Monday, August 6, 2012

Dropbox for Lawyers...?

Update 2012-08-10: At its annual meeting, the ABA House of Delegates approved amendments to the MRPC that include new language to address  lawyers' use of technology and confidentiality requirements. With the addition of a new subsection (c), MRPC 1.6 now explicitly provides "[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The revisions also supplemented the comments to Rule 1.1 (Competence) to expressly address the need for lawyers to keep abreast of the benefits and risks of technology relevant to the practice of law. While these changes do not establish new obligations for lawyers, they better communicate existing ethical obligations and emphasize the importance of ethical considerations in the use of technology.


Intro


The latest Dropbox security incident (not the company’s first) received attention from the technology press last week, reigniting privacy and security concerns associated with the service.  Given that the ABA lists Dropbox among the more popular cloud services for lawyers (while simultaneously declining to recommend Dropbox in light of security concerns), this incident likely impacted some legal professionals.  Rather than spending more time on the security issues, I want to instead look at Dropbox’s terms and conditions to see how a lawyer might evaluate the service’s appropriateness for client work. 



Background and State Bar Ethics Opinions

Attorneys who use cloud services need to consider (1) the ethical obligations that attach to that use, (2) implications for maintaining attorney-client privilege and work product protection, (3) avoiding malpractice, and (4) the overall importance of securing client information. See David G. Ries, Information Security for Attorneys: An Ethical Obligation, 78 PA Bar Assn. Quarterly 1 (2007). In what follows I hope to provide some insight into some factors relevant to the first consideration. 

To date, at least twelve state bar associations have issued ethics opinions on the use of cloud services (or similar technology). The opinions all permit an attorney to use a cloud service so long as the attorney exercises reasonable care to select a service provider that adequately safeguards client information. What does “reasonable care” under the circumstances entail? The opinions each recommend (or mandate) consideration of various factors and articulate those factors somewhat differently. Some opinions speak in very general terms and aren’t especially prescriptive. See, e.g., Maine Professional Ethics Commission Opinion #194 (2008). Others provide detailed information about best practices and also acknowledge that the relevant considerations may evolve over time. See e.g., Pennsylvania Bar Association Opinion 2011-200 (2011). 


For a complete list of the opinions, see the very useful chart the ABA has compiled. Rather than looking to any one opinion or jurisdiction, I’m going to base my analysis on the ABA Model Rules of Professional Conduct (MRPC). Unless otherwise noted, all citations will be to those rules. On the technical front, I will assume all data is unencrypted and that the only security measures in place are those provided by Dropbox itself. In other words, I am assuming that the prospective lawyer-customer would not apply any special security measures to protect client information apart from those Dropbox itself offers.  I highly recommend client-side encryption for all cloud services whenever possible to avoid reliance on service provider security.  


Cloud Computing Ethics Primer  


In brief, the analysis of cloud computing under the MRPC goes (roughly) as follows: Storage or transmission of (previously unencrypted) confidential client information on a cloud service amounts to a disclosure for purposes of MRPC 1.6. Such disclosures may fall under the implied authorization exception under subsection (a) to the rule (“[applicable] when the lawyer has reasonable grounds for believing that a client has impliedly authorized disclosure of a confidence or secret in order to carry out the representation”). 

However, the duties of competence (MRPC 1.1), confidentiality (MRPC 1.6) and safekeeping property (MRPC 1.15) require that lawyers exercise reasonable care in selecting a provider that will adequately protect confidential client information. See, e.g., Arizona Ethics Opinion 09-04 (2009) (lawyer must take reasonable precautions to protect security and confidentiality); New York Ethics Opinion # 842 (2010) (requiring lawyers to take "reasonable care to ensure that the system is secure and that client confidentiality will be maintained"). To meet the reasonable care standard, lawyers must have and maintain a competent understanding of current technology and available security measures.  Some states go on to hold the duty to communicate with clients  (MRPC 1.4) entails seeking a client’s informed consent prior to using a cloud service under certain circumstances. See, e.g., Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200 (2011) (holding that under some circumstances "it may be necessary . . . to inform the client of the nature of the attorney’s use of 'cloud computing' and the advantages as well as the risks. . ."). 



