Please ensure Javascript is enabled for purposes of website accessibility

Ask the right questions before storing sensitive client data in the cloud

ST. LOUIS – What works for the average cloud-computing user might not be enough for lawyers when it comes to client security.

St. Louis attorney Patrick Chavez regularly gives clients guidance on document retention and cloud computing. With his own work, the Williams Venker & Sanders partner said, he takes extra precautions, and he recommends other attorneys do, too.

“I think a lot of other people can just rely on their general understanding of say, Dropbox … or whatever it is they want to use and be relatively confident that their stuff is secure,” he said. “I think attorneys have to take one step further and find out a little bit more about it.”

First things first: Understand what “cloud computing” means. The term refers to the practice of using remote online servers to store and manage data, rather than storing it on a personal computer. It can be a practical and economical choice for many small businesses, including law firms. But because your data likely will be stored on servers far away, the practice can raise ethical questions for attorneys regarding the security of sensitive client information.

Experts have raised concerns about the security of cloud computing as it has become more prevalent. And breaches have happened: For example, a few years ago, the company that owns the Nasdaq exchange confirmed that the network for its web-based service Directors Desk was broken into, according to a 2011 report from the Wall Street Journal. More recently, there have been concerns about the cloud service Dropbox, namely that hackers used it to deliver malware.

Chavez suggested making direct contact with a vendor that stores data, or at least going to the vendor’s website to find out more about where data is stored, how often it is backed up and what kind of security is in place.

Professional guidance

Several states’ bar associations have issued ethics opinions for attorneys on cloud computing. Most allow for the practice and call for attorneys to hold to a certain standard of care, such as understanding the security of data and making sure a confidentiality agreement is followed.

Missouri has not issued an opinion on the topic. Neither has Illinois or Kansas. Melinda Bentley, Missouri legal ethics counsel, said her office has some guidelines for law practices using cloud computing, though.

As with any kind of emerging technology, lawyers need to exercise due care, Bentley said. Her office doesn’t recommend any particular service but encourages lawyers to be cautious in choosing a vendor. They are also advised to ensure they are preserving confidential client information in accordance with Missouri Supreme Court rule 4-1.6.

“We tell them they should read the terms and conditions of that vendor very carefully,” Bentley said. “They should ensure the data is being handled in a confidential way and that it is secured both going into and out of the cloud.”

She also recommended attorneys make sure the remote servers are located in the U.S. If the data is stored internationally, it could cause problems for clients with foreign exchange laws, Chavez said.If data is stored outside of the U.S., it can be subject to foreign laws instead of American laws.

He outlined a similar list of guidelines that he follows when using cloud computing, which he said he uses for about 25 percent of his work. On his list is considering what happens to data at the end of an attorney’s relationship with a cloud provider. If the relationship sours, Chavez said, attorneys need to make sure the vendor can’t keep the data.

“You have to think about that up front. It’s not something most people think about,” he said.

Chavez also said he is careful about what kinds of data he stores using cloud-based services. For medical records, for example, make sure the vendor is HIPAA-compliant.

Regardless of the precautions needed, Chavez sees many reasons to use cloud computing. Mobility tops that list, he said.

“By that, I mean you can always have access to data that you might need, [and] the ability to communicate with clients,” he said.

For example, the service ShareFile allows clients and experts to share files such as medical records instantly.

Better safe than sorry

It’s also good to back up important files, as some tornado-affected attorneys from Joplin stressed in a presentation at a Missouri Bar meeting in September 2011. That can provide another reason to look toward cloud services.

“They pointed out a need for online secure backup,” said Ray Williams, chair of the benefits committee for The Missouri Bar. The bar offers members discounts on backup services, including cloud-based options, he said.

Ethical guidelines for cloud computing are the same as with any use of technology in the practice of law, Williams said. “The obvious thing you want to be sure that you do is protect confidentiality.”

As a solo practitioner, Williams said he doesn’t use cloud computing much; he couldn’t think of a time when he stored a confidential document on a site like Dropbox. But larger law firms might have specific guidance for use of cloud computing.

Armstrong Teasdale partner John Cowling said the firm has procedures for its attorneys to follow regarding cloud computing, depending on the type of data and what the client needs. But the general ethical requirements, he said, are to “take care that clients’ info doesn’t get into the wrong hands” and to “take advantage of tools reasonably available to protect data.”

Cowling said he uses cloud computing fairly often.

“Everybody uses it some now, it’s hard to get away from it,” he said, and many clients like it. But he said he tends to not use it for highly sensitive information.

Cowling said he suspects some attorneys aren’t using it more as a result of technophobia than of ethical concerns.

An official opinion on the topic for Missouri attorneys “would give some people some comfort that what they’re doing is deemed to be reasonable,” he said. He also noted, however, that some states have had to change fairly specific rules as technology has changed.

“If you get too descriptive, than technology outpaces the rules,” he said.

Bentley said her office hasn’t received inquiries for a formal opinion. But there are many resources and guidelines available, she said, and anyone with questions can contact her office for help.