Whether or not to use the Cloud in your legal practice: that is the question. To be, or not to be, in the Cloud depends heavily on the ethical rules that guide our profession. Not surprisingly, those ethics commissions are having just as much difficulty grappling with the question as are the ordinary practitioners faced with the attractive option of SaaS and cloud products. Is there an ethical trap inherent in the use of these tools, just waiting to be sprung?
Fortunately, the ABA Commission on Ethics is striving to be realistic in its approach to the use of cloud computing and possible violation of client confidentiality. The Commission has drafted a proposal to assist lawyers in making decisions regarding cloud services.
The gist of the proposal, as well as the gist of the ethics opinions rendered by state bar associations, is that a lawyer need take “reasonable” steps to ensure client confidentiality and that this same standard applies to use of the cloud to transmit client data. Some opinions also combine the concept of flexibility with reasonableness, clearly a nod to the “everchanging nature” of technology. Protection level may be adjusted based on the client’s needs and nature of the information involved. And, rightly so, the onus should be on the lawyer to establish that he or she acted reasonably with respect to the use of technology for storage, manipulation and transfer of data. This includes a showing that the lawyer acted diligently by, for example, analyzing terms of service, privacy policies and security features, and actively took the steps necessary to ensure the greatest level of protection available. This does not necessarily require a complete refusal to use anything cloud in support of your practice.
Take a look at some of the reported ethics opinions. From these, you should be able to get a sense of what is required of you when you opt to look skyward for technological assistance. And remember, just because it comes from the cloud doesn’t necessarily mean that something wicked this way comes.
- Iowa State Bar Association Committee on Ethics and Practice Guidelines: Ethics Opinion 11-01 Use of Software as a Service – Cloud Computing – September 9, 2011
- Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility: Informal Opinion 2010-60 (January 1, 2011) – no link
- New York State Bar Association Committee on Professional Ethics: Opinion 842 – September 9, 2010
- State Bar of Arizona Ethics Opinion 09-04: Confidentiality; Maintaining Client Files; Electronic Storage; Internet – December 2, 2009
- New York State Bar Association Committee on Professional Ethics: Opinion 820 – February 8, 2008
- Maine State Bar Professional Ethics Commission: “Client Confidences: Confidential firm data held electronically and handled by technicians for third-party vendors;” Opinion 194 – June 30, 2008
- New Jersey Bar Advisory Committee on Professional Ethics: “Electronic Storage and Access of Client Files;” Opinion 701 – April 24, 2006
- State Bar of Arizona Ethics Opinion 05-04: Electronic Storage; Confidentiality – July, 2005
Have a need for all the patent and trademark information you can handle? Have no money to spend? Don’t worry, Google and the U.S. Patent and Trademark Office have you covered. Available for free download are ten (count them) terabytes of patent and trademark information courtesy of the Goog and USPTO (link here). Right now, this includes all granted patents and trademarks, and published applications, both full text and images. Google and the USPTO are planning to make available in the future additional data, such as file histories and related information.
What can you do with this data? Well, if you are clever, you can track trends and apply interesting filters to cull out the data behind the data. And with a free download, it sure beats waiting for the USPTO to ship it to you via DVD or other hard media. Nicely done, boys. Read the full story on the Google Public Policy Blog here.
I haven’t picked on Wikipedia in a while, so when I got the Legal Writing Institute email this morning with a link to the article entitled Wikipedia in Court: When and How Citing Wikipedia and Other Consensus Websites is Appropriate, I figured it was time for another go-around with the authority-by-crowd-compromise site. Authors Hannah Murray and Jason Miller undertake to define a process to determine when citing to Wikipedia is o.k., despite its faults, failings and questionable authority. The authors premise their article with an explanation of the difference between citing sources like Wikipedia or, egad, the Urban Dictionary for the meaning of slang terms and relying on such sources for the “contours of the xyphoid process.” In short, the authors believe that appropriate citation of Wikipedia is driven by the legal context in which the citation will be used and the structural limitations of Wikipedia in that same context. I say there is no such thing as appropriate citation to Wikipedia in the context of a legal brief or judicial opinion.
