So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.
Back by popular demand, this is Part Four in our ongoing series, Legal Implications of Cloud Computing. This installment will focus on digital evidence and e-discovery, and follows up on Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). After all, what better topic than the cloud to tackle on the day after Thanksgiving, recovering from tryptophan and wine? As with many other areas previously discussed in this series, the cloud does not necessarily change the legal analysis, it just highlights the need to think through and anticipate the many areas of legal concern that could/are likely to arise when using the cloud. As a litigator, when I think about the challenges posed by the cloud, the one that seems most intuitive is e-discovery/digital evidence. It is always difficult to fully appreciate and digest the scope and volume of information that may be called for in litigation or in an investigation. The presence of corporate data in the cloud multiplies those considerations. Some, but by no means all, of the digital evidence issues that should be considered in negotiating cloud arrangements and contracts (whether you are putting data in the cloud or designing and marketing a cloud offering), are as follows: 1. preservation/retention/disposal; 2. control/access/collection; 3. metadata; 4. admissibility; and, cutting across all of the foregoing 5. cost. As I will discuss below, like other forms of electronically stored information (ESI), one of the best ways for addressing data in the cloud in the discovery and evidentiary context is to plan ahead and discuss treatment of cloud data (a) in records retention policies well in advance of litigation; and (b) at the Rule 26 conference once litigation has commenced. And, if you read to the end, I will comment on the paucity of case law referencing the cloud (and describe the few references that have appeared in federal and state case law to date).
While there is much debate on the IT side as to whether Cloud computing is revolutionary, evolutionary or "more of the same" with a snazzy marketing label, in the legal context, Cloud computing does have a potential significant impact on legal risk. Part three of our ongoing Cloud legal series explores the relationships in the Cloud, and the potential legal implications and impacts suggested by them.
Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues. What is the cloud? Why is everyone in the tech community talking about it? Why do we as lawyers even care? Dave provided a few things for our readers to think about -- privacy, security, e-discovery. Now let's dig a little deeper. I am going to start with privacy and cross-border data transfers. Is there privacy in the cloud? What are the privacy laws to keep in mind? What are an organization's compliance obligations? As with so many issues in the privacy space, the answer begins with one key principle -- location, location, location.
I had the pleasure of hearing an excellent presentation by Tanya Forsheit on the legal issues arising out of cloud computing during the ABA Information Security Committee's recent meeting (at the end of July) in Chicago. The presentation resulted in a spirited debate between several attorneys in the crowd. The conversation spilled over into happy hour and became even more interesting. The end result: my previous misunderstanding of cloud computing as "just outsourcing" was corrected, and now I have a better appreciation of what "the cloud" is and the legal issues cloud computing raises.