E-Discovery Search Blog

Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing

Here is the latest legal-ethics forecast for cloud computing in the legal profession: Clear skies ahead.

Two new ethics opinions in recent weeks on lawyers’ use of the cloud add further weight to what has so far been the consensus of state ethics panels–that it is ethical for lawyers to store client documents in the cloud and use cloud-based applications, provided the lawyers take reasonable safeguards to ensure the safety and security of the data.

The first of the two latest opinions is yet another in a series of proposed opinions from the North Carolina State Bar. As I wrote in an earlier post here, the North Carolina Ethics Committee deserves credit for the careful and thoughtful consideration it is giving this issue. On Oct. 20, it issued Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. [Hat tip to Jack Newton at Slaw.]

This is the committee’s third version of this proposed opinion. The first version, issued in April 2010, said that a lawyer may ethically use SaaS, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

Although commentators generally praised that opinion, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion. While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also set out mandatory minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing community arguing that the requirements were so onerous as to effectively block the use of many cloud applications.

Clearly, the North Carolina Ethics Committee heard and was swayed by those arguments. In this latest opinion, it once again endorsed a lawyer’s use of SaaS, provided the lawyer takes care to protect confidential information:

[A] law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.

This time, however, the opinion omits any list of specific requirements a lawyer must follow in selecting a SaaS provider. Instead, it cautions lawyers to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer,” taking into consideration “the experience, stability, and reputation of the vendor.” It then goes on to list five “recommended” security measures to consider:

  • Agreement with the vendor on how it will handle confidential client information.
  • Ability to retrieve the data if the lawyer terminates the vendor or the vendor goes out of business.
  • Careful review of the terms of the lawyer’s agreement with the vendor, including its security policy.
  • Evaluation of the vendor’s measures for safeguarding the security and confidentiality of data.
  • Evaluation of the vendor’s back-up procedures.

The opinion suggests that lawyers, in considering these issues, may want to consult with “professionals competent in the area of online security.”

Pennsylvania Says ‘Yes’ to the Cloud

The second new opinion comes from the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility (with a hat tip to Dan Pinnington at Slaw for posting it). In Formal Opinion 2011-200, the Pennsylvania committee addresses the ethical obligations of attorneys using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client property.

The short answer it gives (within a lengthy and thoughtful opinion) is this:

Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

In addressing the reasonable safeguards a lawyer should follow, the committee follows the lead of other states in declining to list mandatory standards. “This Committee acknowledges that the advances in technology make it difficult, if not impossible to provide specific standards that will apply to every attorney,” it explains. Even so, it provides a fairly detailed list of the steps that a standard of reasonable care “may include.” Some of these steps address internal law firm measures–such as backing up data, installing firewalls, and using encryption–and others address measures a law firm should ask of a vendor. In the latter category, the opinion recommends that a lawyer ensure that the provider:

  • Explicitly agrees that it has no ownership or security interest in the data.
  • Has an enforceable obligation to preserve security.
  • Will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information.
  • Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.
  • Includes in its terms of service or service level agreement an agreement about how confidential client information will be handled.
  • Provides the firm with the right to audit the provider’s security procedures and to obtain copies of any security audits performed.
  • Hosts the data only within a specified geographic area.
  • Provides a method for the lawyer to retrieve the data.
  • Provides the ability to get data off the vendor’s servers for the lawyer’s own use or in-house backup offline.

The Pennsylvania opinion also includes a discussion of lawyers’ use of Web-based email services such as Gmail and Hotmail. While cautioning that such services carry risks “that attorneys should be aware of and mitigate,” the opinion nonetheless indicates that lawyers are free to use such services. In most cases, these services may be used without encryption, although certain matters may require heightened security, including encryption, the committee says.

The Pennsylvania committee cites with approval a 1998 ethics opinion in which the District of Columbia Bar concluded: “In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”

What this Means for Cloud Computing

On this blog, we have been following and writing about the ethics of cloud computing for a year now. To date, not a single ethics panel has found any ethical concern with lawyers’ use of cloud computing, provided the lawyer exercises reasonable care in selecting and vetting a vendor. The Pennsylvania opinion includes a state-by-state review of relevant ethics opinions and sums them up this way:

Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In service to that essential duty, and in order to meet the standard of reasonable care, other Committees have determined that attorneys must (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them.

