In a recent post at Catalyst Secure, my friend Bob Ambrogi not only summarizes Massachusetts’ recent ethics ruling on lawyer use of cloud platforms, but provides a valuable public service with a round-up of ethics decisions from 11 other jurisdictions. Like most states, Massachusetts permits lawyers to use cloud-based products so long as lawyers (1) make reasonable efforts to ensure that the vendor selected operates in a manner consistent with a lawyer’s professional obligations and (2) obtain clients’ express consent to use cloud products.
Since it seems that the state bars are never going to come to their senses and adopt my oft-repeated recommendation that the 50 states pool their resources to develop sound, technology-based guidance for lawyers who wish to use the cloud, we’re now stuck with a dozen copycat rulings that basically say “It’s OK for you lawyers to use the cloud if you’re reasonable in selecting a secure provider – but just to be on the safe side, you’d better make sure that your clients expressly consent.” Not only does this kind of requirement throw up a red flag that can heighten clients’ concern, but it makes us lawyers look as if we’re trying to pass the buck on security.
I’ve said this before but I’ll say it again and again and again until someone listens. First, why do the bars discriminate against the cloud when it comes to client disclosure? I’m not required to tell clients which bank I use to house my trust account, or seek special approval for use of online banking services. I’m not required to obtain client approval to conduct research on LEXIS or Westlaw even though it’s conceivable that someone could hack into my account and discover certain search strings that give away my strategy. I’m not required to seek my clients’ consent to store unencrypted information on my computer or use a certain type of lock on my office door or to leave the cleaning service in my office unattended. All of these practices that I’ve listed can potentially compromise the confidentiality or security of client documents or property (in the case of bank accounts). So why is only the cloud singled out?
Second, why must we burden clients with an obligation that should be our responsibility alone? When clients come to us for representation, they’ve got enough on their plate – maybe they’re facing a 20-year jail sentence, or they’re about to lose their home, or they’re trying to leave an abusive relationship. The last thing they need is to read through a 40-page retainer letter with millions of caveats and “initial here, please.”
Moreover, clients aren’t stupid. Many of them use online banking or patronize doctors’ offices that store files in the cloud. Yet, even though banks and doctors are subject to far more stringent statutory requirements (like HIPAA or consumer credit laws), users aren’t required to sign a special consent form authorizing those entities to store data in the cloud. So when their lawyer requires consent, clients will either wonder (1) whether the cloud products that we lawyers use are inferior to those of banks and doctors (because otherwise, why would a special consent be required), or (2) how they’re expected to know whether the cloud is safe enough for their data to give informed consent when their lawyer apparently can’t figure it out. Neither scenario makes us look very good.
Oh and by the way, have you ever tried to draft consent language for a retainer agreement? I’ve been going through that exercise as part of preparation of materials on my 21st Century Retainer Agreement and am hard pressed to come up with a clause that doesn’t make it seem like I’m trying to slough off liability for careless security practices to clients. At the very least, if the bars are going to come up with this nonsense, why not provide some stock language to include in our retainer agreements?
Though I’m coming out swinging at the bars, I’m not unsympathetic. Most disciplinary committees are overworked and underpaid, and drafting an ethics ruling, even one that essentially lifts the reasoning from another jurisdiction’s opinion, is a time-consuming task, involving research, analysis and endless rounds of review. Moreover, many committee members simply don’t use this technology and they’re intimidated by the unknown. So rather than do what real scientists do in the face of uncertainty (gather data, learn more and adapt course to new developments), the bars do what lawyers do (after all, regulators are lawyers!), which is to figure out a way to CYA.
The cloud is here, and it’s here to stay. If the bars are serious about protecting client data, instead of wasting already scarce resources to draft stupid opinions that scare lawyers and clients away from the cloud, each bar should fork over $20,000, for a total of $1 million, and then use the money to interview doctors, banks, government officials and technology companies (heck, Google itself uses Google Docs) on best practices in their industries and to hire bona fide security consultants to test various cloud products and identify those suitable for use by lawyers. Taking this approach will help lawyers and our clients gain additional clarity on using the cloud.
A final note – isn’t this just completely and utterly obvious? Isn’t there anyone else out there who agrees that the approach the bars are taking is utterly ridiculous? Ethics experts? Technology gurus? Anyone?
I don’t disagree with anything you are saying. The one difference, however, between all your analogies is the PRESS on privacy and security breaches regarding the cloud for banks, credit card companies, LinkedIn, etc. That makes it a hot topic, and failure to respond in some PRESS-worthy way makes our profession nervous even if it is ridiculous and inappropriate to put this burden on each and every individual lawyer. It’s an ‘in the moment’ reaction. What is also interesting is whether this same type of disclosure accompanies online banking, etc., and we, as consumers, just gloss over it when we go for convenience?
You raise a good point about the press, and I don’t mean to minimize the hacking issues. But in my view, those aren’t matters where the bar should be sticking its nose in. Protection of personal privacy data is governed by state and federal law, and the penalties are far greater than a slap on the wrist from the bar. The bar’s concerns should be focused on client confidentiality – and as recent studies show, that kind of information is really not of much interest to hackers (see http://www.smallfirminnovation.com/2012/01/are-we-regulating-the-wrong-problem-when-it-comes-to-the-cloud/).
I can’t speak for online banking consent, but my doctor’s office has moved to the cloud and I did not receive any special consent forms for data storage (I did however congratulate the office for coming into the 21st century!)
I would be very careful of citing an individual security survey. There are 4 or 5 “established” surveys that security professionals like myself use and one interesting thing is that they often will contradict each other.
There is no industry-agnostic survey that I as a security person would rely on.
I also trust the security bulletins from the FBI which have very clearly stated that law firms are being targeted for their IP data. The problem is there are no disclosure laws that require law firms to publicly disclose when IP data is lost. As a result, all of the breach statistics are slanted toward data types that have mandatory reporting requirements.
This is also why, if you look back before California passed its seminal data breach notification law, there was almost no public disclosure of breaches unless the disclosure happened by the hacker.
The reality is that we don’t know what percentage of hackers are motivated by what. However, there are a number of studies that will contradict the one that you cited and indicate that at least some hackers are targeting highly sensitive financial or IP data in the possession of law firms.
I apologize on the behalf of the security community for constantly reshaping these statistics to play into whatever narrative a given vendor/article wants to communicate.
http://www.carlsonwolf.com