4 things to know about cloud-based e-discovery vendors
Before you entrust your client’s data to a third party, the ethical implications of that relationship must be considered and all doubts and questions resolved before any transfer of data. In this respect, a cloud-based e-discovery provider is no different from any other vendor; simply because the data is stored in “the cloud” does not mean that any greater or lesser analysis of your ethical obligations should take place. The preliminary questions may be different, but the primary question remains the same: can this provider protect my client’s confidential information, so that it is not improperly disclosed to other parties?
The main ethical rule that comes into play here is that of Client Confidentiality (ABA Model Rule 1.6), but would also include the rule requiring lawyers to protect their client’s property (ABA Model Rule 1.15). A recent change to ABA Model Rule 1.1 (Competence) may also apply in this situation—it now defines “competent representation” as understanding the technology used to undertake representation of the client. To translate for the purposes of this article, it is in your best interest to have at least a reasonable understanding of how a cloud-based e-discovery tool works before you undertake to use it on behalf of a client.
We won’t engage in an in-depth discussion of the ethical issues to be considered—for that, check out Cloud Computing for Lawyers by Nicole Black, published by the ABA’s Law Practice Management Section. Most state bars haven’t considered the issue yet—so far, we have seen ethics opinions from Alabama, Arizona, California, Iowa, Nevada, New York, North Carolina, Oregon, Pennsylvania and Vermont. In general, they all state that using cloud computing services is ethical, as long as certain precautions are followed.
As you’ll notice, these considerations are necessarily vague. As technology changes, and vendors continue to innovate in the ways that they provide services, lawyers should remain prepared to adjust their requirements.
1. The fine print.
Make sure the Service Level Agreement (SLA) includes terms on how the vendor will protect the confidentiality of your client’s information.
2. Check under the hood.
Satisfy yourself that the vendor offers sufficient protection for your client’s data. A reputable e-discovery provider will provide strong security in the following areas:
● Firewall—to prevent data from moving into or outside of the provider’s storage facility.
● Encryption—to protect data as it is transmitted between you and the vendor, as well as protect it from being opened should it be accessed by a bad actor.
● Intrusion Detection and Data Loss Prevention measures—to understand when an attack is made, or when data is being transmitted from the vendor’s storage facility.
3. Data portability.
Over time, your relationship with the vendor may change—you may decide to terminate your contract, or fall behind in making payments for the service. The service itself may go out of business. In any of these occurrences, you must be able to retrieve the data stored with the vendor. Alternatively, you can arrange to have access to a backup of the information, or to the vendor’s software so you can gain temporary access to the information.
4. Re-Evaluate, regularly.
Technology changes over time, and some cloud tools might not keep with the latest in security. Revisit your relationships with cloud vendors each year to make sure they still meet the standards necessary to keep you in compliance.