THE USE OF “CLOUD COMPUTING” BY LAWYERS TO STORE
CLIENT INFORMATION
Research Paper for the Subject
PROBLEM AREAS IN LEGAL ETHICS
Submitted by:
Rey Castardo
Roselito Callena
Submitted to:
Atty. Celestial A. Gonzales
I. INTRODUCTION
Lawyers have a duty to their clients to ensure that information divulged by
the latter remains confidential even after the attorney-client relationship ends.
This is also true for prospective clients to whom the lawyer has given legal
advice.
The conventional method of ensuring confidentiality of information was
keeping it in safes usually located at the lawyer’s office or firm.
However, the advancement of technology has drastically changed how
lawyers store clients’ information, which includes sensitive data. Commonly, most
data is stored in personal computers or laptops usually accessible only to
the lawyer and/or his or her secretary or a trusted person.
As the internet age becomes more and more advanced, many lawyers
have made use of this technology to exchange information, both personal and legal.
Many lawyers may not realize it, but by storing or sending documents and other
information on the internet using email services such as Hotmail, Yahoo! or
Google or social networking sites such as Facebook or Twitter, they are
essentially using “cloud computing” or the “cloud”. The term was coined to mean
accessing from your computer data which is stored somewhere else. Other cloud
services also include storing any type of document remotely, termed cloud
storage.
The use of “cloud computing” has many advantages since data can be
accessed anytime and anywhere. It is especially useful for firms with multiple
lawyers as partners since the data accessed is assured to be up-to-date.
However, “cloud computing” also has inherent risks. Primary among these
are data integrity, accessibility and, most importantly, the possibility of
unauthorized access to sensitive client information.
For lawyers with many clients or many partners who are always on the
go, cloud storage is a convenient technological tool which can reduce the time to
study clients’ cases, prepare pleadings or prepare for hearings.
II. DEFINITION OF TERMS
(a) Cloud computing is a general term for anything that involves
delivering hosted services over the Internet.
(b) Computer refers to an electronic, magnetic, optical, electrochemical, or
other data processing or communications device, or grouping of such
devices, capable of performing logical, arithmetic, routing, or storage
functions and which includes any storage facility or equipment or
communications facility or equipment directly related to or operating in
conjunction with such device. It covers any type of computer device
including devices with data processing capabilities like mobile phones,
smart phones, computer networks and other devices connected to the
internet.
(c) Hacking is the practice of modifying the features of a system, in order to
accomplish a goal outside of the creator's original purpose.
(d) Hardware refers to the collection of physical elements that comprise
a computer system. Computer hardware refers to the physical parts or
components of a computer such as the monitor, keyboard, hard disk drive,
mouse, printers, graphics cards, sound cards, memory, motherboard and
chips, etc., all of which are physical objects that you can actually touch.
(e) Software refers to the collection of instructions that enables a user to
interact with the computer or have the computer perform specific tasks for
them.
III. CASE STUDY
Attorney John S. Ramos is a brilliant young lawyer who has many clients
and is always on the go. He is also a frequent user of the internet for research
concerning the many cases that he is handling.
His law office has an elaborate setup of computer equipment
in which they store all of their client information as well as related documents for
easy access. They have practically made an electronic copy of almost every
document about every case.
However, since Atty. Ramos is always away from the office, he is
considering storing the files in a cloud so that he can access them anytime, wherever
he is, and so answer queries made by his clients as well as prepare
necessary documents for litigation.
IV. STATEMENT OF ISSUES
A. Is it ethical for Atty. Ramos to store client information in the “cloud” without
violating the Code of Professional Responsibility?
B. Is it viable for a lawyer to use the “cloud” for storing and accessing client
data in the Philippine setting?
V. DISCUSSION
Attorneys using “cloud computing” are under the same obligation to
maintain client confidentiality as attorneys who use offline document
management.
It is imperative then that a lawyer who wishes to use “cloud computing”
have at least a basic understanding of the rewards and the risks involved in
using such a service.
