Many attorneys have taken to the cloud, but others are hanging back, primarily because of concerns about security and accessibility of their documents. Here are some things you should know before using cloud computing in your law office.
Let’s start with defining what we mean by cloud computing: Cloud computing (or software as a service (SaaS)) is a service accessed via the Internet that allows businesses and individuals to create, edit, and store data and documents online. Instead of buying and installing software on your computer system, users upload information onto the Internet—“the cloud”—where it is stored with a software service.
When thinking about using cloud computing services, you need to give significant thought to:
- what information you plan to produce and store there,
- your statutory, ethical, and fiduciary responsibilities related to that information, and
Keep in mind that many cloud computing providers store data from multiple clients on a common server and won’t modify standard contractual terms for particular clients. This means that you have to be sure that your statutory, ethical, and fiduciary requirements as well as your business needs can be fully met before choosing to use a particular cloud vendor or using cloud computing at all.
These issues can become even more complicated if a cloud computing service provider subcontracts parts of its service to third parties. The privacy, confidentiality, and security of the information may be further impacted by the policies and procedures of these additional parties, which could be located in different states or even different countries and be subject to varying standards for everything from government access to trade secret protection.
Here’s another issue: with greater accessibility comes the potential for inaccessibility. Cloud computing offers the ability to remotely access documents and data through any Internet connection, but if these documents or data become temporarily inaccessible due to an outage or corrupted in some way, the impact on a client can be profound. And it’s happened. A series of outages affecting Google’s cloud computing services affected many of its cloud services customers. Attorneys should consider the service level guarantees of a particular cloud provider, including its uptime guarantees, remedies, and disaster recovery provisions.
There’s also the issue of disclosure. Many cloud computing services reserve broad latitude for disclosure, stating that they may respond to any “legal process,” and do not promise to provide notice to the customer that information has been sought. See Cloud Computing: Storm Warning for Privacy?, ACLU of Northern California (Feb. 2010).
And there’s unintended disclosures. As the ABA Journal reports, Dropbox, an online document-sharing service, experienced a programmer’s error that enabled any password to access any Dropbox site. Attorney Arlen Tanner told the ABA Journal that, although Dropbox stated it fixed the problem,
if an internal programmer’s error could create that vulnerability, a disgruntled insider or one with an agenda could do similar damage to data stored for a law firm using a service like Dropbox.
Attorney Tanner advises that “[a]dding your own encryption to data gives another layer of security, especially from internal risks.”
So, before you go floating on a cloud, think about the potential problems and plan for them. If you don’t feel comfortable with the risks, the cloud might not be the place for your law office. At least not yet.
For a discussion of the legal and business issues relating to cloud computing, go to CEB’s Internet Law and Practice in California, chap 6. On internet and electronic privacy issues, turn to CEB’s Privacy Compliance and Litigation in California, chap 4. On the ethical issues of cloud computing, check out CEB’s program Lawyers in the Cloud: Professional Responsibility Issues Raised by Cloud Computing, available On Demand.
© The Regents of the University of California, 2012. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.