The NSW Office of Legal Services Commissioner (“the OLSC”) recently (January 2013) issued a “Guide on Practice Issues: Cloud Computing” (“the OLSC guidelines”*). Given the increased use of cloud services such as Microsoft Office 365, SkyDrive, Dropbox, Google Drive, and new services such as Leap Office Cloud, a review of the OLSC guidelines by legal practitioners is prudent. Other papers and discussions addressing the same issues have recently been published:
It is clear from a review of the above discussions, and as a practical matter, that the legal practitioner must take reasonable steps to ensure that the cloud service provider has adequate safeguards in place to:
- preserve the confidentiality of the stored material; and
- ensure the retention of that material (particularly if the service is the primary store of that material).
An Unfortunate History of Security Breaches
Regrettably, as Terrence O’Brien reports, there have been many breaches of online services in the last twelve months. A legal practitioner cannot ignore that those breaches occur. The reports include:
Despite the many instances where breaches have occurred, are cloud services any less secure than data stored locally? Most legal practitioners need to access local data remotely. Microsoft, to their credit, make that access extremely easy, and it depends solely upon having a secure password. If the practitioner uses the same password for other sites, the local data may become quite vulnerable (for example, see the poor position that Mat Honan found himself in). Some of the services above will no doubt have learned from their mistakes. Despite these security breaches, any of the cloud service providers that a legal practitioner is likely to use would have security features far more advanced than the safeguards maintained in the local office. Most overseas cloud providers are also required to comply with EU and US data protection directives (for an introduction to this area, please see Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks).
McCauley’s Cloud Service Best Practices
McCauley’s Paper suggests that the legal practitioner should look for the following practices in a legal cloud provider (“the Wish List”):
- Transparency: Cloud computing platforms should explain their information handling practices and disclose the performance and reliability of their services on their public web sites.
- Use limitation: A cloud provider should claim no ownership rights in customer data and should use customer data only as its customers instruct or to fulfil contractual or legal obligations.
- Disclosure: A cloud provider should disclose customer data only if required by law and should provide affected customers prior notice of any compelled disclosure.
- Security management system: A cloud provider should maintain a robust security management system that is based on an internationally accepted security framework (such as ISO 27001) to protect customer data.
- Customer security features: A cloud provider should provide customers with configurable security features to implement in their usage of the cloud computing services.
- Data location: A cloud provider should tell customers the countries in which customer data is hosted.
- Breach notification: A cloud provider should notify customers of known security breaches that affect the confidentiality or security of the customer data.
- Audit: A cloud provider should use third-party auditors to ensure compliance with its security management system.
- Data portability: A cloud provider should make available to customers their data in an industry-standard, downloadable format.
- Accountability: A cloud provider should work with customers to designate appropriate roles for privacy and security accountability.
Inherent in the above is the obligation that the cloud service provider maintains the confidentiality of the documents and limits the purpose of, and access to, the stored material. Preferably, processing of the stored data and information should be restricted to automated services. Not all of McCauley’s Wish List will be needed in all cases. The casual use of Dropbox or SkyDrive to forward a large document to an opposing party or client is far less critical than the use of cloud services as the primary storage medium for a firm’s practice. In the latter situation, data portability and backup become much more important. As an example of a cloud service provider’s service agreement, the Microsoft Service Agreement relevantly makes the following provisions regarding privacy:
5.1. Does Microsoft collect my personal information?
Your privacy is important to us. We use certain information that we collect from you to operate and provide the services. Additionally, as part of the services, we may also automatically upload information about your machine, your use of the services, and services performance. We may use technologies, such as placing cookies on your machine, to help us gather such information. Please read the Microsoft Online Privacy Statement (http://go.microsoft.com/fwlink/p/?LinkId=253457) to learn how we use and protect your information.
5.2. Does Microsoft disclose my personal information outside of Microsoft?
You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as Internet Protocol address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.
5.3. How does Microsoft respond to legal process?
Similar to other providers of Internet services, Microsoft is served with legal demands and requests from law enforcement, government entities, and private litigants for content stored on our network. This information may relate to an alleged crime or civil matter and is usually requested pursuant to the normal legal process of the country or locality where the activity occurred. Microsoft may be obligated to comply with requests for your information or your content as part of such investigations or legal proceedings.