The risks of “cloud computing” may be summarized as follows:
1. Network dependency. Perhaps the most basic drawback of cloud
computing is its dependency on the internet infrastructure. You need
an internet connection in order to access the cloud, and like anything
connection-based, it is prone to outages and service interruptions at
any time. This means that an outage could occur during a very important
task or transaction, either delaying it or losing it entirely if it was
time-constrained. This is in contrast to in-house servers, which are
hardwired: though users will be unable to access these servers
outside of the office, you can be sure that connectivity will be
constant within the office premises;
2. Centralization. Because organizations typically outsource their
data and application services to a centralized provider, a
dependency is formed on that company. If ever the provider is
for some reason unable to provide service, then all clients are
affected and this could cost money for everyone. This is especially
troubling if it occurs for extended periods; and
3. Data integrity. Data security is always paramount to any
organization. There is already a huge risk when the data is hosted
in-house; this is then compounded when it is placed offsite. This
opens up new avenues for attack and means that the data is
traveling a lot, giving attackers the opportunity to intercept it in
one way or another. Better encryption is required in this case, but
technology is always evolving and you can bet that if a person
came up with it, another person can break it. Privacy is another big
concern in data integrity. You are handing data over to a third party
and, even with a privacy contract, what’s to stop anyone from that
organization from taking a peek at the data and using it for self
gain?
The rewards of using “cloud computing”, on the other hand,
include:
1. Cost reduction. The low barrier of entry and the pay-per-use
model that cloud computing has make it very scalable for large
corporations yet still very affordable for small ones. This allows the
smaller firms access to the big guns, a powerful computing
infrastructure that previously could only be afforded by large
corporations. This is because of virtualization and the application of
the concept of economies of scale. Since not everyone will need
massive amounts of resources, these can be leased to other
clients, and the more clients there are, the cheaper the cloud
operation becomes as the costs are being divided among the
clients. This allows a cloud provider to offer virtually unlimited
resources;
2. Increased efficiency. Because of reduced costs and time savings,
firms can devote their time to other more important aspects. This is
also because of the increased throughput that cloud applications
can bring in the business processes;
3. Flexibility. Because organizations are not locked in by IT
infrastructure they spent millions on 5 years ago, they can actually
quickly change technologies and implementations without much
risk and cost. If the new implementation does not work out,
then they can just switch back just as quickly, and this allows
experimentation on the side of clients and gives developers and
providers reasons to also experiment with new services and
applications that their clients would need, even if they do not know
it yet;
4. Security gains. But wait, didn’t we say that security was a risk?
Well, it can be both, since security in cloud computing is just as good
or bad as old networking implementations. But the difference this
brings to a small organization with no technical knowledge is quite
outstanding. Instead of spending money acquiring and
implementing security systems and training someone to run in-house
implementations, the cloud provider already provides the hardware
and knowledge to implement modern security measures; and
5. Reliability. Despite the fact that internet connectivity is subject to
outages, not to mention the provider itself, this is still more reliable
than in-house systems because of the economies of scale. The
vendor can provide 24/7 technical support and highly trained,
experienced personnel to handle the infrastructure and keep it in
top condition, which all their clients can benefit from. Compare this
to the old model where each organization would have its own
team of on-site IT personnel which could be of questionable skill.
While the Code of Professional Responsibility does not specifically
address “cloud computing,” there are rules which, inter alia, are implicated.
Rule 16.01 states:
A lawyer shall account for all money or property collected or received for
or from the client.
Information received from clients is basically the property of the client
entrusted to the lawyer for safekeeping and only for the purposes agreed upon
by the lawyer and the client.
When the lawyer uses the “cloud”, he is entrusting the information to the
provider. This in turn makes it the lawyer’s responsibility to ensure that the
provider keeps the information intact and secure.
Because a server used by a “cloud computing” provider may physically be
kept in another country, an attorney must ensure that the data in the server is
protected by privacy laws that reasonably address the security needs of
information stored by the lawyer. Also, there may be situations in which the
provider’s ability to protect the information is compromised, whether through
hacking, internal impropriety, technical failures, bankruptcy, or other
circumstances.
Rule 21.01 states in relevant part:
A lawyer shall not reveal the confidences or secrets of his client except:
a) When authorized by the client after acquainting him of the
consequences of the disclosure;
xxx
It is then imperative that before a lawyer stores information in the “cloud”,
the client must be informed of such and the latter must be apprised of its
implications and the risks involved.
