This is one big problem with cloud computing

Cloud computing offers a number of advantages: access your data from anywhere, off-site backups—just to name two. What happens, though, when real clouds produce storms? Is your cloud computing safe?

On Friday of last week, a lot of Internet users found out the answer the hard way when Amazon’s web servers went down due to a power outage. Amazon offers web servers as a service, and big names like Netflix and Instagram use them. Could you imagine the stress of a lawyer who has a brief due in a federal court of appeals and whose cloud computing provider uses Amazon’s—or anyone else’s—servers if those servers go “bloop” and stop responding? Better get that motion for leave to file instanter prepared… In all fairness, this incident was probably one of those “one in a million” events. Still, it happened.

This unfortunate event at Amazon is a good lesson in choosing a cloud computing provider wisely. Does the provider’s server system have co-location, so that if the power goes out at one server farm, other server farms are still up and running? Be sure to ask your cloud computing provider this question. Disaster at a server farm never strikes at a good time, but when it happens at a bad time you don’t need that kind of stress.

Cloud computing gets green light in two states (with conditions)

Cloud computing has been conditionally approved for use by lawyers in North Carolina and Pennsylvania, according to a new column by Bob Ambrogi. The ethics opinions from both states say that lawyers can use cloud computing services to store client information so long as the lawyer takes certain steps to make sure that client information is safely stored. In particular, attorneys are expected to be careful in selecting their cloud computing vendor and to carefully review the vendor’s terms of service to make sure the terms have adequate safeguards for handling confidential information.

All of this makes sense, of course. The real problem lies in reading terms of service that are often arcane and do not directly address lawyers’ concerns. For example:

  • What steps does the vendor take to ensure that only the lawyer can access the data?
  • What steps does a vendor take to notify the lawyer if the vendor receives a subpoena that may require the turnover of data that belongs to the lawyer?
  • If the vendor goes out of business, how easily can the lawyer retrieve the client’s information and ensure it is deleted from the vendor’s servers?

Those are perhaps the primary concerns lawyers have when it comes to cloud computing. So far, no vendor I’m aware of has clear terms of service that address these issues head on, although SpiderOak comes closest.

Of course, there’s nothing that says a lawyer can’t rely on some self-help when it comes to using some cloud computing options. In an upcoming column, I’ll detail a work-around that can be used with one of the most popular cloud computing services. It’s far from perfect, but it is a viable option for some lawyers.

Cloud computing and client confidentiality

Because of my upcoming presentation on cloud computing for lawyers, the issue of client confidentiality has been bouncing around in my mind. The rules that govern attorneys (in most jurisdictions, including Indiana, we call them the Rules of Professional Conduct), particularly Rule 1.6, require us to maintain client information in confidence. In other words, no blabbing your client’s secrets to your golfing buddies.

Many lawyers, with good reason, are reluctant to use services like DropBox for client information because of the possible disclosure of the client’s information to third parties, namely the service’s employees or possibly others as allowed by the company’s terms of service.

This all makes sense, of course, but as I’ve thought about it recently, I wonder if we’re being overly paranoid. Let me say at this point that what follows are not my conclusions or my recommendations. The rest of this post is simply a set of musings, and I hope that readers will leave their thoughts so we can have a conversation about this issue.

If a lawyer decides not to use DropBox because of the possible security/confidentiality “holes,” is the lawyer being consistent with his or her everyday practice? For example, does that lawyer:

  • Have and enforce a “clean desk” policy that requires all client files and materials be returned to a central storage facility at the end of the day?
  • Secure access to the central facility after the files and materials have been returned?
  • Have and enforce protocols concerning who has keys to the central facility?
  • Use a file storage service for the maintenance of archived files? If so, are boxes taped shut before being transferred to the storage facility?
  • Use Pretty Good Privacy or other data encryption when sending emails?
  • Use an encryption scheme for printing correspondence before putting the correspondence in the U.S. Mail?
  • Use an office cleaning service?
  • Allow repair persons into the office without removing files or materials from viewable areas?

