IP, Legal Ethics, And The Cloud: 3 Things To Consider Regarding Client Confidential Information

We must hold ourselves to a high standard when using cloud services for clients' confidential information and valuable IP capital that is in our care.

Computer technology has been a boon to the practice of law.  From the advent of word-processing (sorry, typewriters) to sophisticated eDiscovery software, we now have the capability to process expansive amounts of information faster, more efficiently, and with greater accuracy.  As an intellectual property lawyer who handles a great deal of technology matters for my clients, I can tell you from first-hand experience that such technological innovation has been exciting to witness and even more exciting to implement in my practice.  That said, it is not without its unique challenges.   The advent of software-as-a-service (SaaS) models represent one of these challenges, and if you are not careful, such “cloud” services may end up raining on your practice and your client’s valuable information (and not in a good way).
A little background is in order.  Although there are different types of cloud services (such as those providing complete platforms or infrastructure), SaaS providers generally allow users to register for online services (many times for free for basic services) that permit them to use the software “service” as opposed to running the software natively on their computer.  By design, such subscription services allow users to share information across devices or platforms.  Also referred to as the “cloud” services, such services can be extremely helpful.  For example, services like Dropbox allow users to save files in their “virtual dropbox” to be accessed by other devices (and in some cases, by other users).  This may allow for more seamless access to files and information, but may also impose a greater burden on maintaining the safety and confidentiality of such information.  It is this problem that requires practitioners to be far more careful than they may realize.
As practitioners, we are bound to ethical rules of conduct. Although each state implements its own ethical rules for the members of its bar, most states have implemented some form of the American Bar Association’s Model Rules of Professional Conduct (“Model Rules”). These Model Rules prescribe the baseline standards for the ethical practice of law, to which all practitioners are required to adhere as implemented by their state bar.   The Model Rules discuss everything from the attorney-client relationship to the unauthorized practice of law; however, one of the seminal rules of conduct involves the confidentiality of client communications.  It is no surprise that this rule is held as sacred — confidentiality is the cornerstone of the attorney-client relationship, and violating such trust can be detrimental to both the client and counsel.  For intellectual property attorneys, this is especially important…and not just with respect to trade secrets.  Inventors will disclose highly confidential information to patent counsel that, if improperly disclosed, may bar potential patent rights.  Moreover, transactional  IP counsel may have valuable information regarding pre-release product development that can impact the stock of a publicly-traded client.  The examples are many, but the result is the same — a devaluation or loss of IP rights. When presented with storing this information in a cloud environment, the impact of a breach of confidentiality remains all too real.
With the advent of these technologies, confidentiality of client communications can no longer be assumed… and you can thank a downpour of hackers for it.  For example, Dropbox was hacked in 2013 by way of third-party apps, and then again in 2016 (to the tune of 68 million user login credentials).  Google, Yahoo, Evernote — the list goes on.  Practitioners can no longer assume that using such services will be safe.  In fact, the issue is becoming so prevalent that 24 states currently espouse advisory ethics opinions addressing the use of cloud services.  Although there are differences among these opinions, the bottom line is that use of cloud providers for storage of client files is permissible so long as a reasonable standard of care is exercised.  If you don’t practice in one of these states, you are not off the hook — those jurisdictions that have not issued such opinions arguably interpret their existing ethical rules to require no less than a reasonable standard off care regarding the handling of such client confidential information. The question, however, is whether that standard is enough for you and your clients.  Here are 3 things to consider when using cloud services regarding the storage and use of client confidential information:

Sponsored

  1. Beware of Free SaaS Services.  It is easy to fall victim to the lure of “free” services that provide valuable time-saving features for your practice — these services do not guarantee that the content you upload will  be safe. Worse, these services have almost all been hacked to some degree.  As result, I would argue that any practitioner that uses such services to store and access client confidential information may be in breach of their ethical duty to maintain the confidentiality of client information and communications.  Why?  Because they either know or should know that such cloud services have been breached.  If you like the cloud service, then look to pay for the premium versions that provide heightened authentication and protections.
  2. Encrypt, Encrypt, Encrypt.  For the record, I remain uncomfortable with placing client confidential information that represents valuable client IP within any cloud service.  The terms of use for such services do not (and cannot) guarantee against breach, do not provide mechanisms to indemnify you (or your client) from any claims resulting from the breach, and almost always limit the liability of the provider in the process.  That said, if you seek to do so, look for platforms that will encrypt the data — encryption will render the data useless without the appropriate access key.  This provides not only a “safe harbor” from data breach notifications should an incident occur, but also helps ensure that client confidential information doesn’t fall into the wrong hands.
  3. Be Aware of How You Use Cloud Services.  This may surprise you, but a vast majority of the time the risk to client confidential information in the cloud is not from hackers, but you.  That’s right — you.  I cannot stress this enough — strictly guard passwords to access such services.  To the extent assistants are provided access, they must adhere to strict policies and procedures governing access and use. Use dual-factor authentication where available.  This is especially important where information may be accessed from devices that are not under the control of the firm.  Again, I would argue that a failure to do so does not adhere to a reasonable standard of care for the handling of such client confidential information, thereby running afoul of your professional obligations.
These points are not exhaustive, but I think you get the point.  As practitioners, we should hold ourselves to a high standard when using cloud services for clients’ confidential information and valuable IP capital that is in our care.  Using cloud services can help but also hinder your practice if you are not careful.  By taking common sense steps, you can create an umbrella of protection for your clients that will help maintain client confidentiality as well as your ethical obligations.  If you don’t do so, you are inviting a different type of cloud to hang over your practice and your clients’ confidential information, and that is a storm you (and your clients) do not want to weather.

Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.

Sponsored