A New York City Bar report on cloud computing outlines the problems experienced by Puckett & Faraj, a Virginia law firm, as a “chilling example” of the risks of remote-data-storage technology. N.Y. City Bar Ass’n Report (Nov. 2013). The law firm was targeted by a hacker group, which stole the firm’s Google passwords and gained access to three gigabytes of e-mails containing several years’ worth of confidential client information. While the Bar report does not discourage lawyers’ use of cloud computing, it outlines the potential problems with cloud computing and the precautions that should be taken before storing sensitive information on remote servers. The Report notes that the risks of cloud computing pertain “to two critically important functions”: “storing client data where it might be accessed by the wrong parties or might be inaccessible by the attorney when needed; and exclusive reliance on software or other critical functions not housed under a lawyer’s direct control” (emphasis original). With respect to the data security risk, the Report observes that “cloud computing implicates [Rule] 1.6 [of the Rules of Professional Conduct] in two distinct, but related ways: first, with respect to the delivery of confidential information to the vendor itself; and second, with respect to the potential disclosure to third parties once the information is outside the attorney’s control.” The Report looks to a 2010 New York ethics opinion for guidance on the application of that rule, which “concludes that lawyers may ethically use online ‘cloud’ storage systems provided they take ‘reasonable care to ensure that the system is secure and that client confidentiality is maintained.’” N.Y. State Ethics Op. 842 (Sept. 10, 2010).
That opinion lists four steps that a lawyer may take in exercising reasonable care: (i) ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and will notify the lawyer if served with process requiring the production of client information; (ii) investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine whether they are adequate under the circumstances; (iii) employing available technology to guard against reasonably foreseeable attempts to infiltrate the stored data; and/or (iv) investigating the storage provider’s ability to purge any copies of the data, and to move the data to a different host, if the lawyer wants to change storage providers. With respect to the access-to-data risk, the Report advises lawyers to seek providers whose Service Level Agreement gives the lawyer reasonable assurance that their data will be accessible, either through the service provider’s primary servers or through back-up servers. According to the Report, being selective in choosing a cloud provider is an ethical obligation under Rule 1.1 (competence).