Is legal confidentiality, or attorney-client privilege, assured for data stored via cloud computing?
The state of cloud computing in the current era of near-ubiquitous online access has led to some important legal considerations. This is particularly true with regard to online security, expectations of privacy, and the preservation of attorney-client privilege.
A metaphor created by online marketers, "The Cloud" simply refers to services that store data for customers on the Internet. Any particular cloud’s scope – whether private, community, or public – determines the extent to which other online users have access to this information. These levels of privacy, however, necessarily rely on the implementation of adequate online security.
Over the past several years, a number of large and recognizable computing companies (including Google, Apple, Microsoft and others) have begun to offer cloud-based services to consumers worldwide. Still, many of the early innovators in the field have been smaller, free-service companies.
Take Dropbox.com. A leading provider of cloud-based services, San Francisco-based Dropbox, Inc. offers its clients cloud storage and online file synchronization. Its free (up to a certain storage capacity), relatively simple and easy-to-use software allows authorized users access to shared data online. But, since its founding in 2007, the company’s practices have raised privacy concerns with regard to internal access to customer data by Dropbox employees, and with respect to leaks of private data should the company suffer another security breach.
In the summer of 2012, ZDnet.com reported that the company had discovered suspicious activity on its servers and, in mid-August of that year, the company suffered a serious breach in which stolen passwords were apparently used to access employee Dropbox accounts.
In both cases, Dropbox informed the public of these breaches and took measures to shore up its online security. Nevertheless, incidents such as these serve to remind cloud users of the importance of online privacy and the security of their data. Moreover, attorneys and their clients have an additional responsibility to secure sensitive information stored or exchanged by means of a cloud storage provider. Such a situation could compromise one of the cornerstones of the legal profession: attorney-client privilege, or the client’s legitimate expectation that any information exchanged with his or her lawyer will be kept confidential.
Users might rightly question the extent to which the privacy of their data and communications are protected within the cloud. Companies, additionally, may have concerns about the security of trademarked or proprietary data stored there. And, in some cases, there may exist a dispute about who actually “owns” data that resides on cloud servers, the customer or the custodial cloud provider.
Allan W. Krantz, an attorney writing for the law firm of McDonnell Boehnen Hulbert & Berghoff LLP (www.mbhb.com), has considered some of the issues related to cloud providers (particularly Dropbox) with respect to attorney-client privilege.
Krantz outlines the major concerns that arise as attorneys shift from local to online data storage, including the potential access of a third party or perhaps a corporate competitor to sensitive information stored online. While he asserts that security at firms such as Dropbox is a valid area of interest, the company’s overall level of file encryption far exceeds the security routinely observed by most law firms. According to a 2010 legal technology survey cited by Krantz, for example, “only 10 percent of law firms automatically encrypt outgoing emails.” (“Attorney-Client Privilege in the Cloud.”)
A more pressing legal consideration explored by Krantz is the subject of e-discovery, or access to privileged data stored on the cloud by means of subpoena. Krantz observes that US courts have, thus far, consistently refused to waive attorney-client privilege in recent cases, “so long as the communicating party reasonably believed that the information was safe from access by third parties.”
In his final estimation, Krantz concludes that,
Dropbox and other cloud storage services present little (if any) additional risk of disclosure to third parties ... and may present even less of a risk than other methods of communication.
Nevertheless, as a recent legal ethics panel on “Technology’s Threat to Confidentiality, Attorney-Client Privilege, Marketing, and Researching Jurors” has pointed out,
The duty of competence requires lawyers who use [electronic documents and] mobile devices to take reasonable measures to protect against disclosing information relating to the representation of a client.
Thus, the responsibility to secure privileged information ultimately rests with attorneys, who likewise have a professional obligation to educate themselves about issues of technological security, and to inform their clients accordingly.