I wrote about cloud computing in an earlier post and discussed some of the general pros and cons involved with the idea. For attorneys, doctors and other professionals that are regulated, cloud computing creates some new wrinkles. For attorneys, protecting the confidences of clients is an ethical obligation. The unauthorized disclosure of client secrets can lead an attorney to disciplinary action and disbarment. For physicians and other health care providers, federal laws on the privacy of patient information put providers at risk for substantial fines for inappropriately disclosing patient health information (or otherwise not complying with HIPAA’s privacy and security rules). Using the cloud for applications that might have such confidential information adds a layer of uncertainty for the practitioner.
On the other hand, cloud computing is coming to a practice near you whether you like it or not. For example, an increasing number of attorney practice management systems are cloud-based, such as Clio. Legal research tools like FastCase, LexisNexis, Westlaw and Google Scholar are all cloud-based systems (in the sense that the information being searched is not stored on your local network but in internet-based database repositories that you access through your web browser). And a growing number of email providers, including Google Apps for Business, Mailstreet.com, and others have been providing cloud-based email solutions for custom domain names.
State bar ethics groups and the ABA have been working on ethics opinions about these cloud-based systems. North Carolina’s Bar had initially proposed a restrictive rule on the use of cloud computing systems by attorneys in the state. The NC Bar had suggested that the use of web-based systems like directlaw.com (which allows clients to complete a questionnaire online for specific legal documents, which are reviewed by an attorney before becoming final) represented a violation of the state’s ethics rules. However, the NC Bar later revised its opinion and indicated that cloud computing solutions can be acceptable, so long as the attorney takes reasonable steps to minimize the inadvertent disclosure of confidential information. “Reasonable,” a favorite word of attorneys for generations, has the virtue and vice of being subject to interpretation. However, given the pace of change in technology, a bright-line rule that favors one system over another faces prompt obsolescence.
In the context of the NC Bar 2011 Formal Opinion 6, for software-as-a-service (SaaS) providers, ethics considerations include: (a) what’s in the contract between the vendor and the lawyer as to confidentiality, (b) how the attorney will be able to retrieve data from the provider should it go out of business or the parties terminate the SaaS contract, (c) an understanding of the security policy and practices of the vendor, (d) the steps the vendor takes to protect its network, such as firewalls, antivirus software, encryption and intrusion detection, and (e) the SaaS vendor’s backup and recovery plan.
Can you penetrate past the marketing of a vendor to truly understand its security practices? For example, Google does not even disclose the total number of physical servers it uses to provide you those instant search results (though you can learn where its data centers are; as of the writing of this article there is even one in Finland). And, in spite of Google’s security vigilance, Google and the applications it provides have periodic outages and suffer attacks, such as the Aurora attack on Gmail that became known in 2010. Other data centers and service providers may be less transparent concerning these security issues. In some cases, the opacity is a security strategy. Just as the garrison of a castle wouldn’t advertise its weak spots, cloud providers aren’t likely to admit to security problems until either after the breach is plugged, or the breach is irreparable.
What’s your alternative? For you Luddites, perhaps paper and pencil can’t be hacked, but good luck if you have a fire, or a disgruntled employee dumps your files in a local dumpster for all to see one weekend. For those of you that want computer systems in your practice, can you maintain these systems in-house in a cost-effective manner? Do you have the resources to keep up with the software and hardware upgrades, service contracts, backup & recovery tests, and security features to reasonably protect your data? How does that stack up against professional-grade data centers? Are you SAS-70 or SAS-16 compliant? Do you know how the data you access is encrypted? In functional terms, do you really exercise more effective control over your security risks if you have IT people as employees rather than a data center under a reasonable commercial contract?
There are a lot of considerations. And the best part? They keep changing!