The measures these various ethics panels suggest are reasonable and sensible. For the most part, lawyers should select cloud vendors that have proven themselves to be reputable, stable and competent. Lawyers should expect agreements with these vendors that clearly address issues of confidentiality and security.

That said, these latest opinions underscore what we said at the outset: The forecast for cloud computing in the legal profession is clear skies ahead.

If you are interested in reading our prior posts on this topic, see:

What the Fulbright Litigation Survey Says about E-Discovery

The annual Fulbright & Jaworski Litigation Trends Survey provides a revealing yearly snapshot of the state of corporate litigation. Now in its eighth year, the survey polls corporate law departments in the U.S. and U.K. on the state of their disputes. For this year’s survey, Fulbright gathered input from 405 in-house counsel, including 275 in the U.S.

The big headline from this year’s survey, which was released Oct. 18, is that litigation was down slightly for businesses on both sides of the pond. At the same time, they saw an increase in regulatory actions and internal investigations. More than a third of corporate counsel reported an increase in external regulatory inquiries and more than a quarter predicted that the coming year will be even worse.

Even though litigation was down slightly, litigation spending was up. For U.S. companies, the median spend in 2011 was $1.4 million, up from a median of $1 million the year before. Spending will continue to go up, the survey says, driven in part by the cost of e-discovery. Nearly a fifth of all companies and a quarter of large caps expect to see budget increases for e-discovery.

Cloud Computing: Up, Up & Away

For the first time, the survey asked about the use of cloud computing and the result suggests–as the survey put it–that cloud computing is “up, up and away.” More than a quarter of all respondents said that their companies use cloud computing. Among companies in the tech sector, 48% use it. Among public companies, 34% use it. In the manufacturing sector, 32% use it. A quarter of U.S. companies and 13% of U.K. companies said that they expect to move software to the cloud.

As use of the cloud increases, so does the frequency with which companies encounter issues relating to data preservation, collection and security in the cloud. Overall, 31% of U.S. respondents and 50% of U.K. respondents said that they had to preserve or collect data from the cloud in connection with actual or threatened litigation. Of companies using cloud computing, 71% had to preserve data and 61% had to collect data from the cloud. Of the companies using the cloud, 28% reported having had a security breach.

Cooperation Procrastination

We all know that cooperation is supposed to be the watchword in e-discovery, but the Fulbright survey found mixed results on the cooperation count. The survey asked respondents whether, in the past year, they had “made a concerted effort to be more cooperative or transparent with opposing counsel in your conduct of discovery.” There was an almost even split between those who said “yes” (34%) and those who said “no” (36%). The other 29% said they’d had no opportunity to be more cooperative.

Notably, one industry stood out for its efforts to improve cooperation among opposing counsel, the survey found. In the energy industry, 45% of respondents answered yes to the cooperation question. In contrast, the insurance and real estate industries were at the low end of the cooperation scale, with only 17% and 19%, respectively, answering yes.

Among other findings of the survey related to e-discovery:

  • 91% of U.S. and 55% of U.K. companies allow employees to use mobile hand-held devices.
  • 30% of U.S. and 36% of U.K. companies have had to preserve or collect data from their employees’ mobile devices for litigation or an investigation.
  • 45% of all companies have no restrictions on social media use.
  • 18% of all companies have had to collect data from an employee’s personal social media account in a company litigation.

An interesting side note is that, when asked about their company’s social-media blocking policy, 10% of corporate counsel said they did not know. While this is down from two years ago–when 19% said they didn’t know–it is surprising that even a tenth of corporate counsel would not know their company’s policy.

Download the Survey

The full, 60-page survey covers much more than just e-discovery. You can download the complete survey for free at www.fulbright.com/litigationtrends. A Fulbright press release summarizes the survey’s key findings. From the download page, you can also register for a Nov. 1 Fulbright webcast that will present an overview of the survey.

