Every field has its own unique constraints; the things the owner of a small manufacturing business worries about will have some overlap, but many differences, compared to what the CEO of a multi-billion-dollar energy company is concerned with. The legal industry is no exception; one major area of concern for lawyers is ethics. No, I don’t mean that they’re concerned about not having any. (I will try to refrain from adding any further lawyer jokes in this post unless, you know, they’re funny).
Disclaimer: I am not a lawyer. This is not legal advice. Seriously.
The entire US legal system is based on a number of core principles, including that of precedent, or what laymen might call “tradition”. For that reason, as well as the stiff professional penalties that may result from a finding of malpractice or incompetence, many in the legal profession have been slower to embrace technology than their peers in other industries. When there is no settled precedent to answer a question, someone has to generate precedent, often by taking a case to court. Various professional standards bodies can generate opinions that are considered to be more or less binding on their members, too. To cite one example of what I mean, here’s what the Lawyers’ Professional Responsibility Board of the state of Minnesota has to say about one small aspect of legal ethics, the safeguarding and use of metadata:
…a lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents.
That seems pretty straightforward; the body responsible for “the operation of the professional responsibility system in Minnesota” issued an opinion calling for attorneys in that state to safeguard metadata and refrain from using it in ways that conflict with their other ethical obligations. With that opinion now extant, lawyers in Minnesota can, presumably, be disciplined for failing to meet that standard.
With that as background, let me share this fascinating link: a list of ethics opinions related to the use of cloud services by lawyers and law firms. (I found the list at Sharon Nelson’s excellent “Ride the Lightning” blog, which I commend to your attention.)
Let that sink in for a minute: some of the organizations responsible for setting ethical standards for lawyers in various states are weighing in on the ethics of legal use of cloud services.
This strikes me as remarkable for several reasons. Consider, for example, that there don’t seem to be similar guidelines for e-mail admins, or professional engineers, or cosmetologists, or any other profession that I can think of. In pretty much every other market, if you want to use cloud services, feel free! Oh, sure, you may want to consider the ramifications of putting sensitive or protected data into the cloud, especially if you have specific requirements around compliance or governance. By and large, though, no one is going to punish you for using cloud services in your business if that choice turns out to be inappropriate. On the other hand, if you’re a lawyer, you can be professionally liable for failing to protect your clients’ confidentiality, as might happen in case of a data breach at your cloud provider.
The existence of these opinions, then, means that in at least 14 states, there are now defined standards that practitioners are expected to follow when choosing and using cloud services. For example, the Alabama standard (which I picked because it is simple, because I live in Alabama, and because it was first in the alphabetical list) says:
…a lawyer may use “cloud computing” or third-party providers to store client data provided that the attorney exercises reasonable care in doing so… The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.
The other state opinions are generally similar in that they require an attorney to act with “reasonable care” in choosing a cloud service provider. That makes Microsoft’s recent relaunch of the expanded Office 365 Trust Center a great move: it succinctly addresses “appropriate security safeguards” that are applied throughout the Office 365 stack. Reading it will give you a solid grounding in the physical. technical, and operational safeguards that Microsoft has in place.
Compared to its major SaaS competitors, Microsoft’s site has more breadth and depth about security in Office 365, and it’s written in an approachable style that is appropriate for non-technical people… including attorneys. In particular, the top-10 lists provide easily digestible bites that help to reassure customers that there data, and metadata, are safe within Microsoft’s cloud. By comparison, the Google Apps security page is limited in both breadth and depth; the Dropbox page is laughable, and the Box.net page is basically a quick list of bullets without much depth to back them up.
The Office 365 Trust Center certainly provides the information necessary for an attorney to “become knowledgeable about how the provider will handle the storage and security of the data being stored”, and it is equally useful for the rest of us because we can do the same thing. If you haven’t already done so, it’s worth a few minutes of your time to go check it out; you’ll probably come away with a better idea of the number and type of security measures that Microsoft applies to Office 365 operations, which will help you if a) you go to law school and/or b) you are considering moving to Office 365.
Paul's Down-Home Page 
One of the issues not really addressed well is the concept of “conflict of interest” and how a cloud provider may create a conflict problem. For example: If a lawyer hosts his email on Microsoft’s cloud service and is then asked to represent someone who is adverse to Microsoft, would the fact that his data is stored by Microsoft constitute a conflict of interest that then excludes him from being able to ethically take on the new case? This concept is one of the major hurdles to clear in how law firms go about making these sorts of decisions.
Conflict of interest?… No… Incompetent attorney tho. Why? A very real hypothetical here… For example I have an attorney and I hired him on retainer. And he represents me in various business transactions over. Of several years. Little do I know that the moron has been putting photo copies of my documents on Microsoft disk drives in the Microsoft cloud. Then one day I get into a beef with Microsoft and is worth arguing about. Now my attorney can’t represent me because he was a dipshit. Microsoft already has a copy of all of my business documents and correspondence with him for the last several years. One word… Stupid!!!!
That’s an excellent point, Chad. My layman’s opinion is that this wouldn’t be a problem, any more than hiring a lawyer who uses AT&T cellphone service to work on your cases against AT&T. But I freely admit that I don’t know much about the nuances of conflict-of-interest rules, so I could well be wrong. It’s a fascinating area to explore, not least because none of the cloud services want to be treated as a common carrier, which would protect them in some ways but burden them in others.
…. P. S…. Microsoft, having been served with the filed court documents, looks at the email address of my attorney. Seeing that it is on Microsoft cloud, Microsoft attorneys intern delete all of those documents from the Microsoft servers. Of course my attorney expected Microsoft to make all the backups. Oops. Case dismissed
Lol that’s better than a a claim of sovereign immunity