(US law/generally) Lawyers have an obligation to their clients to maintain their clients’ confidential information. Lawyers in the United States also have an express obligation to act competently in regard to the technology available to maintain their client’s confidential information. Given the evolution of technology available in the legal software environment, which has evolved from a physical location-dependent to a cloud-based physical location irrelevant environment, what considerations are involved in competently securing client information in the cloud environment?
The obligation of American lawyers regarding maintaining client confidential information stems from the adoption of all 50 states and the District of Columbia of the ABA Model Code of Professional Responsibility. Rule 1.6 (c) of the Code provides:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
The obligation to act competently in light of existing technology is spelled out in greater detail in Comment 18 which provides:
Acting Competently to Preserve Confidentiality
 Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
So, a lawyer is obligated to take reasonable steps to ensure, but is not a guarantor against the disclosure of, their clients secrets. What are those reasonable steps in the age of cloud computing?
The simplest way to look at the issue in the world of cloud computing is by analogy to what were considered reasonable steps in the pre-digital age.
Pre-Cloud Reasonable Efforts
Prior to the cloud, say 1980, what did law firms look like that reasonably protected client confidentiality? Having worked at that time in such a firm, this is a trip down memory lane.
There was general physical security. The law firm had a lock on its front door and made sure its physical space was locked when the lawyers left at night. The only people who had keys were the lawyers and the office manager.
There was additional security for the documents kept at the law firm. Documents within the law firm were kept in a central secure location within the firm which was additionally locked at night and the most sensitive documents in the firm were kept there in a locked safe.
There was security of materials kept on line. Computers were powered off at night. Access to computers was regulated by assigned usernames and pass-codes.
There was security within offices so that one could not overhear what was being said within a lawyer’s office.
There was training of lawyers and staff about keeping client’s information confidential and not discussing those matters outside of the office.
Reasonable Efforts in the age of Legal Cloud Management Software
Today’s law firm needs to take the same physical security efforts and training efforts in the Cloud computing age identified above, but also needs to apply security efforts to issues not present in the pre-cloud era such as those remote locations where their clients documents and confidential information now reside. So how do they do that?
When you put a document in the cloud what the really means is you transfer the information to a server at a remote location. So the additional security issues are 1) security of transmitting the information; 2) the security of the server at the remote location and 3) a host of issues about the remote location.
The standard which has evolved in the legal cloud based software industry for transmitting information is 256-bit encryption. Encryption means all of the data that leaves your device is essentially scrambled to a high level and then reassembled at the destination server. It makes it less likely that your information can inadvertently show up at the wrong location in a recognizable form. Another way of looking at encryption is it is the virtual envelope that hides the content of your email in the same way a physical envelope hid the content of your mail.
Some legal software companies provide lesser security, like Rocket Matter using 128 bit security, and others, like Clio, indicate in their terms of service agreement that your information “may be transmitted unencrypted”. A lesser level of encryption or using no encryption at all is like leaving the law office door unlocked or open in terms of reasonable efforts of security. You are asking for trouble.
Most legal software companies store client data on a server farm. The physical security of those locations is intense. Online Legal Software stores its data at such a site which also houses West’s servers. The information is again backed up at a second server farm in a geographically remote location. The transmission of data uses 256 bit level encryption. You should be able to obtain information as to where your data is stored how it is transmitted from any prospective legal software provider.
An often ignored security issue is the location of the server, no matter how well protected. When you use a cloud based system to keep track of time and other management data on line, where is the meta data? That’s right: on the server in the cloud. If there came a time when you needed the metadata how do you get it back? If it is kept in a jurisdiction that honors a subpoena that you can conveniently get issued, not a problem. If it is kept in a different country, it could be a problem.
Always make sure of the location of the servers that hosts your data. If you have a choice never have your data hosted in a country different from where you practice. Any reputable legal software provider will give you that information. If the legal software company is located in a different country, like Clio, and they will not tell you where their servers are located, that is probably all you need to know.
Reasonable efforts to ensure security require reasonable inquiry and a basic understanding of the role technology plays in security. An installed solution can be secure, but does not allow remote access. A cloud solution can be secure, if thought through and planned. At Online Legal Software we transmit lawyers data using 256 bit level encryption to a set of servers in Michigan backed up instantaneously by another set of servers in California which we believe is the appropriate way to ensure US lawyers comply with their obligations to competently act reasonably to protect their client’s information.