Your data is in the cloud. Somewhere, sanctioned or not. Your fellow lawyers and employees are using traditional business applications from 3rd parties in parallel with (or in place of) your company’s offerings — e-mail, text messaging, telephone, calendar, document creation, file storage. Think Google offerings (Gmail, Google Drive, Google Docs, Google Calendar), DropBox, Box, iCloud, Office365, Skype, and WebEx.
Separately, your law firm/department may use other applications to support the practice of law. Think budget, matter, eBilling, eDiscovery, project management, litigation management, knowledge management, and contract management systems, eSignature services, and deal rooms. Perhaps you have something in place now or are contemplating a new licensed offering. What should you be asking? What should you be thinking about?
Your people are simply trying to get their work done, understandably demanding mobile access and ease-of-use. If you cannot offer this (or they don’t think you do), your people find resources in the cloud. As you manage your law firm/department, you must balance these demands in relation to your existing services and resources, client and ethical obligations, and accompanying security concerns. Given these pressures, risk management or information technology professionals may counsel avoidance (“Clouds, go away, go away…”), while others may press for adoption given cost and other practical benefits (“just plug me in, all on, oh wow”).
As a lawyer, you have various ethical obligations relating to the cloud, confidentiality and communication sitting at the top of the list. There are over 20 ethics opinions stating, more or less, that you can use the cloud as long as you take “reasonable” care when selecting a cloud provider. Although there is no precise definition of what is “reasonable,” existing ethics opinions indicate that lawyers must (1) include contract terms that require the provider to preserve the confidentiality and security of the data and (2) conduct due diligence to understand how your data will be managed.
The following checklist presents issues to help you form a reasonable approach through your due diligence and contract negotiation phases. This list is based on a review of existing ethics opinions and experience delivering knowledge management and other systems via the cloud.
| Topic | Consideration | Done |
|---|---|---|
| Access | Understand who will have access to your data and what access limits can be implemented (e.g., provider employees, contractors). Consider separately whether the provider will commit to delivering you unrestricted access to your data. | ☐ |
| Antivirus | Understand if the provider offers antivirus on its servers, how often it is updated, and how it will protect your data. | ☐ |
| Auditing (logs) | Confirm that the provider can deliver logs (or data in your desired format) identifying who has accessed your data. Determine if these logs should be delivered on a regular basis and/or available on demand. Consider whether someone in your organization should be responsible for a periodic review of these logs. Consider if these logs should include a confidentiality notice. | ☐ |
| Auditing (periodic review) | Conduct periodic reviews of the provider and available options to ensure that use of the provider remains reasonable in light of evolving technology, potential risks and legal requirements. | ☐ |
| Authentication | Determine if the provider offers two-step authentication, and whether this approach is appropriate in relation to your internal security measures and the provider’s offering. | ☐ |
| Backups | Confirm that the provider has an affirmative contractual obligation to back up your data. Understand how the backups will be managed, maintained, and deleted (e.g., media type, security measures, location, duration). Understand who will have access to your backups. | ☐ |
| Bankruptcy | Determine how you will retrieve your data if the provider goes out of business or if there is a break in service. Confirm that your data will be delivered and/or accessible in a non-proprietary format. | ☐ |
| Breach | Understand how the provider will notify you in the event of a security breach or suspected breach. Confirm when you will receive notice (e.g., promptly, within 24 hours). Ask the provider what breach notification statutes it follows. | ☐ |
| Client consent and disclosure | Discuss with your clients the storage of their data and/or your use of a cloud provider to support them. Consider if this is an appropriate issue to include in your engagement letter. | ☐ |
| Confidential Information | Define the term “confidential information” and understand how it will be managed. Consider if the provider’s obligation is enforceable and what remedies will be available. Consider the nature of your client’s confidential information; certain client data may be so sensitive that it may not be appropriately stored with third parties. | ☐ |
| Connectivity | Explore the provider’s redundant Internet access measures to ensure continued access to your data. Understand how you will access your data during interruptions to your Internet access. | ☐ |
| Copies | Understand if the provider can provide an easy method to retrieve your data in bulk. Consider if you can mirror a copy of your data internally in case your Internet access is unavailable. Confirm that data will be delivered to you in a non-proprietary format. | ☐ |
| Data (disclosure) | Include provisions in your contract regarding third party requests for data. Understand if the provider has an affirmative obligation to notify you and if you have an opportunity to respond to the request before your data is produced. Consider if the provider has an affirmative obligation to refuse to disclose confidential information to unauthorized individuals/third parties without your permission. | ☐ |
| Data (encryption) | Understand the provider’s encryption capabilities. Specify how your data should be encrypted and at what level (e.g., in transit and at rest, SSL internet transmissions, backups). Understand if you can choose a higher level of encryption. | ☐ |
| Data (ownership) | Include specific provisions in your contract affirming that the provider has no ownership or security interest in your data. Understand if the provider’s standard terms of service, EULA, and privacy policies apply to your use or your data. Consider if you can modify these terms or include affirmative contractual language that overrides the application of these standard terms and policies with respect to your data and use. | ☐ |
| Data (removal) | Include provisions in your contract to specify how the provider will return and destroy all of your data at your request. Understand the length of this process (including backups). | ☐ |
| Data (storage) | Understand how and where your data will be stored (i.e., in a separate physical database/server, separate from other provider clients, separate from the provider’s program). Understand if the provider will be using multiple storage centers for your data, who owns those centers, and where your data will be located. | ☐ |
| Disaster recovery, retrieval & restoration | Consider the provider’s disaster recovery procedures. Consider if your contract includes an affirmative obligation for the provider to restore data that is lost, corrupted or accidentally deleted. | ☐ |
| Due diligence (internal) | Understand the type of data you will put in the cloud (e.g., SSN, employee information, personally identifiable information (PII) covered by EU data protection, trade secrets). Consider if any of the data is subject to privacy or other laws and regulations (e.g., HIPAA, GLBA, SOX). Consider if you have competent technical personnel to review the provider’s systems. | ☐ |
| Due diligence (provider) | Review the provider’s practices, history, reputation and financial posture. Evaluate the provider’s physical and logical security measures, disaster planning and recovery measures, backup systems, data center security, breaches, and security audits. Understand the number of clients using the product, including the number of lawyers/law firms/legal departments. Consider if the provider is certified to manage data subject to applicable regulatory obligations. Determine if you can conduct security audits or non-invasive scans. | ☐ |
| Education (internal) | Provide appropriate training for your employees, covering security measures, password strength, use of your systems, and use of the provider’s system (particularly how to apply and manage security on content stored with the provider). | ☐ |
| Education (provider) | Confirm that the provider will brief all its employees and contractors that will have access to your data regarding your (and the provider’s) confidentiality obligations. | ☐ |
| Firewalls | Consider the provider’s (and your) firewall protections. Consider if it is appropriate to restrict access to your identified IP addresses. Understand if the provider guards against reasonably foreseeable data infiltration and conducts periodic penetration testing. | ☐ |
| Incident response plans | Consider creating, implementing, and maintaining policies and procedures relating to hosted data incidents. Consider the communications that may need to be sent internally and to clients. Understand the provider’s incident response plans and how they align with your plans. | ☐ |
| Information Security Requirements (ISRs) | Consider establishing standard Information Security Requirements (ISRs) to include as an appendix to any provider contract. Review the provider’s security management procedures (i.e., personnel training, physical security, system security, data security, disaster recovery and reporting obligations). | ☐ |
| Insurance | Determine the levels and type of insurance coverage you require in your contracts. | ☐ |
| Litigation hold | Understand and specify how the provider will comply with data that is subject to a litigation hold. Consider if the provider can manage portions of your data under different backup and deletion rules. | ☐ |
| Locations | Understand the geographic location(s) where your data will be stored and whether you can specify one or more locations. Consider if the privacy law(s) of the hosting jurisdiction(s) (state/country) mirror(s) the laws that should apply to your and your client’s data. Consider if you should be notified if the provider moves your data to a different location. | ☐ |
| Non-publicity | Consider if the provider can publicize the relationship with you absent advance written approval. | ☐ |
| Passwords | Understand the provider’s password policies (e.g., complexity, encryption, frequency of change; access to passwords, access to encryption keys). | ☐ |
| Payment | Understand if non-payment could cause you to lose access to your data. | ☐ |
| Private cloud | Consider if a private cloud option or hybrid cloud approach is available and practical. | ☐ |
| Security | Review the provider’s security policies and procedures as part of your due diligence. Determine if the provider has an enforceable contractual obligation to preserve security. | ☐ |
| Software updates | Understand the frequency of the provider’s software updates and whether they will impact your ability to access your data. | ☐ |
| Support calls | Understand if the provider will provide support and if there are time or geographic limits on that support. | ☐ |
| Termination | Specify how long you will have access to your data in the event of termination. Consider if the provider is obligated to host the data while data (and/or services) are transferred to you or another vendor. Understand the format of that data and if the provider will assist with a data transfer. | ☐ |
| Service Level Agreement (SLA) | Understand the guaranteed uptime in the applicable service level agreement (SLA). Consider the consequences if those levels are not met, including whether you should receive credits. | ☐ |
| User management | Understand how you will manage user additions and removals. Consider if you want to receive regular reports identifying additions and removals, and, if so, who will review those reports. | ☐ |
| Virus protection | Understand if the provider offers virus protection on every server, how often it is updated, and if your data is protected. | ☐ |
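The periodic log review that the Access, Auditing (logs) and Firewalls items call for, as an added Python example that is not part of the original article: it reads provider-delivered access logs and flags provider staff access, firm users arriving from outside the allow-listed address range, and bulk exports. The pipe-separated log layout, the actor types and the firm address range are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample of access log lines as a provider might deliver them.
# The pipe-separated layout is an assumption, not any real provider's format:
# timestamp|actor|actor_type|source_ip|action|object
SAMPLE_LOG = """\
2014-07-18T09:12:03Z|jsmith@firm.example|customer|203.0.113.10|read|matter-1042/brief.docx
2014-07-18T09:15:44Z|jsmith@firm.example|customer|203.0.113.10|write|matter-1042/brief.docx
2014-07-18T11:02:19Z|support-ops@provider.example|provider_employee|198.51.100.7|read|matter-1042/brief.docx
2014-07-18T13:40:00Z|akhan@firm.example|customer|192.0.2.55|read|matter-0077/contract.pdf
2014-07-18T22:05:31Z|contractor-77@provider.example|provider_contractor|198.51.100.9|export|matter-0077/
"""

# Assumed firm egress range that the provider has been asked to allow-list.
FIRM_IP_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

FIELDS = ("timestamp", "actor", "actor_type", "source_ip", "action", "object")


def parse_log(text):
    """Turn the delivered log text into a list of dicts, one per access event."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entries.append(dict(zip(FIELDS, line.split("|"))))
    return entries


def review(entries, allowlist=FIRM_IP_ALLOWLIST):
    """Flag the events the checklist says someone should look at each period."""
    findings = []
    for e in entries:
        src = ipaddress.ip_address(e["source_ip"])
        if e["actor_type"] != "customer":
            # Access item: provider staff or contractors touched client data.
            findings.append(("provider_access", e["actor"], e["object"]))
        elif not any(src in net for net in allowlist):
            # Firewalls item: a firm user arrived from outside the allow-listed range.
            findings.append(("off_allowlist_ip", e["actor"], e["source_ip"]))
        if e["action"] == "export":
            # Copies / Data (removal) items: bulk exports deserve a look whoever did them.
            findings.append(("bulk_export", e["actor"], e["object"]))
    return findings


def summarize(findings):
    """Count findings by kind for the periodic review report."""
    return dict(Counter(kind for kind, _, _ in findings))
```

Calling `review(parse_log(SAMPLE_LOG))` on the constructed sample yields two provider-access findings, one off-allow-list address and one bulk export; `summarize` gives the per-kind counts for the reviewer's report.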
Ultimately, it is your responsibility to determine what balance is reasonable based on the nature and location of your practice, your existing resources, and your clients. As you proceed with cloud providers, ethics opinions and best practices suggest that you should periodically review your selections to understand how technology may have changed since you adopted a particular solution. Your review will help you determine if the continued use of a cloud provider is a reasonable way to support your clients and your business and practice of law.
- Some of the ethical obligations include: Competence (Rule 1.1); Communications (Rule 1.4); Confidentiality (Rule 1.6); Safekeeping property (Rule 1.15); Responsibilities of Supervisors, Subordinates and Nonlawyers (Rules 5.1, 5.2, and particularly 5.3).
- See e.g., Alabama Ethics Opinion 2010-02; Arizona Opinion 09-04; California Bar Opinion 2012-184; California Bar Opinion 2010-179; Connecticut Bar Opinion 2013-07; Florida Bar Opinion 12-3; Illinois Bar Opinion 10-01; Iowa Bar Opinion 11-01; Maine Opinion 194; Massachusetts Bar Opinion 12-03; Nevada Bar Opinion 33; New Hampshire Opinion 2012-13/4; New Jersey Opinion 701; New York State Bar Opinion 842; North Carolina Opinion 2011-6; North Dakota Opinion 99-03; Oregon Bar Ethics Opinion 2011-188; Pennsylvania Opinion 2011-2000; Vermont Opinion 2010-6; Virginia Opinion 1872; Washington State Bar Opinion 2215.
- See Pennsylvania Bar Association Formal Opinion 2011-200.
- See Pennsylvania Bar Association Formal Opinion 2011-200 in particular for a relatively thorough list of suggested approaches and a summary of other cloud ethics opinions.
- You have a continuing duty to stay abreast of security safeguards to be followed by you and the provider. See New York State Bar Opinion 842; Vermont Opinion 2010-6.
- See e.g., Cal. Civ. Pro. §1789.82; §§1798.80-1798.84.
- You may consider asking your provider to recognize your (lawyer’s) professional obligations and agree to handle your data accordingly. See North Carolina Opinion 2011-6; Vermont Opinion 2010-6.
- Most of these policies can be updated by the provider at any time and the provider may not be able to remove or modify these system-level notices.
- ISR requirements may vary depending on the nature of your systems, your clients’ industries and data, applicable regulatory schemes, and jurisdictions.
This article originally appeared in Law Technology News on July 18, 2014.
©2014-2017 Peter Krakaur