Cloud Computing: Ethical Considerations and Obligations


Explore the concept of cloud computing and its ethical implications for attorneys, touching on key aspects such as data storage, accessibility, and the National Institute of Standards and Technology's definition. Discover the essential characteristics of cloud computing and its role in modern technology.

  • Cloud Computing
  • Ethical Obligations
  • Data Storage
  • Technology
  • National Institute


Presentation Transcript


  1. Ethics and the Cloud. Richard K. Herrmann Technology American Inn of Court, January 21, 2015

  2. Ethics and the Cloud: 1. What is Cloud Computing (Jim Heisman); 2. Cloud Computing: Ethical Obligations for Attorneys (Beth Powers); 3. Cloud Computing Services & Products (John Simmons & Brian Legum); 4. Revisiting GlaxoSmithKline v. Discovery Works Legal (Ryan Costa)

  3. WHAT IS CLOUD COMPUTING? Jim Heisman

  4. What Is Cloud Computing? Cloud computing refers to a broad range of services that allow users to store their data and applications on remote computers. Data and applications stored on a cloud computer can be accessed anywhere the user has an Internet connection, including a home computer, work computer, laptop, smartphone, or tablet. As the Pennsylvania Bar Association succinctly put it, cloud computing is "a fancy way of saying stuffs [sic] not on your computer."* *Pa. Bar Ass'n Comm. on Legal Ethics & Prof'l Responsibility, Formal Ethics Opinion 2011-200: Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property, at 1 (2011).

  5. The National Institute of Standards and Technology Defines Cloud Computing Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.* * http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

  6. Essential Characteristics: On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider. Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations). Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth. Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

  7. Service Models: Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. SaaS applications are designed for end-users, delivered over the web. Examples include Google Apps and Microsoft 365. Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. PaaS is a set of tools and services designed to make coding and deploying applications quick and efficient. Examples include Google App Engine and Windows Azure Compute. Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls). IaaS is the hardware and software that powers it all: servers, storage, networks, operating systems. Examples include Amazon Web Services and Rackspace. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

  8. Service Models Compared Source: IBM: http://thoughtsoncloud.com/2014/01/cloud-computing-defined-characteristics-service-levels/

  9. Deployment Models: Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises. Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider. Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

  10. ADVANTAGES OF THE CLOUD: Low upfront costs; Elimination of large capital expense for data centers and hardware; Predictable monthly IT costs; Easy access to information via internet connection; Readily scalable (pay for what you need when you need it); Access to latest cutting edge technologies; Redeploy or eliminate internal IT resources and lower internal IT labor costs; Business Continuity/Disaster recovery (multiple data centers in diverse geographic areas); High availability (99.9% uptime SLAs); Software applications regularly updated, allowing access to latest features and functions.

  11. DISADVANTAGES OF CLOUD: Lack of physical control over your data; Dependent on internet connection (unless user has a dedicated line from the hosting provider); Security Issues: Information subject to disclosure or misappropriation by outside hacking or theft from rogue or disgruntled cloud employees; Support Issues.

  12. CLOUD COMPUTING: ETHICAL OBLIGATION FOR ATTORNEYS Beth Powers

  13. Cloud Computing: The Rules of Professional Conduct Those states that have issued ethics opinions on cloud computing have deemed it permissible so long as the lawyer takes reasonable steps to ensure that sensitive client information remains confidential.

  14. Cloud Computing: What Rules are Implicated. Rule 1.1: Competence. A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. The comments make clear that a lawyer's handling of a particular matter includes, inter alia, use of methods and procedures meeting the standards of competent practitioners. (DRPC 1.1, cmt. 5.)

  15. Cloud Computing: What Rules are Implicated. Application of Rule 1.1 in the Context of Cloud Computing: Competency requires a lawyer to have a basic understanding of the technology and how it potentially impacts the confidentiality of information. Once the attorney understands the technology, he or she must take reasonable steps to ensure that client data and information is maintained, organized and kept confidential in the cloud. Competency also includes a lawyer's ability to reliably access and retrieve data relevant to a client's case when needed.

  16. Cloud Computing: What Rules are Implicated. Rule 1.6: Confidentiality of Information. A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent. A fundamental principle in the client-lawyer relationship is that, absent the client's informed consent, the lawyer must not reveal information relating to the representation. This trust encourages the client to seek legal assistance and to communicate fully and frankly with the lawyer even as to embarrassing or legally damaging subject matter. (DRPC 1.6, cmt. 2.)

  17. Cloud Computing: What Rules are Implicated. Application of Rule 1.6 in the Context of Cloud Computing: If an attorney intends to use cloud computing to manage highly confidential information, it may be necessary to obtain the client's informed consent. Storing and transmitting information in the cloud may be deemed an impliedly authorized disclosure to the provider of cloud computing services. If server used by cloud computing provider is physically kept in another country, lawyer must ensure that the data on the server is protected by privacy laws that reasonably mirror those in the U.S.