Links to other service provider policies and agreements are:
Other Safeguards
A legal practitioner should consider encrypting sensitive data in appropriate circumstances. However, where reasonable security measures are otherwise in place, I would only suggest encryption in very special circumstances; it is generally not worth the trouble. More importantly, encryption becomes a trade-off with maintainability. If you lose the key to unlock the encryption, the data is as good as lost.
The New South Wales Perspective
The OLSC guidelines point out that they are not binding and should be read in conjunction with the Legal Profession Act 2004 (NSW), the Legal Profession Regulations 2005 (NSW) and the Revised Professional Conduct and Practice Rules 1995 (“the Solicitor Rules”). The guidelines, as with the other papers referred to above, refer to the following main issues:
- Confidentiality (Rule 2 of the Solicitor Rules)
- File Retention (Rule 8 of the Solicitor Rules)
- Competence and Diligence (Rule 1 of the Solicitor Rules)
The practitioner’s primary concern is to ensure that cloud services do not compromise the confidentiality of client documents. Solicitor Rule 2.1 provides:
2.1 A practitioner must not, during, or after termination of, a retainer, disclose to any person, who is not a partner or employee of the practitioner’s firm, any information, which is confidential to a client of the practitioner, and acquired by the practitioner during the currency of the retainer, unless –
2.1.1 the client authorises disclosure;
2.1.2 the practitioner is permitted or compelled by law to disclose; or
2.1.3 the practitioner discloses information in circumstances in which the law would probably compel its disclosure, despite a client’s claim of legal professional privilege, and for the sole purpose of avoiding the probable commission or concealment of a felony.
I do not consider that a legal practitioner’s use of cloud computing services will constitute “disclosure” of confidential information or documents unless that information could be viewed by others without reasonable security or controls being in place. More relevantly, however, Solicitor Rule 2.2 restates the legal practitioner’s more general obligation to ensure the confidentiality of client documents. That rule provides:
2.2 A practitioner’s obligation to maintain the confidentiality of a client’s affairs is not limited to information which might be protected by legal professional privilege, and is a duty inherent in the fiduciary relationship between the practitioner and client.
The obligation is again restated in Solicitor Rule 8.2.1, which relevantly provides:
8.2.1 A practitioner must retain, securely and confidentially, documents to which a client is entitled, for the duration of the practitioner’s retainer and at least seven (7) years thereafter, or until such time as the practitioner gives them to the client or another person authorised by the client to receive them, or the client instructs the practitioner to deal with them in some other manner.
While Rule 8 is primarily directed at the retention of hard copy documents, it would also apply to documents whose only record is stored electronically (including, for example, a matter file stored in Leap Office Cloud). The OLSC correctly points out that a practitioner, to comply with his fiduciary duties to his client, must carry out proper due diligence to ensure that his use of cloud services does not prejudice his ability to maintain the confidentiality of the client documents. Notwithstanding this, it seems to me, however, that Rule 2.1 of the Solicitor Rules may be unduly restrictive having regard to the normal business practices existing today. A literal interpretation of the rule would prevent the disclosure of any confidential documents to:
- barristers briefed in the proceedings,
- staff used by legal practitioners employed by a service company, or
- staff engaged by the legal practitioner as a sub-contractor.
I note that in McCauley’s Paper (referred to above), the Virginia Rules of Professional Conduct permit the sharing of information “with third parties as needed to perform necessary office management functions, if the lawyer exercises reasonable care in the selection of the third party and secures an agreement that the vendor will safeguard the confidentiality of the information shared”. Similar amendments should be considered to our Solicitor Rules to address changing work practices and advancement in the use of technology.
Changes to the Legal Practice Retainer Agreement?
The OLSC guidelines recommend that the legal practitioner obtain the “informed” consent of the client to “disclose client information”, or should consider including clauses in their standard retainers. As stated above, I do not believe that the use of cloud services by a legal practice normally amounts to a disclosure of any information that is stored on that service; however, I would recommend that legal practitioners should consider the inclusion of an express provision in their retainers to remove any doubt. The express provision should specifically state which cloud service providers the practitioner proposes to use.
JDC 22 January 2013
I revised this Post on 16 March 2013 in Practice Guidelines for the use of Cloud Computing by Lawyers – revisited.
I posted a related post on 26 February 2013 Information Security for Lawyers
*Updated 2 October 2013 to fix link to the Guidelines as per Nick’s comment.