Head in “the Clouds” … And Don’t Know It?
Pennsylvania Lawyers Must First Assess Whether the Lawyer Is “In the Cloud” Before Complying with a Lawyer’s “Reasonable Efforts” Ethics Obligation When Using the Cloud
Is your firm using Gmail, Google Calendar, Dropbox, Hotmail, Windows LIVE!, GoogleDocs, RocketMatter, MobileMe/iCloud, Quickbooks Online, LexisNexis FirmManager, AbacusSky, or Clio? Are you synchronizing a smartphone (e.g., an iPhone or Android) with office files, calendars, or email? Are you using hosted email or email through your Internet provider (e.g., Comcast, AOL, or Verizon)? Are you using a tablet computer (e.g., an iPad) with “apps” that access firm-related files or email? Are you storing Internet-accessible e-discovery materials at an e-discovery provider? Be aware that all of these might be instances of cloud computing.
Why should you care if you are “in the cloud” as a lawyer? Pennsylvania Ethics Informal Opinion 2010-60 (Jan. 10, 2011) concludes that use of cloud computing by lawyers requires “reasonable efforts” to assure client confidentiality, to protect a lawyer’s materials stored in the cloud, and to assure continued access to cloud-based data.
Lawyers should also be aware of the business reasons for maintaining security and confidentiality of materials stored in the cloud—savvy clients increasingly demand such protections, a breach may result in significant damage to a firm’s reputation, and a breach may require formal reporting. See, e.g., Pennsylvania’s Breach of Personal Information Reporting Act (73 P.S. §§ 2301, et seq.).
But before you can take “reasonable efforts,” you must first identify whether you are even in “the cloud.” And that task is not easy due to the nebulous nature of “cloud computing.”
What Is Cloud Computing?
As the examples above demonstrate, cloud computing implicates a broad set of services and technologies. Unfortunately, a concise definition remains elusive. Even the technology industry still struggles to define cloud computing. Nevertheless, we need a working definition.
Cloud computing generally involves
- computing devices (including mobile devices such as smartphones or tablets),
- the Internet (including Wi-Fi and cellphone access),
- some type of remotely accessible computer resource or service, and
- (usually) storage of some type of data in the cloud.
While these attributes help with initial identification, it is not enough to generally know that “the cloud” might be implicated. While “the” cloud implies a cohesive, single entity, cloud computing actually exists in many different forms. Distinguishing the specific category of cloud computing is also essential because each type raises its own unique issues.
Common Cloud Categories—SaaS, STaaS, PaaS, and IaaS
Cloud computing instances fall into four, broad categories:
- Software-as-a-Service (SaaS),
- Storage-as-a-Service (STaaS), [FN1]
- Platform-as-a-Service (PaaS), or
- Infrastructure-as-a-Service (IaaS).
Most lawyers encounter cloud computing as variations of either SaaS or STaaS. Thus, most of the discussion here focuses on these types. But lawyers should also be aware of PaaS and IaaS.
Think of PaaS as “cloud software kits” that are assembled into end-user applications. IaaS largely involves the physical infrastructure of the cloud such as remote, scalable servers and the high-bandwidth Internet access needed to host cloud applications (such as PaaS applications). Furthermore, SaaS and STaaS applications might be built using PaaS or IaaS components (I call this sub-clouding or layered clouds).
Identifying Software-as-a-Service (SaaS)
A SaaS application functions similarly to traditional software. But instead of installing the software on your local computer, you typically log in to the SaaS application, usually owned and controlled by the SaaS provider, using a web browser (or sometimes via a thin-client application). For example, rather than installing MS Word on your local computer, you might access the SaaS version of Word using your web browser. Most traditional software applications now have SaaS analogs: MS Office 365, SalesForce.com, QuickBooksOnline, Google Apps for Business, RocketMatter (firm management), and Clio. The number of SaaS offerings has increased exponentially in the past two years.
Helpfully, many vendors now specifically advertise a product as SaaS. But even if not expressly stated by the vendor, if you are using an application (some type of “software” functionality) accessed through the Internet and owned by someone else, the application might be SaaS and thus might trigger cloud computing issues.
