
Practical Use of Cloud Computing


This paper was submitted for the 2012 Solo and Small Law Firm Conference in Toronto in June 2012 and discusses ethical guidelines for using cloud technology as well as other practical suggestions for lawyers who are considering whether or not to put their practice information on remotely hosted systems.


7th Annual Solo and Small Firm Conference and Expo 2012
Practicing Safely and Ethically in the “Cloud”: It Can Be Done

Safe and Ethical Practice in the Cloud: a Q & A
David Whelan, Manager, Legal Information
The Law Society of Upper Canada

Cloud computing provides a specific set of technology features that lawyers can adopt within their practice. Most solos and small firms will be able to use one of the three cloud computing models, known as software-as-a-service.[1] There are some common ethical concerns about software-as-a-service that may impact whether you do or do not decide to adopt cloud computing.

I Can’t Satisfy the Professional Rules in the Cloud

A few lawyer regulators have looked at this issue in Canada and the U.S. and they have ended up finding that the duty in the cloud is the same as out of it: act competently to safeguard information and use reasonable care.[2] One lawyer once asked me whether cloud computing providers were able to withstand an attack from the (U.S.) National Security Agency (NSA). I responded that I didn’t know if they could or not – the NSA is a bit secretive about that sort of thing – but that I expected creating encryption that defeated the NSA might go beyond what was “reasonable”.

Reasonable steps and competent acts require context. Criminal lawyers may have information that they do not want to place on servers, encrypted or otherwise, that might be subject to government intrusion. There may be documents in a particular client’s legal matter that cannot be stored electronically on your office computer or in the cloud. Cloud computing will not work for all lawyers and even for those who embrace it, there may still be certain types of files or documents or information that do not leave your physical office.

[1] The other two are “platform-as-a-service” and “infrastructure-as-a-service”. It’s a bit of a food chain. Your law firm may use a software-as-a-service provider who themselves rely on an infrastructure as a service provider.

[2] State Bar of Arizona, Ethics Opinion 09-04: Confidentiality; Maintaining Client Files; Electronic Storage; Internet < http://www.myazbar.org/ethics/opinionview.cfm?id=704 > “take reasonable precautions to protect the security and confidentiality of client documents and information” and discusses encryption and passwords;
State Bar of California, Formal Ethics Opinion 2010-179 < http://ethics.calbar.ca.gov/LinkClick.aspx?fileticket=wmqECiHp7h4%3D&tabid=836 > “An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure.” and discusses 6 factors to consider when using any technology;
North Carolina State Bar, 2011 Formal Ethics Opinion 6 Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property < http://www.ncbar.gov/ethics/printopinion.asp?id=855 > The rule “requires the lawyer to make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer.” The opinion also sets out some possible elements of that reasonable effort.
Law Society of British Columbia, Report of the Cloud Computing Working Group < http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf > “[I]t is the lawyer’s responsibility to ensure their use of technology and business models comply with these obligations” and sets out an extensive list of questions to consider when selecting cloud providers.
Pennsylvania Bar Association, Formal Opinion 2010-200: Ethical Obligations for Attorneys Using Cloud Computing / Software as a Service while Fulfilling the Duties of Confidentiality and Preservation of Client Property < http://www.padisciplinaryboard.org/newsletters/2012/pdfs/2011-200-Cloud-Computing.pdf > The Rules “require attorneys to make reasonable efforts to meet their obligations to ensure client confidentiality.” The committee has an extensive reference list of other U.S. jurisdictions that have considered the same or similar issues, as well as a list of what might be included on a “standard of care for ‘cloud computing’”.

A number of the ethics opinions have also emphasized that lawyers should remain educated on the technology they use, whether it’s the cloud or not. What is reasonable and competent is likely to change over time, and it is likely to become an element of taking reasonable steps to understand how your technology impacts your practice. Similarly, it was common for lawyers to use free software-as-a-service providers in the early days of cloud computing. Those companies have now created premium paid services with enhanced features, realizing that revenue enables them to continue to operate. It’s likely that a lawyer who uses a free service that is unencrypted rather than paying $5 a month for an encrypted account is probably not acting competently.

Cloud computing is less secure

When you place your law firm’s operations and client information on the Web, you change the way you think about securing your data. It is not actually different from how you should already be securing information within your practice. Information stored within your office should, among other things:

- Be protected by strong passwords or passphrases to protect your computer account when you are away from it,
- Restrict internal access to only those staff or lawyers who should have access to files, databases, and e-mail accounts stored in your firm,
- Use encryption to secure the files on your hard drive, in case the hard drive and computer are ever stolen, and when you are transmitting information over the Web, and
- Be isolated from the Internet by network hardware that limits external access and blocks unauthorized use of your Wi-Fi wireless network.

Your cloud provider will provide these same services and they should be mandatory on any software-as-a-service provider you use that stores confidential or private information. In many cases, cloud computing companies offer stronger security than you may be using in your firm.

Google Apps users (Google Docs, Mail, Calendar, Drive, Vault) can use two-step authentication to ensure that only certain computers can access your online information.[3] Not only can you use a strong password to protect your account, you can configure your account to require a second code that, if it’s remembered, will be renewed by a text to your wireless phone every 30 days.

Software-as-a-service companies rely on their security reputation for part of their success in the cloud. Nearly all will support secure sockets layer so that all information you send to their site and receive from it in your Web browser is encrypted.[4] Encrypting the information you transmit over the Web is important whether you are working in your office or your client’s.

[3] Google Apps: http://apps.google.com Two Step Verification: http://bit.ly/google-two-step

[4] Secure Sockets Layer: http://en.wikipedia.org/wiki/Secure_Socket_Layer


You should ensure that your information is also encrypted at rest, when it’s just sitting on the cloud provider’s servers. In many cases, this is a default feature for the service, especially if you are paying for it.

The encryption of your data should protect it from access by employees of the cloud company. Some companies will explain what access their employees have to your information:

“Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”[5]

Sometimes you may need to change how you practice. For example, if you save a document with your client name and matter in the file name (Smith-Charles-Motion-for-Exclusion-of-Donut-Container-2012-05-10.doc), that is the type of metadata that Dropbox employees can see even though they can’t see what is in that file. If you are concerned that your file naming convention is oversharing information, you may want to rethink it.

You can even take the belt and suspenders method, where you encrypt the information on your computer before placing it on the Web. You can do this with discrete files but cannot do it with database data like that stored in your online calendar, e-mail account, or practice management system. Use a program like Truecrypt.org’s eponymous encryption tool to encrypt files first. That way, even if the encryption on your cloud provider’s service is violated, your second level of encryption provides additional protection. This is not necessary for most information placed on cloud systems but it may make you feel more confident.
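An added example, not part of the original paper: one way to act on the file-naming point above is to place files in the synced folder under opaque names and keep the real names in an index that stays on the office computer. The function names, the HMAC-based naming scheme and the sample key are assumptions made for this example; it changes only the visible file name and does not encrypt the contents, which remains the job of the encryption step described above.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def opaque_name(key: bytes, original_name: str) -> str:
    """Stable, non-reversible name for a file; only the extension is kept."""
    suffix = Path(original_name).suffix.lower()
    tag = hmac.new(key, original_name.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:20] + suffix


def stage_for_sync(src_dir, sync_dir, index_path, key: bytes) -> dict:
    """Copy files into the synced folder under opaque names.

    The opaque-to-real mapping is written to index_path, which must sit
    outside the synced folder or it would upload the names it hides.
    """
    src_dir, sync_dir, index_path = Path(src_dir), Path(sync_dir), Path(index_path)
    if sync_dir.resolve() in index_path.resolve().parents:
        raise ValueError("index file must not be stored inside the synced folder")
    index = json.loads(index_path.read_text()) if index_path.exists() else {}
    sync_dir.mkdir(parents=True, exist_ok=True)
    for src in sorted(p for p in src_dir.iterdir() if p.is_file()):
        name = opaque_name(key, src.name)
        shutil.copyfile(src, sync_dir / name)  # contents only, no timestamps
        index[name] = src.name
    index_path.write_text(json.dumps(index, indent=2, sort_keys=True))
    return index


def exposed_terms(folder, terms) -> list:
    """Return (file name, term) pairs where a sensitive term is still visible."""
    hits = []
    for p in sorted(Path(folder).iterdir()):
        hits += [(p.name, t) for t in terms if t.lower() in p.name.lower()]
    return hits


def demo() -> dict:
    """Constructed sample: one matter file, named as in the paper's example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        matter, synced = root / "matter", root / "Dropbox"
        matter.mkdir()
        synced.mkdir()
        real = "Smith-Charles-Motion-for-Exclusion-of-Donut-Container-2012-05-10.doc"
        (matter / real).write_bytes(b"constructed sample content")
        key = b"constructed-demo-key"  # assumption: a secret kept only on the office PC
        before = exposed_terms(matter, ["smith", "motion"])
        index = stage_for_sync(matter, synced, root / "index.json", key)
        after = exposed_terms(synced, ["smith", "motion"])
        return {"before": before, "after": after, "index": index}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The extension is left visible so that the file still opens normally; the index file and the key are what let you map an opaque name back to the matter, so both belong in your local backup and not in the synced folder.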

Cloud Computing Requires Constant Access to the Internet

This seems pretty counter-intuitive but many software-as-a-service systems provide options for you to store your information on your local computer. When you are away from the Internet, you can continue to do your work and when you reconnect, your updated files and information are synchronized so that the information on your computer matches that at your cloud computing site.

Dropbox and other file storage services are a great example of this.[6] When you add a file to your computer, it is uploaded to your Dropbox account at the same time. If there is no Internet access, the file waits until your computer reconnects and then uploads it. You can also access your files directly over the Web, away from your computer. Any changes – you can upload a file from another computer, for example – are then synchronized down to your office computer. File storage services provide both a redundant copy of your files as well as an alternative access point if you are away from the office.

[5] “How Secure is Dropbox” < https://www.dropbox.com/help/27 >

[6] Dropbox: http://www.dropbox.com. Sugarsync: http://www.sugarsync.com. Box: http://www.box.com Apple iCloud: http://www.icloud.com Microsoft SkyDrive: http://skydrive.live.com

Law practice management software-as-a-service provider Clio offers Clio Express, which enables you to continue to work on your time keeping even when you’re offline.[7] Google Chrome Web browser users can add an offline plug-in to provide access to their Google Mail account without Internet access.[8]

I Can Only Use Canadian-based Cloud Servers

Many, if not most, North American software-as-a-service providers will have their servers based in the United States. This has raised the spectre of the USA PATRIOT Act and the possibility that the American government will gain access to the servers on which your data is stored and be able to access your client confidential information. The threat of government intrusion is not limited to servers in the U.S., though, so using software-as-a-service providers exclusively in Canada will not eliminate this possible risk. A recent Toronto program on cloud computing and the Patriot Act indicated that “most provisions of the Patriot Act are mirrored in Canadian law.”[9]

The location of a cloud computing provider is one of the elements of any risk analysis you will do in selecting a service. There are countries and continents that may offer more or less security and protection to your information. However, in most cases, your provider will be in North America and its servers will be located in multiple sites across the continent.

I Don’t Put Confidential Information in the Cloud so I’m O.K.

Lawyers are bound by ethical rules to protect confidential information. They also have an obligation to prevent disclosure of their representation of a client, as well as a statutory responsibility to protect private information. The Office of the Privacy Commissioner of Canada has released guidance for lawyers protecting their clients’ information, confidential or otherwise.[10] In addition to PIPEDA, you may have obligations based on which provinces you practice in and which government agencies regulate you and your clients’ information. Information stored on your office computer, your smart phone, and in cloud-based services may not be confidential but you may still have a responsibility to protect it.

Cloud Computing Requires Me to Use Too Many Services

It used to be that, when you used the cloud, your information was spread across the Internet. Your e-mail might be in Google Mail but your documents were in Dropbox, your practice management data was in Clio, and so on. Integration has been the holy grail for law office technology for decades and is often hard to achieve. This is increasingly a feature of cloud computing. In particular, complicated systems like practice management offer a lot of horsepower but rely on information you are creating elsewhere.

[7] Clio Express: https://support.goclio.com/entries/21318542-faqs-on-the-new-clio-express

[8] Google Mail Offline app in Chrome Web Store: http://bit.ly/google-mail-offline

[9] David Fraser and Lindsey Finch gave a presentation on Cloud Computing and the Patriot Act: a Red Herring? < https://www.privacyassociation.org/media/presentations/12Symposium/CS12_Cloud_Computing_and_Patriot_Act_PPT.pdf > at the International Association of Privacy Professionals’ Canada Privacy Symposium. The slides from the May 2012 presentation discuss Canadian laws comparable to the Patriot Act.

[10] A Privacy Handbook for Lawyers: PIPEDA and Your Practice < http://www.priv.gc.ca/information/pub/gd_phl_201106_e.pdf >

We’re seeing some of these services start to integrate with other well-known cloud providers to enable you to connect your accounts. Clio has announced integration with Dropbox.com and Box.com file storage sites, Google Apps, and lawyers can synchronize their time-keeping from Chrometa into their Clio account.[11] Rocket Matter, another practice management software-as-a-service provider, also supports Chrometa synchronization, the Evernote cloud-based research tool, and Dropbox file storage.[12]

There are also services that allow you to search across your cloud-based accounts, particularly Google Apps. Greplin and CloudMagic are two of these tools.[13] When you subscribe to their service, you indicate which of your online accounts you want to have indexed. After that, you can type a search query into your Web browser, which is probably open since you have accounts in the cloud, and the search tool will retrieve matching results from all of your accounts. You could see relevant hits from your Google Mail, your Dropbox files, and so on. These services will store an index of the words in your files in order to speed up searching.

You may only decide to move one aspect of your practice – e-mail, for example, or time-keeping – into the cloud and not need the integration. One of the decision points for your practice going forward will be whether the service you want to use is able to work with the services you already have.

Conclusion

It is not always easy to use technology in the practice of law. Whether you place some or all of your law practice in the cloud or keep it all in your office, you will face the same type of risks. Cloud computing removes some of the control while also shifting some of the maintenance. Lawyers will need to act competently in using software-as-a-service and take reasonable care in selecting providers and placing information in the cloud. As they continue to educate themselves on the technology they use and how it is evolving, they will become better able to practice safely and ethically both in the cloud and back on Earth.

[11] Chrometa timekeeping: http://www.chrometa.com

[12] Evernote: http://www.evernote.com

[13] Greplin: http://www.greplin.com. CloudMagic: http://www.cloudmagic.com