Every field has its own unique constraints; the things the owner of a small manufacturing business worries about will have some overlap, but many differences, compared to what the CEO of a multi-billion-dollar energy company is concerned with. The legal industry is no exception; one major area of concern for lawyers is ethics. No, I don’t mean that they’re concerned about not having any. (I will try to refrain from adding any further lawyer jokes in this post unless, you know, they’re funny).
Disclaimer: I am not a lawyer. This is not legal advice. Seriously.
The entire US legal system is based on a number of core principles, including that of precedent, or what laymen might call “tradition”. For that reason, as well as the stiff professional penalties that may result from a finding of malpractice or incompetence, many in the legal profession have been slower to embrace technology than their peers in other industries. When there is no settled precedent to answer a question, someone has to generate precedent, often by taking a case to court. Various professional standards bodies can generate opinions that are considered to be more or less binding on their members, too. To cite one example of what I mean, here’s what the Lawyers’ Professional Responsibility Board of the state of Minnesota has to say about one small aspect of legal ethics, the safeguarding and use of metadata:
…a lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents.
That seems pretty straightforward; the body responsible for “the operation of the professional responsibility system in Minnesota” issued an opinion calling for attorneys in that state to safeguard metadata and refrain from using it in ways that conflict with their other ethical obligations. With that opinion now extant, lawyers in Minnesota can, presumably, be disciplined for failing to meet that standard.
With that as background, let me share this fascinating link: a list of ethics opinions related to the use of cloud services by lawyers and law firms. (I found the list at Sharon Nelson’s excellent “Ride the Lightning” blog, which I commend to your attention.)
Let that sink in for a minute: some of the organizations responsible for setting ethical standards for lawyers in various states are weighing in on the ethics of legal use of cloud services.
This strikes me as remarkable for several reasons. Consider, for example, that there don’t seem to be similar guidelines for e-mail admins, or professional engineers, or cosmetologists, or any other profession that I can think of. In pretty much every other market, if you want to use cloud services, feel free! Oh, sure, you may want to consider the ramifications of putting sensitive or protected data into the cloud, especially if you have specific requirements around compliance or governance. By and large, though, no one is going to punish you for using cloud services in your business if that choice turns out to be inappropriate. On the other hand, if you’re a lawyer, you can be professionally liable for failing to protect your clients’ confidentiality, as might happen in case of a data breach at your cloud provider.
The existence of these opinions, then, means that in at least 14 states, there are now defined standards that practitioners are expected to follow when choosing and using cloud services. For example, the Alabama standard (which I picked because it is simple, because I live in Alabama, and because it was first in the alphabetical list) says:
…a lawyer may use “cloud computing” or third-party providers to store client data provided that the attorney exercises reasonable care in doing so… The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.
The other state opinions are generally similar in that they require an attorney to act with “reasonable care” in choosing a cloud service provider. That makes Microsoft’s recent relaunch of the expanded Office 365 Trust Center a great move: it succinctly addresses “appropriate security safeguards” that are applied throughout the Office 365 stack. Reading it will give you a solid grounding in the physical. technical, and operational safeguards that Microsoft has in place.
Compared to its major SaaS competitors, Microsoft’s site has more breadth and depth about security in Office 365, and it’s written in an approachable style that is appropriate for non-technical people… including attorneys. In particular, the top-10 lists provide easily digestible bites that help to reassure customers that there data, and metadata, are safe within Microsoft’s cloud. By comparison, the Google Apps security page is limited in both breadth and depth; the Dropbox page is laughable, and the Box.net page is basically a quick list of bullets without much depth to back them up.
The Office 365 Trust Center certainly provides the information necessary for an attorney to “become knowledgeable about how the provider will handle the storage and security of the data being stored”, and it is equally useful for the rest of us because we can do the same thing. If you haven’t already done so, it’s worth a few minutes of your time to go check it out; you’ll probably come away with a better idea of the number and type of security measures that Microsoft applies to Office 365 operations, which will help you if a) you go to law school and/or b) you are considering moving to Office 365.