Attorneys try to keep up with the cloud
May 11, 2012
Attorney ethics authorities are scrambling to keep pace with the technology of cloud computing, a method for storing volumes of client documents that can be cost-effective to use but vulnerable to hacking.
Bar associations in New York, Pennsylvania, North Carolina and Iowa recently issued guidelines for lawyers who use the cloud, and the American Bar Association is considering a proposal to modify its model ethics rules to address cloud computing. Dozens of bar groups across the country are training attorneys on how to use the cloud without tripping over their ethical duty to maintain client confidentiality…
The bar groups are warning lawyers that in a rush to embrace the technology, they need to be careful not to leave cracks in security that hackers can exploit.
"Many law firms are still trying to figure out what the necessary fences are," said Alan Wernick, a partner in the Chicago offices of law firm FSB FisherBroyles whose practice focuses on intellectual property, information technology and data privacy. "We’re at the early stages in the evolution of this technology, and the privacy and security issues are not always appropriately addressed."
Cloud computing, in essence, is a way of storing electronic information, from emails to personnel information to client files. It eliminates the necessity for law firms to house their own servers. Instead, data is stored with other companies’ data in the "cloud," owned by giants like Amazon and Google, and it is typically accessed through a Web browser like Firefox or Internet Explorer. Email and Smartphone correspondence is kept there, too.
The technology is convenient and usually cheaper to use than onsite servers, but there are security problems. More than 80 major law firms in the United States have been hacked since 2009, according to Mandiant, an electronic security company based in Washington, D.C., and most of the incidents involved at least some information stored in the cloud. Mandiant, which tracks hacking based on its clients’ experiences and on media reports, does not have comparable data from previous years.
MORE CYBER ATTACKS
Cyber attacks are on the upswing, and the cloud creates a heightened risk because client data is stored offsite, said FBI special agent Trent Teyema, who is in charge of cyber crimes in the FBI’s Washington, D.C., field office.
"As firms use it more and more, it presents a new security concern," he said.
About 65 percent of major law firms use the cloud to hold at least some information, according to a 2011 survey by The American Lawyer. Forty-seven percent of the firms said they were using the cloud more last year than in 2010, and 61 percent cited security concerns as the biggest drawback.
Hacking can be especially traumatic for law firms because attorneys have an ethical duty to keep client information confidential. Moreover, the stored data — from emails to contracts — often relates to live disputes, so there’s an adversary with a real incentive to get that information.
"It’s a scary world out there," said the chairman of a major U.S. law firm, who requested anonymity due to security concerns about client information. This lawyer said that his firm, which stores some data on in the cloud, has beefed up encryption coding and overall electronic security in recent months.
Haytham Faraj had more than a scare earlier this year. His former law firm, Puckett & Faraj, was hacked in February by Anonymous, a renegade Internet group that has hacked into the websites and emails dozens of government sites, politicians and enforcement agencies.
Faraj’s firm represented Staff Sgt. Frank Wuterich, who pleaded guilty to helping orchestrate the 2005 killing of Iraqi civilians in Haditha. The group apparently was looking for information on Iraqi war crimes.
Faraj said that once Anonymous tapped into the cloud administrator’s account that held all the passwords for employees’ email accounts, hackers had a trove of data to mine.
Anonymous also posted on the law firm’s website a manifesto that decried "the brutality of U.S. imperialism." Faraj said he didn’t discover that the email accounts had been hacked until friends called him about the website.
"We still don’t know the extent of how much they stole," Faraj said.
Most hacking incidents at law firms are not reported, partly because law firms are not aware that they’ve been hacked or because they don’t want to publicize breaches, said Joshua Gold, a partner at Anderson Kill & Olick who advises clients on data security and insurance issues.
Besides Faraj’s incident, some other law firm hacking incidents have surfaced. In Toronto, several law firms were the target of Chinese hackers who, starting in 2010, tried to get their hands on information stored in the cloud about business deals the firms were handling, according to a November 2011 report in Toronto’s Globe and Mail.
The cloud has also given rise to litigation. Philadelphia law firm Elliott Greenleaf alleged in a Feb. 8 lawsuit that its former managing partner, William Balaban, before he left in January, removed 78,000 electronic files by tapping into the firm’s cloud. His alleged motive was to take a ready-made client list for his new firm. Balaban did not respond to messages seeking comment.
ETHICS AUTHORITIES WEIGH IN
To address the problem, an ABA ethics commission in September proposed changes to the Model Rules of Professional Conduct, the template for attorney ethics rules in nearly every jurisdiction. The recommendations call for including client data stored in the cloud under the rules of confidentiality — a basic tenet of legal ethics requiring lawyers to not reveal anything about their relationship with their clients unless they get the clients’ consent.
Written broadly, the proposal directs lawyers to make reasonable efforts to prevent unauthorized access and inadvertent disclosure of client data. In short, lawyers have to understand how information stored in the cloud is kept safe and what steps their cloud providers are taking to make it so.
Jack Newton, acting president of the Legal Cloud Computing Association, a trade group of technology vendors, said he doesn’t question the intent of the proposal. But he wondered whether lawyers will invest the time needed to understand how the cloud works and how to protect information.
"It can be a very high bar to be setting for lawyers," Newton said.
Ethics opinions issued by bar authorities in New York, Pennsylvania, North Carolina and Iowa go into more detail than the ABA proposal about attorneys’ responsibilities.
For example, Pennsylvania’s opinion states that anyone using web-based email like Gmail, Yahoo or AOL, or filing-sharing software Dropbox is in essence participating in cloud computing.
Attorneys in those jurisdictions now have an explicit responsibility to make sure client information in encrypted, password protected, not accessible to anyone else and perhaps identified as confidential.
That’s a growing challenge, given that iPads and Smartphones provide more avenues into the cloud, said Mark McCreary, a partner at Fox Rothschild who advises clients on data security matters.
McCreary said while his firm is in the process of moving more of its information to the cloud, he’s aware of the risks. More ways of getting into the cloud with mobile devices mean greater chances of breaches, he noted.
"It’s everything in between that gets sticky," he said. "You can lose control in the exchange of information."