Lynda C. Shely 0000-00-00 00:00:00
Ethics in the Clouds: Tips Before Storing Law Firm Records Remotely Lawyers have an ethical obligation to “safeguard” client property, including files, according to Ethical Rule 1.15. But storage facilities are expensive! This means that unless a lawyer returns the entire file to a client at the end of a representation (practice tip: good idea! add this to the engagement letter), the lawyer must keep the entire file until it becomes “abandoned property.” Lawyers also ethically must preserve certain records for their firms, including trust account records (Supreme Court Rule 43) and MCLE records (Supreme Court Rule 45). May a lawyer – ethically - store law firm records electronically and remotely in the “cloud”? “Cloud” storage (also known as “SaaS,” which stands for “software as a service”) generally means remote storage of data and documents on another company’s server/equipment from which the law firm accesses documents through the Internet. For instance, Dropbox and GoogleDocs are two “cloud” based services where a firm may upload documents and then give authorization to other lawyers or clients to retrieve the documents and view or even edit them. Services like Clio, Rocket Matter, and LawRD provide case management online. There are many other cloud services for billing, virtual offices, remote access, and project management. The ABA Opinions do not address cloud computing specifically. ABA Opinion 11-459 only addresses emails and permits electronic communications with clients as long as the lawyer warns the client about the possibility of third-party access. (practice tip: include this in your engagement letters!). Remember – if your email is stored remotely on another company’s server (Cox, Google, etc.) so that you may access email on your smart phone or laptop, that also is cloud computing. Arizona ethics opinions generally authorize the storage of client documents electronically (scanned) – as long as the lawyer returns the originals to the client and takes reasonable steps to assure that the electronic copies will be safeguarded. Ariz. Op. 07-02(another practice tip: put this in your engagement letter or you will need to provide clients with paper copies of the file). Ariz. Op. 05-04 authorizes remote storage of electronic law firm records as long as the firm takes “reasonable steps” to assure that the information is not lost or stolen. The ABA is considering amendments to Ethical Rule 1.6 (confidentiality) that would require lawyers to take “reasonable steps” to protect electronic confidential information. The recommendations explain the: Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. [. . .] Here are suggestions on the questions a lawyer really should ask before agreeing to any cloud computing services: 1. Ask clients to consent to remote electronic storage of their documents and information. Confirm in engagement letter that you will only keep electronic copies of everything. 2. Check with your malpractice carrier. Most policies do not cover theft or destruction of electronic information but there is “cyber” insurance. 3. Create law firm procedures to address what happens if your servers go down, your office is destroyed or the vendor’s servers are down (confirm staff understand procedures and have emergency contact information) 4. Get recommendations from lawyers you trust about their cloud providers. 5. Read the SLA. If you do not know what an “SLA” (service level agreement with the vendor) is or what should be in the agreement, hire someone who understands the technology. 6. Ownership of data: confirm that only the law firm will own the data and that the vendor will not have any right to copy, reproduce, or store the information after the contract is terminated. Also confirm that the law firm may keep a copy of your data at your office. 7. Security measures: a. Basic stuff should be mandatory – firewalls and other internet security measures (intrusion detection), redundancies, backups (how is it done, how often, how long does it take, and how are they tested), encryption (what type), and electronic as well as physical facilities security systems - Examine the provider’s physical and electronic security and confidentiality policies. b. Confirm the location of the physical offices and equipment and the theft, fire, electrical outage and security systems they use to protect the property. c. How does the vendor screen their employees? No convicted identity theft employees? Are they bonded? Will they have direct access to the law firm data? What is the vendor’s training on confidentiality? d. How does the vendor respond to subpoenas for information about your firm or your clients? (hint: they need to notify you immediately and not produce any information without your express authorization). e. What theft/loss insurance does the vendor carry? f. Have they ever had a data breach/theft and if so, when and how? 8. “Down” time: what is their schedule for routine maintenance and what options exist if the vendor’s system crashes? How often do they test their back-ups to confirm data can be restored? 9. Tech support: how responsive are they with technical support needs on a 24 hour basis? Do they automatically notify you of any problem? Is there an extra charge? 10. Termination: a. Once the contract is terminated, will the vendor continue to store a copy of your data for a period of time? how long? b. How long will it take to return the data to you? c. What happens if the vendor goes out of business/declares bankruptcy/has its assets seized? 11. Pricing: Compare the standard costs, the extra costs for restoring data, emergency services, early contract termination, and storage beyond the contracted amount. Remember that lawyers are responsible for taking reasonable steps to assure that all vendors and agents (accountants, bankers, IT companies, cloud providers, storage facilities, copy centers, temporary help) maintain the confidentiality and security of client information. “Reasonable steps” to assure that client information is kept confidential and safeguarded means checking the qualifications of any provider before jumping onto the cloud.
Published by Target Market Media . View All Articles.
This page can be found at http://digitaleditions.walsworthprintgroup.com/article/ETHICS/1138171/121304/article.html.