Online services for lawyers are becoming increasingly common. For many lawyers, they are an attractive alternative to the traditional law practice management software installed and maintained on a local server within a law office.
The one thing these various platforms have in common is that the data created and managed by these services are stored offsite, in the “cloud.” The offsite data storage issue has resulted in much speculation among lawyers regarding issues of data security and attorney-client confidentiality.
In my opinion, the data security and confidentiality concerns regarding cloud computing should not prevent lawyers from using these services.
Investigate security and backup
Of course an attorney has an obligation to research how an SaaS provider will handle confidential information, and should determine how securely the data is stored. It is important to ensure the company stores the data on servers that meet current industry standards, performs back-ups regularly, and that you are satisfied data will not be lost should a catastrophic event occur.
Don’t worry about snoops
Concerns that third parties could access the data while traveling through the “cloud” are downright silly, in my opinion. Third parties always have had access to confidential client information, including process servers, court employees, document processing companies, external copy centers, and legal document delivery services.
Employees of the building in which a law office is located also have had access to confidential files, including the cleaning service and other employees who maintain the premises. What about summer interns, temporary employees, and contract attorneys?
The employees who manage and have access to computer servers are no different. In order to practice law effectively, third parties necessarily must have access to certain files. Assurances that the company in question will make reasonable efforts to ensure employees will not access confidential information is all that’s required.
The New York State Bar Association Committee on Professional Ethics reached a similar conclusion in Opinion 820-2/08/08, where it answered: “May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?”
The committee concluded:
Unless the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that, unlike computer-generated advertising, puts confidentiality at risk, the use of such e-mail services comports with DR 4-101…A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.
In other words, common sense prevails. Lawyers must resist the urge to overreact to emerging technologies.
Common sense dictates that the same confidentiality standards applicable to physical client files likewise apply to computer-generated data. To conclude otherwise would be to prohibit lawyers from using computers in their law practices—an unrealistic and, quite frankly, ridiculous alternative.