Cloud computing in the practice of law has been a hot topic recently. Regulators in the United Kingdom have issued guidance to solicitors commenting on the practice as it stands in the United States and — of far greater interest — devoting a page to concerns about the potential insecurity of data stored here in light of our National Security Agency surveillance scandal. (See “Silver Linings: Cloud Computing, Law Firms and Risk.”)
I find it particularly enlightening to hear another country’s perspective — in fact, it leads me to add to my recommended criteria for evaluating any cloud computing provider.
Cloud Computing in the U.S. Legal Ethics World
As many tech-savvy law school graduates are hanging out their own shingles, and a good number of lawyers are deciding to go virtual, storing client files and sensitive data in the cloud is becoming quite common. U.S. ethics rules are chasing the technology and trying to adapt.
Thus far, 17 of the 50 states have weighed in on the practice of utilizing cloud computing in law practice. Most have adopted some form of a reasonableness standard: Attorneys must thoroughly vet any cloud computing provider with whom we contract, recheck the provider’s security measures periodically and ensure that any sensitive data held in the cloud is adequately secured. The standards are really a digital version of the standards always applicable to off-site storage of documents, such as with vendors like Iron Mountain.
The U.K.’s Guidance – Similar Concerns but Benefits, Too
When the U.K. issued its recent guidance, it identified many of the same risks about which we in the U.S. have been concerned. But it also identified several benefits that have often been overlooked when U.S. regulators issue guidance.
The U.K. identified three key topics of concern:
- Breach of confidentiality
- Failure of the vendor to cooperate with regulators as required by U.K. rules
- Structural instability
The U.S. currently has no rules requiring vendors to cooperate with legal ethics regulators. Structural instability concerns are largely the same as those identified here — that third-party servers can be down or the provider could go out of business. Still, the likelihood of something going wrong on the external platform is not much different from a law firm’s risk of its own internal system failing.
What is really interesting, though, is the U.K.’s discussion of the risk of breach of confidentiality. The concern is the key one discussed in the U.S. — that putting client data in the cloud exposes it to the risk of unauthorized disclosure.
Of particular note, however, is that the U.K. explicitly identifies a benefit to cloud computing, which is that it is far more secure than the technology most solicitors are otherwise employing to share client data. The U.K. specifically compares the use of cloud computing to the use of flash drives (easily lost and highly susceptible to viruses) and laptops (frequently stolen).
It also points out that cloud access makes employee theft of data more difficult because accessing the cloud leaves an electronic trail.
In the U.S., I’ll hazard a guess that most lawyers use similar technology, particularly storing data locally on laptops and sharing through the exchange of flash drives. We also overuse email, including sending sensitive attachments, a notoriously insecure means of communication. The identified benefit to using the cloud is just as applicable here.
The U.K. Calls Out the NSA
The U.K. regulators say the U.S. requires separate mention for two reasons:
- The high concentration of technology companies, including cloud providers, that are based in the U.S.
- Weak U.S. protections for personal data, coupled with strong data seizure powers and intrusive surveillance
The guidance goes on to specifically discuss the NSA wire-tapping and data collection scandal, detailing how little is currently known about the extent of the government’s ability to collect data, the type of data being collected, its security once in the hands of the government, and what exactly is being done with the collected data.
These are concerns many of us in the U.S. have as well. But, given our government’s far-reaching hand and our inability to know the details or how to avoid our data being monitored, our regulators have not yet said that we must avoid the cloud to avoid the NSA. In fact, I would question whether avoiding the cloud would even work to avoid the NSA, given the apparently limitless surveillance it is carrying out.
For the U.K.’s part, it is taking the NSA concerns seriously enough that its guidance says:
“Given the risk to confidentiality from data seizure and surveillance policies, law firms should give serious consideration to the risks of storing data in countries with weak data privacy protections.”
This is stated specifically with regard to the U.S. It goes on to say, “If firms do intend to use U.S. providers, then they must at a minimum ensure that the provider can meet the terms” of the U.K.’s safe harbor provision.
Would a U.S. Regulator Be So Bold?
No U.S. regulator has yet set foot in the territory of taking on the NSA program directly, and I openly question whether any would venture to do so given the potential ramifications from the government. Legal ethics commentators question whether any of our “secure” client data is secure, no matter where it is stored.
Perhaps we should be giving extra weight to the surveillance concern when evaluating our choice of cloud providers. The 17 states that have commented on cloud computing agree that we must evaluate a cloud provider’s security; the provider’s cooperation with the NSA should really be one of the criteria by which we evaluate that security.