Article: Cloud-Based E-Discovery is in Your Future

Hot off the presses is the 2011 Survival Guide for New Attorneys published by Los Angeles Lawyer, the magazine of the Los Angeles County Bar Association. It includes an article that I wrote, Cloud Based Electronic Discovery is in Your Future. (This is a scan from the hard copy; it appears not to have been posted yet online.)

The gist of the article is that, for the new lawyer, the future of law practice will be driven by data and the cloud is particularly well suited to dealing with all that data, specifically with regard to discovery.

Over the last few years, legal professionals have begun using the cloud for everything from practice management to client relations. Even so, one area of legal practice stands out as particularly well suited to the cloud–electronic discovery and the handling of electronically stored information (ESI).

In electronic discovery, the cloud offers distinct advantages: power, flexibility, mobility, economy of use, and ease of deployment. In fact, in a 2010 report on electronic discovery, the technology research firm Gartner, Inc. concluded that the future of electronic discovery technology is in the cloud. A cloud-based e-discovery platform, Gartner said, “offers benefits that on-premises software or applications cannot.”

To find out more about why I believe the future of e-discovery is in the cloud, read the article.

 

NC Bar Goes Back to the Drawing Board on Cloud Ethics

One thing seems certain about the Ethics Committee of the North Carolina State Bar—it is trying hard to get its opinion right on the ethics of cloud computing.

In April 2010, the committee issued a proposed opinion that addressed the question of whether a law firm may ethically use Software as a Service in light of a lawyer’s duty to safeguard confidential client information and protect client property from destruction or loss. The opinion answered the question in the affirmative, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

The proposed opinion generally elicited praise from lawyers who use cloud-based applications and from vendors that provide such applications. (See what we at Catalyst had to say about it in two posts, The Legal Ethics of Cloud Computing and N.C. Ethics Opinion on SaaS Merits Broader Inquiry.) But after putting the proposed opinion out for public comment, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion (Proposed 2011 Formal Ethics Opinion 6).

While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also proposed minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing community arguing that the requirements were so onerous as to effectively block the use of many cloud applications. On behalf of several cloud vendors, the Legal Cloud Computing Association filed written comments objecting to the proposed opinion. The comments said:

[W]e believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states.

Rather than “mandatory requirements”, we believe that it makes more sense to establish basic principles and suggested guidelines, leaving to the individual attorney to use their best judgment to exercise reasonable care under the particular circumstances of their practice, in choosing a SaaS provider.

The International Legal Technology Standards Organization also filed comments opposing the proposed opinion, as did a number of individual attorneys.

Against this backdrop, the Ethics Committee recently voted to send the proposed opinion back to the subcommittee that drafted it, according to North Carolina lawyer Stephanie Kimbro, in a post at her blog Virtual Law Practice. The subcommittee will reconsider the opinion in light of the comments that were filed. The outcome of the reconsideration should be known by the end of October, Kimbro said.

What Does this Mean for E-Discovery in the Cloud?

The short answer to that question is: Not much. Let me explain.

The objections to the proposed opinion focused on the fairly rigorous vetting process it required lawyers to go through before entrusting client data to a cloud provider. The opinion would require a lawyer, for example, to investigate the vendor’s financial stability and review its security audits. This was seen as unfair to solo and small firm lawyers in particular, who would have neither the time nor the resources to follow each of the recommended steps. Even if a lawyer was in a position to follow each of the steps, getting all the required information would be virtually impossible from consumer-focused vendors such as Google or Dropbox.

By contrast, with regard to e-discovery, the opinion’s proposed requirements make perfect sense. A lawyer selecting a cloud provider to serve as a hosting and review platform for litigation documents would be remiss not to engage in this sort of vetting process. Further, any established e-discovery vendor will be prepared for just such an inquiry and will have due-diligence documentation readily available regarding its security, systems and facilities.