A lawyer must always bear in mind that the provider might have
employees who have access to the information, whether direct or indirect. This
is especially compounded if the provider stores the information in different places,
thereby increasing the number of employees handling the data stored.
Finally, Rule 21.04 provides that:
A lawyer may disclose the affairs of a client of the firm to partners or
associates thereof unless prohibited by the client.
By availing himself of the “cloud”, a lawyer makes the provider his
associate, hence making the former responsible for all the actions the latter may
do or not do.
Hence, the lawyer must be able to control the provider’s actions with
regard to the information stored. This means that the service provider who
handles client information needs to be able to limit authorized access to the data
to only necessary personnel, and ensure that the information is backed up,
reasonably available to the attorney, and reasonably safe from unauthorized
intrusion.
Also important is that the vendor understands, embraces, and is obligated
to conform to the professional responsibilities required of lawyers, including a
specific agreement to comply with all ethical guidelines. Attorneys may also need
a written service agreement that can be enforced on the provider to protect the
client’s interests.
Therefore, a lawyer must ensure that tasks are delegated to competent
people and organizations.
Also to be considered are the relevant laws regarding “cloud
computing” in the Philippines. Just recently, Republic Act 10175, or the Cybercrime
Prevention Act of 2012, was passed. The relevant parts applicable to “cloud
computing” are as follows:
SEC. 4. Cybercrime Offenses. — The following acts constitute the offense
of cybercrime punishable under this Act:
(a) Offenses against the confidentiality, integrity and availability of
computer data and systems:
(1) Illegal Access. – The access to the whole or any part of a
computer system without right.
xxx
This law, however, is in its infancy and enforcement is yet to be determined
in the Philippines and other countries. There are also some controversies surrounding the
abovementioned law and it is not guaranteed that said provision will be
retained.
VI. CONCLUSION
In other countries, particularly the United States, most Bar Associations
have opined that the use of “cloud computing” by lawyers is permissible
provided that some safeguards are met.
In the Philippines, the idea of the use of “cloud computing” by lawyers is a
relatively new issue that should be addressed. Many lawyers may have been
using it without realizing the risks involved in using such a service.
It is the researchers’ position that the use of the “cloud” by a lawyer is
ethical provided that at least the following standards of reasonable care are
followed:
Backing up data to allow the firm to restore data that has been lost,
corrupted, or accidentally deleted;
Installing a firewall to limit access to the firm’s network;
Limiting information that is provided to others to what is required,
needed, or requested;
Avoiding inadvertent disclosure of information;
Verifying the identity of individuals to whom the attorney provides
confidential information;
Refusing to disclose confidential information to unauthorized
individuals (including family members and friends) without client
permission;
Protecting electronic records containing confidential data, including
backups, by encrypting the confidential data;
Implementing electronic audit trail procedures to monitor who is
accessing the data;
Creating plans to address security breaches, including the
identification of persons to be notified about any known or
suspected security breach involving confidential data.
Aside from the reasonable standard provided, the lawyer must also
ascertain that the provider:
explicitly agrees that it has no ownership or security interest in the
data;
has an enforceable obligation to preserve security;
will notify the lawyer if requested to produce data to a third party,
and provide the lawyer with the ability to respond to the request
before the provider produces the requested information;
has technology built to withstand a reasonably foreseeable attempt
to infiltrate data, including penetration testing;
includes in its “Terms of Service” or “Service Level Agreement” an
agreement about how confidential client information will be
handled;
provides the firm with the right to audit the provider’s security
procedures and to obtain copies of any security audits performed;
will host the firm’s data only within a specified geographic area. If
by agreement, the data are hosted outside of the United States, the
law firm must determine that the hosting jurisdiction has privacy
laws, data security laws, and protections against unlawful search
and seizure that are similar to that of the country;
provides a method of retrieving data if the lawyer terminates use of
the service, the provider goes out of business, or the service
otherwise has a break in continuity; and,
provides the ability for the law firm to get data “off” of the vendor’s
or third party data hosting company’s servers for the firm’s own use
or in-house backup offline.
Although internet services in the Philippines are not that advanced and
sometimes experience outages, “cloud computing”
can still be used provided the above guidelines are observed. It must also be
noted that although the only law applicable to breaches of data security in the
cloud is in its infancy, it can still be enforced.