Many law firms do not have a clean desk policy, but I am aware of at least one Indiana law firm that implemented such a policy after tornado-force winds blew out the windows in the firm’s office. Client files and documents were strewn around the streets of that city in the aftermath of the storm. While a clean desk policy is a good practice, many times lawyers may simply feel it’s too much of a hassle to pack up the files, return them, and pull them out again the next morning.

I have no data on this point, but my guess is that locking file cabinets and storage facilities is hit and miss in law firms. Some use the locks on the file cabinets, and some do not. I think a common practice is to lock things that go in a fire-proof cabinet (such as wills) but to not lock other cabinets. Still, even if all filing cabinets are locked, the locks tend to be standardized and replacement keys easy to obtain.

Continuing to guess about common practices, I’m betting that most firms do not have and enforce protocols about who has access to keys (or key codes) for the central file storage location(s). Having a limited number of trusted employees who can open your file cabinets is secure, but if those few employees happen to be out sick, on vacation, or just running late it can put a real crimp in productivity. As security expert Bruce Schneier has noted, security measures always involve trade-offs. The more secure we make something, the less convenient (or more expensive) it is to use.

The culture in which lawyers work makes lawyers into packrats. We keep client files, copies of everything, “just in case we need it later.” Of course, storage space is always limited, so off-site storage is often necessary. Packing files into bankers boxes and storing them is a common practice. How many of us take the extra step of sealing the boxes to prevent (or prove) tampering is a good question.

Electronic mail is rather insecure as a means of communication. Anyone who has engaged in electronic discovery knows that copies of email messages can live on any number of email servers at various places around the world. (Not to mention the backup copies of those servers!) People who work for the companies that maintain those servers have access to those messages. In twenty years of practice, however, I have had only one client insist on using Pretty Good Privacy to encrypt our email communications. Although unencrypted email communications can be accessed by third parties, most people assume it will not happen—and probably correctly so. As a practical matter, some employee maintaining a server farm in North Carolina is probably not going to be interested in digging through my mediation notes from a case.

Of course, the idea of using some encryption scheme to encrypt correspondence in the U.S. Mail is silly. No client is going to be happy having to spend time decoding something like 5c6ffbdd40d9556b73a21e63c3e0e904. The point, however, is that even the U.S. Mail is not completely secure. While there are federal laws that prohibit postal workers from snooping into sealed envelopes, we’ve all heard of stories where postal workers have been found with hoards of mail in their apartments or trunks. If the U.S. Mail were completely secure, we wouldn’t need to have the postal inspectors.

Every office needs cleaning, copiers repaired, and so on. Delivery people and repair technicians come into our offices, and only the most diligent pre-visit efforts will remove all files and materials from their potential view during the visit. I would be surprised to learn of any firms that assign an employee to escort and remain with a delivery person or repair technician at all times. This is so even though it would be quite easy for a repair person to stop in an office (to purportedly look at the pictures on the wall more closely) and take a quick look at files.

The point of all these examples is not to increase anyone’s level of worry or paranoia about preserving client information in confidence. Rather, the point is to illustrate that we lawyers regularly allow gaps in our security as a matter of convenience. We also recognize that in many instances, the sheer volume of data makes it harder to stumble across something of interest to a third party. (Unless, of course, that third party happens to be on a mission to find specific documents or files.)

Arguably, services like DropBox—even with their imperfect confidentiality—probably provide as much security for client information as our own office practices. DropBox, for example, uses Amazon’s secure servers to store data. At this point, I’m comfortable using a service like DropBox as a convenience (for example, putting certain files in the DropBox so I can access them at home, and then removing them when finished). I’m not so sure I’m comfortable with using DropBox for long-term storage of client information—yet given what I’ve said above, I wonder if my discomfort is not well-grounded.

Please tell me your thoughts in the comments. This is an important issue for lawyers, and we need to be discussing it so we can make sure our professional conduct rules adequately address the issue in future revisions.

Cloud computing for lawyers

I will be speaking at the St. Joseph County Bar Association’s biennial Local Practice Seminar this Thursday, November 10, on the topic of cloud computing for lawyers. Chuck Leone and I will cover some basic information and the ethical issues raised by cloud computing. If you’re in the area, stop in to say hello.