Lawyers Should Not Be Wary of SaaS and Cloud Computing

legal-cloud-computingOnline services for lawyers are becoming increasingly common. For many lawyers, they are an attractive alternative to the traditional law practice management software installed and maintained on a local server within a law office.

The one thing these various platforms have in common is that the data created and managed by these services are stored offsite, in the “cloud.” The offsite data storage issue has resulted in much speculation among lawyers regarding issues of data security and attorney-client confidentiality.

In my opinion, the data security and confidentiality concerns regarding cloud computing should not prevent lawyers from using these services.

Investigate security and backup

Of course an attorney has an obligation to research how an SaaS provider will handle confidential information, and should determine how securely the data is stored. It is important to ensure the company stores the data on servers that meet current industry standards, performs back-ups regularly, and that you are satisfied data will not be lost should a catastrophic event occur.

Don’t worry about snoops

Concerns that third parties could access the data while traveling through the “cloud” are downright silly, in my opinion. Third parties always have had access to confidential client information, including process servers, court employees, document processing companies, external copy centers, and legal document delivery services.

Employees of the building in which a law office is located also have had access to confidential files, including the cleaning service and other employees who maintain the premises. What about summer interns, temporary employees, and contract attorneys?

The employees who manage and have access to computer servers are no different. In order to practice law effectively, third parties necessarily must have access to certain files. Assurances that the company in question will make reasonable efforts to ensure employees will not access confidential information is all that’s required.

The New York State Bar Association Committee on Professional Ethics reached a similar conclusion in Opinion 820-2/08/08, where it answered: “May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?”

The committee concluded:

Unless the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that, unlike computer-generated advertising, puts confidentiality at risk, the use of such e-mail services comports with DR 4-101…A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.

In other words, common sense prevails. Lawyers must resist the urge to overreact to emerging technologies.

Common sense dictates that the same confidentiality standards applicable to physical client files likewise apply to computer-generated data. To conclude otherwise would be to prohibit lawyers from using computers in their law practices—an unrealistic and, quite frankly, ridiculous alternative.

(photo: Martha?)


  1. Avatar Andrew Flusche says:

    Well said! I particularly like your point about the cleaning staff. Everybody’s worried that employees at the Googleplex are a bunch of criminals. Sure, it’s possible. I’ve always been suspicious of that Matt Cutts guy. ;)

    But it’s also possible (and I’d argue more likely) that the cleaning and maintenance staff at any office building the country would stumble across something juicy and disclose it.

    I guess we should all clean our own offices and change our own light bulbs.

  2. Avatar Greg Charland says:

    I can’t disagree more.

    Sure, you may not be legally culpable in the case of a “cloud services” data breach. Excuses won’t protect your reputation and clients deserve better than “it wasn’t my fault, really!” There have been several high-profile cases of y! and google mail compromises and account shutdowns. Banks have been the targets of phishing and man-in-the-middle attacks.

    Any major security breach involving hosted services will become a national media event. If your clients’ data is compromised then your practice will get lots of attention!

    Knowing you employ a dodgy cleaning service, do you leave your filing cabinets unlocked? Sensitive papers on your desk? Passwords written on post-its on your monitor? I would hope not!

    On a higher level, you’re advising folks waiting to cross a street to ignore the geo metro and watch only for the rocket fuel trucks. The presence of a bigger risk doesn’t negate a smaller (yet substantial) risk.

    Obviously, some work product is public record. Your internal notes aren’t typically filed, though. Someone in your office reviews filings before they’re submitted. Romanian hackers aren’t waiting to eavesdrop your conversations at the local courthouse. Most offices aren’t bugged to compromise your activity.

    Cloud services introduce new areas of risk that haven’t been clearly delineated, and best practices are still in development. There are certainly ways to mitigate the risk. The first step, though, is to acknowledge that as an attorney you must maintain a different tolerance for data risks than the local flower shop.

  3. Avatar Project Pankaj says:

    Nice article. Though the concerns over data security are genuine, there are concerns the entire corporate world shares. Any business, legal or other, wants to keep its data secure from breaches. And as the SaaS approach gains momentum, the business world is learning to trust it with important business data. Established SaaS companies with years of clean records handling sensitive data have contributed to it.

    Data concerns also underline that before you opt for a SaaS company, you analyze them thoroughly from a security standpoint – past record, infrastructure, protocols, encryption, facilities etc.

  4. Avatar Danny Johnson says:

    Great article and very insightful comments.

    I agree with Greg that with SaaS comes different risks (I hesitate to use new risks, as it eliminates other risks inherent in legacy software), however, Project Pankaj offers a solid point that well established firms, such as, have proven that SaaS is safe and has become mainstream, and is a very attractive option for law firms of all sizes.

  5. Avatar Alex T says:

    This discussion raises the basic question: Can a law firm still claim attorney client privilege if it intentionally and knowingly transmits a communication to a client through a 3rd party provider? This issue that will rear its ugly head as more and more cloud computer services are utilized by businesses to cover data intensive applications from file transfer, storage, disaster recovery, archiving and work collaboration. I’ve done some research on this and would like to share with your readers.

    The early opinions are that attorney client privilege is not waived when a law firm provides a third party vendor with access to confidential client information for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm. Massachusetts State Bar Association Opinion (issued March 3, 2005). See also Arizona State Bar Association Opinion (issued July 2005).

