Informed Consent & Cloud Computing Joshua Lenon, esq. Clio – Practice Management Simplified
Jun 14, 2015
Cloud Computing Ethics Opinions
Traditional Computing Model
[Diagram: The Internet, Local Area Network]
Software-as-a-Service Model
[Diagram: The Internet, Local Area Network]
MODEL RULES OF PROFESSIONAL CONDUCT
Lawyers’ Duties
• Communication
  • Respond to or acknowledge client communications
• Diligence
  • On behalf of your client
• Competence
  • Awareness of changes in the law & practice
  • Benefits and risks of relevant technology
• Continuity
  • Records retention
• Confidentiality
R. 1.6 - Confidentiality
• Lawyers must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
• Exemptions exist
  • Disclosure is impliedly authorized in order to carry out representation of the client’s interests
• Duty extends to the use of nonlawyers assisting the lawyer
  • R. 5.3
Rules specifically allow lawyers to disclose confidential client information with informed consent.
Informed Consent
• “The agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.”
• Affirmative Response is Required
• Written Affirmation NOT Required on Disclosing Confidential Information
Informed Consent
• Requirements
  • Lawyer must make reasonable efforts to inform
  • Client possesses information reasonably adequate to make an informed decision
• Reasonable Standard
  • Reasonably prudent and competent lawyer
  • R. 1.0(H)
Reasonable and Cloud Computing
• Basic understanding of electronic protections afforded by technology
• Consultation with experts
• Use providers that have
  • Reasonable security procedures
  • Understanding of lawyers’ professional obligations
Security Procedures
• explicitly agrees that it has no ownership or security interest in the data;
• has an enforceable obligation to preserve security;
• will notify the lawyer if requested to produce data to a third party, and provide the lawyer with the ability to respond to the request before the provider produces the requested information;
• has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;
• includes in its “Terms of Service” or “Service Level Agreement” an agreement about how confidential client information will be handled;
• provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed;
• will host the firm’s data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and Pennsylvania;
• provides a method of retrieving data if the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity; and,
• provides the ability for the law firm to get data “off” of the vendor’s or third party data hosting company’s servers for the firm’s own use or in-house backup offline.
Server Security
• How is sensitive information being handled?
TRUSTe – Privacy Policy
“TRUSTe’s program requirements are based upon the Fair Information Principles and OECD Guidelines around notice, choice, access, security, and redress - the core foundations of privacy and building trust. Sealholders are required to undergo a rigorous review process to assess the accuracy of privacy disclosures and compliance with TRUSTe’s requirements in order to obtain certification.”
Data Escrow
[Diagram: SaaS provider, escrow provider, SaaS user]
Conclusion
• Lawyers’ duty of confidentiality can be a minefield
• Reasonable efforts on the part of the lawyer are required to use any tool that may risk disclosure – including cloud computing
• Informed consent protects lawyers from misconduct claims