I’ve read some criticism of one aspect of the proposed rule that would require lawyers to look into the financial history and stability of the SaaS vendor. Granted, vendors are not likely to want to share all their financials with every lawyer who asks. But I do not believe that this is what the rule envisions. Surely, the rule was not intended to require lawyers to dig into a company’s finances beyond information that is publicly available.

My friend and fellow Boston College Law School alumnus Erik Mazzone made a similar point in his post about this latest proposed opinion. Mazzone, who is director of the Center for Practice Management at the North Carolina Bar Association (a separate entity from the State Bar), highlights one of the opinion’s proposed requirements as worthy of particularly close attention:

The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.

This could be a real problem with respect to vendors who do not focus on the legal market, Mazzone writes. Major vendors such as Google, Dropbox and Evernote are not likely to change where their data is hosted in response to one state’s ethics requirements, he argues. At the same time, he writes, “I expect that this provision will not cause a great deal of difficulty for the legal-specific … cloud software out there.”

His point about legal-specific cloud software is particularly true within the context of e-discovery. Here again, a lawyer would be remiss not to pin down at least the country in which the data will be hosted. The physical location of the data can implicate the host country’s privacy and security laws, regardless of where the company that owns the data is headquartered or of where the litigation is situated. That could open a can of worms separate and apart from the litigation at hand.

The North Carolina Bar should be commended for the careful thought and study it is devoting to this issue. We will look forward to seeing what comes of this latest reconsideration. Meanwhile, within the very specific context of e-discovery in the cloud, we are confident that established practitioners and established vendors already adhere to the most rigid of policies and practices. In e-discovery, the confidentiality and security of client data is already a matter of the highest order.

NIST Issues Draft Recommendations on Cloud Computing

Earlier this month, the Computer Security Division of the National Institute of Standards and Technology (NIST) issued draft recommendations on cloud computing (PDF). As many of you know, NIST is an agency of the U.S. Department of Commerce. Founded in 1901, the agency was the nation’s first physical science research laboratory.

In the e-discovery field, we know it better for its list of 65 million hash values of system and program files (the “NIST” list). We use the list to remove unwanted files before we process documents and other data. The NIST list is the gold standard for our industry and we use it every day.

NIST is involved in many other areas of inquiry, including the International System of Units (as discussed in my recent post, How Many Bytes in a Gigabyte? My Answer Might Surprise You). It also recently issued draft guidelines on security and privacy in cloud computing and launched the NIST Cloud Computing Collaboration wiki to encourage collaboration in refining its cloud standards.

What is Cloud Computing?

In the 84-page draft, Cloud Computing Synopsis and Recommendations, published May 12, the NIST team set out to write a primer on the cloud—types, deployment models, service models, cloud security and, ultimately, the benefits of cloud computing. They start with NIST’s definition of cloud computing, which is tricky because:

Cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models.

Thus, while the term “cloud” is often used as a synonym for the Internet, cloud computing means more than simply the transmission of data over the Internet.

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

According to the NIST definition, cloud computing has five essential characteristics:

  • On-demand self service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured service.

Following this logic, one could argue either way for many of the e-discovery providers who bill themselves as cloud providers. While they may offer a hosted product via the Internet, they may not meet NIST’s requirements for on-demand self service, resource pooling and rapid elasticity.

There are several service models for cloud computing, each with different strengths and weaknesses:

  1. Cloud Software as a Service (SaaS): Cloud e-discovery providers would fall under this category. They offer a product accessible via a browser but manage the underlying infrastructure including network, servers, operating system, storage and applications.
  2. Cloud Platform as a Service (PaaS): This allows consumers to deploy their applications on top of a cloud infrastructure.
  3. Cloud Infrastructure as a Service (IaaS): Consumers essentially rent the infrastructure but determine their own software and even the OS they will use.

NIST's depiction of how control is shared in a SaaS model.

