PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Law firm data security

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Attorney Ethical Rules in the Digital Age

The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues.  Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The application of this rule to digital technologies has been dealt with by resolutions and commentary.  Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (added language italicized).

Attorney-Client Privilege in the Cloud

Is it ethical for attorneys and law firms to store privileged documents in the cloud?  After all, they are storing such documents on a third party’s computer.

Cloud

This question has been a widespread concern, enough so that several state bar associations have issued guidance.  Their consistent conclusion is that it is ethical to store privileged documents in the cloud.  For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”

According to the Florida Bar Association Opinion 12-3, “Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.” The Massachusetts Bar Association Opinion 12-03 provides that lawyers “may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution” if they undertake “reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information.”

The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Other state bars have reached similar conclusions.  The ABA maintains a page that tracks what state bars are holding on this issue.  The states in blue have all issued opinions on the use of the cloud, and all state essentially the same thing: Using the cloud is ethical as long as reasonable care is taken.

US Map

In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network.  This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm.  For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.

Attorneys don’t have a blank check to store anything with any third party.  There still are cybersecurity obligations.  According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider.  The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.”  What are such reasonable safeguards?  I will discuss that in the part below.

Confidentiality and Cybersecurity Responsibilities

Attorneys and law firms have significant confidentiality and cybersecurity responsibilities.   These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms.  These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.

For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries.  The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices.  I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.

I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.

State bars have also provided many useful examples.  Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (3) implementing audit logging to monitor who is accessing data; (4) having a data breach response plan; and (5) having a firewall on the firm or office network.

With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.

Due Diligence When Selecting a Cloud Service Provider

Law firm data security

Due diligence should involve examining whether a cloud service provider has:

  • adequate safeguards in place to maintain accessibility of data in the event of disasters
  • sufficient stability and resources
  • appropriate procedures to comply with a litigation hold
  • appropriate written policies and procedures to protect confidentiality and security
  • appropriate back up
  • appropriate security protections, including employee training, penetration testing, etc.

Appropriate Provisions in Contracts with Cloud Service Providers

Law firm data security

Contracts with cloud service providers should require, among other things:

  • Ownership of the data remains with the attorney or firm, not the cloud service provider.
  • Attorneys must have adequate access to the data.
  • Data should be routinely backed up.
  • There should be an enforcement provision if the provider fails to meet its obligations.
  • The cloud service provider should provide reasonable and appropriate security protections.
  • The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
  • The data is returned in the event of termination of the contract.

Good Data Security Practices

Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.

Ongoing Vigilance of Cloud Service Providers

Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.

The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”

Conclusion

It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information.  Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.  This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 950,000 followers.

Privacy+Security ForumProfessor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security. 

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
 LinkedIn Influencer blog
*
 Twitter
*
 Newsletter

TeachPrivacy data security training 07