The Internet and the Cloud
Cloud computing has an over-sized reputation that should really be put in context before we go much further. It can be more useful to look at the cloud as an extension or alternative method of client / server rather than as something new. Treating the cloud as something different suggests that it creates new issues that may not have existed before. It doesn’t. It only shifts responsibility for roles to people outside the firm; the lawyer continues to be accountable for the systems, people supporting them, and the data involved.
The term cloud has become loaded with additional meanings but there is a good technical definition. At one end of the spectrum of the hype, cloud includes anything that’s Internet connected. The more precise definition involves three layers: infrastructure, platform, and software. These are delivered as a service but are present in most law offices and from hosting companies that are Internet connected but not cloud services.
Internal v. Hosted v. Cloud: An Example
Here’s a more concrete example. You open up your Web browser and go to the Microsoft Outlook Web App on your Exchange e-mail server. Many law firms host the e-mail server inside the firm. That means the infrastructure (the physical server on which the Web app runs) and the platform (Microsoft Windows server) are both maintained and licensed in-house. That may involve IT staff that are employed by the firm full time or IT consultants who are hired on an as-needed basis.
Some law firms do not want to host their e-mail server. They may use a hosting company who takes on those roles. The hosting company makes sure the infrastructure is in place: the server computer is running, it’s connected to the Internet and sending and receiving mails, is backed up, and so on. They ensure the platform is working and up to date, that the Microsoft Windows server software is updated and patched so that it’s secure.
The hosting company also makes sure the software applications – Microsoft Exchange and the Web app – are running and accessible. They probably require the law firm to provide appropriate licenses for the Windows server and Exchange server software, bought from Microsoft. If the server crashes, the law firm will pay for the hardware replacement. If the firm runs out of space because it’s receiving a lot of email and holding on to it, it pays for more hard drive space so that it can keep getting and keeping mail.
An alternative to using a host is to use cloud-based Exchange. It differs from hosted Exchange primarily because the cloud service provider should have the attributes described in that NIST definition I mentioned. The elasticity, self-service, and resource pooling should mean that your service is always running, never running out of space or memory, and can be expanded (new accounts, etc.) on demand.
You might use a cloud provider focused on just delivering Exchange or you might use one of the many geographic server locations offered by Microsoft Office 365, which can include Exchange. In this case, the platform-as-a-service (PAAS), infrastructure-as-a-service (IAAS), and software-as-a-service (SAAS) are managed and provided by the cloud vendor. One significant difference is that, if you are licensing software-as-a-service, your SaaS provider may be using a third-party IaaS provider, who may be using yet another PaaS provider. When you get into the cloud, you should understand who all of those providers are.
In all three examples, you use your Web browser to get to the Web app. And in all three examples, the servers should be physically and digitally secured, and maintained to ensure your business continuity. The type of environment you choose depends on your own comfort level, that of your client’s, and other considerations like applicable rules.
Managing Your Professional Obligations
Whether you keep your own servers internally, use a company that hosts servers with your software on it, or use the cloud, the lawyer has the same fundamental professional obligations:
- You need to protect your client’s confidentiality as well as their non-confidential but personally identifiable information that could be of interest to identity thieves.
- You need to secure your client and firm information against unauthorized use, by your staff and by external people.
- You need to protect your information and systems against theft, business outages, and disaster, so that your law practice can keep running in the event of your data becoming unavailable.
What using the cloud does is to shift the activities to third parties and put your data outside your own office. You may already have done that. It doesn’t change the fact you’re still responsible for your professional obligations.
If you keep your servers in your law firm office, you take on the roles of server administrator, business continuity, and intrusion detection, among others. The challenge at solo practices and large firms is how to hire the staff and purchase the appropriate technology to handle those roles. If you use the cloud, and all servers are outside your control, you shift those roles just as you would if you’d hired staff. You never shift your own accountability for your obligations.
In many cases, as a business owner, you will have privacy laws or regulatory laws in addition to your professional obligations that govern how you can handle information you keep and to whom you may be able to shift those roles. It’s not just about trade secrets and family secrets. You will be protecting credit card information and other personally identifiable information (PII) that, if misused, could lead to identity theft and other damage to your clients as threatening as a breach of confidentiality.
Throw in the fact that all modern law practices rely on the Internet – for legal research and communication at the very least – and the role of silicon-based legal technology has never been more crucial to successful law practice. You will need the Internet to meet your client’s needs and expectations, whether it is they or the courts or your opposing counsel who demand it. I suppose one could imagine an Internet-free law practice but it wouldn’t seem to be something that would be either desirable or easy to replicate outside of a very small niche.
One thing seems clear. The complexity of the Internet-connected law firm is approaching, or has passed, the point where most lawyers no longer have the technological skills to manage all of their technology tools directly. Whether they gain the skills, or hire someone with them, or buy technology to fill the gap, or outsource the whole kit and caboodle, will depend on the lawyer or firm.
Lawyer regulators are parsing their rules to determine whether they already require lawyers to know how their systems (a.k.a. their technology) work or whether there needs to be a new obligation spelling that out.
The American Bar Association amended its model rules in 2014 so that the commentary to Rule 1.1 talks specifically to competence around technology. It’s important to note that (a) the ABA model rules do not regulate anyone directly and (b) commentary isn’t a rule. There is confusion, particularly outside the US, about this. US state lawyer regulators adopt part or all of the model rules, and may or may not adopt the commentary at all.
While the ABA ethics group may have thrown a sop to those focused on the future of law practice as well as the hand-wringers who need everything spelled out for them, a tweak to the commentary isn’t a change. If a change is necessary – and I think that’s debatable – it will need to happen in the rules themselves. Right now, everyone appears to see what they want to see, in whatever rule or commentary they want to see it.
The selection of technology for a lawyer will be driven by the demographics of the firm (size and practice areas in particular) as well as by professional and business obligations. It will almost inevitably rely on the Internet and client / server based infrastructure, in whatever form that takes for the particular law practice.
Related Reading and Resources