Concerns With Using "Cloud" Document Sites for Confidential or Proprietary Information
July 31, 2013
By: Robert J. Munnelly, Jr.
The use of cloud-based document sites is growing and many believe they promote mobility, flexibility, organization and efficiency. Nevertheless, it would be a mistake to believe that such cloud sites - especially free sites (such as Dropbox and Google Docs) - are appropriate for housing sensitive or confidential information. Cloud site terms of service agreements can, and often do, vary widely in the extent of available physical, technical and administrative safeguards; some free sites even reserve express rights to "data mine" information placed on their sites.
The importance of this concern can be seen in the dozen-plus Ethics Opinions over the past two years - the latest from Connecticut last month - that have limited the ability of lawyers and firms to place any confidential client information "on the cloud." The opinions impose on lawyers a duty to make reasonable efforts to ensure the existence of adequate safeguards against unintended disclosures or access by unauthorized third parties to confidential data. This duty includes the responsibility of choosing a reliable cloud provider and undertaking due diligence in reviewing the terms of service, provider policies and other information to confirm that the provider can and will limit authorized access to the data and ensure that the data is preserved (backed up), reasonably available, and reasonably safe from unauthorized intrusion.
The data protection principles reflected in each of the recent Ethics Opinions highlight the importance of a common-sense point: the use of cloud sites by any business or individual involves some degree of risk of disclosure or loss of data. The risks may not matter when making vacation photos available to family and friends on Dropbox. They can be of substantial consequence, however, when using a cloud-based document service in a commercial setting such as litigation, regulatory compliance or a business transaction. Users need to balance the potential for convenient access by parties, attorneys and experts to key documents against risks of data disclosure, data loss and liability. These concerns are heightened whenever such data may include not only sensitive private, competitive or trade secret information but also data such as credit card or social security numbers separately protected by State data security laws or personal health care information protected by Federal HIPAA laws.
The underlying lesson, made clear by Ethics authorities nationwide, is that one should not place important or sensitive information on a cloud site without first:
(1) reviewing the terms of service and any available information about the performance of the cloud provider, and
(2) making an informed judgment that the protections offered are consistent with the importance of the information being transmitted to the cloud.
If you have any questions about the information contained in this Alert, please contact your Murtha Cullina attorney or a member of our Information Security and Privacy Group.