Trellis White paper Ad 770 Spot #6
dealing with burnout
share TWEET PIN IT share share 0
On Balance

Cloud Computing and the NSA: The U.K. Weighs In

By Megan Zavieh

Cloud computing in the practice of law has been a hot topic recently. Regulators in the United Kingdom have issued guidance to solicitors commenting on the practice as it stands in the United States and — of far greater interest — devoting a page to concerns about the potential insecurity of data stored here in light of our National Security Agency surveillance scandal. (See “Silver Linings: Cloud Computing, Law Firms and Risk.”)

I find it particularly enlightening to hear another country’s perspective — in fact, it leads me to add to my recommended criteria for evaluating any cloud computing provider.

Cloud Computing in the U.S. Legal Ethics World

As many tech-savvy law school graduates are hanging out their own shingles, and a good number of lawyers are deciding to go virtual, storing client files and sensitive data in the cloud is becoming quite common. U.S. ethics rules are chasing the technology and trying to adapt.

Thus far, 17 of the 50 states have weighed in on the practice of utilizing cloud computing in law practice. Most have adopted some form of a reasonableness standard: Attorneys must thoroughly vet any cloud computing provider with whom we contract, recheck the provider’s security measures periodically and ensure that any sensitive data held in the cloud is adequately secured. The standards are really a digital version of the standards always applicable to off-site storage of documents, such as with vendors like Iron Mountain.

The U.K.’s Guidance – Similar Concerns but Benefits, Too 

When the U.K. issued its recent guidance, it identified many of the same risks about which we in the U.S. have been concerned. But it also identified several benefits that have often been overlooked when U.S. regulators issue guidance. 

The U.K. identified three key topics of concern:

  • Breach of confidentiality
  • Failure of the vendor to cooperate with regulators as required by U.K. rules
  • Structural instability

The U.S. currently has no rules requiring vendors to cooperate with legal ethics regulators. Structural instability concerns are largely the same as those identified here — that third-party servers can be down or the provider could go out of business. Still, the likelihood of something going wrong on the external platform is not much different than a law firm’s risk of its own internal system failing.

What is really interesting, though, is the U.K.’s discussion of the risk of breach of confidentiality. The concern is the key one discussed in the U.S. — that putting client data in the cloud exposes it to the risk of unauthorized disclosure

Of particular note, however, is that the U.K. explicitly identifies a benefit to cloud computing, which is that it is far more secure than the technology most solicitors are otherwise employing to share client data. The U.K. specifically compares the use of cloud computing to the use of flash drives (easily lost and highly susceptible to viruses) and laptops (frequently stolen). 

It also points out that cloud access makes employee theft of data more difficult because accessing the cloud leaves an electronic trail.

In the U.S., I’ll hazard a guess that most lawyers use similar technology, particularly storing data locally on laptops and sharing through the exchange of flash drives. We also overuse email, including sending sensitive attachments, a notoriously under-secure means of communication. The identified benefit to using the cloud is just as applicable here.

The U.K. Calls Out the NSA

The U.K. regulators say the U.S. requires separate mention for two reasons:

  1. The high concentration of technology companies, including cloud providers, that are based in the U.S.
  2. Weak U.S. protections for personal data, coupled with strong data seizure powers and intrusive surveillance

The guidance goes on to specifically discuss the NSA wire-tapping and data collection scandal, detailing how little is currently known about the extent of the government’s ability to collect data, the type of data being collected, its security once in the hands of the government, and what exactly is being done with the collected data. 

These are concerns many of us in the U.S. have as well. But, given our government’s far-reaching hand and our inability to know the details or how to avoid our data being monitored, our regulators have not yet said that we must avoid the cloud to avoid the NSA. In fact, I would question whether avoiding the cloud would even work to avoid the NSA, given the apparently limitless surveillance it is carrying out.

For the U.K.’s part, it is taking the NSA concerns seriously enough that its guidance says:

“Given the risk to confidentiality from data seizure and surveillance policies, law firms should give serious consideration to the risks of storing data in countries with weak data privacy protections.” 

This is stated specifically as to the U.S. It goes on to say, “If firms do intend to use U.S. providers, then they must at a minimum ensure that the provider can meet the terms” of the U.K.’s safe harbor provision. 

Would a U.S. Regulator Be So Bold?

No U.S. regulator has yet set foot in the territory of taking on the NSA program directly, and I openly question whether any would venture to do so given the potential ramifications from the government. Legal ethics commentators question whether any of our “secure” client data is secure, no matter where it is stored. 

Perhaps we should be giving extra weight to the surveillance concern when evaluating our choice of cloud providers. The 17 states that have commented on cloud computing agree that we must evaluate a cloud provider’s security; the provider’s cooperation with the NSA should really be one of the criteria by which we evaluate that security.

Illustration ©ImageZoo.

share TWEET PIN IT share share
Megan Zavieh Megan Zavieh

Megan Zavieh is the creator and author of “The Playbook: The California Bar Discipline System Practice Guide.” At Zavieh Law, she focuses her practice exclusively on attorney ethics, providing representation to attorneys facing disciplinary action and guidance on questions of legal ethics. Megan is admitted to practice in California, Georgia, New York and New Jersey, as well as in multiple federal courts and the U.S. Supreme Court. Her latest book, “The Modern Lawyer: Ethics and Technology in an Evolving World,” (ABA 2021 ) covers how to run a modern practice while staying in line with current ethics rules. She podcasts on Lawyers Gone Ethical, blogs on ethics at California State Bar Defense and tweets @ZaviehLaw.

More Posts By This Author
MUST READ Articles for Law Firms Click to expand

Welcome to Attorney at Work!

Sign up for our free newsletter.


All fields are required. By signing up, you are opting in to Attorney at Work's free practice tips newsletter and occasional emails with news and offers. By using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.