On August 1, you purchased additional storage space on icloud.com. Proud as punch, you eliminated your backup server in your office, the need for a VPN code—which we all know is slow as molasses—and moved all your client files to the au courant cloud storage solution. You also feel pretty good about security. After all, most hackers go after Windows and Android systems.
In early September, you sit down with a cup of coffee to read your digital edition of The Denver Post. The blood drains from your face as you try to differentiate between a coronary incident and a panic attack. The news is full of an Apple/iCloud security breach. After you are assured that you are not suffering a heart attack, you thank the stars that celebrities are still dumb enough to save naked pictures of themselves on their iPhones—and, hence, iCloud—making your client files comparatively unattractive for viewing. But it makes you think—it makes us all think: What could we be doing better? What if it were our clients’ confidential information being spread across Twitter?
As attorneys, we are generally very aware of our obligations to our clients, to our profession and to the courts. Could we be sued for malpractice for maintaining files in the cloud? It certainly could happen. Whether the suit would be successful is another issue. With the advent of cloud storage solutions, many attorneys and clients store information this way, wisely or not. The cloud can be an effective tool, but we have to understand how best to use it. We must comply with ethical obligations regarding competency, maintaining client confidences, safeguarding client property and appropriately retaining client records.
Shh. Everyone’s listening and watching
We used to worry about attorneys who talked loudly about clients in an elevator or restaurant. While every attorney must still learn to hold her tongue in public, storing information in the cloud or distributing information through the Internet could be a breach of our ethical obligations as well. It is well established that attorneys must use reasonable care in not sending email transmissions containing confidential metadata. Under ordinary circumstances, emails from attorneys need not be encrypted. But not all emails involve ordinary circumstances. Some email transmissions involve highly confidential information. In these situations, attorneys may need to consider encrypting that information. The same is true of storing client documents in the cloud.
It is established that attorneys are not responsible for improperly intercepted emails. A logical expansion to cloud storage would indicate that if we take reasonable care in storing client information in the cloud, attorneys should not be held responsible for third-party hacking. Responsible or not, if hacked, that release would certainly injure our clients.
What we really want is to avoid panic attacks and to best protect our clients’ information.
If we have reason to know that a particular cloud storage site is prone to being hacked, maybe our use of that storage site without further encryption would be a breach of our competency and professionalism obligations. As with early cordless telephones that could be easily intercepted with an AM radio, attorneys should inform clients that documents or information stored in the cloud may be hacked and such disclosure could cause a loss of the attorney-client privilege. Client consent should therefore be obtained prior to any cloud storage of documents.
Even if the attorney–client privilege is maintained, highly confidential information may lose its value if it is disclosed to the public. For example, information on an unfiled patent application or client trade secrets may be so valuable that it should not be stored in the cloud or should be more heavily encrypted prior to storage.
Exercise reasonable care. It can’t get easier. The recent hacking of Apple’s cloud storage occurred because of a weakness in Apple’s software allowing for unlimited password and username guesses in the “Find My iPhone” application.
These hacks cannot be controlled and this should make us nervous enough to be very careful. Even if our clients do not consider some stored information to be highly confidential, attorneys breach several ethical obligations if we have reason to think information could be hacked.
Cloud storage is relatively inexpensive. It is convenient. It is generally fairly quick, as long as we have a good Internet connection. Ultimately, it is incumbent on each attorney to balance the risks and benefits of cloud storage in deciding whether to use it.
In making that decision, there are steps we can take to improve the safety and security of that information.
1. Provider Access
Does the provider have access to the information stored? After the recent iCloud hack, both Apple and Google announced a default encryption protocol. Apple’s protocol would encrypt your cloud storage information—even from Apple. If the information is regularly and frequently re-encrypted so that even the provider cannot get access, this would assist in maintaining the security of information stored. This type of encryption is also provided by some other cloud storage solutions, like SpiderOak. If the provider does not encrypt data, there are hardware and software encryption solutions that attorneys can use. While there are still risks with hardware and software encryption technologies, new options are being introduced into the market constantly. Once an encryption solution is selected, the attorney should regularly review new technology. It is probably self-evident, but technology is a moving target. There is no one-time solution.
Ask your cloud storage provider to give you regular, confidential audits of data access logs. Monitor activity to ensure that employees or independent contractors are the only individuals accessing your information.
Confirm with the provider how backups will be managed, maintained, deleted and accessed.
4. Client Disclosure
An engagement agreement with each client should contain details on how information will be stored in the cloud and allow the client to either authorize or disallow such storage.
5. Client Access
Clients may like the idea of being able to access their files through a cloud service. Any cloud provider must have a way to create a ‘share’ point that is unique to that client and password-protected. No client should be able to view other share points or even see that other share points exist. Some providers also require two-step authentication that may be helpful. For an extra layer of protection, specific files can be separately encrypted.
6. Document Destruction
Documents stored in the cloud should be subject to the same document destruction policies as hard files.
7. On-Site Backup
Regardless of the cloud solution selected, every law office should maintain an on-site, secure, electronic backup of all files. What if the cloud goes down? What if a terrorist attack on the cloud occurs?
Ethics rules aren’t complicated. Most of them are based in plain common sense.
That being said, as attorneys we are counselors to our clients. We are provided detailed information so that we can help guide clients in conducting business, protecting hard work or helping them prove their innocence in court. Our ethical obligations relate not just to matters the client discusses in confidence, but also to our entire representation of that client, regardless of source. If a client wishes to share information with third parties, that is her prerogative. We cannot disclose client information unless the client authorizes it. Even if information is outside “attorney–client privilege,” we have an ethical obligation not to share that information. This includes client names, fee payments and whether an individual or entity is even a client.
In deciding how to reasonably protect information stored in the cloud, we can look to what other states have advised in this area. In California, the State Bar put forth several factors for attorneys to analyze when considering using various types of technology: (1) assess the level of security offered, (2) consider the legal ramifications of unauthorized access, (3) determine the degree of sensitivity of the information, (4) consider the impact on the client if unauthorized access occurs, (5) consider the urgency of the situation and (6) determine client instructions.
In elevators, restaurants, bathrooms, gyms or other public places, we would not reference our clients in any way that a third person might recognize about whom we are speaking. We would never publicly discuss our clients’ confidential information. This careful behavior should extend to the cloud.
This article is not intended to be legal advice or to sponsor any cloud storage solutions.
Judith Rosenblum has practiced law in the intellectual property arena for more than 27 years. As Senior Counsel with HolzerIPLaw, PC, her practice emphasizes the development and protection of each client’s unique intellectual property portfolio. She may be reached at 720-684-5375 or firstname.lastname@example.org.