The Bar Associations Have Their Head In The Clouds When It Comes To The Ethics Of Cloud Computing
In a recent post at Catalyst Secure, my friend Bob Ambrogi not only summarizes Massachusetts’ recent ethics ruling on lawyer use of cloud platforms, but provides a valuable public service with a round-up of ethics decisions from 11 other jurisdictions. Like most states, Massachusetts permits lawyers to use cloud-based products so long as lawyers (1) make reasonable efforts to ensure that the vendor selected operates in a manner consistent with a lawyer’s professional obligations and (2) obtain clients’ express consent to use cloud products.
Since it seems that the state bars are never going to come to their senses and adopt my oft-repeated recommendation that the 50 states pool their resources to develop sound, technology-based guidance for lawyers who wish to use the cloud, we’re now stuck with a dozen copycat rulings that basically say “It’s OK for you lawyers to use the cloud if you’re reasonable in selecting a secure provider – but just to be on the safe side, you’d better make sure that your clients expressly consent.” Not only does this kind of requirement throw up a red flag that can heighten clients’ concerns, but it makes us lawyers look as if we’re trying to pass the buck on security.
I’ve said this before but I’ll say it again and again and again until someone listens. First, why do the bars discriminate against the cloud when it comes to client disclosure? I’m not required to tell clients which bank I use to house my trust account, or seek special approval for use of online banking services. I’m not required to obtain client approval to conduct research on LEXIS or Westlaw even though it’s conceivable that someone could hack into my account and discover certain search strings that give away my strategy. I’m not required to seek my clients’ consent to store unencrypted information on my computer or use a certain type of lock on my office door or to leave the cleaning service in my office unattended. All of these practices that I’ve listed can potentially compromise the confidentiality or security of client documents or property (in the case of bank accounts). So why is only the cloud singled out?
Second, why must we burden clients with an obligation that should be our responsibility alone? When clients come to us for representation, they’ve got enough on their plate – maybe they’re facing a 20-year jail sentence, or they’re about to lose their home, or they’re trying to leave an abusive relationship. The last thing they need is to read through a 40-page retainer letter with millions of caveats and “initial here, please.”
Moreover, clients aren’t stupid. Many of them use online banking or patronize doctors’ offices that store files in the cloud. Yet, even though banks and doctors are subject to far more stringent statutory requirements (like HIPAA or consumer credit laws), users aren’t required to sign a special consent form authorizing those entities to store data in the cloud. So when their lawyer requires consent, clients will either wonder (1) whether the cloud products that we lawyers use are inferior to those of banks and doctors (because otherwise, why would a special consent be required), or (2) how they’re expected to know whether the cloud is safe enough for their data to provide informed consent when their lawyer apparently can’t figure it out. Neither scenario makes us look very good.
Oh and by the way, have you ever tried to draft consent language for a retainer agreement? I’ve been going through that exercise as part of preparation of materials on my 21st Century Retainer Agreement and am hard pressed to come up with a clause that doesn’t make it seem like I’m trying to slough off liability for careless security practices to clients. At the very least, if the bars are going to come up with this nonsense, why not provide some stock language to include in our retainer agreements?
Though I’m coming out swinging at the bars, I’m not unsympathetic. Most disciplinary committees are overworked and underpaid, and drafting an ethics ruling, even one that essentially lifts the reasoning from another jurisdiction’s opinion, is a time-consuming task involving research, analysis and endless rounds of review. Moreover, many committee members simply don’t use this technology, and they’re intimidated by the unknown. So rather than do what real scientists do in the face of uncertainty (gather data, learn more and adapt course to new developments), the bars do what lawyers do (after all, regulators are lawyers!), which is to figure out a way to CYA.
The cloud is here, and it’s here to stay. If the bars are serious about protecting client data, instead of wasting already scarce resources to draft stupid opinions that scare lawyers and clients away from the cloud, each bar should fork over $20,000 for a total of $1 million and then use the money to interview doctors, banks, government officials and technology companies (heck, Google itself uses Google Docs) on best practices in their industries and to hire bona fide security consultants to test various cloud products and identify those suitable for use by lawyers. Taking this approach will help lawyers and our clients gain additional clarity on using the cloud.
A final note – isn’t this just completely and utterly obvious? Isn’t there anyone else out there who agrees that the approach the bars are taking is utterly ridiculous? Ethics experts? Technology gurus? Anyone?