    The law firm’s clients are deemed to have “impliedly authorized” the firm to make confidential information accessible to the vendor in order to permit the firm to provide representation to its clients. This is consistent with California Evidence Code section 952, which provides that the privilege covers information transmitted to persons to whom disclosure is reasonably necessary for “the accomplishment of the purpose for which the lawyer is consulted.”

    Like email, the use of service providers to manage data will become an accepted way of business life and therefore better understood as simply another communication tool that is necessary to a lawyer providing legal advice. Perhaps the same legal wars will be fought, or perhaps the lawyers that bring these cases have learned from the email battlegrounds. With lawyers trained — and paid — to litigate, you can bet on the former.

  6. Avatar William Chuang says:

    Lawyers should be wary of SaaS and cloud computing. You forgot to mention downtime. If your documents are unavailable for a few hours on a weekday, you’re out of luck if the latest drafts are in the cloud, floating out of your reach. GMail was down for two hours last week. I could access my Gmail because I have Outlook pull the data down from the cloud. Can you do this with other SaaS solutions such as Clio?

    Hrm. Perhaps we should be wary and figure this out before making fun of cautious attorneys, huh?

  7. Sam Glover Sam G. says:

    Who is making fun, William?

    As for documents, I don’t think it makes sense to use cloud apps like Google Docs for most document. This is mainly mostly because apps like Google Docs are simply not good enough for creating well-formatted and good-looking legal documents.

    Downtime, on the other hand, is a problem no matter what you use. If you have a server, you have to worry about downtime, whether you are using Google Apps, PC Law, Time Matters, or anything else. But chances are good you will have less downtime with Google than with your own server.

  8. Using the cloud for documents is a dodgy proposition. I use Google Docs to store PDFs as a backup. If you use a cloud service, however, you not only take on the risk of server downtime but also downtime from your ISP. There is also the risk of security breaches.

    A simple file server has very good up-time, and you can program it to upload everything to a secure Internet server for backup/disaster recovery. Furthermore, a disaster that knocks out your file server will probably knock down your office as well, rendering the failure of the file server moot as long as you have up-to-date backups.

    Just my two cents.

  9. Avatar Nicole Black says:

    First, it was not my intention to make fun of anyone.

    Second, cloud computing is the wave of the future. Law offices should probably not rely on free cloud computing services for the storage of confidential information. It’s simply unwise. Paid services provide more checks and balances and less risk.

    Finally, as for Romanian hackers–they’re looking to access data that can be used for profit (SS#, credit card #s, etc). The vast majority of confidential information in client files and communications between lawyers and their clients are of little or no interest to these types, unless you happen to represent a celebrity of some sort.

  10. I think you need to compare the cloud risks to the existing risks in your system.

    If you are mobile lawyer working off your laptop, you need to compare the risks of using the cloud to the risk of having your laptop stolen. I think the same set of risks exists and you to implement the controls and safety to address them.

    If you work off a network and have mobile access to the network, I think the risks with the cloud are exactly the same. You need a username and password to access the information, whether the information is behind your firewall or in the cloud. You have to worry about the cloud provider as much as you need to worry about your own IT staff.

    In the end, I think mobility has really changed the way we think about security and access to our information. If you work outside the four walls of your office, you have the same risks.

    The question is whether you want to be able to yell down the hall at your own IT staff for the problems or yell at the staff of your cloud provider for the problems.

  11. Avatar Donna Seyle says:

    Cloud computing has evolved well beyond the use of google docs and gmail. The evolving Saas providers have created platforms whereby you can store privileged communications, documents, etc. on highly securitized servers. They also provide securitized email functions so that your client communications are secured. If these kinds of platforms are used, an attorney has made diligent efforts to keep the attorney/client privilege intact, and the risks are minimal at best, and I agree they are most likely less than keeping such data on traditional servers. Best practices would also include designating any document or communication as privileged, which shifts the burden to the unauthorized reader to stop reading immediately. So if you feel comfortable paying bills online, you should have no problem with a virtual law practice, assuming you do your homework.

  12. Avatar Danny Johnson says:

    I agree that one of the main concerns with SaaS is trusting a 3rd party as caretaker of critical information. I completely agree with Donna Seyle that we already do that in so many ways, like online bill pay. I’d also like to use the example of FedEx. When you send a document via snail mail you are trusting a 3rd party to store and move that document securely without taking ownership of the content.

    That is what is happening with SaaS, only the storage and delivery of the content takes place in the cloud. Ownership of the content remains with the author while the SaaS provider is storing and transporting that content.

  13. Great post! “In other words, common sense prevails. Lawyers must resist the urge to overreact to emerging technologies.” that is spot on the key summary of this great post. people resist change. media panics have prevailed for centuries – each medium has had its share of accusations and allegations of being extremely dangerous to our existence as human beings. Fear of change is normal, the benefits and value of an emerging technology can be bought into when translating the Service into daily life.

  14. Privacy & Client Confidentiality are values. How well we live up to those values is challenged by new technology. I think lawyers ought to be on the side of protecting such values (even if they work for the Government or ATT-now that’s challenging!). I don’t think we should settle for anything less than verifiable, spy/hack-proof systems. That we don’t have this at present does not mean we can’t do more, and certainly doesn’t mean we should do less.

    I read this article because I am very interested in Cloud Computing and would like to adopt it fully. I love technology. I hate the diminution and dissolution of basic values. So I want my cake and I want to eat it too.

Leave a Reply