A recent article in the Florida Bar News, August 1, 2012, written by Gary Blankenship, brings up an interesting problem being discussed by the Bar's Professional Ethics Committee regarding the confidentiality of client information and the use of cloud computing.
"On the cloud computing issue, committee members said there are concerns because attorneys are placing confidential client information in the custody of third parties. . . . "This is an emerging area that lawyers are reading into without any idea of what they are getting into," said Steven Teppler. "There are no guidelines, because there are no standards out there for security, and there's no real way you can do your homework to be sure you are comporting with the ethical rules."
The article also stated that it was unlikely the committee would rule that cloud technology is improper to use, but that regulations needed to be put in place.
Judge Jim McCune in Marion County summed up the issues best when he stated: "There's a lot more to [the ethical issues] than meets the eye. Cloud computing gets outsourced to India and other places, and there's issues about whether you can repatriate your data that has been sent to those foreign places. Really, we all need some guidance on this."
When the HIPAA act was produced, technology was in its infancy. HIPAA has been a blessing or a curse to many within the health care industry. It created numerous regulations which have led to numerous impractical and unforeseen results due to overbearing policies that do not change along with technology. Other than just another pointless rumination within a blog post, the purpose of this article is to at least voice a protest in the event that knee-jerk reactions lead to ridiculous results in the future, and to avoid the costs of regulation and increased technology costs for law firms.
What is the Cloud, really?
The "Cloud" is a buzzword designed to create excitement around ye olde internet. Even though it is a buzzword designed for the sale of products, it is no different than the internet of old. Every Florida Bar member who conducts business through e-mail by logging into a Yahoo account or Gmail account is already conducting business in the cloud. If you use that e-mail account to communicate with clients, then you are using cloud based storage of confidential client communication.
In fact, if you have an internet line running into your office, and it is connected to computers that use the internet for research, you are using "the Cloud." If you use the internet for research through sites like Westlaw or Lexis-Nexis, you are leaving tracks behind (your browsing history) and these tracks are in possession of Westlaw or Lexis-Nexis's "cloud." These searches could reveal confidential concepts and ideas pertaining to defenses of cases, and if these are labeled by case or client, as is a feature on both websites, Lexis-Nexis and Westlaw could be storing more information about intended litigation arguments and issues than would be noted in a typical client file.
Cloud computing, in general, is based on the idea that as internet speeds increase, entire programs can be run from a web browser. The content created with those programs can be stored remotely, and the programs generally give options to create a local copy. Soon, with the increase in speed, we will see a world where the installed software on a PC will be limited to providing access to the internet so that cloud based applications can be accessed. Although they will be much more powerful devices than the dumb terminals of old, the essential concept of the computer being simply a conduit to display information from other more powerful computers is the same as a "dumb terminal." The benefit of the cloud is an expected savings to the consumer by replacing the need to host a server or purchase software. It provides for easy collaboration, and easy access, generally, from multiple kinds of devices.
Even though the concept behind the cloud is new, the technology that drives the ideas behind "the cloud" is nearly fifteen years old. However, due to slow internet speeds, these products and programs were not feasible for use by the general public. Because the technology and idea behind cloud computing is "old" (in technology terms) it has solidified for me that "Cloud" is a buzzword. The popular adoption of the term "Cloud" is simply a word for "Data stored on the internet, not stored on local drives."
Common Cloud Services
Cloud services are in their infancy. Currently, most Cloud services are used for backup of local data. As time progresses, more and more edits will be done remotely on that data by web applications. These would include Dropbox, Google Drive, iCloud, and other related services which allow for the storage of documents. iCloud used to operate differently than it does now, as the "iDisk" portion of that service has now been removed and they have switched to more of a "Google Docs" approach. Google Docs, on the other hand, has changed their service to be more like the now defunct iDisk.
Backing Up Data
Guidelines regarding the backing up of data on a webserver do not exist currently for attorneys. Many attorneys are looking more to the cloud to share information. The key issue of the security of data lies in the ability to encrypt transmission and communications.
One brief real world illustration of potential pitfalls of cloud computing: I created legal forms which I sold for $19.95 to anyone interested in purchasing the forms. Because I first designed them to be shared with attorneys, I placed my documents onto Google Docs so that other attorneys could have free rein to edit and copy the material as needed for their particular case. The documents that I uploaded to Google Docs were shared among a large group of attorneys, for anyone to edit, share, or collaborate on.
An attorney in another state then used Google Docs to make changes to my motions, adding his client's name and the case number. Because Google Docs automatically saves the changes, his online edits were published to any and every other attorney that had access to the forms. Ultimately the changes made by the attorney to my documents were to become public record in litigation, and I am a disinterested party, but the real world example illustrates a need for file permissions.
Two common sense rules that emerge from both of my comments:
1) All data that is concerning client information transmitted over the internet shall be transferred, in secure fashion, using 128 bit or 256 bit encryption for transmission.
2) All data concerning client confidential information should be set with permissions so that it is only accessible by employees of the firm.
HIPAA pointed out that e-mails or web traffic sent which contain patient information should be encrypted. See http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf. Along those lines, they have also suggested that the method of storing data should be such that it is in an encrypted form. They make suggestions as to the encryption of local folders. The publication I linked also contains information concerning the fact that if transmissions are encrypted, and if local documents are encrypted, then a security breach does not need to be disclosed to patients.
In fear of HIPAA compliance, and increasing reliance on the internet, most small health practices have adopted a policy of not allowing ANY communication from their servers that is not encrypted. Encryption, however, is good policy for data security, but if a hacker wants the data, they will obtain the data despite the encryption by obtaining the encryption key or the password which is associated with the data. HIPAA's requirement or suggestion of local encryption of data is overkill, as local file permissions should be sufficient to prevent "casual intruders." Most hacks concerning locally stored data will not be overly concerned with encryption (especially like Microsoft EFS) because once access is gained to the account that encrypted the information in the first place, all of that data will be decrypted. To put it in the simplest of terms, your Yahoo or Gmail account is "Encrypted" so that others cannot view it. However, once a hacker has your e-mail password or otherwise has access to your account, he can view all your e-mails in an unencrypted form.
Gdrive, Dropbox, and other "cloud based" backup tools generally provide for encryption of uploaded and downloaded material. They do not provide encryption of data, but they do not allow for the free dissemination of information, unless such a permission is checked.
In short, unencrypted storage of data should be permissible, even in the cloud, as long as such information is stored in a manner where it is not freely available to the outside world and steps are taken for prevention.
In the middle of writing this blog post, a fellow by the name of Bradley Wallace, in Raleigh, NC, whose number is 919-809-7121, called me. It was such a coincidence that I thought I had to mention him. He was calling and trying to sell me on the fact that his cloud based system, sharefile, would assist in the new e-service rules that take effect September 1st. He began discussing how the incoming e-mails can be automatically indexed and stored.
I began quizzing him relentlessly about the methods of encryption, and as to whether the storage was encrypted as well as the traffic. He sweated through my interrogation with the positive attitude and confidence of a man who had been on the phone all day being rejected by Florida attorneys who were uninterested in taking on a new expense. I include his phone number here not to punish him, but instead to say: Hey, this guy has a product that might be ethical per se. It is HIPAA compliant. They are filling a niche by providing encryption of both data and traffic, and have a customized agreement suited for that purpose, unlike Google Drive. I do not believe attorneys need full HIPAA compliance, but I do think that if it is HIPAA compliant it would be per se ethical. So, you Florida attorneys out there can call Bradley and see if he can show you what the system can do as far as automatic sorting of e-served documents into file folders. I have my own ideas on the matter.
It is August 1st, 2012, and while my e-mail address is on all my pleadings, I have approximately 50 cases where I do not have an e-mail address for service on opposing counsel. I have no belief that I will receive an e-mail address from these attorneys before September 1st. Especially the Plaintiff's foreclosure lawyers, where in pleadings the names of many attorneys appear, but not one real point of contact.
Clients' initial interactions, at least for me, generally start at my website. I currently have about four active domain names that I am running, and only one of them has 256 bit SSL encryption. I use this domain name that currently has an SSL certificate installed for all client communications through the web. Needless to say, any client communication which takes place through a website should be encrypted. It is incredibly rare for me to find any attorney website which has an SSL certificate installed. It can cost a lot of money.
It should be equally as rare for me to find an attorney site which has a "Contact us" or "Chat now" button, but it is not. Any site with this sort of function should For an illustration, if I look at the websites of the two top personal injury attorneys (or at least the top advertisers for personal injury cases) in Jacksonville, both of them have a "Contact us" page where client information is to be filled out. Neither of them has its contact form encrypted, and neither of them has the suggested disclosure to potential clients that information submitted through the website is submitted in an unencrypted form which may be viewed by third parties.
As of the time of this writing, I clicked on the "Chat now" button on one of the websites, and looked at the protocol and confirmed that the chat session that was initiated was insecure, and had no SSL encryption or other security protocols. These "chat now" functions are web based applications which use old protocols that used to be driven by software which would be located on your computer. Now that web based applications have been invented, they are being placed on attorney websites as a way to create more customer interaction. Implementation, even among the most apparently wealthy and well to do attorneys, has been done in a manner of shoot first and ask questions later. Feeling like they need to adapt or die, attorneys are paying for web development and customer interaction integration, without asking the typical questions that would normally be required.
The fantastic entity under the Florida Bar named LOMAS has issued statements regarding unencrypted communication and has been advising attorneys to disclose a lack of encryption for almost as long as "Contact Us" forms have existed on websites. This leads to some more guidelines which are repeats of the first one, but with slight additions and clarifications.
3) Client communications initiated through an attorney website should be encrypted or contain information regarding the lack of encryption.
4) This rule should not be made to require that the domain level encryption certificates are purchased, but rather that if any content or application is embedded or included in an attorney website without a security certificate, it should be sure to run over a secure socket layer. (A chat application can be on a website that does not have a pretty green padlock next to the URL, and still be secure if it is embedded within an insecure webpage, or somehow included in an insecure webpage.)
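A check for rules 3 and 4 above, added here as an example and not code from the original post: it parses a page, resolves every form target and embedded frame or script against the page URL, and reports which ones travel unencrypted and whether a disclosure notice is present. The sample page, the host names and the disclosure phrases are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (not a real firm's site): a page served over plain HTTP.
SAMPLE_URL = "http://lawfirm.example/contact.html"
SAMPLE_HTML = """
<html><body>
<h1>Contact us</h1>
<form action="/send-inquiry" method="post">
  <input name="name"><textarea name="case_details"></textarea>
</form>
<form method="post" action="https://secure.lawfirm.example/intake">
  <input name="email">
</form>
<iframe src="https://chat.vendor.example/widget"></iframe>
<script src="http://chat.vendor.example/chat-now.js"></script>
</body></html>
"""

# Attribute that carries the URL for each embedding tag we inspect.
EMBED_ATTR = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}
# Assumed wording of a rule-3 style notice; adjust to the firm's actual text.
DISCLOSURE_HINTS = ("not encrypted", "unencrypted")


class TransportAudit(HTMLParser):
    """Resolve every form target and embedded resource and note its scheme."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.items = []   # (kind, absolute_url, is_encrypted)
        self.text = []    # lower-cased text nodes, searched for a notice

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._add("form", a.get("action") or "")
        elif tag in EMBED_ATTR and a.get(EMBED_ATTR[tag]):
            self._add(tag, a[EMBED_ATTR[tag]])

    def handle_data(self, data):
        self.text.append(data.lower())

    def _add(self, kind, ref):
        url = urljoin(self.page_url, ref)
        scheme = urlsplit(url).scheme
        if scheme in ("http", "https", "ws", "wss"):
            self.items.append((kind, url, scheme in ("https", "wss")))


def audit(page_url, html):
    """Return a report on how a page's forms and embeds are transported."""
    parser = TransportAudit(page_url)
    parser.feed(html)
    page_encrypted = urlsplit(page_url).scheme == "https"
    plain = [(k, u) for k, u, enc in parser.items if not enc]
    secure_embeds = [(k, u) for k, u, enc in parser.items if enc and k != "form"]
    page_text = " ".join(parser.text)
    disclosed = any(hint in page_text for hint in DISCLOSURE_HINTS)
    return {
        "page_encrypted": page_encrypted,
        "unencrypted": plain,
        # Rule 3: an unencrypted form with no notice on the page.
        "missing_disclosure": any(k == "form" for k, _ in plain) and not disclosed,
        # Rule 4 case: the embed's own traffic is encrypted, but on an HTTP
        # page the tag that loads it arrives unprotected and can be altered.
        "secure_embed_on_plain_page": [] if page_encrypted else secure_embeds,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The disclosure check is a keyword heuristic; a page that words its notice differently will be reported as missing one.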
The McCune Conundrum
I do not personally know Judge McCune, but I hope that he has a sense of humor regarding the title of this section. He has presented, with his statement concerning cloud based computing hosted in India, an interesting problem which to my knowledge has never been faced. However, it is indeed a possible issue, given that "storage locker" type websites are often shut down for fear that they will be used for the purposes of piracy. By his concern over repatriation of the data, his fear seems to be that a cloud service may host data, and then decide, for any number of reasons, not to release that data back to its original source and owner.
I didn't ask Bradley regarding the question of, "Is my data safe, even if I stop paying you?" McCune is well positioned in his fear. As a hypothetical, take the case of a disbarred attorney who used cloud based storage. If the attorney simply stopped paying, and digital copies of important documents were all that existed, and the client needed a copy of that document, obtaining the data could be difficult. I could tell you one thing, however. If the data was encrypted, and the person who had the password died, it would cease to be just difficult to recover the data; it would instead be next to impossible. A "permission" based password system of security should be sufficient for cloud storage. A permission based system of security should not be sufficient for cloud storage, if it is not over an encrypted connection.
For this situation to occur, it would require an over reliance on cloud based architecture, without the existence of local backups. This is the sort of concept and idea that makes all old attorneys cringe and hesitate to embrace the future. Communication and access to client information is key to the operation of a law firm. Anyone who has ever handled technology for a law firm will tell you that when the internet goes down, they are hindered temporarily. However, when the phones go down, the law firm is outraged. One paralegal said to me, "When the internet goes down, at least our phones still work. Our local server still stays up so that we can do work." When the internet goes down, or access to the internet is not available, client information may also be unavailable. Using a cloud based "backup" system should not change the local server's information, but as we progress more and more away from local services, the McCune conundrum becomes more clear. What this shows is that web services should not be used as a sole method of data storage. Unpaid bills to hosting services might mean that you cannot retrieve your data or that it is deleted. Each hosting service has its own policies regarding these matters. If I took the time to review them it would be more like the earlier commercial when I mentioned sharedrive.
Local backups solve the McCune conundrum.
Help! My confidential client data is in the hands of a fellow in India.
I poke a little bit of fun regarding the Judge's statement that the data might be located on a server in India. However, he is only slightly wrong, and the truth might have scared him even more. Most "cloud" data storage isn't located on one server in India. In fact, the confidential client data is probably located on multiple servers throughout India, and being shifted around to different geographic locations all over the world at the whim of the cloud system administrator. I understand that this can make things a little more scary, but it is the truth. See how the software "OpenStack" works by visiting their website.
All of these online providers generally have agreements. Google Drive states: "The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones." http://www.trainsignal.com/blog/public-cloud-storage-privacy
In the face of the license, Google Drive has reassured all business customers that their "Private" data will remain private. Other than the license agreement which plainly appears to state otherwise, I would imagine this would be akin to a computer technician who needs to have access to all the files, and makes you sign a waiver to that effect, but does not disclose that information.
A bizarre hypothetical: Someone decides to sue Google and stores client confidential information on their Google Drive. Google decides to open it under the terms of their license. I would hate to be a judge in this situation.
The uploading of encrypted files would easily satisfy any requirements for client confidentiality. Even to Google, these files would appear to be gibberish. File names, however, would be able to be indexed and scanned. How much information can be gleaned from a list of file names? You would be surprised. As an added complication, the great reasons to use these tools (easy search of documents, quick and effective client research and drafting, etc.) would also be negated by the encryption.
Gmail and Yahoo web based accounts are commonly used among attorneys. That information is all scanned and used to advertise to you. Is it necessarily a leak of confidential information? Doubtful.
Help! My confidential client data is in the hands of a data center in Jacksonville. Or, why we attorneys might overreact about confidential data in the cloud.
Before cloud based services became publicly available, it was (and still is) common for Data Centers to "co-locate" a machine running Microsoft Exchange. Those whose firms armed them with BlackBerrys at one point or another, and who had frequent connection problems to their server, probably had a co-located machine. I could, for example, take my own web server and host it at Peak 10, my favorite Jacksonville data center. (I do not co-locate my machine though, just a shameless plug for some good folks.)
They would have access to the hard drive, and all client data if they decided to crack open the machine and take out the hard drive. Of course, Peak 10 and other reputable establishments would never do this. It is more likely that they would offer services software which would inspect all client data for evidence of a lack of integrity of the data. An absolute loss of data scares me more than my data being located in India.
Currently, cloud services are outperforming my hard drives in reliability, but I would never be without a local backup. I don't think any attorney at this point completely trusts cloud architecture to the point where he would migrate an entire business.
In essence, cloud services, and others like them, should be allowed to be your IT guy in the sky. You should be allowed to trust your IT guy not to go snooping around where he doesn't belong, or to use or abuse private information. The same could be said of the mailman taking important documents. "Do they open the envelope and peek inside?"
You should, however, be able to negotiate with your cloud provider, just as you could with Peak 10 or other independent establishments who do not require click to accept, one size fits all user agreements. The necessity for manpower to accomplish these tasks means that the large cheap providers do not have the time to custom negotiate a contract with you to protect your data.
Using a data center, or a high speed internet connection, can allow you to create your own "cloud" based services, without the need for relying on "click to accept" functions.
Help! My confidential client data is in the hands of my employees and accessible through a local server! And, I e-mail back and forth with my clients and employees concerning secure matters. Or, why we as attorneys are generally underreacting to confidential electronically stored data in general.
This HELP! section is probably how your firm is already set up. You are communicating with your clients via e-mail. While you might use an encrypted connection, you have no idea if they are using an encrypted connection unless you pre-shared a key and pre-arranged the message sending.
Original messages and data stores are kept in plain text for numerous reasons. Some of these data stores are kept on your webserver in an SQL database. Your "Contact Us" button might actually contact you, but it might also be storing those incoming messages in an SQL database for later retrieval, on your website, vulnerable to hackers, through your website. If your company intranet website uses a web based data system, accessible through a browser, and your client information is being stored there in an SQL database, you might be vulnerable. As far as data interception methods are concerned, database leaks are one of the biggest security flaws and vulnerabilities that can be experienced by a law firm. If your law firm website is on Google, it is being scanned at least three times a week for security holes by people all over the world, no matter how small and insignificant you may think your practice would be.
An attorney in Mississippi once told me a story about someone who would steal clients from him by hacking his voicemail. He swore up and down that a competing attorney was calling after hours, and using his default password, deleting his voicemails and taking the business. Today's equivalent might be an SQL database dump like the ones so popular in the news, or even a program that would just harvest "Contact Us" requests through a website and redirect them. An insecurely programmed site is likely to be more common among those who paid more for features within their website.
I already mentioned the website issues regarding client communication and a lack of SSL certificate, in both the contact forms and the web chat functions. Even for small businesses, HIPAA prevents this. We have no such official regulation as attorneys. Just the tiny voice of LOMAS making a suggestion. Honestly, such regulation would probably send attorneys scrambling to find ways to comply with HIPAA, and finding that their old reliable system of case management is no longer working how they would like it. I do not believe we should take HIPAA type measures, but I do believe that web access should be secure from intruders based on permissions.
5) Any attorney should take reasonable steps to ensure that client information passed over the internet is passed in an encrypted format whenever possible.
Once again, we can't be sure that the client is using an encrypted connection. The system of e-mail is too beneficial and crucial to the process of law and open communication with clients. However, it would be a shame to abandon it just because there is no way to know whether your client is using unencrypted web based mail, or is using an insecure port to download e-mail to his "Microsoft Outlook" at a public wi-fi hotspot.
Although it sickens me to say it, Facebook is actually a more secure method of communication with a client than if they decided to e-mail using an unencrypted connection on unencrypted wi-fi. If clients were so inclined to be able to receive PGP messages, this would be a decent solution. However, this is not a solution in most cases, because most people don't know how to send "encrypted" e-mails. Implementation of such systems, right now, would be expensive and nearly impossible.
Requiring encryption of communication traffic through a website is an additional cost that attorneys do not want to incur, but such cost would be a reasonable expenditure, in light of the importance of web traffic in a law office. The truth is that attorneys will be wary of adopting these standards unless they are forced into adopting these standards. I don't blame them. The costs can be outrageous from some companies who do hosting, but a reasonable amount is more like a maximum of $100.00 per year. Depending on hosting plans, certificates can run into the thousands. And if you have multiple websites, it is time to shell out money for those as well.
More Realistic Threats
A law firm's confidential data, stored with a nice secure long password, is more likely to be breached by an employee or someone with physical access rather than a hacker. Ultimately if a hacker wanted to get into your systems, and monitor all your internal and network traffic, he would gain physical access to your office and install a device which would plug into your network and begin analyzing the network traffic and allow undetectable access from the outside.
My data is as safe as I can make it, but I admit, there may be something I am overlooking. I am not as sharp as I once was regarding the details of computer security. I have learned one thing that will not change. If it is digitized, then it is available for someone to take, if they want it bad enough. The same could be said of a paper file.
Ultimately, a safe full of paper is much safer than using computer networks to store information. But we, as attorneys, are going a way that Congress has decided that health care cannot. Sometimes for the better, sometimes for the worse. The rapid communication of e-mail has changed the legal practice so much that we are adopting it for service as a preference over fax and US Mail. It has made it easier to communicate with clients, and sometimes more difficult to communicate with opposing counsel.
Now, I am preparing to design a Linux based automatic filing system for saving e-served documents locally, without paying anyone. Well, maybe sometime soon.
Oh, and I would also again like to make a public apology to Bradley Wallace, in Raleigh, NC, whose number is 919-809-7121, and who tried to sell me sharedrive. Mr. Wallace did sweat through my interrogation about their security and emerged on the other side looking like an overall decent guy. He just happened to have been unfortunate enough to catch me in the middle of this post. I swear I am not getting a kickback from sharedrive or Mr. Wallace. The timing was just perfect, and maybe this will drive him some business and pay back the bad karma I gave him early on in our call.