  18. Cloud Computing: What Rules are Implicated. Rule 1.15: Safekeeping Property. A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. [Such] property shall be appropriately safeguarded. Client property generally includes files, information and documents, including those existing electronically.

  19. Cloud Computing: What Rules are Implicated. Application of Rule 1.15 in the Context of Cloud Computing: In the context of cloud computing, the lawyer must take steps to safeguard data stored in and transmitted through the cloud. The appropriate safeguards depend on the nature and sensitivity of the data. The data must be returned to the client and deleted from the cloud after representation is concluded or when the lawyer decides no longer to preserve the file.

  20. Cloud Computing: What Rules are Implicated Rule 5.3 Responsibilities Regarding Non-lawyer Assistants With respect to a nonlawyer employed or retained by or associated with a lawyer: (a) a partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer. Essentially, cloud computing is an online form of outsourcing the storage and transmission of data.

  21. Cloud Computing: What Rules are Implicated. Application of Rule 5.3 in the Context of Cloud Computing: A provider of cloud computing may be considered a nonlawyer retained by a lawyer. The lawyer, therefore, must make reasonable efforts to ensure that sensitive client information remains confidential and secure. Attorneys may need a written service agreement that can be enforced on the cloud computing provider to protect the client's interests.

  22. Cloud Computing: Ethical Considerations in Selecting a Provider 1. Is the provider of cloud computing services a reputable organization? 2. Does the provider offer robust security measures? 3. Is the data stored in a format that renders it retrievable as well as secure? 4. Is it stored in a proprietary format and is it promptly and reasonably retrievable by the lawyer in a format acceptable to the client? 5. Does the provider commingle data belonging to different clients and/or different practitioners such that retrieval may result in inadvertent disclosure? 6. Do the terms of service state that the provider merely holds a license to the stored data?

  23. Cloud Computing: Ethical Considerations in Selecting a Provider 7. Does the provider have an enforceable obligation to keep the data confidential? 8. Where are the provider's servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data? 9. Will the provider retain the data and, if so, for how long when the representation ends or the agreement between the lawyer and provider is terminated for another reason? 10. Do the terms of service obligate the provider to warn the lawyer if information is being subpoenaed by a third party, where the law permits such notice? 11. What is the provider's disaster recovery plan with respect to stored data? Is a copy of the digital data stored on-site?

  24. Cloud Computing: What Constitutes Reasonable Care? Understand the technology being used and how it potentially impacts confidentiality of information. Investigate the cloud computing provider's security measures to determine if they are adequate. Stay abreast of technological advances to ensure provider's security measures remain sufficient. Ensure that the provider has an enforceable obligation to preserve confidentiality and security.

  25. Cloud Computing: What Constitutes Reasonable Care? Back-up data to ensure that firm can restore data if provider suffers a security breach. Ensure that the provider provides a method for attorney to reliably access and retrieve information. Ensure that data is deleted from the cloud and returned to the client at the conclusion of representation or when the file must no longer be preserved. Periodically review the provider's security measures to ensure they remain effective in light of technological advances.

  26. CLOUD COMPUTING SERVICES & PRODUCTS Brian Legum & John Simmons

  27. DOCUMENT SHARING Services that allow you to store and share documents and other data remotely for access by your other devices (laptops, other work stations, smartphones and tablets) and/or by others.

  28. DOCUMENT SHARING: DropBox (www.dropbox.com): Folder based application; Can share subfolders; App for smartphones and tablets too; More peer to peer filesharing than peer to many. Box.net (www.box.net): Similar to DropBox, but has more features for managing users and security; Easier for sharing documents with large number of users.

  29. DOCUMENT SHARING: ShareFile (www.sharefile.com): Virtual Data Room by Citrix; Much more secure (tested daily by third party as hacker safe); Detailed security controls; Audit Logs for tracking who accessed what files and when; Nondisclosure agreement.

  30. DOCUMENT SHARING: NetDocuments (www.netdocuments.com): Basic version (cheaper) and pro version (more features); Folder based file structure; Good file searching features; Customizable meta data and tagging of documents; Customizable security and user access.

  31. DOCUMENT MANAGEMENT Document management software allows for document profiling, multi-user access, and document checkout. Most have additional features like document audit trail, revision control, number stamping, multi-parameter searching, and comparison of versions or documents.

  32. DOCUMENT MANAGEMENT: Worldox GX3 Cloud (http://www.worldox.com/products/worldox_gx3_cloud): Document management and profiling; Works best when integrated with Worldox document management software; Built in PDF editing application with one-step creation of PDFs from Word, Excel and the like; Auto converts PDFs into editable documents; Very secure with routinely backed-up servers.

  33. DOCUMENT BACKUP: Online backup is different than document storage and management. Online backup services are intended for disaster recovery of data by incrementally backing up data files to an encrypted data file on a remote server. Does not require dragging files to the folder. Mozy (www.mozy.com); Carbonite (www.carbonite.com).

