More and more firms and corporations are going paperless, at least for some files and processes. This often includes utilizing cloud storage providers such as Google Drive, Microsoft OneDrive, Apple iCloud Drive, and Dropbox. Most providers offer encryption of documents, both while uploading and while stored with the provider. The majority of providers also offer different levels of access to the documents that are controlled by the account administrators. The levels of access may include access to only certain documents or folders, the ability to read but not download documents, as well as full access to all documents and functions.
In addition to the standard responsibility of a firm or company to maintain the confidentiality of client and work-product documents, there is an additional responsibility to protect documents that include personal identifying information such as social security numbers, dates of birth, addresses, and similar information. This information may be included in documents provided by the client, medical records, or from other sources. Courts require that personal identifying information be redacted when filing documents that include this information. And while filing cabinets may be locked and electronic files may be password protected, there are additional issues when those documents are stored by a third-party provider, especially in the cloud.
While cloud storage providers do offer many protections for documents, including encryption and restricted access, one of the primary areas of concern is when documents are downloaded, particularly onto mobile devices. Mobile devices, including laptops, are often not secured as well as desktop devices and local file servers. Theft of mobile devices is also a concern. Mobile devices are some of the most commonly lost and stolen items and are often taken from vehicles, at airports, and other public places. Users may also forward downloaded documents from their mobile devices to others, whether intentionally or accidentally. Most cloud storage systems have no method for tracking this kind of activity.
While firms and companies could prohibit download of confidential documents and documents with personal identifying information to mobile devices, doing so would likely be unreasonable and not enforceable. Firms and companies could also redact all personal identifying information from documents before they are uploaded to cloud storage, but that could be time-consuming if not impossible to accomplish, and could cause issues if those documents must be produced to opposing counsel.
One option would be to encrypt documents on download and require that they be decrypted only while the user is actively working on them and encrypted again when saved on the user’s computer or device. There are also software options that work with a user’s cloud storage accounts and put the documents in an additional “safe zone” as well as permit administrators to immediately deactivate access by a particular mobile device, among other features. However, each of these alternatives also has drawbacks and potential complications.
If a firm or company chooses to store documents with personal identifying information in the cloud, the firm or company will continue to have the responsibility of ensuring that they have taken reasonable steps and precautions to protect that information from unauthorized access. This includes researching all security features of cloud storage providers and determining what additional precautions, if any, must be taken, and how those precautions will be handled and enforced.
Ellen Lockwood, ACP, RP, is the Chair of the Professional Ethics Committee of the Paralegal Division and a past president of the Division. She is a frequent speaker on paralegal ethics and intellectual property and the lead author of the Division’s Paralegal Ethics Handbook published by Thomson Reuters.