I don’t disagree with anything you are saying. The one difference, however, between all your analogies is the PRESS on privacy and security breaches regarding the cloud for banks, credit card companies, LinkedIn, etc. That makes it a hot topic, and failure to respond in some PRESS-worthy way makes our profession nervous even if it is ridiculous and inappropriate to put this burden on each and every individual lawyer. It’s an ‘in the moment’ reaction. What is also interesting is whether this same type of disclosure accompanies online banking, etc., and we, as consumers, just gloss over it when we go for convenience.
You raise a good point about the press, and I don’t mean to minimize the hacking issues. But in my view, those aren’t matters where the bar should be sticking its nose in. Protection of personal privacy data is governed by state and federal law, and the penalties are far greater than a slap on the wrist from the bar. The bar’s concerns should be focused on client confidentiality – and as recent studies show, that kind of information is really not of much interest to hackers (see http://www.smallfirminnovation.com/2012/01/are-we-regulating-the-wrong-problem-when-it-comes-to-the-cloud/).
I can’t speak for online banking consent, but my doctor’s office has moved to the cloud and I did not receive any special consent forms for data storage (I did however congratulate the office for coming into the 21st century!)
To make matters more confusing, the opinion requires express consent before using cloud computing services for “particularly sensitive client information.” Does MA have a definition for “particularly sensitive”? I would tend to agree with you that it’s just silly policy to require express consent to use a secure cloud storage system – particularly when so little care is taken in other areas. If state bars are going to require consent on any matter, it should be in the event that a lawyer uses a laptop. To Susan’s point, most of the breaches related to banks and credit cards have come from stolen laptops or breached hardware. In the case of LinkedIn, perhaps it should be a per se breach of your duties if your cloud storage password is “law1234.”
Washington’s recent opinion is a little more generous than the ones you cited: http://mcle.mywsba.org/IO/searchresult.aspx?year=&num=2215&rpc=&keywords=
It seems as if Massachusetts makes every attempt to streamline or modernize the practice of law damn near impossible. Want to charge a flat fee or custom billing? You can, but it has to be relational to and equal the amount of hours you spend; and, moreover, it probably cannot be non-refundable or payable at certain milestones.
Fee Agreement language must be specific, and now we must add even more if we want to use a cloud? My Fee Agreement is already five (5) pages, and that is just making sure I cover myself! As for “particularly sensitive information,” I imagine that is financial and medical information, so it sounds as if every BI and Family Law attorney must have a specific cloud waiver clause. Ironically, LOMAP, the Board’s law office and practice group, advocates the use of them! I am probably just griping, but I swear, the Mass. BBO will drive me to drink.
(edited to fix typo)
I would be very careful of citing an individual security survey. There are 4 or 5 “established” surveys that security professionals like myself use and one interesting thing is that they often will contradict each other.
There is no industry-agnostic survey that I as a security person would rely on.
I also trust the security bulletins from the FBI which have very clearly stated that law firms are being targeted for their IP data. The problem is there are no disclosure laws that require law firms to publicly disclose when IP data is lost. As a result, all of the breach statistics are slanted toward data types that have mandatory reporting requirements.
This is also why, if you look back before California passed its seminal data breach notification law, there was almost no public disclosure of breaches unless the disclosure happened by the hacker.
The reality is that we don’t know what percentage of hackers are motivated by what. However, there are a number of studies that will contradict the one that you cited and indicate that at least some hackers are targeting highly sensitive financial or IP data in the possession of law firms.
I apologize on the behalf of the security community for constantly reshaping these statistics to play into whatever narrative a given vendor/article wants to communicate.
http://www.carlsonwolf.com
Carolyn:
I agree that a requirement that a client consent to a law firm’s use of a cloud computing service is unrealistic and not relevant. What does informed consent mean in this context? Do consumers have to consent to using LegalZoom’s cloud-based service when they purchase a legal document? How about bar associations putting more road-blocks up to make it more difficult for solos and small law firms to practice in the cloud? What are they thinking?
Did you delete my other comment because you disagreed with the content? You explicitly requested feedback from technology gurus but only listen to those who agree with you (and censor those who do not?). I have many years of security experience to back up my sentiments and would be happy to go over them with you in a reasoned manner. I had intended to link to your blog post as evidence of the struggles facing solo or small firm practitioners to manage these ethical obligations. I will not do so now, as I do not want to drive people to such a one-sided argument where no real discussion can occur. The fact that you are not open to dialog or discussion is troubling and shows a lack of respect for the ethical obligations these bars are trying to uphold. I am disappointed.
The legal jackasses are just beginning to recognize electronically signed documents as the equivalent of an inked “original.” Don’t confuse them with “da cloud.”