Chris Gonsalves | Channelnomics
Like most other verticals, law firms are attracted to cloud computing for its combination of functionality and reduced cost. Befitting a barrister, the legal profession’s use of cloud computing is getting a fair bit of scrutiny, with state bar groups and even the American Bar Association chiming in on the ethics and permissibility of legal cloud computing technologies.
After all, lawyers handle a great deal of sensitive information and are under fairly strict regulatory mandates to protect client confidentiality, chain-of-information custody, and data security and integrity. And they’re lawyers, so crafting Byzantine guidelines comes rather naturally.
If there’s a recurring theme in the legal vertical’s cloud directives, it’s that cloud service providers need to show — beyond a reasonable doubt, one presumes — their cloud and SaaS offerings meet strict minimum standards. Any solution provider hoping to add legal cloud computing to their lawyerly clients’ bill of fare should take note of the industry’s main concerns.
So far, 15 state bar associations have issued opinions guiding the professional use of legal cloud computing. All have concluded cloud computing is suitable for lawyers to handle most of the work of their firms. Where they differ most is in the definition of “reasonable care” that all of the industry groups say needs to be applied to the adoption of cloud computing in law offices.
Three state bar groups — Maine, New Jersey and New York — put the heaviest burden on legal cloud computing vendors, including language in their opinions that says the vendor, and possibly its employees, should have an enforceable obligation to maintain confidentiality.
At the other end of the spectrum are state bar associations like the one in Connecticut, the most recent to opine on the cloud computing question, which said “The ultimate responsibility for insuring the privacy and security of the data resides with the user purchasing the cloud services. While much of the physical, technical, and administrative safeguards are handled by the cloud service provider, the user will still retain responsibility for a significant portion of these safeguards.”
Most fall somewhere in the middle, with guidelines that encourage dialog between lawyers and service providers so that the client understands how data is handled, who is responsible for it when problems arise and how security and privacy protocols are enforced or updated.
In a formal ethics opinion on the matter, the North Carolina State Bar makes some specific references to the legal cloud computing SLA.
Given the rapidity with which computer technology changes, law firms are encouraged to consult periodically with professionals competent in the area of online security. Some recommended security measures are listed below.
Inclusion in the SaaS vendor’s Terms of Service or service-level agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
Evaluation of the extent to which the SaaS vendor backs up hosted data.