The Ethics of Cloud Computing and Client Data

Ellen Lockwood, ACP, RP

Ellen Lockwood, ACP, RP

What is cloud computing? The National Institute of Standards and Technology (NIST) defines cloud computing as follows:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. (NIST Definition of Cloud Computing,Version 15, 10/07/2009)

Even if you have never heard of cloud computing or "the cloud," you probably have used cloud services. Webbased email offered by Internet Service Providers, Google, Yahoo, and others allows users to access their email from any Internet connection because some of the users’ email is stored on the providers’ servers. Google Documents allows users to share documents with others. Dropbox is a service that synchronizes the data stored on the user’s servers on Dropbox’s serves, and synchronizes the user’s data among the user’s computers.

While cloud computing is often a cost-effective, efficient way to store data, use software, and provide access to data and documents by members of a firm and its clients, there are ethical considerations. The Texas Disciplinary Rules of Professional Conduct require competent representation (Rule 1.01), keep information confidential (Rules 1.06), and to adequately supervise non-attorney staff to ensure they conform to the Disciplinary Rules.

Competent representation likely includes knowledge of technology used, and/or the use of experienced and capable staff or vendors. While paralegals cannot be expected to become experts on all technology, paralegals should make an effort to gain at least the basic skills for the technology they use.

Of course, paralegals should be aware of the rules regarding confidentiality. In regard to cloud computing, this includes researching the provider to determine the provider’s assurances regarding the following:

• Physical security of the provider’s data center; this could include video surveillance, staff authentication, control of access by visitors and contractors, and intrusion detection systems
• Security of the data; this could include encrypted communication as security during data transmission, encrypted storage, storage in multiple storage centers as security from regional disasters, multiple environmental and power failure protections

Regardless of the security offered by a cloud computing provider, the law firm or legal department is responsible for controlling access to its data by its employees, vendors, and clients. Most systems permit configuring specific permissions and access rights depending on the type of user. Someone should also have responsibility for deleting permissions of those no longer allowed access. Firms and companies should also incorporate firewalls and application filters, and all computers should include antivirus and anti-spyware software with automatic updates.

Security precautions should also be taken for servers and backup media. Often these items are unsecured and located under a desk, near windows, or in the same room as the copier/printer. Access to these items should be limited to key employees and kept in a secure area.

While nothing can be absolutely guaranteed secure, paralegals are an important part of the efforts to keep client information confidential, whether in the office, or in the cloud.

Ellen Lockwood, ACP, RP, is the Chair of the Professional Ethics Committee of the Paralegal Division and a past president of the Division. She is a frequent speaker on paralegal ethics and intellectual property and the lead author of the Division’s Paralegal Ethics Handbook published by Thomson Reuters.