Regular Internet users have likely heard the terms “cloud storage,” “cloud computing,” and/or “the cloud.” The “cloud” refers to electronic storage and programming resources available through the Internet instead of hosted on servers owned and wholly controlled by the owner of the stored information or the program’s user. The “cloud” consists of domains and servers accessible through a network of Internet service providers, and includes any service provided online and operated by a third party such as online data storage, Internet-based e-mail and Software-as-a-Service.
Cloud computing can benefit companies in a number of ways, particularly in reducing the cost of storing large volumes of data on-site. Cloud computing can also benefit lawyers in representing their clients. For example, online data storage can reduce the costs and inefficiencies associated with the storage and retrieval of large volumes of hard copy documents. Internet e-mail permits faster communication and the ability to transmit documents and files more quickly than express mail services. Finally, Software-as-a-Service can include useful law practice management programs that reduce costs and enhance the efficiency of client representation.
There also are concerns related to e-discovery, including whether the company owns or controls the data in the cloud and the extent to which the company has ready access to that data, particularly in the likely event that data is covered by pending discovery requests. Another concern is how the cloud vendor will respond to any third-party requests for information (e.g., a subpoena) and whether that vendor is obligated to notify the company of such requests prior to producing the requested information.
First, counsel must ensure that the company and its internal legal department use best practices to handle issues related to cloud computing, including the ethical obligations regarding privileged communications. Next, they must ensure that retained outside counsel also uses best practices to manage the company’s information and that outside counsel’s own use of cloud computing, including in connection with e-discovery, does not put any privileged communications at risk.
The opinion also points out that a lawyer must periodically audit the vendor’s security protocol to verify that the protocol still remains effective as technology changes. In addition, if the lawyer obtains information suggesting that the vendor’s security measures are no longer sufficient, or if the lawyer learns of a breach of confidentiality, the lawyer must investigate whether there has been a breach of confidentiality of its client information, must notify the client and must discontinue use of the service unless the lawyer receives assurances that the problems have been sufficiently cured.
Bar committees in other states (e.g., Alabama, Arizona, California, Nevada, New Jersey, North Carolina and Pennsylvania) have also reviewed ethical issues associated with cloud computing and have generally found the practice to be permissible. These committees all seem to agree that a lawyer’s ethical obligations have not significantly changed in view of these new technologies. Lawyers still have a duty to protect client confidential materials from third parties, whether it is stored in physical form in an on-site filing cabinet or electronically in a remote data center.
One potential option is to create a separate sub-sector in the cloud server where data, communications and documents generated by the legal department are stored and segregated from the company’s general information. This detailed knowledge would also assist in determining what search terms should be used to identify the likely authors or recipients of privileged communications.
While not absolutely foolproof, such sub-sectors and search capabilities provide a readily identifiable location and methodology for screening privileged communications during the e-discovery review.