Think abstractly when assessing potential SaaS use. For example, Gmail fits the definition of SaaS—an email-client application, accessed via the Internet, and with data stored remotely by Google. Thus, generalization may help a lawyer to identify latent SaaS uses.
Identifying Storage-as-a-Service (STaaS)
STaaS serves as remote data storage—think of a hard drive in the cloud. Thus, STaaS involves file backups, file storage, or file synchronization. MozyPro, SpiderOak, CoreVault, CommVault, Nasuni, and Dropbox are popular examples.
While identifying STaaS is usually straightforward, be aware that STaaS might be combined with a SaaS application. For example, Windows LIVE! Essentials combines Hotmail (a SaaS email application) with SkyDrive (STaaS).
Pre-Cloud Computing Forms
The issues with cloud computing actually existed well before “the cloud.” Some of these pre-cloud providers, usually termed Application Service Providers (ASPs), still exist, and some are shifting from ASPs to “clouds.” An ASP essentially meets the general attributes of cloud computing as posed above (only some inconsequential technicalities still distinguish ASPs from SaaS providers). Thus, for example, hosted email (e.g., MS Exchange Servers) and email services offered by many Internet providers might trigger the cloud computing “reasonable efforts” duties.
You Opened Pandora’s Dropbox … Now What?
Complying with the ethical duties (and reducing business risk) involves assessing, classifying, investigating, and potentially mitigating non-compliant cloud applications.
- Assess your firm’s whole computing environment using a general definition of cloud computing such as provided here. Think broadly and creatively.
- After identifying suspected cloud uses, attempt to classify each one—is this a SaaS application, a STaaS application, or some pre-cloud application (e.g., an ASP)?
- Once classified, develop a checklist of risk factors and issues for each suspected type of cloud use. Remember, each category of cloud computing might have distinct checklist items. While Informal Opinion 2010-60 contains some general guidance on the areas of potential risk and areas for potential investigation, lawyers should be aware that such general advice might conflate important distinctions inherent in the different types of cloud services.
- Implement a detailed investigation into each suspected cloud application using the checklist. Probe for specific details from providers, and document the responses. In my experience, cloud providers are generally responsive to such requests if asked nicely and if the reason for the inquiry is explained.
- Take action as needed. If the firm cannot meet the “reasonable efforts” criteria while using a specific cloud application, then implement a mitigation plan to promptly move from the non-compliant situation to a compliant situation.
Your initial reaction might be, “I’m just avoiding the cloud.” But as this article notes, you already might be using cloud computing and simply are not aware of it. Claiming lack of awareness is probably not an adequate defense should something go wrong. After all, the Pennsylvania Rules of Professional Conduct define “reasonableness” objectively. See Rule 1.0(h).
Furthermore, when used properly and knowledgeably, some types of cloud computing can provide compelling benefits to a law firm. But, as with many situations in the legal profession, we, as lawyers, have heightened duties to our clients and to our profession. These duties might foreclose some cloud computing options—such as consumer-focused rather than professional-focused offerings.
Ultimately, while addressing the potential issues with cloud computing is not easy, the task can be done with good planning, good information, and diligent implementation.
First Publication: Fourth Quarter [December] 2011 by the Lancaster Bar Association
Publication Online: 03 January 2012
Shannon Brown, Head in “the Clouds” … And Don’t Know It?, In Brief (Lancaster County [Pa.] Bar Assoc.), Fourth Quarter 2011, at 3, 13, available at http://www.shannonbrownlaw.com/cms/?p=1139.
FN1—Definitions of cloud computing categories remain fluid at the time of this writing (Nov. 2011). I distinguish STaaS and SaaS because the two forms differ in significant and compelling ways. STaaS, typically, is a single-purpose offering and can provide compelling benefits (when done right) to a law firm such as backups and secure, offsite data storage. SaaS, as a much broader set of offerings covering almost any type of traditional software functionality, poses some significant and unique challenges for lawyers considering the “reasonable efforts” criteria. Thus, I believe it fair to distinguish STaaS from the broader SaaS offerings. Other authors may conflate the two.