Client Data in the Cloud

Excerpted from “Ethics 20/20, Security, and Cloud Computing” TECHSHOW 2014

By Catherine Sanders Reach, ABA TECHSHOW Board 2015

One of the defining -- and for lawyers, the most alarming -- characteristics of SaaS (Software as a Service) or “Cloud Computing” is that SaaS solutions store data with a third party rather than on the user's computer.  In other words, when you use a web-mail service like Gmail, your actual emails reside on a remote served hosted by Google rather than on your own hard drive.  If the emails in question are confidential client communication, or if they contain sensitive document attachments relating to an ongoing case, some concern is understandable.  

Defining “Reasonable” in Rule 1.6

The standard of care for confidentiality has long been determined by what is reasonable, however it was left to the discretion of attorneys to determine the definition of “reasonable”. In the updated Comment [16] to Rule 1.6 of the ABA Model Rules a five point “checklist” for determining reasonableness of lawyer efforts to maintain confidentiality was established, including:

  • Sensitivity of information
  • Likelihood of disclosure without safeguards
  • Cost of additional safeguards 
  • Difficulty of implementing safeguards
  • Extent to which the safeguards adversely affect lawyer’s ability to represent clients

In discussing the duties under Rule 1.6 the ABA Ethics 20/20 Commission made it clear that they understand that lawyers can’t guarantee electronic security any more than they can guarantee the physical security of documents stored in a file cabinet or offsite storage facility.   Just like fires and floods, computer systems can suffer catastrophic events or they can be hacked.  The new Rule does not impose a duty on lawyers to achieve the unattainable. 

Importantly, mere inadvertent or unauthorized disclosure of, or unauthorized access to this information does not, by itself, constitute a violation of the Rule.  As we’ve seen recently, even the most security conscious entities can be hacked.


Entrusting confidential client data and personally identifiable information to a third party has always held risk. Even in the days of paper and offsite storage of physical files there has been risk of exposure. The risks have shifted, have become more complex, and may have somewhat grown. However, per the updated comment [8] to the ABA’s Model Rule 1.1 Competence the duty is “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology”.   In addition to maintaining awareness of any relevant ethics opinions on cloud computing and a thorough investigation of any company you do business there are steps you can take to mitigate risk in the cloud, and using technology in general.

Maintaining firewalls and up-to-date anti-virus and anti-malware, maintaining vigilance when opening attachments and surfing the Internet, scrutinizing the security protocols of cloud providers, maintaining adequate backup files, and keeping operating systems patched are all vital whether or not your firm uses cloud based SaaS or on premise storage.   


Your first line of defense is a good password – and lots of them. No matter how convenient using the same password for Gmail, Facebook, your online practice management, and your computer can put you at great risk. Good passwords are over 12 characters long, and include symbols and numbers.  Don’t use dictionary words and don’t store your passwords on your desktop! There are a variety of password managers to help you with this hurdle. Some come with the security suites. Others, such as LastPass, KeePass, Roboform and 1Password are separate and have different features and functions. 


Another option to safeguard access to your accounts is two factor authentication. Available for Gmail, Dropbox, LastPass, WordPress and more,  two factor authentication allows someone to access a program armed with something they know (a password) and something they have (usually a mobile phone). In order to access your account you would need both, reducing the chance that someone who is NOT you will access your account.  


There are third party encryption tools that allow you to encrypt documents and emails as necessary, especially when using free, consumer based products like Dropbox or Gmail that may have terms of service and privacy policies that run counter to confidentiality concerns. For encrypting files stored in online repositories such as Dropbox, Google Drive, or SkyDrive tools like Viivo or BoxCryptor let you easily encrypt and decrypt documents you save with an online service provider.  SendSecure, Enlocked, SecureGmail, Rpost and others let you encrypt email –and its attachments – easily and for free.  If the data you are sending or storing is highly confidential consider these means of extra protection. See the “How To” videos on using easy email encryption tools and using BoxCryptor to encrypt files stored in Dropbox, Google Drive, etc..


Recently headlines have been buzzing with zero day exploits, including those for Java and Internet Explorer. While these exploits have made news, many others do not. It is essential to keep all applications, add-ons, and applets patched on your machine. Easy targets for hackers include Adobe Flash, Apple’s QuickTime, Adobe Reader, and the aforementioned Oracle Java.  These programs run in the background most of the time in your browser and are usually called up only when needed by a web site. Do not ignore reminders to update these applications. If you are unsure whether the message to update is in itself a virus a quick Google search will usually confirm whether a patch has been issued. 


In many large organizations end users do not have administrative privileges on their machines. IT departments can reduce security threats by locking down computers on the network so that they do not have the permission to actually install anything.  Most people are resistant to this policy, so IT is constantly battered with requests to make an exception, just for them. However, this is one of the best ways to keep a computer from unintentionally installing malware or viruses in the background. While Apple’s OS X and Windows 7/8 have made major strides in alerting the user to provide permission to install software, these alerts will also be bypassed by smart viruses. By removing administrative rights, this threat is significantly reduced. Even solos running non-networked computers should set up the system so that the primary login does not have administrative rights. 

Another tactic, which is considered “security through obscurity” rather than an actual security software or policy, is to change administrative defaults and privileged accounts.  When possible change the default administrative name, ports, or directory names for things like routers, network installed software, individually installed software, or network shared ports.

All mobile devices that have the ability to connect with the firm’s network (including via Outlook Exchange or Dropbox) must have strong password protection, and the firm must be able to remotely wipe the date.  Firm policy should require that users notify IT staff or the office administrator if the device is lost or stolen immediately.


Firms must maintain constant vigilance against social engineering, and train all staff and lawyers to be wary.  Social engineering is a method of tricking a person to open the door for malicious attacks, and usually prey on fear, vanity, or the desire to help someone in need. You have all seen them: the direct message from Twitter from someone you know asking “what are you doing in this video?”; the email from a friend needing you to send money via electronic transfer because she lost her wallet while traveling outside of the country;  the email from the Better Business Bureau requesting you to click through to see a negative report that has been filed; and the list goes on. Learn to recognize the signs, practice defensive computing, and exercise skepticism to avoid having one of these tricks best you. 


Most of the time if Google or Dropbox or other large provider has a security issue the news will make the headlines. At the very least take a quick look at the technology section of the daily news (site/show/program) you consume for any breaking headlines. Legal technology and security blogs, like Sharon Nelson’s Ride the Lightening, or the free daily ABA Journal email are also fantastic resources for the current thought on “is it secure enough for a lawyer?”.  Technology, technology companies, terms and conditions, privacy policies, and services are in a constant state of motion.  For those products/services you use keep an eye on their press releases, social media outlets, and blogs for information you may need to know.




Reprinted with Permission. 2014© by the American Bar Association.  All rights reserved.  This information or any or portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association