There are also four different deployment models for cloud computing:

  1. Private cloud: This refers to infrastructure that is operated solely for one organization. It may be managed by a third party but is dedicated to that purpose.
  2. Community cloud: In this case, a group of users provision a cloud infrastructure for a common purpose.
  3. Public cloud: Here, the infrastructure is made available to the general public, although owned by the organization selling the service.
  4. Hybrid cloud: This would be a combination of two or more clouds (private, community or public) that are connected by technology that allows data or application portability.

Why Read the Guidelines

If you are considering the cloud for any of your applications, this is a helpful document. The authors discuss operational characteristics, standards for service-level agreements and security considerations. Ultimately, they talk about the benefits of cloud computing and why organizations like law firms and corporations might consider it.

Cloud computing is relatively new to the legal community, as it is to the rest of the business world. Why use it? Here is the NIST view:

In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. … By using an elastic cloud, customers may be able to avoid excessive costs from overprovisioning, i.e., building enough capacity for peak demand and then not using the capacity in non-peak periods.

Earlier this year, we dumped our Exchange servers in favor of Gmail (via Google Apps). There was some grumbling at first but the transition was a success. The service has worked as well as Exchange, the product is continually updated and we don’t have to worry about hardware or software upgrades. Although email is critical to our business, it isn’t one of our core services. So why run it ourselves? Turns out we don’t need to and we get the added benefit of Google Docs, Google Calendar and other features.

Is it right for you? I would give it a good look the next time you think about upgrading or switching providers. It is the way the computing world seems to be going.

As for NIST’s draft guide to cloud computing, the agency is seeking comments from the public. The U.S. government’s CIO has asked NIST to lead federal efforts on developing standards for data portability, cloud interoperability and security. The goal, according to NIST, “is to help the federal government reap the benefits of cloud computing.” Comments must be submitted by June 13.

The Cloud Lets Consumers Concentrate on Service Instead of Servers

Recently, the chief information officer of the United States, Vivek Kundra, published a policy document “intended to accelerate the pace at which the government will realize the value of cloud computing.” Kundra’s Federal Cloud Computing Strategy (PDF) is a ringing endorsement of the cloud, as its opening words indicate:

The Federal Government’s current Information Technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the Federal Government’s ability to serve the American public.

Cloud computing has the potential to play a major part in addressing these inefficiencies and improving government service delivery. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite resource constraints.

A few paragraphs later, Kundra says this:

By leveraging shared infrastructure and economies of scale, cloud computing presents a compelling business model for Federal leadership. Organizations will be able to measure and pay for only the IT resources they consume, increase or decrease their usage to match requirements and budget constraints, and leverage the shared underlying capacity of IT resources via a network.  Resources needed to support mission critical capabilities can be provisioned more rapidly and with minimal overhead and routine provider interaction.

Everything I’ve quoted above and much of the rest of this report applies to the private sector as much as to the public sector. The report deserves close study and I plan to delve into it in more detail in later posts.

But I wanted to highlight something in the report that, for me, sums up the advantage of cloud computing over traditional computing environments. In a section on how to provision cloud services effectively, Kundra writes:

To effectively provision selected IT services, agencies will need to rethink their processes as provisioning services rather than simply contracting assets.  Contracts that previously focused on metrics such as number of servers and network bandwidth now should focus on the quality of service fulfillment.

The cloud changes the equation for contracting IT resources, Kundra is saying. Most notably, he is suggesting that the primary focus in selecting a provider should no longer be on “metrics,” but on “service.”

Thinking of Software as a Service

What does he mean by that? I can’t presume to speak for Kundra, but I can tell you what I think he means.

Applications delivered via the cloud are often referred to by the name “Software as a Service.” The consumer has a need and the software serves that need. The important distinction is that SaaS enables the consumer to focus on the need, not the technology. Rather than first having to wrestle with finding and installing the right hardware and software, the consumer is able to get directly to the business at hand.

In 2005, just after Ray Ozzie became CTO for Microsoft, he circulated a memo to top executives that he titled, The Internet Services Disruption. He described the movement towards SaaS (and Microsoft’s need to follow suit), and he summed up the movement this way:

The ubiquity of broadband and wireless networking has changed the nature of how people interact, and they’re increasingly drawn toward the simplicity of services and service-enabled software that ‘just works’.  Businesses are increasingly considering what services-based economics of scale might do to help them reduce infrastructure costs or deploy solutions as-needed and on subscription basis.

