THE USE OF CLOUD COMPUTING BY LAWYERS TO STORE CLIENT INFORMATION

Research Paper for the Subject PROBLEM AREAS IN LEGAL ETHICS

Submitted by: Rey Castardo Roselito Callena

Submitted to:

Atty. Celestial A. Gonzales

I.

INTRODUCTION Lawyers have a duty to their client to ensure that information divulged by

the latter remains confidential even after the attorney-client relationship ends. This is also true even for prospective clients to whom the lawyer have given legal advice/s. The conventional method of ensuring confidentiality of information was keeping them in safes usually located at the lawyers office or firm. However, the advancement of technology have drastically changed how lawyers store clients information which includes sensitive data. Commonly, most data are stored in the personal computers or laptops usually accessible only to the lawyer and/or his or her secretary or a trusted person. As the internet age becomes more and more advanced, many lawyers made use of this technology to exchange information, both personal and legal. Many lawyers may not realized it but by storing or sending documents and other information in the internet by using email services such as Hotmail, Yahoo! or Google or social networking sites such as Facebook or Twitter, they are essentially using cloud computing or cloud. This term is coined to mean

accessing data in your computer which are stored somewhere else. Other cloud services also includes storing any types of documents remotely, termed cloud storage. The use of a cloud computing has many advantages since data can be accessed anytime and anywhere. It is especially useful for firms with multiple lawyers as partners since the data accessed are assured to be up-to-date. However, cloud computing also have inherent risks. Primary of these are data integrity, accessibility and most importantly, the possibility of unauthorized access to sensitive client information. For lawyers with many clients or many partners which are always on the go, cloud storage is a convenient technological tool which can reduce the time to study clients cases, prepare pleadings or prepare for hearings.

II. (a)

DEFINITION OF TERMS Cloud computing refers to general term for anything that involves delivering hosted services over the Internet.

(b)

Computer refers to an electronic, magnetic, optical, electrochemical, or other data processing or communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or storage functions and which includes any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones, smart phones, computer networks and other devices connected to the internet.

(c)

Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose.

(d)

Hardware refers to the collection of physical elements that comprise a computer system. Computer hardware refers to the physical parts or components of a computer such as monitor, keyboard, hard drive disk, mouse, printers, graphic cards, sound cards, memory, motherboard and chips, etc all of which are physical objects that you can actually touch.

(e)

Software refers to the collection of instructions that enables a user to interact with the computer or have the computer perform specific tasks for them.

III.

CASE STUDY Attorney John S. Ramos is a young brilliant lawyer who has many clients

and is always on the go. He is also a frequent user of the internet for research concerning the many cases that he is handling. In his law office, they have a setup of elaborate computer equipments wherein they store all of their client information as well as related documents for

easy access. They have practically made an electronic data of almost every document about every case. However, since Atty. Ramos is always away from the office, he is considering storing the files to a cloud so that he can access it anytime wherever he is so that he can answer queries made by his clients as well as prepare necessary documents for litigation.

IV. A.

STATEMENT OF ISSUES Is it ethical for Atty. Ramos to store client information in the cloud without violating the Code of Professional Responsibility?

B.

Is it viable for a lawyer to use the cloud for storing and accessing client data in the Philippine setting?

V.

DISCUSSION Attorneys using cloud computing are under the same obligation to

maintain client confidentiality as attorneys who use offline documents management. It is imperative then that a lawyer that wishes to use cloud computing must have at least a basic understanding of the rewards and the risks involved in using such service. The risks of cloud computing may be summarized as follows: 1. Network dependency. Perhaps the most basic drawback of cloud computing is its dependency to the internet infrastructure. You need internet connection in order to access the cloud, and like anything connection based, it is prone to outages and service interruptions at any time. This means that it could occur during a very important task or transaction, either delaying it or losing it entirely if it was time constrained. As opposed to in-house servers that are

hardwired. Though users will be unable to access these servers outside of the office, you can be sure that connectivity will be constant within the office premises; 2. Centralization. Because organizations typically outsource their data and application services to a centralized provider, a dependency is formed towards that company. If ever the provider is for some reason unable to provide service, then all clients are affected and this could cost money for everyone. This is especially troubling if it occurs for extended periods; and 3. Data integrity. Data security is always paramount to any

organization. There is already a huge risk when the data is hosted in-house, this is then compounded when it is placed offsite. This opens up new avenues for attack and just makes sure that data is traveling a lot ensuring that attackers will be able to intercept it in one way or another. Better encryption is required in this case, but technology is always evolving and you can bet that if a person came up with it, another person can break it. Privacy is another big concern in data integrity. You are handing data over to a third party and even with a privacy contract, whats to stop anyone from that organization from taking a peek at the data and using it for self gain. The rewards you get from cloud computing utilization on the other hand includes: 1. Cost reduction. The low barrier of entry and the pay-per-use model that cloud computing has makes it very scalable for large corporations yet still very affordable for small ones. This allows the smaller firms access to the big guns, a powerful computing infrastructure that previously could only be afforded by large corporations. This is because of virtualization and the application of

the concept of economies of scale. Since not everyone will need massive amounts of resources, these can be leased to other clients, and the more clients there are, the cheaper the cloud operation becomes as the costs are being divided among the clients. This allows a cloud provider to offer virtually unlimited resources; 2. Increased efficiency. Because of reduced costs and time savings, firms can devote their time to other more important aspects. This is also because of the increased throughput that cloud applications can bring in the business processes; 3. Flexibility. Because organizations are not locked in by IT infrastructure they spent millions of 5 years ago, they can actually quickly change technologies and implementations without much risk and cost. If it does not work out for the new implementation then they can just switch back just as quickly, and this allows experimentation in the side of clients and gives developers and providers reasons to also experiment with new services and applications that their clients would need, even if they do not know it yet; 4. Security gains. But wait, didnt we say that security was a risk? Well it can be both since security in cloud computing is just as good or bad as old networking implementations. But the difference this brings to a small organization with no technical knowledge is quite outstanding. Instead of spending money acquiring and

