 pm 4  If so, do they encrypt or password protect documents prior to uploading to these websites?  If your organization uses a third-party to provide cloud storage service, is it possible for the employees of the cloud storage service to access information related to the representation of clients?  If your organization provides an internal cloud storage service, is your IT Department sufficiently staffed and provided enough resources and training to keep up with various security threats? II. State Ethics Opinions. A. Several states have issued ethics opinions addressing the use of cloud computing. The states are Alabama, Arizona, California, Connecticut, Florida, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, New York, Nevada, North Carolina, Ohio, Oregon, Pennsylvania, Vermont, Virginia, and Washington.9 1.Each state that has addressed the issue permits the use of cloud computing and adopts a reasonable care standard, which is in line with the reasonable efforts standard adopted by the ABA Model Rules of Professional Conduct.10 B. Examples of the type of guidance provided by state ethic opinions.11 1.The New York ethics opinion provides the following guidance regarding what constitutes "reasonable care." "Reasonable care" to protect a client's confidential information against unauthorized disclosure may include consideration of the following steps [when utilizing a thirdparty cloud computing provider]: (1) ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if 9 Ethics Opinions, supra note 2. 10 See id. 11 Summaries of the different state ethics opinions are available on the ABA website. See Ethics Opinions, supra note 2.Corporate Counsel CLE Seminar ABA Section of Litigation Corporate Counsel Committee Trump National Doral Miami/Doral, FL Ethical, Privilege, and Practical Issues in Cloud Computing, Privacy, and Corporate Data Protection (Ethics) February 13, 2015; 1:45 pm – 2:45 pm 5 served with process requiring the production of client information; (2) investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; (3) employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or (4) investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.12 2. The California ethics opinion provides guidelines lawyers should take into account before adopting the use of new technology. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client's instructions and circumstances, such as access by others to the client's devices and communications.13 12 New York State Bar Association Committee on Professional Ethics Opinion 842 (Sept. 10, 2010), available at http://www.nysba.org/CustomTemplates/Content.aspx?id=1499. 13 The State Bar of California Standing Committee on Professional Responsibility and Conduct Formal Opinion No 2010-179, available at http://ethics.calbar.ca.gov/LinkClick.aspx?fileticket=wmqECiHp7h4%3D&tabid=837.