Security Concerns Spark a Controversy Over a Bar Association's Endorsement of Cloud Computing.
North Carolina Bar's attempts to establish an ethical roadmap for attorneys interested in cloud computing services.
August 19, 2010 at 08:00 PM
Storing data on remote servers in a vendor's data center and accessing it via the Internet through various forms of “cloud computing” or Software as a Service (SaaS) can be a cost-effective solution for companies that don't want to invest in their own technical infrastructure. A SaaS vendor owns and maintains the infrastructure while the customer pays a periodic fee for that use.
But critics concerned about the security of data stored in vendors' data centers have thrown a curve ball at the North Carolina Bar's attempt to establish an ethical roadmap for attorneys interested in employing SaaS solutions. The setback comes even as the popularity of cloud computing grows.
Cloud-based vendor Mimecast released a survey in July, revealing that 51 percent of U.S. and U.K. organizations surveyed are now using some form of cloud computing service. Of those businesses using these services, 74 percent say that cloud computing has alleviated internal resource pressures, and 72 percent report an improved end-user experience, according to the survey.
But security holes in some systems make them vulnerable to cyber attacks and well-publicized online data breaches continue to occur periodically. Security flaws have raised questions about the ethics of storing clients' information in the cloud, given a lawyer's obligation to protect confidential client information from disclosure.
Addressing questions on this point, the Ethics Committee of the North Carolina State Bar in April published for comment a proposed, first-of-its-kind ethical opinion that would give lawyers in that state the green light to employ cloud computing solutions, while suggesting the importance of due diligence in hiring a vendor. It also provides an extensive set of questions that corporate law departments nationwide can adopt to determine if they've exercised due diligence.
Many legal technology experts heralded the proposed opinion for providing guidance on the evaluation of SaaS vendors while opening the door to using the cost-saving technology. But after receiving comments questioning the security of SaaS-based solutions, the committee in July decided to re-evaluate its position.
Compliance Roadmap
In its proposed opinion, the Ethics Committee concludes that lawyers “may contract with a SaaS vendor, provided the risks that confidential client information may be disclosed or lost are effectively minimized.”
An accompanying proposed opinion provides a roadmap for effectively protecting against the risk of a data breach when contracting with a SaaS vendor. It lists 23 questions that “a lawyer should be able to answer sufficiently to conclude that the risk has been minimized.” The questions examine whether the SaaS vendor has satisfactorily addressed the security issues implicit in cloud computing and whether the lawyers have probed sufficiently into the security systems.
The questions include whether the agreement with the vendor addresses confidentiality, how the data is protected and who has access to the data.
After meeting again in July, the ethics committee sent the proposed opinion to a subcommittee to study based on some comments received about the security of SaaS, according to Alice Mine, assistant executive director and ethics counsel of the North Carolina Bar. “The subcommittee was instructed to obtain input from IT-savvy lawyers about the security of confidential client information when a law firm uses SaaS,” Mine says.
Among the comments published on the state bar website is one from a South Carolina bank network/LAN administrator who wrote about problems with a large SaaS provider. “They were SAS 70 certified and had a major security breach. … [We] had a lot of explaining to do to our customers. [Some] cloud lovers assume, 'Since they're big, they're safe.'”
The subcommittee will study not only the “best practices” part of the opinion but also whether there is such a substantial risk to confidential client info that the proposed opinion should be changed to prohibit use of SaaS. “I do not think that the bar should dictate a particular mode for handling client information,” Mine says. The subcommittee will make a recommendation to the full ethics committee at a meeting in October.
Data Diligence
Cloud vendors contacted said they support the proposed ethics opinion and already take extensive steps to secure customer data.
Such companies now commonly complete a SAS 70 Level II security certification, providing a security report to clients based on the accepted auditing standard. The North Carolina Ethics Committee recommendations go a bit further in suggesting that a potential SaaS customer obtain a copy of a vendor's security audits.
“Plainly, the better practice is to obtain the audit,” says Wayne Matus, a partner at Pillsbury Winthrop Shaw Pittman. If the vendor will not release the audit, Matus recommends learning as much as you can, “such as who conducted the audit, what did it find specifically as to weaknesses, the methodology, and what was excluded and included in the scope.”
The North Carolina proposal recommends additional evaluation including inquiring about firewalls, encryption techniques, socket security features and intrusion-detection systems. And some experts suggest that this level of diligent inquiry be an ongoing process.
“Ensuring data security doesn't end after the initial due diligence review,” says Jeff Davis, a shareholder at Vedder Price. He recommends regular professional reviews of vendor data security procedures.
Addressing Concerns
Several SaaS providers said they are aware of customer concerns and provide extensive security information to current and potential customers.
CT TyMetrix, for example, “provides details of its security program, system security and audit results to prospective and current customers signing an NDA [nondisclosure agreement],” according to David Gardner, chief technology officer.
Sarah Brown, communications manager for Exterro, says her company provides similar information to clients and prospects. Exterro also offers a training and implementation program to ensure users know how to get data into and out of the system securely, she says.
Not all legal technology companies use SaaS, however, and those that don't contend they can, as a result, offer a higher level of security. For example, Rashad Porter, product strategy and services manager of DataCert, says his company, which maintains a non-SaaS hosting model, can offer a higher degree of data security by continuing to maintain individual firewalls for its customers rather than sharing databases, a practice common with some SaaS solutions.
But George Tziahanas, vice president-compliance for cloud service provider Autonomy, says his company doesn't share customer databases. Autonomy provides specific data center locations for its customers as well as a backup data center for each client at least 500 miles away from its primary data center.
“Our clients don't have to think 'It's 5 o'clock. Where is my data?'” says Deborah Baron, vice president, legal and information governance for Autonomy.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.