Software that “just works,” as Ozzie put it, is the best description I’ve seen of SaaS. Another description he uses frequently is “seamless” — seamless productivity, seamless communications, seamless solutions, seamless IT. The consumer has a problem to solve or a task to do and just wants something that will deliver the service of enabling it to be done.

To my reading, this is Kundra’s message to government agencies about the cloud. The cloud lets you focus on the service you need delivered — the task you need done, the problem you need solved — without having to get hung up on the metrics and logistics of how it will be delivered.

E-discovery provides the perfect illustration of the power of the cloud to deliver the services clients need. A product such as Catalyst CR is available to clients on-demand. When clients face a discovery deadline or an investigation, they can get up and running immediately. The application is scalable to virtually any size project, is powered by a grid of hundreds of servers, and can be used by anybody with an Internet connection anywhere in the world. Rather than be sidetracked by worrying about what appliances to buy or software to install, the client starts directly on meeting its deadline.

As Kundra puts it, “Cloud computing will require a new way of thinking to reflect a service-based focus rather than an asset-based focus.” For consumers, that is a way of thinking that is long overdue.

New Survey Asks Lawyers about E-Discovery and Hosting in the Cloud

A new survey of lawyers’ use of technology is out, and while its primary focus is on practice management, it also asks about other uses of technology, including Software as a Service, hosted e-discovery review, online document storage and outsourcing to a foreign country.

The survey, Case, Matter & Practice Management System Study, was conducted by Andrew Z. Adkins III, director of the Legal Technology Institute at the University of Florida Levin College of Law. While the overarching purpose was to study lawyers’ use of case, matter and practice management systems, the survey also asked about a wide range of technology issues, from word processing to SaaS, all with the goal of documenting the current technology environment within the legal profession.

Surveys were mailed to 27,500 lawyers using randomly selected mailing lists provided by the American Bar Association and other bar groups. Adkins received 341 completed surveys, enough to produce a 95 percent confidence level in the results.

In a series of questions pertaining to lawyers’ use of SaaS and Internet-based applications, the survey suggests that lawyers remain concerned about a number of issues. Their greatest concerns, it found, were speed and performance, followed by the danger of exposure to computer viruses. Also of significant concern were security and confidentiality.

Online Hosting

To the survey question, “Is your firm/law dept. considering hosting your software and data online?” 14 percent of respondents said they already were and another 5.2 percent said they were actively considering it. Forty-two percent said it was unlikely they would host software and data online.

Larger firms were the most likely to be already hosting software and data online. Twenty-six percent of large firms said they had already implemented online hosting and another 40 percent indicated either a strong or moderate interest.

The survey next asked, “How do you feel about hosting your attorney/client privileged data in a web-based program?” Here is how the answers broke down:

  • I think it is malpractice, nothing online is secure: 8.3%.
  • I don’t think it is malpractice, but I wouldn’t do it: 46.8%.
  • I trust my IT staff to keep data secure and cover my liability: 30.2%.
  • My clients and I are comfortable with online client data: 14.8%.

Here again, lawyers in large firms were more comfortable with hosting client data online, with 19.3 percent of large-firm lawyers saying that they and their clients are comfortable with online hosting and another 58 percent saying that they trust their IT staffs to keep their data secure.

Outsourcing to a Foreign Country

The survey also revealed a reluctance by many lawyers to outsource to a foreign country. Here is how they responded when asked to pick from these statements about outsourcing:

  • It is likely a breach of attorney/client privilege: 7.3%.
  • It is very cost effective due to the lower wages: 10.4%.
  • It is not cost effective due to communication difficulties: 14.6%.
  • I would never outsource: 67.7%.