  34. LAW FIRM HOSTED SOLUTIONS Remotely hosts all applications for a law firm like a virtual computer that is accessible from the web so you can access your desktop remotely. MindShift Oasis - http://www.mindshift.com/ Legal WorkSpace http://legal-workspace.com/ UpTime Legal Systems - http://www.uptimesystems.net/cloud/law/

  35. REVISITING GLAXOSMITHKLINE V. DISCOVERY WORKS LEGAL Ryan Costa

  36. Revisiting GlaxoSmithKline v. Discovery Works Legal: A horribl[e,] cautionary tale about putting information in a cloud. Brief Background: 2004: GlaxoSmithKline ("GSK"), the world's fourth largest pharmaceutical company, engages Discovery Works, a small e-discovery vendor, to perform litigation support and e-discovery services. 2007: Parties enter into an agreement through which GSK outsources its document storage and retrieval systems to Discovery Works.

  37. Revisiting GlaxoSmithKline v. Discovery Works Legal: Vendor possesses approximately 750 million pages [20 terabytes] of GSK's highly confidential, sensitive data (trade secrets, patent portfolio data, pricing information, clinical trial information, litigation materials, personal information, etc.). Vendor stores this data across many servers. Some in United States. Most in St. Vincent's. 2011: GSK hears rumors that Discovery Works was facing financial difficulties and not paying creditors. GSK makes repeated requests for information to be returned. Discovery Works refuses.

  38. Revisiting GlaxoSmithKline v. Discovery Works Legal: Lawsuit: January 22, 2013: GSK files a complaint against Discovery Works and its CEO in NY requesting the immediate return of its data and seeking to enjoin defendants from destroying or deleting it. Complaint alleges that defendants were holding hostage over 20 terabytes of GSK's most sensitive and confidential data, and threatening to withhold and destroy the data unless GSK pays the ransom of $80,000. GSK: If [confidential data is] disclosed, the genie could not be put back in the bottle. If the data is not returned, the business and legal secrets of GSK could become public. Moreover, if Discovery Works is unable to pay its creditors, its servers and other media storing GSK data may be repossessed, abandoned, or caught up in evictions. January 24, 2013: Parties enter into a Settlement Agreement. GSK agrees to pay $50,000 for the immediate return of its data. 9 months later: Discovery Works had returned less than 1% of the data.

  39. Revisiting GlaxoSmithKline v. Discovery Works Legal: September 24, 2013: Hearing on GSK's contempt motion: Court orders Discovery Works to meet with GSK's IT professionals and provide an index of all GSK's data by November 2. If Discovery Works fails to do so, the Court will appoint an IT person selected by GSK to retrieve the documents at Discovery Works' expense.

  40. Revisiting GlaxoSmithKline v. Discovery Works Legal: Recent Events: After Discovery Works failed to provide an index, the Court appointed an IT expert to retrieve GSK's documents. Discovery Works is then sued by former employees, landlord, etc. On December 5, 2013, St. Vincent court enters an order freezing assets. GSK intervenes in the St. Vincent litigation, but months pass before its application to modify the Freezing Order is heard.

  41. Revisiting GlaxoSmithKline v. Discovery Works Legal: Where are they now? December 17, 2014: St. Vincent court modifies its Freezing Order to permit GSK to enter the facility and retrieve its data. GSK has learned that Discovery Works has been locked out of the building where the servers are located and the power was turned off. GSK currently has another contempt motion pending before the New York.

  42. Contracting to Protect Yourself & Your Clients. Regarding Use of Data: Cloud Storage Provider shall have no right to use or distribute Customer Data for any purpose other than provision of the contracted service to Customer and for Customer's benefit. Regarding Physical Location of Data Storage: Services shall be provided from the United States and all Customer content and any other personal information will be stored and processed ONLY in the United States.

  43. Contracting to Protect Yourself & Your Clients. Regarding Subpoena of Data: In the event that Cloud Storage Provider receives a subpoena for the Customer's data, Cloud Storage Provider shall notify Customer of the receipt of the subpoena or other process within 2 business days of receipt and use its best efforts to provide the Customer with a reasonable opportunity and time to quash the subpoena. If the Customer does not respond or is unsuccessful in quashing the subpoena, then the Customer acknowledges and understands that the Cloud Storage Provider may be forced to comply.

  44. Contracting to Protect Yourself & Your Clients. Regarding Confidential Data: Cloud Storage Provider shall use no less than industry standards and best practices of care to safeguard the Confidential Information received from the Customer. Cloud Storage Provider will only use the Confidential Information of the Customer: (a) to exercise its rights and perform its obligations under this Agreement; or (b) in connection with the Parties' ongoing business relationship.

  45. Contracting to Protect Yourself & Your Clients. Regarding contract language that references a website for further language and/or the right to change language: The Customer requires that the language that is present at the time of signing is frozen in time. If the Cloud Storage Provider wishes to alter the language as applied to the Customer, then the Customer shall have the option to review the language and cancel the agreement if the Customer is not amenable to the changes.
