By Kevin F. Brady
With the current status of the economy, the business community has been challenged to “increase efficiency, reduce costs and mitigate risks.” This is especially true for the world of electronic information with sky-rocketing costs and ever-increasing risks associated with managing such information. Today, the business world is being overrun with offers by companies to provide “cloud computing services” as a panacea for all of the ills associated with managing information technology (IT). “The future is here and it is in the clouds” sounds both comforting and confusing. And yet the concept has caught on with many companies as well as governments (federal and state) rushing to be part of this initiative.
Cloud computing is not a new concept, but rather one that has become a “hot topic” in the business world as a possible way for companies to offset the heightened pressures to cut costs and increase efficiencies regarding IT. Because this is such a hot business topic, the number of providers of cloud computing services is also growing on a daily basis and the faces are familiar—Microsoft, Google, Sun and Amazon just to name a few. And while there are significant short and long-term benefits to cloud computing, there are some serious risks and ethical challenges that must be considered.
What is Cloud Computing?
Cloud computing is the “virtualization of the computing process.” It is a type of outsourcing of IT. It separates the end user (customer) from the expensive end of the computing process—the capital investment needed for applications (software and hardware) to perform the computing—which are operated by a third-party service provider. The customer’s data is stored “in the cloud” (on the Internet) on information systems owned and operated by third-parties. End users or customers can access their data whenever and wherever they choose through the Internet. Customers pay for what they need to perform the function at hand; they don’t pay for services until they need to use them. This “pay as you go” process makes cloud computing scalable and flexible so that customers, for example, can use as much or as little storage as they need.
What are the Advantages?
Cost. Cloud computing greatly reduces the large capital expenses associated with electronic data management—software, hardware and services. From acquisition costs to maintenance costs to IT personnel costs, cloud computing services enable the customer to shift those expenses on to the third-party providers.
Convenience and Flexibility. The cloud computing service provider gives its customers instant access to their data through the Internet. As the customer’s business needs change, the cloud computing service provider can help the customer keep pace with those changes because the resources the customer needs are already “in the cloud.” Timing and magnitude of the changes become irrelevant because the cloud computing service provider has those resources to meet those needs on demand. This can be very important in helping smaller companies compete with larger companies.
Location. Companies that manage their own data dedicate significant physical and financial resources making sure that their data is stored in a location that is compatible with the needs of the organization. This includes redundancy systems for disaster-recovery. With cloud computing, the customer does not have to concern itself with those issues because the company’s data is centrally stored at some remote location.
What are the Risks?
Security/Privacy. This is the number one concern for most cloud computing customers. While the customer legally owns its data in the cloud, it does not have the level of “control” over its data that it would if the data were handled in the traditional sense—stored within the customer’s infrastructure. Customers have to contact the third-party cloud computing service providers to get access to the company’s data which can certainly create some challenging and unusual issues that would need to be addressed before the data is stored.
Data Location/Movement. While data stored in the clouds resides on a server, the third-party service provider generally has the right to move data to maximize storage concerns. However, that could leave the owner of the data wondering where its data resides. It is not uncommon for third-party providers to store one company’s data at a location where many companies’ data (maybe even the data of a competitor) is also stored. There must be protocols in place to ensure that one company’s data is not commingled with data from another company. Moreover, there must be systems in place to prevent data being improperly accessed or removed by an unauthorized user. For purposes of litigation, location of data might be a critical factor in determining what law applies to the dispute or how easy it is to access the information.
The Service Provider. An integral part of the security issue is the third-party service provider. It is imperative that the service provider not only be reputable, it must be reliable and dependable. The customer should spend time doing its due diligence before it entrusts its valuable information with the service provider.
Outsourcing and Ethical Concerns
With any emerging technology, there are a number of ethical issues that lawyers must address and cloud computing is no exception. Because of the complex technical issues that are associated with using cloud computing, lawyers are and will be challenged to provide competent advice that safeguards their client’s most important information.
Because data security is the number one concern, lawyers need to approach the issue of cloud computing with great care. Rule 1.6 of the ABA’s Model Rules of Professional Conduct (“MRPC”) requires that a lawyer safeguard client confidences and confidential information. Comment 16 to Rule 1.6 states that “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Comment 17 states that “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” Reasonableness is the key. A lawyer will not be required to use special security measures if the method of communication affords a reasonable expectation of privacy. As noted in Comment 17, “special circumstances, however, may warrant special precautions” and the factors to be considered include “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”
Outsourcing is Nothing New to Law Firms
The idea that law firms will give confidential client information to third-party vendors is not new. In the paper world, law firms routinely sent documents to vendors for the preparation and copying of discovery documents for production. Client confidences were kept secure through contractual arrangements between the law firms and the vendors. As a result, there is nothing unethical about a lawyer outsourcing non-legal services provided that the outsourcing lawyer provided competent representation under MRPC Rule 1.1—meaning that lawyer possessed “the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” MRPC Rule 1.15 also requires a lawyer to preserve client property, which includes client information, from risk of loss due to destruction, degradation or loss. Therein lies the challenge with cloud computing.
Under MRPC Rule 5.3(b) a lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer. If a law firm retains a cloud computing service provider to store client confidential information, the lawyer is required to provide appropriate instruction and supervision concerning the ethical aspects of their employment, particularly regarding the obligation not to disclose information relating to representation of the client. But how does the lawyer advise the client with respect to the risks of data security, unauthorized access or negligence on the part of the cloud computing service provider? How can the lawyer advise the client as to security risks or reasonably supervise the operations of the cloud computing service provider when the lawyer (and the client) may not know where the data resides or if it is being commingled? If the risk cannot be eliminated, can it be minimized?
There is some guidance available for lawyers. The North Carolina Bar Association in April 2010 issued a Proposed Ethics Opinion on cloud computing. See, (http://www.ncbar.gov/ethics/propeth.asp). Under that Proposed Opinion, “a law firm may contract with a vendor of software as a service provided the risks that confidential client information may be disclosed or lost are effectively minimized.”
Steps to Protect Your Information
The most critical part with respect to cloud computing is the agreement between the customer and the third-party service provider. Great care should be taken in drafting such an agreement. To avoid costly mistakes, a customer must craft an agreement that addresses anticipated problems such as:
- Who owns the data?
- Where will the data reside and will it be backed up?
- Does the customer have the right to approve in advance any transfer of the data to another state or country?
- Who will have access to the data and will there be different levels of access?
- Who will supervise the project and will there be monitoring and auditing of the policies and procedures?
- What procedures will be followed when the contract terminates?
- What security measures are in place?
For reference purposes only, an example of Google’s cloud computing contract, Google Apps Premier Edition Online Agreement can be found at: (http://www.google.com/apps/intl/en/terms/education_terms.html)
While the future of cloud computing is bright, there are some cloudy issues lurking about especially for lawyers. The potential for great savings is very real and at the same time there is potential for great risk. Protocols and best practices still need to be developed. Lawyers would also be well-served with more input from state ethics opinions.
Kevin F. Brady is a Litigation Partner and Chair of the Business Law Group of Connolly Bove Lodge & Hutz LLP in Wilmington, Delaware. He has been involved in the American Inns of Court locally and nationally since 1984 and is a founding member of three Inns in Wilmington including the Richard K. Herrmann Technology Inn of Court. He is also a former member of the Board of Trustees of the American Inns of Court Foundation.
© 2010 Kevin F. Brady, Esquire. This article was published in the November/December 2010 issue of The Bencher, the flagship magazine of the American Inns of Court. Inquiries about this article should be directed to the American Inns of Court.