Against that background, let’s take a look at Dropbox’s Terms of Service and Privacy Policy. Jointly, they give Dropbox and “Trusted Third Parties” rights to use customer information. MRPC 1.6 presumptively prohibits disclosure of confidential information related to a client representation. So, is Dropbox’s use compatible with an attorney’s ethical obligations to preserve confidentiality? To answer that question in full we must evaluate each of the sections of Dropbox’s terms and conditions that involve use or disclosure of customer-supplied information and files. 



Dropbox Analysis

TOS authorizes “Trusted Third Parties” to use customer information 

TOS provides Dropbox and “trusted third party companies and individuals” with the ability to use customer files to “provide, analyze, and improve” Dropbox. The disclosure of customer information to those third parties raises two questions which must be explored: 

(1) Do those third parties have reasonable security in place? 

(2) Are the uses by both Dropbox and the third parties compatible with a lawyer’s ethical obligations to preserve confidentiality? 


Third Parties & Security

A cloud provider’s use of “trusted third parties” in order to run its services isn’t necessarily problematic for an attorney looking to use the service for client work. However, the attorney’s ethical obligations to evaluate the cloud provider’s security extends to any third parties to whom the provider discloses information. Dropbox neither exhaustively identifies its trusted third parties nor provides assurances regarding the security measures those parties will be obligated to take.  

So, Dropbox’s trusted third parties would not obviously be subject to the sort of enforceable obligation to preserve security advocated by the ethics opinions. See  N.J. Ethics Opinion 701 (2006) (holding that the “touchstone in using ‘reasonable care’ against unauthorized disclosure that . . . the lawyer has entrusted such documents to an outside provider under . . . an enforceable obligation to preserve confidentiality and security). Dropbox itself makes no representation regarding the security of those parties. The company does explain that third parties must observe use restrictions similar to those in the privacy policy. So what are the allowed uses and disclosures outlined in the Dropbox privacy policy?


Use of customer information authorized to analyze and improve Dropbox

The uses to which Dropbox puts customer information may be difficult to reconcile with an attorney’s ethical obligations. Disclosures to improve and analyze Dropbox do not obviously fall within the scope of the implied authorization exception. That exception within MRPC 1.6(a)  governs situations where “disclosure is impliedly authorized in order to carry out the representation.” Use of a client’s confidential information by Dropbox or its trusted third parties in order to analyze and improve the service isn’t really a use to “carry out the representation” in an obvious sense. 

For example, suppose Dropbox engages a third party analyst to review the contents of a confidential memorandum in a client file in order to better understand the nature of documents stored on the service. Is the disclosure to the analyst necessary for the attorney to carry out the representation? Probably not. Of course, an attorney advocating for the use of Dropbox might argue that Dropbox itself helps the attorney carry out a variety of tasks for the representation and that the use of Dropbox carries it with this required disclosure. So, the disclosure would be permissible insofar as it’s a necessary consequence of using Dropbox.  I would reject that argument based on the highly attenuated link between the disclosure and carrying out the representation. Moreover, given that attorneys could easily reject Dropbox in favor of competitors that offer similar functionality but do not make such disclosures, the use of Dropbox doesn’t seem reasonably necessary to carry out the representation at all.


Does that mean any disclosure solely to benefit the service provider would be impermissible? It would appear so based on MRPC 1.6 which has no exception to permit such disclosures. However, NYSBA did approve use of automated content scanning for optimization of advertising content in Ethics Opinion # 820 (2008). Optimization of advertising would seem to serve the interests of the advertisers (a third party) in much the way that Dropbox’s third-party use for analysis/improvement serves Dropbox. Would the reasoning of the NYSBA opinion extend to permit use by Dropbox? There’s a strong indication to the contrary in the opinion (“[w]e would reach the opposite conclusion if the e-mails were reviewed by human beings. . . .”) 


