By Adam Cohen
Second of two parts.
One of the most basic steps a lawyer can take in strengthening the security of client data held by cloud services providers is to negotiate a contractual obligation on the part of the provider to take reasonable security precautions.
The difficulty of defining such standards notwithstanding, there should be a term acknowledging the security issue and requiring attention to it. This should not be thought of as a shifting of responsibility but rather a sharing.
Further, several ethics opinions advise lawyers to pay careful heed to any agreements with their clients that cover confidentiality, or any instructions from their clients regarding how their data is to be handled. Special caution is advised where data is particularly sensitive.
In such cases, it is recommended that lawyers obtain prior approval from their clients before storing the data in the cloud. Obtaining informed consent is a suggested precaution even where the level of sensitivity of the data does not appear to be particularly elevated.
Mirroring developments in other technology-related legal ethics opinions, the cloud opinions instruct lawyers to stay abreast of relevant technology, as well as legal developments relating to technology. Alabama goes so far as to indicate more specifically that lawyers should stay abreast of best practices regarding data safeguarding, including “reasonable security precautions” like passwords and encryption.
With respect to certain basic security measures, such as password-based authentication, there are numerous implementations familiar to most users of networked services that lawyers should consider, including automatic logouts after periods of inactivity and termination of network access after a designated number of login attempts.
However, the use of more technically complex measures, such as encryption, ventures into a highly complex technical field that requires substantial expertise on the part of the evaluating party.
Some ethics opinions intimate an even greater requirement of technical sophistication, inherent in some of the steps that the opinions would have lawyers take to evaluate third-party cloud service providers. Such steps include evaluation or verification of a vendor’s security environment.
- An Arizona opinion directs lawyers to evaluate the nature of the vendor’s technology and periodically review its security measures.
- Iowa asks lawyers to determine the degree of protection the vendor provides to its clients’ data.
- New Jersey wants lawyers to make sure that vendors are using available technology to guard against foreseeable infiltration attempts.
- North Carolina requires the evaluation of the vendor’s security and backup strategy.
Lawyers aiming to achieve this level of diligence will have to learn some basics about network security defenses such as firewalls, intrusion detection systems and patches, as well as physical or environmental security for data centers.
While these types of mandates may seem cumbersome and unreasonable to many lawyers, they are really no different in nature from the level of technical knowledge that electronic discovery requires. For example, with respect to the same duty of confidentiality that is the subject of this article, ethics opinions require lawyers to be familiar with the workings of metadata so that they do not inadvertently provide privileged information when sharing electronic documents.
Moreover, these demands on a lawyer’s technical competence can be viewed in light of another important suggestion contained in many of the opinions: that lawyers make use of technical experts. It should be cautioned, however, that hiring an expert does not shift the lawyer’s ethical duty to the expert.
In fact, the lawyer not only retains the duty of confidentiality, but he or she takes on the additional duty to supervise, which requires oversight of and responsibility for the expert’s work. This duty to supervise may also extend to cloud service providers.
Access to data is part of the hallowed cybersecurity triad of confidentiality, integrity and availability. Lawyers are advised to confirm, through enforceable agreements, that they will have unfettered access to their client’s data, including in situations where service is terminated or the provider goes out of business. Similar concerns exist with respect to steps taken by a service provider in the event of nonpayment. Access should be defined so that it is not limited to data in a proprietary format that cannot be read or used other than by someone with particular, inaccessible technology.
A corresponding obligation that should be imposed on the provider is to purge the client’s data upon termination of service. This is more easily said than done, as the steps necessary to achieve true data cleansing can be onerous. For example, purging a specific client’s files from backup tapes containing data from multiple clients can be difficult and expensive.
As demonstrated by the news headlines, data breaches may be unavoidable. If a breach does occur, the vendor should be required to notify the lawyer. The lawyer in turn should investigate and determine whether and to what extent any client data was compromised.
With consideration for the common threads discussed in the ethics opinions on cloud use by lawyers, certain further steps are suggested. While it is tempting to ignore the risk of hacking, a risk that persists regardless of what firewalls or encryption are in place, lawyers cannot simply avoid data security; doing so is not a viable business approach in our networked world.
Given that surrender is not an option, lawyers must choose carefully when evaluating cloud options. Even before confirming that contract terms with cloud providers and other data storage vendors contain general terms mandating certain levels of security, careful consideration should be paid to the selection of providers.
Choosing carefully may, as a practical matter, address many of the concerns regarding the appropriateness of security measures. A critical consideration here is whether the service provider is a reputable company with a strong record of serving other similarly positioned parties.
Moreover, the common theme across many ethics opinions addressing the cloud provider issue makes it clear that lawyers may require assistance from experts in cybersecurity who can explain concepts and help them make informed decisions on how to secure client data.
While increased cybersecurity measures are now necessary in the face of the aforementioned threats, not all information needs to be kept in the electronic equivalent of Fort Knox. Accordingly, counsel will have to weigh the confidentiality considerations in particular circumstances against the costs of available protection measures.
Adam Cohen is a Principal in the Forensic Technology and Discovery Services practice of Ernst & Young LLP. Adam is co-author of the annually updated treatise Electronic Discovery: Law and Practice (Wolters Kluwer Publishers), which has been cited as authority in several landmark Federal Court opinions involving electronic discovery.
The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP. This material has been prepared for general information only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
Notes
- State Bar of California Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179 (2010).
- Penn. Op. 2011-200 (2011).
- See, e.g., ABA MODEL RULES OF PROF’L CONDUCT R. 1.1 cmt.  (2013).
- N.H. Op. 2012-13/4.
- Alabama Ethics Opinion 2010-02.
- State Bar of Arizona Ethics Opinion 09-04 (December 2009).
- Iowa Bar Ethics Opinion 11-01 (9 September 2011).
- New Jersey Ethics Opinion 701 (2006).
- North Carolina 2011 Formal Opinion 6 (27 January 2012).
- State Bar of Arizona Ethics Opinion 07-03 (November 2007).
- The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., No. 05 Civ. 9016 (SAS), 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) (Judge Scheindlin reiterating her series of decisions in Zubulake).