One of the issues is that Wikipedia articles are open to constant revision from any source. The authors believe that some of this concern can be addressed by qualifying the citation by date and time, and explain how to find the time-stamp for the particular page. The authors also believe that Wikipedia is a fine resource for determining the community or consensus perspective on a non-legal concept. Thus, the more technical and formalistic a concept, the less appropriate it is to cite Wikipedia.
While I am right there with the authors on their caution against citing the big Wiki for technical concepts, scientific or biographical data, I am still not convinced it is a reasonable source for crowd consensus on the meaning of common phrases such as “business day.” Take, for example, the fact that women are highly underrepresented on Wikipedia as editors and contributors and you are missing half of the population that might have an opinion on what a business day is. The field is further narrowed when you consider that Wikipedia contributors are a fairly small (and shrinking) subset of on-line denizens – those that would even consider taking the time to edit a group Wiki. This small subset cannot and should not be considered to be even a remote facsimile of a public “consensus” on any subject, let alone one that might drive the opinion of a court.
The authors opine that the Wikipedia entry is likely more reliable when it is “common wisdom [that] is more likely to be correct.” If so, then why cite Wikipedia at all? Why wouldn’t it be the subject of judicial notice at that point? I say, back away from the Wikipedia and look to the underlying sources. I challenge their conclusion that Wikipedia is a “great source” in this context – go ahead and use it to look up information to settle a quick argument at the bar or to pull links or lists of other resources that might actually be curated and reliable. But don’t even think about going there to support something as important as a legal decision.
For what it is worth, and to sit on the other side of the fence for a moment, any citation to Wikipedia that relies solely on date and time is insufficient – I would hope that anyone citing the source as authority would also consider attaching a copy of the actual language on the page at the time of citation. Consider using a handy Internet Explorer or Firefox tool like iCyte, which freezes a page in time for later review. Then, be prepared to defend your use of this highly questionable resource.
File under interesting, secondary research resource – the Library of Congress has released an on-line tutorial on how to find and use census data. Topics in the 10-minute Flash-based tutorial include: population statistics; locating data on people and households by subject; using census products; information about the Census Bureau’s American FactFinder search engine; and, finding materials through the LOC’s Business Reading Room and the online Business Reference Services website. There is also a great list of Bureau resources. Check out the tutorial and learn more about how the Census Bureau collects, organizes and shares its valuable information.
I have noticed a lot of attention paid lately to issues regarding data security and online privacy issues. Today, from a somewhat unlikely source, I read an article regarding some of the laws affecting how to handle data and privacy issues. David Perkins writes at the Insurance Journal about What to Know About Red Flags, Notification Laws and the Hi Tech Act. The article is not exhaustive, but it does offer a primer for the practitioner interested in where privacy laws are now and where they appear to be headed.
Perkins hits on the Hi-Tech Act, enacted as part of the Stimulus package, which establishes a federal layer of protection for patients. On the one hand, the Act mandates electronic transmission of more patient information, ostensibly to modernize the manipulation of medical information, while at the same time tightening up the notification process in the event of data breach.
Perkins also hits on a broad Massachusetts regulation enacted one year ago, 201 C.M.R. 17.00, which applies to persons anywhere who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.” Protections are expanded under the regulation and fines can be imposed. At least 44 states have enacted their own data privacy and notification laws and regulations, with mechanisms for fines and penalties.
The “Red Flags Rule” also applies broadly to “financial institutions” and “creditors” with “covered accounts” and addresses the establishment of identity theft protection programs.
Coming down the road is the Data Accountability and Trust Act, which appears imminent. The Act contains notice requirements when data breaches occur and sensitive information is tapped.
The article does not deal with the ethical burdens and additional losses occasioned by data breach in the context of a legal practice. Client confidences are akin to patient privacy; in the case of legal representation, the potential downside of a breach may implicate both the data privacy and notice rules and professional codes of ethics.
While much of the data privacy and notice area remains uncharted, it certainly helps to understand the legislated concerns and the mechanics of how our electronic systems operate in order to assess and address the potential risks.