Cloud Computing: Who Owns the Servers That House Law Firm Data?

The following is an excerpt from Cloud Computing for Lawyers, Chapter 5: Privacy Laws and Security Considerations.

It is imperative to determine the cloud-computing provider’s relationship to the servers that will house your law firm’s data. Does the cloud-computing provider own the servers or do they lease the servers? Do they lease the actual servers or have they contracted with a company that provides Infrastructure as a Service (IaaS)?

If the provider owns the physical servers, then determine who has access to the facility, the servers, and the data located on the servers. For example, see the description of the measures taken by Amazon Cloud Services to secure the facilities that house their cloud servers, as described in the sidebar on pages 95–101. You must ascertain what security measures are in place to limit access to the servers and the facility that they are housed in. The answers to these questions will assist you in assessing whether you are comfortable with the security measures that your provider is taking in regard to its own facility.

If your provider leases the physical servers from another party, you must ensure that the owner of the facility has measures in place that will prevent unauthorized access to your law firm’s data. This is important because you need to ensure that the cloud-computing provider is familiar with the facility and the procedures and security measures being followed in regard to the servers located on site.

Another necessary part of the process of assuring that adequate measures are being taken is to review the lease agreement between the cloud-computing provider and the company that leases the servers. Does the agreement address security measures? Does it include terms specifying who will have access to the physical building, the servers, and your data? Does it cover the steps that will be taken in the event of a security lapse? Does it specify who is liable in the event of a security breach? Review the agreement carefully and ask questions of the provider. Make sure that you exercise due diligence in fleshing out the security issues and that the answers provided are satisfactory, thus assuring you that reasonable steps will be taken to ensure that your firm’s data is secure.

Likewise, if the cloud-computing provider has contracted with a company that provides IaaS (such as Amazon EC2), meaning it stores your data on cloud servers and owns neither the servers nor the facility where your data is stored, review the cloud-computing provider’s agreement with the IaaS provider and ask many of the same questions…

The more companies that are involved in the storage of your data, the greater the risk that security may be compromised. Ascertaining the mechanisms that are in place to prevent unauthorized access at each level, from the IaaS provider to your cloud-computing vendor, is the first step in meeting your obligation to exercise due diligence before using a new technology in your practice.

Excerpted from Cloud Computing for Lawyers by Nicole Black. Published by the American Bar Association, 2012.


  1. Steven Hubert says:

    Ms. Black tells it true. At least partly. There’s a lot of due diligence involved. Only one more thing. Even after you’ve done that due diligence, you still can’t guarantee to yourself or your clients that firm and client info is inviolate. One of the things that makes relationships special, note here for our purposes, the Lawyer-Client relationship, is the ability to assure complete privacy and confidentiality. The internet, SaaS, online storage, all great inventions. It’s the Lawyer that has to have the only keys to the store and the info. None of even the best offerings, or combinations thereof allow that climate of privacy and confidentiality to happen.

  2. Nicole Black says:

    Thanks for your comment, but I’m going to have to respectfully disagree with your assertion that lawyers must assure “complete privacy and confidentiality.”

    In fact, the applicable ethics standard is that lawyers take reasonable steps to ensure that confidentiality be maintained since absolute security is an impossibility.

    By way of example, the most recent ethics opinion on lawyers using cloud computing was issued by the New Hampshire Bar (Ethics Committee Advisory Opinion #2012-13/4) and in that opinion, the Committee addressed this very issue.

    First, the committee acknowledged that lawyers have always outsourced the management of confidential data to third parties: “As noted in NH Bar Ethics Op. 2011-12/5, ‘Lawyers regularly engage companies to provide support services. Banks hold client funds; telephone companies carry privileged communications; credit card companies facilitate the payment of bills; computer consultants maintain necessary technology.’ When engaging a cloud computing provider or an intermediary who engages such a provider, the responsibility rests with the lawyer to ensure that the work is performed in a manner consistent with the lawyer’s professional duties.”

    Next, the committee wisely noted that lawyers have never been required to ensure absolute security when it comes to confidential client data, and lawyers’ use of cloud computing services does not trigger a higher standard of care: “It bears repeating that a lawyer’s duty is to take reasonable steps to protect confidential client information, not to become an expert in information technology. When it comes to the use of cloud computing, the Rules of Professional Conduct do not impose a strict liability standard. As one ethics committee observed, ‘Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax.’”
