The Pennsylvania Bar Association has established a Formal Opinion that explains an attorney’s ethical obligations when using ‘cloud computing’ to communicate and store privileged client information.
Cloud computing is a broad term used to describe internet-based communication and data storage. It applies to the use of smartphones, web-based email (like Gmail, Yahoo!, etc.), Google Docs, Dropbox and more. This concept has raised a number of ethical questions, prompting the PBA to issue the Formal Opinion. Although there are not strict parameters on how the cloud should be used in a legal capacity, there are general guidelines that must be followed.
In simplest terms, attorneys are permitted to store privileged client material in the cloud, but must guarantee that such materials remain confidential and apply necessary safeguards to ensure the protection of the data. Some acceptable efforts include regularly backing up data, installing firewalls and staying educated on technology trends.
Some potential concerns surrounding the use of cloud computing, according to a list compiled by the American Bar Association Standing Committee of Ethics and Professional Responsibility, are as follows:
- Potential for disruptions in service, data loss or dissolution of the cloud computing provider;
- Unclear policies regarding data ownership, data breach, back-ups and protocol for switching providers;
- Server crashes, hackers, viruses and insufficient encryption;
- Data corruption or destruction; and
- Business disruption or complete loss of data due to a man-made or natural disaster.
Depending on the capacity of representation, an attorney may need to obtain “informed consent” from the client before storing the client's confidential information in the cloud, which means first educating the client on the accepted risks of cloud computing. The attorney also needs to establish an understanding with the vendor of the cloud solution to ensure the information is backed up, available to the attorney involved in the case, and protected from unauthorized users. In some cases, if the cloud server that holds the data is located in another country, the attorney will need to confirm the data on the server is protected by privacy laws that correspond with those of the United States.
In a legal context, cloud computing also pertains to mobile devices and web-based email. Attorneys are also obligated to take preventative measures to ensure the security of confidential information and communications. According to the Pennsylvania Bar Association’s Formal Opinion, some encouraged methods of safeguarding are:
- Using strong passwords on email accounts and mobile devices;
- Purging data from replaced devices;
- Virus and spyware protection;
- Updating operating systems;
- Encrypting email;
- Regular backups of data; and
- Avoiding public wireless Internet when sending confidential information, and more.
Although there are not distinct guidelines explaining the proper use of cloud computing, attorneys are generally expected to stay within certain parameters of data protection. They should stay current with technology and cloud computing trends in order to understand the level of protection from a vendor. Attorneys are expected to get “informed consent” from their clients to store their confidential data in the cloud. It is also encouraged that attorneys take preventative measures to ensure the integrity of sensitive data, like regular backups and encryption. In conclusion, attorneys may use cloud computing to store and transmit data but they are required to make efforts to protect client data and ensure that any third-party vendors do the same.