Kimberley Hoff 11 Nov 2011 PAR 114 Makeup Assignment #5 One element of the opinion on cloud computing issued

by the Pennsylvania Bar Association is their determination that online service providers are a form of outsourced office labor, much like a freelance paralegal helping the firm handle their caseload would be1. Like that freelance paralegal cloud computing service providers are governed by Pennsylvania Legal Ethics Rule 5.3, which holds nonlawyer assistants to the same ethical standards as lawyers, as well as holding their supervising lawyers responsible for any breach of professional ethics on the part of their subordinates. Therefore, lawyers must take reasonable measures to ensure that their outsourced office labor is being carried out by responsible and competent professionals. At a minimum, cloud service providers must be able to limit access to confidential client data to as few employees as necessary in order to provide their services, provide adequate backup mechanisms to protect data integrity, take measures to prevent unauthorized intrusion, and assure timely access to the information even in adverse circumstances. In order to ensure that providers are actually meeting the standards required for law practices, firms may need to have specific agreements spelling out the obligations to the client and how they must be met in practice. In some cases, clients must be proactively notified that outsourcing will take place and given the identities of the third-party service providers will have access to their data. Some non-traditional reasonable care steps must be taken when vetting cloud computing providers, as the nature of the cloud puts much of the infrastructure completely out of the lawyers personal control. For example, a diligent, qualified provider will take steps such as installing firewalls to prevent malicious intrusion through Local Access Networks, using encryption on all confidential data at rest, requiring audit trails for all data access events, and maintaining alternate methods of Internet access in case of primary outage. However, security in the digital realm also rests just as heavily on common sense non-technocratic safeguards as brick-and-mortar security. Measures such as limiting release of information to matters of necessity, making ownership of all data explicit in provider service agreements, locking storage through passwords or physical keys, keeping local access backup for all remotely located documents, providing security audits to clients, maintaining worst-case data retrieval agreements, selecting outsourcing partners based on their stability and proven track record, and providing all service users with adequate training are the backbone of data security, virtually and corporeally.

Pennsylvania Bar Association. Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. Formal Opinion 2011-200.