Hosted Document Review

With regard to e-discovery, the survey asked, “In the past 12 months, has your firm/law dept. been through discovery of sufficient size to warrant the use of a vendor to host the document review?” Just 23 percent of respondents answered “yes,” 66 percent said “no” and 11.5 percent did not know the answer.

As you might expect, lawyers in large firms and large law departments were most likely to have used a vendor to host document review. Forty-five percent of lawyers in large firms and departments and 44.4 percent of lawyers in medium firms and departments said they had, while only 14.5 percent of small-firm lawyers said they had.

The survey then asked, “If not, how likely is it within the next twelve months that your firm/law dept. will consider using a hosted document review to manage case information?” Just over a quarter of respondents indicated they were likely to do so, while nearly three-quarters said they were unlikely to consider using a hosted review tool.

Yet again, the responses to this question varied widely by size of firm or law department. Of lawyers in large firms and departments, 62 percent said that they were likely to consider using hosted document review. Of lawyers in medium firms and departments, 72 percent said they were likely to consider it. Only the responses from lawyers in small firms and small departments were weighted against hosted review.

The full survey report is a 312-page PDF. If you are a member of TechnoLawyer, you can download a copy from its library. If you are not a member, it costs nothing to sign up, and then you can download a copy. Information on how to obtain it is available here.

The California Bar Weighs in on Legal Ethics in the Cloud

Cloud computing raises unique ethical issues for lawyers with regard to ensuring the confidentiality and security of client documents and communications. At this blog, we’ve written several posts addressing these issues and noted the handful of state ethics boards that have addressed this issue. (See our posts here, here and here.) So far, the consensus of the states is that it is ethical for lawyers to store documents in the cloud and use cloud-based applications, provided the lawyers exercise common sense in vetting the security and stability of the providers of these services.

Now, the State Bar of California has issued an ethics opinion that provides further guidance for lawyers who work in the cloud. The opinion (Formal Opinion No. 2010-179) is not specifically directed at cloud-based applications. Rather, it outlines the analysis lawyers should apply whenever they evaluate whether to use a particular form of legal technology, particularly any technology that uses the Internet.

“Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly,” explained the committee in its opinion, “this opinion sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.”

Factors Attorneys Should Consider

The actual issue raised by the California attorney who sought the committee’s guidance involved wireless access to the Internet. Was it ethical for him, he wanted to know, to conduct legal research on behalf of clients and send e-mail to clients using a public wireless Internet connection in a coffee shop or using his home wireless network?

In addressing this question, the committee set out six general factors that attorneys should take into account when considering any new technology:

  • The attorney’s ability to assess the level of security afforded by the technology.
  • The legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person’s electronic information.
  • The degree of sensitivity of the information.
  • The possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including any possible waiver of the privileges.
  • The urgency of the situation.
  • Client instructions and circumstances.

Applying these factors to the question at hand, the committee concluded that the attorney’s use of public wireless connections would be risky unless the attorney took appropriate precautions.

With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.

Finally, if Attorney’s personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.

The committee concluded its opinion with a cautionary note. “Because of the evolving nature of technology and differences in security features that are available,” it said, “the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”

The committee’s opinion goes into much greater detail in discussing the factors that attorneys should consider, particularly with regard to assessing a particular technology’s level of security. Even though the opinion does not expressly consider cloud computing and Software as a Service, its discussion of these factors should provide useful guidance for any lawyer considering computing in the cloud.

A hat tip to Perry Segal who mentioned the opinion at his blog, e-Discovery Insights. Also, Segal points to an in-depth analysis of the opinion written by lawyers at Mayer Brown.

NIST Issues Draft Guidelines on Security and Privacy in the Cloud

While everyone who uses cloud computing should be alert to security and privacy issues, lawyers and litigation support professionals have a special responsibility in that regard. Not only are they entrusted with preserving the confidentiality of client communications, but they also play key roles in ensuring that their clients comply with a myriad of laws and regulations pertaining to data. Even so, legal professionals often have far more questions than they do answers about how to evaluate the privacy and security of cloud providers.