That language suggests the NYSBA opinion’s position may stem primarily from the de minimus impact on confidentiality that automated scanning poses. See  Kevin Raudebaugh, Trusting The Machines: New York State Bar Ethics Opinion Allows Attorneys To Use Gmail, 6 Wash. J. L. Tech. & Arts 83 (2010). Effectively, I think the opinion may stand for the proposition that automated content scanning with appropriate security does not amount to a disclosure. The same cannot be said when a person reviews the information, as the New York opinion recognizes. 


Finally, on the ethical implications of third-party access, California Formal Ethics Opinion No. 2010-179 (2010) cautions that where a technical offering “imposes a requirement of third party access to information related to the attorney’s use of the technology, the attorney may need to confirm that the terms of the requirement or authorization do not permit the third party to disclose confidential client information to others or use such information for any purpose other than to ensure the functionality of the software or that the technology is not being used for an improper purpose, particularly if the information at issue is highly sensitive.” Could Dropbox’s uses of customer information for analysis and improvement of the service qualify as uses to “ensure the functionality” of the technology? 


Canons of statutory construction dictate that each word be given a nonsuperfluous meaning. See Bailey v. United States, 516 U.S. 137, 146 (1995). Applying that principle of construction to Dropbox’s terms of service, since the terms specifically authorize Dropbox to use customer information to “provide the service” and then separately reserve the right to use customer information to “improve and analyze” the service, the uses for improvement and analysis would be distinct from the use for providing the service. The California opinion seems only to permit use of the information in order to provide the service. So, under the California analysis, Dropbox’s use of customer information may well be incompatible with an attorney’s ethical obligations. 




Disclosure in response to legal process 


Dropbox will share uploaded content to “comply with a law, regulation or compulsory legal request.” Importantly, Dropbox has no obligation to notify an attorney-customer if served with process to produce confidential information related to the lawyer’s client. Why does this matter? Unintended disclosure of information may waive attorney-client privilege or work product protection. See, e.g., Amobi v. District of Columbia Dept. of Corrections, 262 F.R.D. 45 (D.D.C. 2009) (holding inadvertent disclosure waived work product protection under post-2008 version of FRE 502). Moreover, if an attorney uses a cloud service knowing that the attorney will not be notified about legal demands for information, a court might find that any disclosure that occurs to have been intentional. In short, not being aware of legal demands for information may risk loss of privilege and work product protection, which in turn could give rise to malpractice liability. 

Other Disclosures & Uses: Dropbox will also share uploaded content to “to prevent fraud or abuse of Dropbox or its users[,]” and “to protect Dropbox’s property rights.” These two exceptional disclosures seem to disadvantage the client whose information has been disclosed. Unless the disclosure falls under the narrow exceptions under MRPC 1.6(b), such disclosure would be both prohibited under MRPC 1.6 and under MRPC 1.8. The latter specifically prohibits the lawyer from using any information from the representation to the disadvantage of the client. This aspect of Dropbox’s policy seems to be largely or entirely at odds with an attorney’s ethical obligations. 




History & Reputation


At least one state bar ethics opinion specifically advises consideration of a vendor’s “experience, stability, and reputation.” North Carolina State Bar, 2011 Formal Ethics Opinion 6 (2011). How does Dropbox fare in this regard? There’s cause for concern. Dropbox has altered its privacy and security policies on multiple occasions. While the company promises to notify customers about changes negatively impacting privacy, they will enforce the new terms whether or not the customer expressly consents. 


What about the company’s history? Last June, a bug in Dropbox’s code caused the service to accept any password whatsoever. Imagine waking up one morning to find that anyone on the street had the ability to open your front door by inserting a key--any key whatsoever--into the lock and turning the handle. Effectively, that was the situation all Dropbox customers found themselves in last year. Any person who attempted to access an account was granted access no matter what the person entered for the password. 


