Technology Practice Tips: Cloud Regulations (Transcript)

This is a transcript of a podcast discussing Cloud Regulations, issues relating to client confidentiality, providers and tips on using the cloud.  

Speaker Key: PB Phil Brown, DW David Whelan

PB:  Hi it’s Phil Brown here and I’m with David Whelan and we’re going to talk about cloud regulations today.

DW:  Cloud computing is the technology that seems to be on everyone’s mind and whether they should use it and if they do what they have to be thinking about when they adopt it. 

PB:  So before we launch into the regulations and whether or not the Law Society has any, let’s talk a bit about the cloud.  What is it?

DW:  Well for a long time it was a marketing term and it allowed computer providers and software providers to say that they were doing something that was entirely internet based.  So if you logged onto your Google mail or to your Hotmail account you were working on a cloud system because it was out in the internet cloud, meaning that it was not locally installed on your computer and it wasn’t running on a server within your law firm.

PB:  So it’s running on someone else’s computer that technically you would not have control over, possibly in another jurisdiction.

DW:  Exactly, and maybe in another country, and maybe in multiple countries. If they spread their services out so they are available all the time, they might have to have coverage in different continents or at least different countries.

PB:  One of the reasons people should be aware of this is because most lawyers and paralegals are already using the cloud whether they’re aware of it or not.

DW:  In many cases, you’re using it for your personal life but you may be using it for some aspect of your professional life as well. 

PB:  For instance if you’re using Gmail or Hotmail or Sympatico mail, all of those are cloud based delivery.

DW:  Yes, and if you’re not, there’s a good chance your clients are, because they may be receiving e-mail which you sent from inside the law firm on a web-based e-mail application in their house.

PB:  So one of the things that’s been coming up often in conversation amongst lawyers and paralegals is, does the Law Society have any regulations with respect to cloud computing?

DW:  The answer is no.

PB:  There are no regulations as such.  There are Rules of Professional Conduct however, which would apply to cloud computing situations.

DW:  They are the same rules that you’ve had all along and what we found with Bar Associations and other ethics groups that have looked at this and then come out with formal opinions, particularly in the United States, is that the expectation for lawyers and paralegals is that they continue to act reasonably and competently and follow the rules that they have been provided in the past.

PB:  Specifically with respect to Ontario lawyers and paralegals, rule 3.3 for lawyers and the equivalent rule for paralegals is that the lawyer or paralegal shall keep all of the client’s information confidential and that’s in all situations, whether it’s stored somewhere else or not. The other question that often comes up is does the Law Society regulate or approve of any particular cloud provider?

DW:  There are many cloud providers who would love to have a Law Society or a regulator sign off on the product that they provide but the answer is no, the Law Society does not certify or recommend any particular cloud provider.

PB:  In fact not just cloud providers, we don’t recommend or approve any particular software or vendor or anything.  So one of the fundamental issues here in dealing with cloud computing and confidentiality is you are trusting client information to someone other than yourself.

DW:  Right and it’s a threshold question. If you work in a particular area of law where it doesn’t make sense for your client information to be located on a computer, whether it’s a computer in your office or someone else’s computer, you need to avoid cloud computing.  And then if you do have client information, you may decide you have certain information you’re comfortable having in the cloud and certain information that you aren’t.  So it’s not an all or nothing decision to go into the cloud.  Whether you choose to put your to do list up in the cloud or your e-mail or whether you decide to synchronize documents that relate to the operations of your law firm and aren’t client confidential at all or whether you decide to put your entire practice up in the cloud, the rules that apply will still apply no matter which type of content you put out there.

PB:  So one of the things you have to be aware of when you’re putting anything in the cloud is the user agreement you have with this third party.  You need to own the information as the lawyer or the paralegal.

DW:  Yes, and it’s important that you have the ability to get access to that information at any time.  So if your cloud provider has a way for you to export or download the information, you should be doing so on a regular basis just in case they become unavailable for whatever reason.  And if they don’t have that, then you should be able to synchronize it down to your computer so you will always have a copy, whether you have internet access or not.

PB:  So within that use agreement there will be other information that will be very important which includes what happens if there’s a dispute with you about fees and the cloud provider? Who is their information being stored with? What happens to your information if their business goes under? What happens if you terminate your relationship with them? How long do you have to recover that information?

DW:  Those are critical aspects of the relationship you have with the provider and you should also be aware of how they’re going to be managing your information while it’s stored on their system. For example, if I upload files to a file storage site and those files are encrypted according to that provider then I want to make sure that they are encrypted until I download and access them and that their employees can’t access the server from within the organization and access files that I think are encrypted and therefore protected.

PB:  Right, and in terms of the encryption, it’s really just protecting the information on site because an authority could come along with lawful authority and say “here’s my search warrant”, and they’re going to turn over the encryption keys immediately.

DW:  Someone once asked me if the encryption used on one of the cloud providers I was discussing was enough to block the National Security Agency, the NSA in the US, from getting access to it.  The reality is probably not – this is the answer to almost any encryption utility on any cloud service, but we have a reasonable expectation that you will act competently and so you really have to approach it from that perspective.  What is reasonable? What is competent for your practice and for your confidential information? 

PB:  There’s also the option if you’re only using the cloud to store information, if you’re not using software as a service or something, you can encrypt the information on your end before you load it up into the cloud.

DW:  Yes and that would prevent anybody from being able to crack through the egg of encryption that is provided by the provider from the cloud site because you would have a belt and suspenders encryption approach.

PB:  You mentioned this at the beginning.  It’s really important to give clients the option if you’re using a cloud service to store their information. It’s important clients know that and they also have the option possibly to opt out of that if they want.

DW:  That’s a great idea and to put that in writing I think helps everybody to understand where that information is.  I’ve heard of a lawyer who has a Dropbox folder for each of his clients and so he is really committed to moving all of his clients out into the cloud and to have them interact with the cloud because those files are being synchronized to their computers.  I think one of the interesting things that cloud computing has raised is the idea that we are leaving confidential information, potential information that talks about the client matters and maybe client personal information on the web when we do searches using Google, which is now encrypting, but it does save search history or when we are sending e-mails and other things that we might not have thought about in the past.

PB:  When we say make clients aware of it, it’s a good idea to put that information in a retainer agreement, which is your contract with the client so that they know what your policy is with respect to storing your information and protecting their information as well as what your policy is in terms of the disruption of that information later.

DW:  And that can help them to understand how they might already be interacting with a cloud or storing information out there - that although you are protecting it for them, they might be exposing it and hurting their own interests.

PB:  Thanks very much David.

DW:  Good seeing you Phil.