Earlier this month, the National Institute of Standards and Technology (NIST) published a draft document, Guidelines on Security and Privacy in Public Cloud Computing (PDF), that provides an overview of the security and privacy challenges pertinent to public cloud computing and suggests factors organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment.

At the same time, NIST launched a new NIST Cloud Computing Collaboration wiki to enable those involved in cloud computing to collaborate in refining the NIST’s standards.

NIST also released a draft that updates its work to create a definition of cloud computing, The NIST Definition of Cloud Computing (Draft) (PDF). NIST is seeking feedback on this draft, as well.

NIST’s Recommended Guidelines

The NIST draft guidelines pertain only to the “public cloud,” which NIST defines this way:

A public cloud is one in which the infrastructure and other computational resources that it comprises are made available to the general public over the Internet. It is owned by a cloud provider selling cloud services and, by definition, is external to an organization. At the other end of the spectrum are private clouds. A private cloud is one in which the computing environment is operated exclusively for an organization. It may be managed either by the organization or a third party, and may be hosted within the organization’s data center or outside of it.

The 60-page draft provides a fairly in-depth discussion of the key security and privacy issues and NIST’s recommendations for how to address them. In summary, NIST recommends:

  • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
  • Understand the public cloud computing environment offered by the cloud provider and ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  • Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
  • Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

“In general,” NIST adds, “organizations should have security controls in place for cloud-based applications that are commensurate with or surpass those used if the applications were deployed in-house.”

The Security Upside

Even as it addresses security precautions related to the cloud, the NIST report also takes note of what it calls “the security upside.” For many companies, particularly smaller organizations, the cloud holds the prospect of improving their overall security.

Companies may have only a limited number of IT administrators and security personnel. Cloud providers, by contrast, offer a number of features that promote security, NIST says:

  • Staff specialization. Cloud providers have staff that specializes in security and privacy.
  • Platform strength. The structure of cloud computing platforms is typically more uniform than that of most traditional computing centers. That enables better automation of security management activities like configuration control, vulnerability testing, security audits and security patching.
  • Resource availability. Redundancy and disaster recovery capabilities are built into cloud environments. Scalable, on-demand resource capacity can be used for better resilience when facing increased service demands or distributed denial of service attacks, and for quicker recovery from serious incidents.
  • Backup and recovery. The backup and recovery procedures of a cloud provider may be superior to those of a company or firm. Data maintained within a cloud can be more available, faster to restore, and more reliable than that maintained in a traditional data center.
  • Mobile endpoints. Because the main computing resources are with the cloud provider, they can be accessed using lightweight and easy-to-maintain computers such as laptops, notebooks and netbooks, as well as embedded devices such as smart phones, tablets and PDAs.
  • Data concentration. Data maintained and processed in the cloud can present less of a risk to an organization with a mobile workforce than having that data dispersed on portable computers or removable media out in the field, where theft and loss of devices routinely occur.

NIST has put its development of final guidelines on a fast track at the request of Vivek Kundra, the U.S. government’s chief information officer. He wants to accelerate the federal government’s adoption of cloud computing and ensure that it is done securely.

NIST has set Feb. 28, 2011, as the deadline for submitting comments on these drafts.

Is it Ethical to Store Client Data in the Cloud?

As lawyers move from paper into the digital age, we create new strains on the ethical fabric of the law. Are cell phone conversations privileged? Will that email from my client be protected from a claim of waiver?

Many of us can remember those debates as we waited patiently for opinions from state bar ethics committees that would either hinder or help the advance of these new technologies in the law. Of course, the answer was yes. Lawyers are free to use cell phones and email to communicate in confidence with their clients. How could it be otherwise?

Today the ethical debate has moved to the cloud. The Ethics Committee of the Alabama State Bar recently issued Ethics Opinion 2010-02, Retention, Storage, Ownership, Production and Destruction of Client Files, and for the first time addressed the issue of cloud computing. Is it ethical to store client files in the cloud? Does it matter that client files would be under the control of a non-lawyer third party who could have its way with them? What are the rules and requirements if I want to get rid of my own servers?
