Thursday, June 27, 2024

FL Bar Cloud Confusion

As a former application security engineer at Amazon Web Services, I find the Florida Bar's Ethics Opinion 12-3 on cloud computing vague and outdated, even by 2013 standards. While acknowledging the growing importance of cloud services in legal practice is a step in the right direction, the guidance provided falls short of addressing the complex security challenges inherent in cloud environments.

The opinion's suggestions for due diligence are surface-level at best. Asking lawyers to "investigate the online data storage provider's security measures" without providing specific technical criteria is like asking someone to assess a car's safety features without knowledge of automotive engineering. The recommendation to "employ available technology to guard against reasonably foreseeable attempts to infiltrate the data" is frustratingly ambiguous. In the fast-paced world of cybersecurity, what's "reasonably foreseeable" can change overnight.


The Bar missed an opportunity to provide concrete, actionable guidance. They could have mandated minimum encryption standards, insisted on multi-factor authentication, or outlined specific questions lawyers should ask about data residency and breach notification procedures. Instead, they've left attorneys – many of whom lack technical expertise – to navigate the complex world of cloud security largely on their own. While I appreciate the intent behind this opinion, I can't help but feel it falls short of truly protecting client confidentiality.


2 comments:

  1. These are good points. The opinion is vague precisely because lawyers don't have the technical expertise to be more specific. Plus, anything specific that would have been written in 2013 would soon be out-of-date. Just as with statutory drafting, sometimes it is better to define general principles and leave room for interpretation within those principles as reality on the ground (or in the cloud) changes. That is one of the advantages of the U.S. Constitution. It is vague enough to allow for reinterpretation as society changes, but clear enough in its guiding principles to still be useful centuries later.

  2. If I were setting up my own firm, I would want to use cloud-based storage for everything. Naturally, I would be concerned about security and the first thing I would do is look at guidance like 12-3. I might look around for some more specific cases of what not to do, but after reading ethics opinions I would want to ask other attorneys what they do. The value of someone like yourself as a former application security engineer who is now in the world of law probably can't be overestimated. You're exactly the attorney I would want practical advice from. It sounds like you might be able to do seminars on cloud computing for small firms.
