Commission on Law & Technology
|Working Group||The Cloud|
|Topic||Law Firm Usage of The Cloud|
|Date of Publication||November 20, 2013|
|Summary||Law firms should determine if usage of the cloud to store firm/client files is permissible. As the Rules of Professional Conduct require protecting the confidentiality of client information, using the cloud to store information raises a concern as to whether the information is protected from being viewed. Law firms need to consider the risks involved in cloud storage solutions and have a definitive position communicated to the attorneys and staff of the firm.|
|Applicable DLRPC (Rules)||TBD|
Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses; and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.
Law Firm Usage of The Cloud
1. Law firms should determine if usage of the cloud to store firm/client files is permissible.
Law firms should determine if usage of the cloud to store firm/client files is permissible. As the Rules of Professional Conduct require protecting the confidentiality of client information, using the cloud to store information raises a concern as to whether the information is protected from being viewed. Law firms need to consider the risks involved in cloud storage solutions and have a definitive position communicated to the attorneys and staff of the firm.
2. Law firms should implement a standard policy as to the types of documents that are permitted to be stored on the cloud.
Delaware law firms should implement a standard policy as to the types of document that are permitted to be stored on the cloud. As cloud based storage solutions may involve 3rd parties, protection of confidential client information is at risk of being disclosed. If client information is stored on the cloud, sufficient measures should be taken to ensure that the information is protected from unauthorized viewing by using encryption tools.
3. When using cloud based document management solutions, law firms should thoroughly research the vendor's policy as to who has access to the documents.
When using cloud based document management solutions, law firms should thoroughly research the vendor's policy as to who has access to the documents. The ABA explains that "Online document management services allow you to access files and documents from any computer with an Internet connection, as well as share them with clients, team members and others." Many of the service providers have policies which allow technical support staff to view documents under specific conditions. Law firms should avoid using these services and/or restrict usage to that of non-confidential records.
4. Law firms should explain to clients the risks of using the cloud with regards to discovery requests and other litigation issues.
Law firms should explain to clients the risks of using the cloud with regards to discovery requests and other litigation issues. As many cloud services are located at a third-party locations, this raises the potential issue of who is the owner of the hardware the stores the information. Additionally, when anticipating litigation, 3rd party providers may be subject to litigation holds, as well as become additional parties to an action.
5. Data Ownership
Be sure your vendor agrees that you own the data being hosted on their servers/storage. Sample language might include: As between the parties, Customer owns all right, title and interest in and to all Files and related data hosted by Vendor ABC on Customer's behalf. Customer hereby grants to Vendor ABC the right to transmit, store, use and disclose Customer Files and related data solely to provide the Services to Customer or an Authorized User.
6. Hosting Location (HIPPA, EU Data Protection Directive, Safe Harbor)
Make sure you are aware of where your data is being hosted and if hosting 'out of country' (or even out of state) is a concern add contract language accordingly. Sample language might include: Vendor ABC represents that it currently hosts all Files and related Customer data only at facilities located in the United States (or perhaps only in Delaware if state is of concern). Vendor ABC will provide reasonable prior notice to Customer before transferring the storage location of Files and related data to any facility outside the United States (or outside of Delaware) at which time Customer shall have the right and reasonable time required to export its data from Vendors network and terminate the relationship without penalty to ensure said data is not transferred outside of the US.
More background: When data is hosted on site at a clients location or at the clients law-firm there is defined control and access to that data and where it sits. However, with cloud storage that control is lost and therefore some basic guidance should be agreed to. See Forbes Article by Alan Murphy - Storing Data In The Cloud Raises Compliance Challenge for more detail.
Also See export.gov for more information on the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks.
7. Subpoenas or Court Orders to Access Client Data in Cloud (Important if a clients IP or other confidential data is stored in the Cloud)
In the event Vendor ABC is compelled to comply with any request of a governmental or regulatory body (including subpoenas or court orders), or as otherwise required by law and/or Vendor ABC receives such a governmental request for data of Customer or any Authorized User, Vendor ABC will notify Customer of the request as soon as practicable after receipt of same in order to provide Customer with a reasonable opportunity to modify or quash the request.
8. Data Location.
Require vendor to keep an index showing what they take in and where it is stored. See reference to GlaxoSmithKline LLC v. Discovery Works Legal, Inc.
9. Privacy and Security
As with Data Ownership be sure to have detailed language in your contract that identifies all of your data hosted with the Cloud Service provider should be considered confidential. Consider selecting a Cloud service provider that adheres to SSAE 16 standards (Statement on Standards for Attestation Engagements (SSAE) No. 16). See ssae16.com for complete details.
Sample language might include: Vendor ABC has implemented administrative, technical and physical safeguards, systems and procedures that meet or exceed industry standards to ensure the security, integrity and confidentiality of Customers Files and related data. All of Vendor ABC's data center hosting facilities are audited and compliant under SSAE 16 standards.