The Move to Cloud City the Benefits and Risks of Cloud Computing

• Jurisdiction: United States,Federal
• Citation: Vol. 84 No. 1 Pg. 22
• Pages: 22
• Publication year: 2015

The Move to Cloud City:^[1] The Benefits and Risks of Cloud Computing No. 84 J. Kan. Bar Assn 1, 22 (2015) Kansas Bar Journal January, 2015

By J. Nick Badgerow

An attorney's duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client's representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.^[2]

I. What is Cloud Storage?

Cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network, such as the Internet. In science, cloud computing is a synonym for distributed computing over a network, and means the ability to run a program or application on many connected computers at the same time. The phrase also more commonly refers to network-based services, which appear to be provided by real server hardware, and are in fact served up by virtual hardware, simulated by software running on one or more real machines. Such virtual servers do not physically exist and can therefore be moved around and scaled up (or down) on the fly without affecting the end user arguably, rather like a cloud.^[3]

As technology advances, the practice of law lurches forward though sometimes a few steps behind the rest of the world. The move to storing digital records in a remote location or using remote computers to operate software (the "cloud") is one which has developed over the past decade or more, and is increasing exponentially. A recent ABA survey concluded that lawyers increasingly use the "Software as a Service" (also known as "SaaS") cloud-based law practice management systems because those systems increase both productivity and profits.

Cloud computing: it's the future of computing. That's why so many businesses, including law firms, are moving to the cloud more quickly than ever before. Cloud computing isn't a fad it's here to stay, and law firms are now using cloud-based applications for every part of their business, like optimizing customer relationships, billing, and document management. In fact, the results of the American Bar Association's 2013 Legal Technology Survey found that lawyers' use of cloud computing software to manage their law firms increased by more than 30% in 2013, with nearly one third of all lawyers surveyed reporting that they used cloud computing software in their law practices.^[4]

From the point of view of data storage, when referring to cloud computing, a law firm does not spend capital to invest in servers (and pay rent to house the servers, and pay staff to run and maintain the servers), the law firm instead contracts with a provider which provides storage space for data, as well as the ability to access and manipulate the data stored there, and often provides software for such access and manipulation of the data stored there. Put more simply, "Cloud computing is a type of computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications."^[5]

As long ago as 2009, The Economist predicted this phenomenon.

Much of computing will no longer be done on personal computers in homes and offices, but in the "cloud": huge data centers housing vast storage systems and hundreds of thousands of servers, the powerful machines that dish up data over the Internet. Web-based email, social networking and online games are all examples of what are increasingly called cloud services, and are accessible through browsers, smart-phones, or other "client" devices.^[6]

Substituting smaller operating expenses for larger capital expenditures seems an easy choice. But, as with any change, there are both benefits and ethical and practical risks to the development. It is the purpose of this article to explore both the benefits and risks of cloud storage for a law firm, and to suggest some ways to address or alleviate the risks, thereby maximizing the benefits.

II. Benefits of Cloud Storage: Why Use It?

In the ABA survey referred to above, 75 percent of the lawyer-respondents cited convenient access, all day, every day, as one of the larger benefits of cloud storage. In addition, 56 percent cited affordability as a strong factor in its favor.^[7]

A Pennsylvania Bar Association ethics opinion has stated:

The benefits of using "cloud computing" may include:

• Reduced infrastructure and management;

• Cost identification and effectiveness;

• Improved work production;

• Quick, efficient communication;

• Reduction in routine tasks, enabling staff to elevate work level;

• Constant service;

• Ease of use;

• Mobility;

• Immediate access to updates; and

• Possible enhanced security.^[8]

Another ethics opinion on cloud computing observes:

The obvious advantage to "cloud computing" is the lawyer's increased access to client data. As long as there is an Internet connection available, the lawyer would have the capability of accessing client data whether he was out of the office, out of the state, or even out of the country. In addition, "cloud computing" may also allow clients greater access to their own files over the Internet.^[9]

Storing records in the cloud thus provides to a lawyer and her client easy access to lawyer and client records in a remote location, at any time of the day or night, on any day of the week. It also saves the cost of buying and maintaining storage servers, as well as the space where those servers sit.

III. Rules, Risks, and Concerns

A. Rules

Lawyers' ethics and professional conduct are governed by the American Bar Association's Model Rules of Professional Conduct, adopted in Kansas as the Kansas Rules of Professional Conduct (KRPC).^[10] Most recently, the Kansas Supreme Court has adopted many of the changes brought about by the ABA's Ethics 20/20 Commission, and that adoption was made effective in Kansas on March 1, 2014.^[11]

1. Competence

Rule 1.1, KRPC, requires all lawyers to act with competence and provides:

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.^[12]

That is normally interpreted to mean that the lawyer must represent each client competently, either through his/her own knowledge and ability, or by associating with others who have such knowledge and ability.^[13] While that is understood to apply to the areas of substantive and procedural law where the lawyer chooses to practice, a new Comment to Rule 1.1 extends it to technology:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.^[14]

Thus, in order to stay competent, each lawyer should keep abreast of changes in relevant technology, including the benefits and risks associated therewith.

To the extent that a lawyer uses technology in his or her practice, the lawyer has a duty to keep informed about the risks associated with that technology and to take reasonable precautions. The lawyer's duties discussed in this opinion do not rise to the level of a guarantee by the lawyer that the information is secure from all unauthorized access. Security breaches are possible even in the physical world, and a lawyer has always been under a duty to make reasonable judgments when protecting client property and information. Specific practices regarding protection of client property and information have always been left up to individual lawyers' judgment, and that same approach applies to the use of online data storage. The lawyer must take reasonable steps, however, to evaluate the risks involved with that practice and to ensure that steps taken to protect the information are up to a reasonable standard of care.^[15]

2. Confidentiality

Rule 1.6 requires lawyers to maintain the confidentiality of all information pertaining to the representation of each client. Rule 1.6(a) provides:

A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraph (b).^[16]

Thus, a client can consent to the release of its confidential information, if it "consents after consultation."^[17] The same is true of client documents stored in the cloud.

Similarly, given that Cloud Computing involves storage of information in the hands of a third party, a lawyer handling particularly sensitive client property, like trade secrets may conclude after consultation with the client that remote SaaS storage is not sufficiently secure.^[18]

A new section (c) added by the Ethics 20/20 changes to the KRPC now provides:

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.^[19]

And the Ethics 20/20 Comments 26 and 27 to Rule 1.6 explain this in much more detail, including:

Paragraph...