In the wake of the 2011 incident, Ph.D. student and security researcher Christopher Soghoian  filed a complaint with the FTC alleging that Dropbox had engaged in a deceptive trade practice subject to FTC review pursuant to the agency’s authority under 15 USC § 45. The complaint detailed multiple instances in which Dropbox allegedly misrepresented the nature of its security protections. Soghoian alleged Dropbox had misled customers into thinking encryption protected the contents of their files from review even by Dropbox staff. Although Dropbox emphatically denied these allegations, the company did change its description of the security measures protecting the service. 


These incidents and the recent incident involving a Dropbox employee losing customer information raise concerns about Dropbox’s “history” and “reputation” as a service provider.  From a pragmatic standpoint, suppose you are an attorney representing a technology company. The company’s confidential attorney-client communications become public due to a security incident with Dropbox. Imagine the CEO’s outrage when he or she learns that despite the media coverage of Dropbox and its security issues, you nonetheless stored the company’s confidential information on the service. 



Bottom Line

Ultimately, every lawyer will need to make his or her own decision about the appropriateness of using Dropbox for client work.The analysis above goes through only a few of the factors that ought to guide such decisions. Do I think Dropbox offers a useful service? Absolutely. I use it to store the latest Ninth Circuit decisions on my mobile devices so I can read them while commuting. Would I use Dropbox for confidential client information? No, I think Dropbox’s policies and security model fall short of the mark.  Even if Dropbox does implement the security improvements they’ve promised, such improvements do not address the issues outlined above with Dropbox’s terms and conditions. To address those concerns, Dropbox would need to offer a different security and privacy model for business users with much more stringent restrictions around the use and disclosure of customer information along with additional security protections. 

Even without changes to the Dropbox service, lawyers who use the service can take additional steps to improve security. 



Recommendations

Encrypt sensitive information before placing it on Dropbox. The analysis above presupposes that the lawyer does not encrypt confidential information prior to placing it in Dropbox. If a lawyer were to encrypt information prior to transmission and Dropbox had no ability to decrypt the data, the concerns above largely dissolve. 

Avoid communicating with clients through Dropbox. Communicating with clients through Dropbox raises additional problems.  While encrypting data before it is sent to Dropbox addresses many confidentiality concerns, encryption itself becomes much more complicated when multiple people need access to the information. Not all clients will have the technical sophistication to work with shared encryption solutions.


The privilege concerns are also heightened when using Dropbox as a client communication tool. When clients use Dropbox knowing third parties may review the communication, a court may hold that privilege does not attach to the communication because the client had no reasonable expectation that the communication would be private. Cf. Holmes v. Petrovich Development Corp., 119 Cal. Rptr. 3d 878 (Cal. Ct. App. 2011) (holding privilege inapplicable where plaintiff-employee communicated with attorney via employer’s e-mail system and employee knew employer monitored e-mail communications). 


Finally, when a client uses Dropbox to communicate with his or her attorney, the client may inadvertently end up replicating those communications across multiple devices--devices the client might routinely share with third parties. This increases the risk of unwanted disclosure, which isn’t something an attorney should encourage. 

3 comments:

  1. Great post, thanks for the analysis.

    ReplyDelete
  2. Having had this conversation with a large number law firms, I know that it is a concern and my job is to ensure that these firm stay in good standing. To that end, Google Apps, Drive, makes what I do a breeze and keeps my clients safe. Plus, my best practices, which is really what it comes down to.

    ReplyDelete
  3. Yes, a very helpful post. I wonder whether the issues associated with the use of dropbox and other SaaS services are any different than with the use of e-mail. All e-mail is stored on the web by the law firm's internet service provider. I have never looked at the terms and conditions for Road Runner, Gmail, AOL, etc., but I assume those providers have the ability, if not the express right, to access customers' e-mail. In light of the ethicial pronouncement in my state (North Carolina), it seems that the safest thing for me to do is to limit the use of dropbox to the sharing of non-confidential documents, such as court filings. Obtaining the informed consent of the client would seem to be necessary before transmitting any confidential client information through a SaaS.

    ReplyDelete