The Cloud and the NSA

In November 2013, the Committee on Small Law Firms of the New York City Bar issued a comprehensive report titled “The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations.” This report is an excellent summary of the current status of the thinking on this subject. Over the years, several of these columns have discussed the evolving ethical issues involved in lawyers storing and using information in the cloud, so there is no reason to repeat them now.

However, the report concludes with eight suggested guidelines for lawyers to apply in using the cloud, which merit summarizing here:
1. Use only reliable providers.
2. Document your due diligence.
3. Read the contract, then decide your risk tolerance.
4. Be sure the contract contains certain key terms covering ownership of data, back-ups, data storage location, access to data, security, breach notice, subpoena notice, access to data without Internet connection, and meaningful support.
5. Get client consent for using the cloud.
6. Understand the technology used.
7. Keep the data encrypted.
8. Establish data management policies and procedures.

The report concludes:
“[T]he answer to the question [“should I use the cloud?”] is an ultimately personal one. The authors recommend that each lawyer analyze his or her own decision matrix, balancing costs versus benefits, and risks versus rewards.” The implication is that there is a rational balance under which storage of information in the cloud complies with New York’s Rules of Professional Conduct and is otherwise ethical and appropriate.

Let us now add another complication. On February 16, 2014, The New York Times ran an article that began: “The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers.” This information was disclosed in the documents released by Edward J. Snowden, and is related to eavesdropping on communications between the government of Indonesia and its American counsel. The article noted that this matter “is of particular interest because lawyers in the United States with clients overseas have expressed growing concerns that their confidential communications could be compromised by such surveillance.”

Comment 16 to Illinois Rule of Professional Conduct 1.6 states: “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” And Comment 17 states: “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. … Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

I believe that Snowden’s disclosures make it safe to say that nothing that is transmitted through or stored in the cloud is confidential. The information can be and is intercepted, copied, stored and read by service providers, hackers, and governments. All the lawyer can do to create a reasonable expectation of privacy is to apply the guidelines suggested by the New York City Bar.

But is this enough? In the risk analysis suggested by the authors of the City of New York Bar report, you must now add as a risk that the government has access to your communications and files. While you might be protected in the United States by the Fourth Amendment and the exclusionary rule from having your client prosecuted based on the pilfered information, you have to recognize that the information is no longer secret. There is now an entire category of information that is best kept on paper records locked inside a metal file drawer.