Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
Advances In Cloud Computing Raise New Legal and Ethical Issues
There is no dispute that the advent of cloud computing has been one of the most significant technological advances in recent years. Despite its enormous benefits, cloud computing has also raised new legal and ethical issues for attorneys and corporations.
Recently, the National Institute of Standards and Technology (NIST) defined cloud computing as follows: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
P. Sean d’Albertis, an electronic discovery specialist with Faegre Baker Daniels, speaking on a recent LexisNexis® Webinar, finds this definition a good one. “The scale, the efficiency and the size of the infrastructure that we’re now seeing in these cloud deployments have gone to a whole new level. So where as you might think of traditional outsourcing as a jumping off point in trying to conceptualize what cloud computing is, it’s going to a whole new dimension and I think that this definition captures that,” he said.
New Legal Obligations
Amy Fiterman of Faegre Baker Daniels also said during the Webinar that cloud computing carries unique considerations for preserving and producing Electronically Stored Information (ESI) in litigation, . Rule 34(a) of the Federal Rules of Civil Procedure defines cloud computing as a term of art and specifically calls out as generally discoverable in litigation.
“Long before the notion of electronic discovery came into play, parties have always been under an obligation to start preserving data when they can reasonably anticipate litigation and so ESI now falls into that,” Fiterman said. She added, though, that while word processing documents, spreadsheets, email and databases are almost always discoverable, the discoverability of other types of data such as instant messages, voicemail, backup tapes, social media pages, and metadata may come into play as well.
In the context of a legal hold, Fiterman said, if you can rightfully access your information without undue burden, courts usually will consider you to have custody or control over that data for purposes of producing it in litigation. With the advent of cloud computing, questions about how to access certain data and how it is maintained can no longer be answered in-house, she said. She advised companies and counsel to plan for litigation holds, and know the answers to questions such as: How will you access data? What is the burden of preserving or producing data (i.e., cost of space)? How relevant is the data to the matter? Who maintains it?
“A best practice is to try to know the answers to as many of these questions as possible before you ever have to go into a meet-and-confer type of situation,” she concluded.
Service and Deployment Models
Sean d’Albertis listed the three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (Paas) and Infrastructure as a Service (IaaS). “A helpful way to think of that is, ultimately, when you look at the resources that the cloud provider has at the lowest level, there will be a physical facility. Now, the next level will be the actual hardware – all of the servers that are used to provision the resources that the consumer will use. The next level . . . is the virtualized infrastructure, and layered on that are the platform architecture and applications” he said. A consumer will have more or less control of the top layers in this configuration depending on the service model chosen.
He also said there are four deployment models for cloud computing: the private cloud, the community cloud, the public cloud, and the hybrid cloud—all with varying levels of control and security.
Jason P. Eckerly of Segal McCambridge Singer & Mahoney said there are two main ethical issues related to cloud computing: The selection of the technology or services that are going to be used, and the daily risks once the technology is put in place.
Two primary ethical rules that come into play for attorneys are American Bar Association Model Rules of Professional Conduct Rule 1.6 (Duty of Confidentiality) and Rule 1.15 (Duty to Safeguard Client Property).
“There is a proposed amendment to Rule 1.6. The amendment is that ‘A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of or unauthorized access to information relating to the representation of a client,’” said Eckerly. “As we can see” . . . “this a direct result of cloud computing and data hosting.”
Under this proposal, the factors to be considered in determining the reasonableness of the lawyer’s efforts are the sensitivity of the information, the likelihood of disclosure and the cost of employing other safeguards.
The ABA has also commented that the question of whether a lawyer may be required to take additional steps to safeguard a client’s information to comply with other laws is beyond the scope of these Rules, Eckerly said.
“This has to do with changes in international laws if we’re now dealing with hosting overseas. These Rules are saying, ‘this is an area we’re not going to go into,’” Eckerly said.
“Another comment to proposed change has to do with a lawyer taking reasonable precautions to prevent the information from coming into the hands of unintended recipients,” Eckerly continued.
Eckerly said Pennsylvania has been the most instructive in defining reasonable precautions. According to the state bar’s formal opinion No. 2011-200, “an attorney may ethically allow client confidential material to be stored in ‘the cloud,’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure the data is protected from breaches, data loss and other risks.”
“The cloud is unique because it’s essentially operating outside of attorney control,” Eckerly said, “but there are still client confidences and client secrets that are part of it.” Pennsylvania looked much closer and basically concluded, Eckerly said, that “well, we’re saying ‘reasonable precautions,’ but let’s give some guidance to what reasonable precautions are.”
Among the ways the Pennsylvania Bar Association defined “Reasonable Care” are:
• Backing up data to allow the firm to restore data that has been lost, corrupted or accidentally deleted;
• Installing a firewall to limit access to the firm’s network;
• Limiting information provided to others to what is required, needed or requested;
• Avoiding inadvertent disclosure of information;
• Verifying the identity of individuals to whom the attorney provides confidential information;
• Refusing to disclose confidential information to unauthorized individuals without client permission;
• Protecting electronic records containing confidential data by encryption;
• Implementing electronic audit trial procedures to monitor who is accessing the data; and
• Creating plans to address security breaches.
Another important ethical question that has arisen is whether a law firm can pass the costs of using a cloud service onto the client, Eckerly said. “The ABA hasn’t looked at cloud computing specifically, but it has looked at, for example, photocopying and the use of messenger services, so I think we can read into what they’ve said there,” said Eckerly. Charges for photocopying, for example, are fine with the ABA as long as they are agreed to up front and in the client agreement with the client. Eckerly offered the opinion that if the client agrees to a charge-per-gigabyte fee up front in the client agreement, there is probably no reason that the expenses could not be charged back.
Eckerly provided the following advice to attorneys using cloud computing: “Understand the rules that you’re playing within, understand what the federal rules require, and try to stay current in the case law in the courts that are dealing with e-discovery.”