implementing security systems training someone to run in-house implementations, the cloud provider already provides the hardware and knowledge to implement modern security measures; and 5. Reliability. Despite the fact that internet connectivity is subject to outages, not to mention the provider itself. This is still more reliable

that in-house systems because of the economies of scale. The vendor can provide 24/7 technical support and highly trained experienced personnel to handle the infrastructure and keep it at top condition, which all their clients can benefit from. Compare this to the old model where each organization would have their own team of on-site IT personnel which could be of questionable skill. While the Code of Professional Responsibility does not specifically addresses cloud computing, there are rules which, inter alia, are implicated. Rule 16.01 states: A lawyer shall account for all money or property collected or received for or from the client. Information received from clients are basically the property of the client entrusted to the lawyer for safekeeping and only for the purposes agreed upon by the lawyer and the client. When the lawyer uses the cloud, he is entrusting the information to the provider. This in turn makes it the lawyers responsibility to insure that the

provider keeps the information intact and secure. Because a server used by a cloud computing provider may physically be kept in another country, an attorney must ensure that the data in the server is protected by privacy laws that reasonably addresses the security needs of information stored by the lawyer. Also, there may be situations in which the providers ability to protect the information is compromised, whether through hacking, internal impropriety, technical failures, bankruptcy, or other

circumstances. Rule 21.01 states in relevant part:

A lawyer shall not reveal the confidences or secrets of his client except: a) When authorized by the client after acquianting him of the consequences of the disclosure; xxx It is then imperative that before a lawyer stores information in the cloud, the client must be informed of such and the latter must be apprised of its implications and the risks involved. A lawyer must always bear in mind that the provider might have employees which have access to the information, whether direct or indirect. This is specially compounded if the provider stores the information on different places whereby increasing the number of employees handling the data stored. Finally, Rule 21.04 provides that: A lawyer may disclose the affairs of a client of the firm to partners or associates thereof unless prohibited by the client. By availing himself of the cloud, a lawyer makes the provider as his associate, hence making the former responsible for all the actions the latter may do or not do. Hence, the lawyer must be able to control the providers actions with regards the information stored. This means that the service provider who

handles client information needs to be able to limit authorized access to the data to only necessary personnel, ensure that the information is backed up, reasonably available to the attorney, and reasonably safe from unauthorized intrusion. Also important is that the vendor understands, embraces, and is obligated to conform to the professional responsibilities required of lawyers, including a

specific agreement to comply with all ethical guidelines. Attorneys may also need a written service agreement that can be enforced on the provider to protect the clients interests. Therefore, a lawyer must ensure that tasks are delegated to competent people and organizations. Another thing to consider are the relevant laws regarding cloud computing in the Philippines. Just recently, Republic Act 10175 or Cybercrime Prevention Act of 2012 was passed. The relevant parts applicable to cloud computing are as follows: SEC. 4. Cybercrime Offenses. The following acts constitute the offense of cybercrime punishable under this Act: (a) Offenses against the confidentiality, integrity and availability of computer data and systems: (1) Illegal Access. The access to the whole or any part of a computer system without right. xxx This law however is at its infancy and enforcement is yet to be determined in the Philippines and other countries. There is also some controversies in the abovementioned law and it is not guaranteed that said provision might be retained altogether.

VI.

CONCLUSION In other countries, particularly the United States, most Bar Associations

opined that the use of cloud computing is permissible to be used by lawyers provided that some safeguards must be met.

In the Philippines, the idea of the use of cloud computing by lawyers is a relatively new issue that should be addressed. Many lawyers may have been using it without realizing the risks involved on such service usage. It is the researchers position that the use of the cloud by a lawyer is ethical provided that the at least the following standard of reasonable care are followed: Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted; Installing a firewall to limit access to the firms network; Limiting information that is provided to others to what is required, needed, or requested; Avoiding inadvertent disclosure of information; Verifying the identity of individuals to whom the attorney provides confidential information; Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission; Protecting electronic records containing confidential data, including backups, by encrypting the confidential data; Implementing electronic audit trail procedures to monitor who is accessing the data; Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data; Aside from the reasonable standard provided, the lawyer must also ascertain that the provider: data; has an enforceable obligation to preserve security; explicitly agrees that it has no ownership or security interest in the

will notify the lawyer if requested to produce data to a third party, and provide the lawyer with the ability to respond to the request before the provider produces the requested information;

has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;

includes in its Terms of Service or Service Level Agreement an agreement about how confidential client information will be handled;

provides the firm with right to audit the providers security procedures and to obtain copies of any security audits performed;

will host the firms data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are similar to that of the country;

provides a method of retrieving data if the lawyer terminates use of the service, the provider goes out of business, or the service otherwise has a break in continuity; and,

provides the ability for the law firm to get data off of the vendors or third party data hosting companys servers for the firms own use or in-house backup offline. Although internet services in the Philippines are not that advanced and are sometimes constantly experience outages in internet service, cloud computing can still be used provided the above guidelines are observed. It must be also noted that although the only law applicable to breaches of data security in the cloud are at its infancy, it can still be enforced.