This paper was submitted for the 2012 Solo and Small Law Firm Conference in Toronto in June 2012 and discusses ethical guidelines for using cloud technology as well as other practical suggestions for lawyers who are considering whether or not to put their practice information on remotely hosted systems.
7th Annual Solo and Small Firm Conference and Expo 2012
Practicing Safely and Ethically in the “Cloud”: It Can Be Done

Safe and Ethical Practice in the Cloud: a Q & A
David Whelan, Manager, Legal Information
The Law Society of Upper Canada
Cloud computing provides a specific set of technology features that lawyers can adopt within their
practice. Most solos and small firms will be able to use one of the three cloud computing models,
known as software-as-a-service.1 There are some common ethical concerns about software-as-a-service
that may impact whether you do or do not decide to adopt cloud computing.
I Can’t Satisfy the Professional Rules in the Cloud
A few lawyer regulators have looked at this issue in Canada and the U.S. and they have ended up finding
that the duty in the cloud is the same as out of it: act competently to safeguard information and use
reasonable care.2 One lawyer once asked me whether cloud computing providers were able to
withstand an attack from the (U.S.) National Security Agency (NSA). I responded that I didn’t know if
they could or not – the NSA is a bit secretive about that sort of thing - but that I expected creating
encryption that defeated the NSA might go beyond what was “reasonable”.
Reasonable steps and competent acts require context. Criminal lawyers may have information that they
do not want to place on servers, encrypted or otherwise, that might be subject to government intrusion.
There may be documents in a particular client’s legal matter that cannot be stored electronically on your
office computer or in the cloud. Cloud computing will not work for all lawyers and even for those who
embrace it, there may still be certain types of files or documents or information that do not leave your
physical office.
1 The other two are “platform-as-a-service” and “infrastructure-as-a-service”. It’s a bit of a food chain. Your law firm may use a software-as-a-service provider who themselves rely on an infrastructure as a service provider.
2 State Bar of Arizona, Ethics Opinion 09-04: Confidentiality; Maintaining Client Files; Electronic Storage; Internet < http://www.myazbar.org/ethics/opinionview.cfm?id=704 > “take reasonable precautions to protect the security and confidentiality of client documents and information” and discusses encryption and passwords; State Bar of California, Formal Ethics Opinion 2010-179 < http://ethics.calbar.ca.gov/LinkClick.aspx?fileticket=wmqECiHp7h4%3D&tabid=836 > “An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure.” and discusses 6 factors to consider when using any technology; North Carolina State Bar, 2011 Formal Ethics Opinion 6 Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property < http://www.ncbar.gov/ethics/printopinion.asp?id=855 > The rule “requires the lawyer to make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer.” The opinion also sets out some possible elements of that reasonable effort. Law Society of British Columbia, Report of the Cloud Computing Working Group < http://www.lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf > “[I]t is the lawyer’s responsibility to ensure their use of technology and business models comply with these obligations” and sets out an extensive list of questions to consider when selecting cloud providers. Pennsylvania Bar Association, Formal Opinion 2010-200: Ethical Obligations for Attorneys Using Cloud Computing / Software as a Service while Fulfilling the Duties of Confidentiality and Preservation of Client Property < http://www.padisciplinaryboard.org/newsletters/2012/pdfs/2011-200-Cloud-Computing.pdf > The Rules “require attorneys to make reasonable efforts to meet their obligations to ensure client confidentiality.” The committee has an extensive reference list of other U.S. jurisdictions that have considered the same or similar issues, as well as a list of what might be included on a “standard of care for ‘cloud computing’”.
A number of the ethics opinions have also emphasized that lawyers remain educated on the technology
they use, whether it’s the cloud or not. What is reasonable and competent is likely to change over time,
and it is likely to become an element of taking reasonable steps to understand how your technology
impacts your practice. Similarly, it was common for lawyers to use free software-as-a-service providers
in the early days of cloud computing. Those companies have now created premium paid services with
enhanced features, realizing that revenue enables them to continue to operate. A lawyer
who uses a free service that is unencrypted rather than paying $5 a month for an encrypted account is
probably not acting competently.
Cloud Computing Is Less Secure
When you place your law firm’s operations and client information on the Web, you change the way you
think about securing your data. It is not actually different from how you should already be securing
information within your practice. Information stored within your office should, among other things:
• Be protected by strong passwords or passphrases to protect your computer account when you are away from it,
• Restrict internal access to only those staff or lawyers who should have access to files, databases, and e-mail accounts stored in your firm,
• Use encryption to secure the files on your hard drive, in case the hard drive and computer are ever stolen, and when you are transmitting information over the Web, and
• Be isolated from the Internet by network hardware that limits external access and blocks unauthorized use of your Wi-Fi wireless network.
Your cloud provider will provide these same services and they should be mandatory on any
software-as-a-service provider you use that stores confidential or private information. In many cases, cloud
computing companies offer stronger security than you may be using in your firm.
Google Apps users (Google Docs, Mail, Calendar, Drive, Vault) can use two-step authentication to ensure
that only certain computers can access your online information.3 Not only can you use a strong
password to protect your account, you can configure your account to require a second code that, if it’s
remembered, will be renewed by a text to your wireless phone every 30 days.
Software-as-a-service companies rely on their security reputation for part of their success in the cloud.
Nearly all will support secure sockets layer so that all information you send to their site and receive
from it in your Web browser is encrypted.4 Encrypting the information you transmit over the Web is
important whether you are working in your office or your client’s.
3 Google Apps: http://apps.google.com Two Step Verification: http://bit.ly/google-two-step
4 Secure Sockets Layer: http://en.wikipedia.org/wiki/Secure_Socket_Layer
You should ensure that your information is also encrypted at rest, when it’s just sitting on the cloud
provider’s servers. In many cases, this is a default feature for the service, especially if you are paying for
it.
The encryption of your data should protect it from access by employees of the cloud company. Some
companies will explain what access their employees have to your information:
Dropbox employees are prohibited from viewing the content of files you store in your
Dropbox account, and are only permitted to view file metadata (e.g., file names and
locations). Like most online services, we have a small number of employees who must be
able to access user data for the reasons stated in our privacy policy (e.g., when legally
required to do so). But that’s the rare exception, not the rule. We have strict policy and
technical access controls that prohibit employee access except in these rare
circumstances. In addition, we employ a number of physical and electronic security
measures to protect user information from unauthorized access.5
Sometimes you may need to change how you practice. For example, if you save a document
with your client name and matter in the file name ( Smith-Charles-Motion-for-Exclusion-of-
Donut-Container-2012-05-10.doc ), that is the type of metadata that Dropbox employees can
see even though they can’t see what is in that file. If you are concerned that your file naming
convention is oversharing information, you may want to rethink it.
You can even take the belt and suspenders method, where you encrypt the information on your
computer before placing it on the Web. You can do this with discrete files but cannot do it with
database data like that stored in your online calendar, e-mail account, or practice management
system. Use a program like Truecrypt.org’s eponymous encryption tool to encrypt files first.
That way, even if the encryption on your cloud provider’s service is violated, your second level
of encryption provides additional protection. This is not necessary for most information placed
on cloud systems but it may make you feel more confident.
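An added example (not part of the original paper): one way to rethink a file naming convention so that the names a storage provider can see no longer carry client or matter details. The function names, the 16-character token length and the sample file names are assumptions made for illustration; it covers file names only, and file contents would still be encrypted separately as described above.

```python
import hashlib
import hmac
import secrets
from pathlib import PurePath

# Constructed sample names in the style of the paper's example.
SAMPLE_FILES = [
    "Smith-Charles-Motion-for-Exclusion-of-Donut-Container-2012-05-10.doc",
    "Smith-Charles-Retainer-Agreement-2012-04-02.pdf",
]


def new_naming_key() -> bytes:
    """Random secret that stays on the office computer and is never synced."""
    return secrets.token_bytes(32)


def opaque_name(key: bytes, original: str, length: int = 16) -> str:
    """Replace a descriptive file name with a keyed, repeatable token.

    HMAC rather than a plain hash: without the key, nobody can confirm a
    guessed client or matter name by hashing it and comparing.
    Only the extension survives, so the file type stays visible.
    """
    suffix = PurePath(original).suffix.lower()
    tag = hmac.new(key, original.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:length] + suffix


def build_index(key: bytes, originals: list[str]) -> dict[str, str]:
    """Map synced name -> original name; keep this index off the cloud."""
    index: dict[str, str] = {}
    for original in originals:
        synced = opaque_name(key, original)
        if index.get(synced, original) != original:
            raise ValueError(f"name collision on {synced}; use a longer token")
        index[synced] = original
    return index


def leaked_terms(index: dict[str, str], terms: list[str]) -> list[str]:
    """Synced names that still contain a client or matter term."""
    return [name for name in index
            if any(t.lower() in name.lower() for t in terms)]


if __name__ == "__main__":
    for synced, original in build_index(new_naming_key(), SAMPLE_FILES).items():
        print(f"{synced}  <-  {original}")
```

The index that maps each opaque name back to the original is what lets you find a document again, so it belongs on the office computer and in your local backups, not in the synced folder.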
Cloud Computing Requires Constant Access to the Internet
This seems pretty counter-intuitive but many software-as-a-service systems provide options for you to
store your information on your local computer. When you are away from the Internet, you can continue
to do your work and when you reconnect, your updated files and information are synchronized so that
the information on your computer matches that at your cloud computing site.
Dropbox and other file storage services are a great example of this.6 When you add a file to your
computer, it is uploaded to your Dropbox account at the same time. If there is no Internet access, the
file waits until your computer reconnects and then uploads it. You can also access your files directly
over the Web, away from your computer. Any changes – you can upload a file from another computer,
for example – are then synchronized down to your office computer. File storage services provide both a
redundant copy of your files as well as an alternative access point if you are away from the office.
5 “How Secure is Dropbox” < https://www.dropbox.com/help/27 >
6 Dropbox: http://www.dropbox.com. Sugarsync: http://www.sugarsync.com. Box: http://www.box.com Apple iCloud: http://www.icloud.com Microsoft SkyDrive: http://skydrive.live.com
Law practice management software-as-a-service provider Clio offers Clio Express, which enables you to
continue to work on your time keeping even when you’re offline.7 Google Chrome Web browser users
can add an offline plug-in to provide access to their Google Mail account without Internet access.8
I Can Only Use Canadian-based Cloud Servers
Many, if not most, North American software-as-a-service providers will have their servers based in the
United States. This has raised the spectre of the USA PATRIOT Act and the possibility that the American
government will gain access to the servers on which your data is stored and be able to access your client
confidential information. The threat of government intrusion is not limited to servers in the U.S.,
though, so using software-as-a-service providers exclusively in Canada will not eliminate this possible
risk. A recent Toronto program on cloud computing and the Patriot Act indicated that “most provisions
of the Patriot Act are mirrored in Canadian law.”9
The location of a cloud computing provider is one of the elements of any risk analysis you will do in
selecting a service. There are countries and continents that may offer more or less security and
protection to your information. However, in most cases, your provider will be in North America and its
servers will be located in multiple sites across the continent.
I Don’t Put Confidential Information in the Cloud so I’m O.K.
Lawyers are bound by ethical rules to protect confidential information. They also have an obligation to
prevent disclosure of their representation of a client, as well as a statutory responsibility to protect
private information. The Office of the Privacy Commissioner of Canada has released guidance for
lawyers protecting their clients’ information, confidential or otherwise.10 In addition to PIPEDA, you may
have obligations based on which provinces you practice in and which government agencies regulate you
and your clients’ information. Information stored on your office computer, your smart phone, and in
cloud-based services may not be confidential but you may still have a responsibility to protect it.
Cloud Computing Requires Me to Use Too Many Services
It used to be that, when you used the cloud, your information was spread across the Internet. Your
e-mail might be in Google Mail but your documents were in Dropbox, your practice management data was
in Clio, and so on. Integration has been the holy grail for law office technology for decades and is often
hard to achieve. This is increasingly a feature of cloud computing. In particular, complicated systems
like practice management offer a lot of horsepower but rely on information you are creating elsewhere.
7 Clio Express: https://support.goclio.com/entries/21318542-faqs-on-the-new-clio-express
8 Google Mail Offline app in Chrome Web Store: http://bit.ly/google-mail-offline
9 David Fraser and Lindsey Finch gave a presentation on Cloud Computing and the Patriot Act: a Red Herring? < https://www.privacyassociation.org/media/presentations/12Symposium/CS12_Cloud_Computing_and_Patriot_Act_PPT.pdf > at the International Association of Privacy Professionals’ Canada Privacy Symposium. The slides from the May 2012 presentation discuss Canadian laws comparable to the Patriot Act.
10 A Privacy Handbook for Lawyers: PIPEDA and Your Practice < http://www.priv.gc.ca/information/pub/gd_phl_201106_e.pdf >
We’re seeing some of these services start to integrate with other well-known cloud providers to enable
you to connect your accounts. Clio has announced integration with Dropbox.com and Box.com file
storage sites, Google Apps, and lawyers can synchronize their time-keeping from Chrometa into their
Clio account. 11 Rocket Matter, another practice management software-as-a-service provider, also
supports Chrometa synchronization, the Evernote cloud-based research tool, and Dropbox file storage.12
There are also services that allow you to search across your cloud-based accounts, particularly Google
Apps. Greplin and CloudMagic are two of these tools.13 When you subscribe to their service, you
indicate which of your online accounts you want to have indexed. After that, you can type a search
query into your Web browser, which is probably open since you have accounts in the cloud, and the
search tool will retrieve matching results from all of your accounts. You could see relevant hits from
your Google Mail, your Dropbox files, and so on. These services will store an index of the words in your
files in order to speed up searching.
You may only decide to move one aspect of your practice – e-mail, for example, or time-keeping – into
the cloud and not need the integration. One of the decision points for your practice going forward will
be whether the service you want to use is able to work with the services you already have.
Conclusion
It is not always easy to use technology in the practice of law. Whether you place some or all of your law
practice in the cloud or keep it all in your office, you will face the same type of risks. Cloud computing
removes some of the control while also shifting some of the maintenance. Lawyers will need to act
competently in using software-as-a-service and take reasonable care in selecting providers and placing
information in the cloud. As they continue to educate themselves on the technology they use and how
it is evolving, they will become better able to practice safely and ethically both in the cloud and back on
Earth.
11 Chrometa timekeeping: http://www.chrometa.com
12 Evernote: http://www.evernote.com
13 Greplin: http://www.greplin.com. CloudMagic: http://www.cloudmagic.com