Back when cloud computing was more of a novelty, lawyers questioned whether there were any ethical impediments to storing client information in the cloud. These were legitimate concerns because using the cloud necessarily requires the use of a third party to provide services and involves the storage and use of data at a remote location. This raises concerns about confidentiality of the information, competence, and proper supervision of non-lawyers.
Because of these concerns, the bar associations in various states addressed the issue and generally determined that, yes, there are ethical concerns regarding confidentiality of information, but a lawyer may still use the cloud if the lawyer takes reasonable steps.
In Florida, the bar determined that lawyers may use cloud computing if they take reasonable precautions to ensure that:
confidentiality of client information is maintained,
the service provider maintains adequate security, and
the lawyer has adequate access to the information stored remotely.
With the recent pandemic of cyber attacks in the form of ransomware, it was only a matter of time before a cloud service provider was forced into the awkward position of telling clients (meaning law firms) that they can't access information. As a result, law firms who rely on these cloud services would not be able to access their client information.
It Happened
In October 2019, there were reports that TrialWorks, one of the top-rated providers of legal case management software for law firms and attorneys, became the victim of a ransomware attack. As reported by bleepingcomputer, TrialWorks notified its customers of a hosting outage at their data center. At some point, TrialWorks sent an email to customers that stated:
Some law firms were forced to request extensions to court deadlines because the law firms could not access client data.
No Harm?
I don't know the outcome of this ransomware attack and, hopefully, it was quickly resolved with no harm to any law firms or their clients.
But, this situation raises an interesting question, how does an attorney who uses a cloud provider take reasonable precautions to ensure that:
confidentiality of client information is maintained,
the service provider maintains adequate security, and
the lawyer has adequate access to the information stored remotely.
Seriously, what are "reasonable precautions" and what is "adequate security." The US government is having difficulty securing its information, so how can a small to medium size business stop the inevitable?
At some point, a Court or the bar may have to make these decisions. For now, we all have to guess as we go along.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
