Hey, You, Get Off My Cloud

Mobile computer technology in general, and tablets in particular, have very little storage capacity (relatively, of course...my iPad has significantly more storage than my 1993 Compaq Contura laptop). That lack of storage is what allows a tablet to be so portable. Although 16 gigabytes (GB) (the storage capacity of a basic iPad) sounds like a significant amount, once the user downloads a dozen or more apps, some music, a movie, many documents, and a bunch of photographs, the tablet quickly reaches capacity. As a result, most mobile computer technology relies on “cloud”-based storage. However, when an attorney is utilizing cloud-based storage in his or her practice, the attorney needs to be aware of certain ethical considerations.

Background The term “cloud computing” refers to data storage on remote servers. In other words, cloud-based storage allows a user to store files on remote computer servers owned by third parties and to access those file from any computer with an internet connection. Many of us have been using cloud-based storage for years without thinking about it. For example, if you have a Gmail or Hotmail account, you are using cloud-based storage (if your investigator emails a confidential report to your Gmail account, that report will be stored on a cloud server). With web-based email accounts, all your emails and attachments are stored on a remote computer server. For example, in 1995 while working as a shuttle bus driver in Denali National Park, I signed up for a Rocketmail account at a computer at the Healy, AK, library (I still have that email account 18 years later). At that time, I had no idea about cloud computing (and it would be another decade before the term came into common usage), nor did I think about the ramifications of placing my emails on some remote server. Today, I probably have over a dozen different cloud servers including Rocketmail, Gmail, Kindle, iTunes, Dropbox, TurboTax, Pandora, and Westlaw.

Privilege Considerations Many of us have incorporated cloud-based computing into our practice without much thought. Although for most of us, cloud computing will remain integral to our operations, it may be time to reconsider how we use it.

The primary concern regarding the use of cloud storage in the practice of law is a potential violation of the attorney-client privilege. Oregon Rules of Professional Responsibility require an attorney to keep client information confidential. RPC 1.6(a) provides that “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation” or the disclosure is permitted by that rule. The question in Formal Ethics Opinion 2011-188 (http://www.osbar.org/_docs/ethics/2011-188.pdf), is whether an attorney may contract “with a third-party vendor to store client files and documents online on remote server so that Lawyer and/or Client could access the documents over the Internet from any remote location.” The answer is a resounding “Yes, qualified.”

The opinion begins by noting that a “Lawyer may store client materials on a third-party server so long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” The opinion explains that to do so, “the lawyer must take reasonable steps to ensure that the storage company will reliably secure client data and keep information confidential.” That duty may be satisfied through a third-party vendor’s compliance with industry standards relating to confidentiality and security. This may be done by “ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials.” The duty may also require that the vendor notify the lawyer of any “nonauthorized” third-party access to the materials. The opinion further recommends that a lawyer “should investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer’s duties.” Finally, the opinion recommends that the lawyer re-evaluate the vendor’s security measures over time to ensure that the vendor is implementing technological advances in security.

When was the last time you checked on whether your cloud-based storage vendor was complying with your duties as a lawyer? Indeed, when have any of us even read the service agreement when we signed up for Dropbox or Gmail? Gmail, for example, scans all emails to search for key words to detect viruses and spam but also to provide more targeted advertisements to the user. Dropbox, a commonly used cloud server, uses third parties to help improve and maintain its services. To do so, it allows those third parties access to user data. Dropbox also reserves the right to disclose information “to protect Dropbox’s property rights.” See https://www.dropbox.com/privacy.

Another consideration when using cloud storage is the question of what laws apply. Although referred to as cloud storage, the physical servers have actual terrestrial locations. Some are in this country (in fact, several are located in eastern Oregon because of inexpensive electricity) but many are located outside of the United States. What laws apply? Does the Fourth Amendment protect those documents from a warrantless search and seizure?

Ultimately, I am not advocating against using cloud-based computing. In fact, I think it is difficult to function today without the use of cloud servers. However, when using cloud servers in the practice of law, the user needs to be aware of the potential pitfalls. Suggestions range from the obvious to the more nuanced: read the privacy policies and user agreements, modify your client forms to clarify that documents may be stored on third-party servers or simply do not store confidential information on the cloud. Other options include using internal servers (a cost-prohibitive approach for most attorneys) or contracting with a local server provider who does not use cloud-based servers. In the end, it comes down to a question of due diligence.