Answering security and ethical questions about e-discovery in the cloud


Back in 2003, Amazon was already the dominant retailer of the 21st century, earning $5.2 billion annually. To get to that point, the company had invested billions of dollars into data centers, networking infrastructure, and servers, and millions of dollars in annual R&D. Around that time, Amazon also realized it could resell its excess capacity to other companies through the Amazon Web Services (AWS) division. Today, AWS adds each day the same amount of server capacity that it took to run its entire business in 2003. Amazon Simple Storage Service, or S3, now has 1.3 trillion objects stored on it and routinely processes 800,000 data requests simultaneously.

What Amazon built is a cloud computing storage and application center available to developers and software providers as Software-as-a-Service (SaaS). In this model, providers manage the hardware and software for users, and resources are dynamically assigned and reassigned to meet demand. When done at this scale, cloud computing should be able to eliminate the cost and complexity of locally installed software.

The promise and peril of the cloud

The great upside is that cloud providers like Amazon, Microsoft, and Rackspace can invest billions of dollars each year in research and development of cloud platforms, providing more robust services and security than any company or law firm can hope to provide. For example, Microsoft announced that it spent 90 percent, or $8.64 billion, of its $9.6 billion R&D budget on cloud services. Thanks to those investments, SaaS e-discovery systems cost about 35 percent less than solutions that are hosted in-house.

That’s the power of cloud computing, but it is also part of the challenge cloud computing poses for law firms. So much data is being created in today’s networked and super-massive computing environments that it can quickly overwhelm litigation. Law firms struggle to process and review gigabytes of data, while many types of litigation and investigations routinely involve multiple terabytes of information. The cloud is creating a tsunami of digital evidence, but it can also provide the most cost-effective solution to meet the challenge it has created.

The ethics of cloud computing

Just because enormous computing resources are available in the cloud does not mean lawyers should simply migrate their critical e-discovery and review functions there. All businesses should be concerned about putting client data in the hands of a third party. Lawyers have reason to be especially concerned about these kinds of transactions, as they have special ethical obligations to maintain absolute client confidentiality.

To maintain client confidences and to avoid the inadvertent disclosure of data, law firms have to perform due diligence to understand how their data is being stored. Under the comments to ABA Model Rule 1.1 regarding competency, lawyers now have to understand the “risks and benefits of technology.” This means that, for competency purposes, lawyers must understand the technology they use, much as they do the substantive areas of the law.

Given this fact, e-discovery providers in the cloud must be treated as partners, not just software providers. A cloud provider must be able to answer tough questions regarding data storage, security protocols, and data export restrictions before a law firm can export its data to them. The ethical implications of that relationship must be considered and resolved before client data is entrusted to a third party.

Your Ethical Obligations in the Cloud

ABA Model Rule 1.6 on client confidentiality is the most important on this subject, requiring lawyers to protect their client’s property. However, as mentioned above, a recent change to ABA Model Rule 1.1 now defines “competent representation” as understanding the technology used to undertake representation of the client. That would seem to imply that an attorney must know how technology, including cloud-based e-discovery software, is employed on behalf of a client.

Most state bars haven’t considered cloud computing directly as of yet, although Alabama, Arizona, California, Iowa, Nevada, New York, North Carolina, Oregon, Pennsylvania, Florida, and Vermont have issued some form of formal opinion. In general, these opinions have stated that it is ethical for attorneys to use cloud computing services as long as basic precautions are followed.

In practical terms, that means attorneys should notify new clients that their electronic data may be stored with a third party during the course of representation. This could appear in an engagement letter or any formal agreement with a client. These agreements should also specify that data will not cross international borders, where it could become subject to data privacy regulations.

To start, make sure a provider has a Service Level Agreement (SLA) and a response time that will be acceptable to your stakeholders. Ask them how highly available a cloud platform will be and examine the veracity of such claims. A cloud provider should ensure the highest levels of security and encryption so that the data protection available takes advantage of the scale of cloud computing platforms. And of course, make sure a provider stores data so that it is not crossing international boundaries and jurisdictions with different data privacy standards.

In particular, always consider the security your provider has in place, including:

  • Firewall to prevent outsiders from breaking into a computer system,
  • Encryption to protect data as it is being transmitted, and,
  • Intrusion detection to identify potential threats.

Lastly, remember to ensure data portability — that is, guarantee that your data is yours and can be recovered whenever needed. (As a cloud provider, Nextpoint publishes its standards at

The real danger is doing it yourself

In considering the ethical and security concerns of cloud computing, law firms should remember that the traditional on-premise solutions are not inherently more secure. In fact, firms that host sensitive client data are likely to find that they themselves are the greatest security risk.

A hosted on-premise software solution can afford very little in the way of network security beyond what can be found in an off-the-shelf network appliance. Even more problematic, on-premise systems (including “private cloud” systems hosted in a single facility) offer nothing in the way of physical security or environmental controls beyond what is found in a typical office building. The fact is, many local networks are managed from a supply closet or backroom that anyone with access to an office can enter.

No law firm should blindly jump to a cloud computing solution, but it is also foolish to ignore the greater scale, security, and advanced features often available there, given the proper vetting and due diligence.
About the author: Jason Krause is a veteran of the legal technology industry with more than a dozen years of experience as a journalist covering eDiscovery. Prior to joining Nextpoint, Jason was a writer and reporter for the American Bar Association’s ABA Journal, where he was one of the first to recognize and report on the impact exploding volumes of evidence is having on litigation. He has also covered the industry as a freelance writer and independent marketing consultant for publications such as Law Technology News.