Future firm: Raining on the cloud computing parade

Cloud computing is an increasingly popular option for internet-hosted services and data storage, but law firms should ask some serious questions before embracing the trend, writes Patrick Oliver.

Two of the ethical duties owed by a solicitor to a client are, first, to act honestly, fairly and with competence and diligence, and, second, not to disclose confidential client information.

These duties are contained in all the respective state professional conduct and practice rules, subject to slight differences in wording. How then does the use of technology by law firms sit with these duties? It is timely to highlight the potential areas of conflict between these duties and the use of cloud computing, as opposed to traditional IT outsourcing.

Cloud computing is gaining acceptance as it becomes less expensive and more widely understood. In general, it refers to users sharing and/or storing their own data on remote servers owned or operated by third-party providers and accessed via the internet. Access to applications and data is on demand.

The three cloud delivery models are: infrastructure as a service; platform as a service; and software as a service. Clouds can be ‘public’, ‘private’, ‘community’ or ‘hybrid’. This article focuses on public clouds, which allow the general public and commercial users to store their data on a shared server or servers.

The storage of a solicitor's own data on a cloud has clear privacy and security issues, and the transfer and storage of the solicitor's client's data raises issues about ethical duties. Assuming that current ethical duties allow the transfer and storage of client data on the cloud, what then are the confidentiality concerns? Here are some questions to consider.

Data sovereignty: does the solicitor know where the data and the back-ups are located? Is it stored in Australia or overseas? If it is the latter, the information will probably be subject to the privacy laws, if any, of that jurisdiction. For example, data that is stored in the European Union is subject to EU data-protection laws.

Data disclosure: is the data stored on the cloud likely to be subject to access requests or seizure by law enforcement agencies, in Australia or abroad? If yes, will the cloud provider resist the request for access or acquiesce? Will the cloud provider inform the solicitor of the access request or the seizure? If the access request relates to another portion of the cloud, how can the solicitor or cloud provider ensure that the solicitor's client's data is not inadvertently, or deliberately, accessed?

Data security: who has access to the data on the cloud provider side? What controls exist to limit access? If there is a security incident or data breach, how quickly will the solicitor be informed, if at all? What levels of encryption are sufficient?

Data preservation or destruction: after the termination of the client retainer, will the relevant data be preserved for the appropriate timeframe? Alternatively, if the solicitor terminates the agreement with the cloud provider, will the client data be irrecoverably purged from all the servers?

Legal professional privilege: if privileged information is transferred to the cloud, is LPP waived?

Rogue cloud providers: criminal organisations may be tempted to become cloud providers because of the profitability and access to confidential data it provides.

The duty to act with competence and diligence includes how legal services are provided to the client. How might storage of client data on the cloud impinge on this duty?

Service interruption: data may become temporarily inaccessible during upgrades, etcetera, which might impact on work on a client matter.

Service level agreements and terms and conditions: unlike a traditional IT outsourcing contract, there appears to be limited scope to negotiate the SLA and T&Cs from cloud providers. Also, the T&Cs may be varied unilaterally and without notice.

Data back-up: does the solicitor keep a back-up of the critical data stored on the cloud?

Risk assessments: difficulties may arise in assessing the risks of placing client data on a particular cloud due to lack of precise information from the cloud provider.

Data damage or destruction: if client data stored by the solicitor on the cloud is damaged or destroyed, there may be potential liability for the destruction of "data that is, or is reasonably likely, to be required as evidence in a legal proceeding".

There has been much recent discussion in the United States around potential problems in the ever-evolving ICT environment and related ethical duties and associated guidance. The discussion in Australia has been more muted. The reality is that firms must continue to meet their ethical duties, and therefore they should consider carefully how they utilise the cloud.

Further ethical guidance around the reasonableness and due diligence in selecting third-party providers, while helpful, will not take the responsibility away from the solicitor to ensure that ethical duties are not breached.

Has the time come for solicitors to really understand the technology that they utilise?

 

Patrick Oliver is the managing director of Lexcel, a firm of experienced legal practice management consultants who provide advice on areas such as business structures, management systems, risk management and regulatory issues.
www.lexcel.com.au