Data Sharing in the Cloud

The “cloud” refers to use of a third party's servers, to which the user is connected via the Internet, in lieu of the user's local server or a personal computer to store information. It is this introduction of a third party ' the cloud provider and its affiliates ' into the mix that calls into question whether communications between client and attorney “in the cloud” remain privileged.

In order to maintain attorney-client privilege, communications need to be confidential. Thus, the person communicating the information must take care to preserve the privacy of the information by excluding third parties that are not agents of the client or the attorney from the exchange. For instance, a whispered conversation in a public place may not waive privilege, while a conversation easily overheard by bystanders can. See United States v. Blasco, 702 F.2d 1315 (11th Cir. 1983). But in today's digital landscape, what does it mean to be “confidential”? Must only the attorney and the client be able to view the information? What is the effect, if any, of ToS or privacy policies that allow for the cloud storage provider to view information? When are the cloud provider and its affiliates “agents” of the attorney and client for privilege purposes? In the bricks-and-mortar world, most lawyers are cautious enough to exclude third parties from their client communications to avoid waiver of the privilege. In the virtual world, however, preservation of the attorney-client privilege has become increasingly complicated.

While there are no reported cases in which courts have addressed waiver of the attorney client privilege specifically in the context of documents shared in the cloud, courts have considered the question of privilege in the context of e-mail and e-discovery. Courts have held that a law firm does not waive its client's privilege by contracting with an outside litigation support provider for a service necessary to the law firm's work. See Compulit v. Banctec, Inc., 177 F.R.D. 410 (W.D. Mich. 1997). But this precedent, predicated on notions of agency, does not necessarily ensure that use of a free document storage service or one contracted with a company, not a law firm, will enjoy the same protections.

The precedents addressing attorney-client privilege in e-mail correspondence also provide no bright-line rules. In In re Asia Global Crossing Ltd., 322 B.R. 247, 257 (S.D.N.Y. Bankr. 2005), a seminal case relating to waiver in the context of employees' e-mails sent though the employer's e-mail system, and in cases that have followed, courts have applied a four-factor analysis to assess whether employees have a reasonable expectation of privacy regarding their personal e-mails and, ultimately, whether an employee waives the attorney-client privilege by communicating via a system to which third parties also have access. In analyzing the privilege in e-mail cases, courts have considered:

1. Whether third parties had a right of access to the computer and the e mail correspondence;
2. Whether the user (typically an employee) had notice of the use and monitoring policy and, therefore, understood that communications using the system would not be confidential;
3. Whether the employer had a policy banning or restricting personal use of the system, which undercut the employees' expectation of privacy; and
4. Whether actual third-party monitoring of the e-mail occurred.

Courts applying these factors, however, have reached differing conclusions. In Asia Global, the court found that the employees had a reasonable expectation of privacy in their e-mail correspondence with their attorney, and therefore upheld the attorney-client privilege. In In re Royce Homes, LP, 449 B.R. 709 (S.D. Tex. Bankr. 2011), in contrast, the court found an individual waived the attorney-client privilege with respect to e-mails he had sent to his attorney using the company's e-mail system. While the company did not monitor its employees' computer use and there was little evidence that employees were aware of the policies, the court relied on the company's explicit policy stating that employees waived any privacy interest in electronic information sent or stored on the company's system. The Royce Homes court held that “whether the [company] actually reads an employee's e-mails is irrelevant,” implying that merely the capacity of a third-party to view information is enough for waiver of the privilege. Id. at 739. More recently, the Delaware Chancery Court held that a corporation's policy on work e-mail and monitoring weighed in favor of finding that its executive officers did not have reasonable expectation of privacy in their work e-mail, and thus could not assert privilege. See In re Info. Mgmt. Servs., Inc. Derivative Litig. , 81 A.3d 278, 291 (Del. Ch. 2013).

Best Practices for Selecting'a Cloud-Based Document Repository

Thoughtful Due Diligence

Both the ABA and at least seven state bars have addressed the use of cloud-based services by attorneys. These examinations indicate how critical it is that the attorney conduct careful due diligence of the document repository provider before any confidential information is placed into the cloud. A key element of this prescribed due diligence is reviewing the provider's ToS and privacy policy. Under ABA Model Rule of Professional Conduct 1.6(b) comment 7(c) a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. This obligation extends to vetting services used to store and share client documents.

Many cloud-based data storage and data sharing applications such as Dropbox, iCloud and Amazon Cloud Drive offer services to the public for free. A review of their ToS illustrates the problems these free services potentially pose for an attorney. For example, Dropbox's privacy policy clearly informs its users that “third parties will access your information only to perform tasks on our behalf and in compliance with this Privacy Policy.” See www.dropbox.com/privacy (posted Feb. 13, 2015). Its privacy policy articulates reasons for access, including to “protect Dropbox's property rights” and to “help improve the level of service that Dropbox provides.” So, when information is shared via Dropbox, it is with the knowledge that third parties may access the information to help Dropbox, a purpose outside the scope of the attorney-client relationship.

Similarly, iCloud's ToS state that Apple reserves the right “to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time, without prior notice and in its sole discretion.” See http://apple.co/1IoMetZ. Amazon Cloud Drive provides in its ToS that Amazon “may use, access, and retain Your Files in order to provide the Service to you and enforce the terms of the Agreement, and you give us all permissions we need to do so. These permissions include, for example, the rights to copy Your Files for backup purposes, modify Your Files to enable access in different formats, use information about Your Files to organize them on your behalf, and access Your Files to provide technical support.” See http://amzn.to/1QGEhdp (Last updated March 25, 2015).

In sum, these widely used cloud storage providers allow third parties to access, view and, in the case of iCloud, modify and/or remove information as they deem fit, and thus clearly invite questions of waiver when privileged material is shared using these services.

Utilize Cloud Service Providers Built for the Legal Community

Given that free cloud providers have policies permitting third-party access to stored data, counsel should consider contracting with providers whose shared document repositories have been built with the legal community in mind. NetDocuments is an example of one such provider, whose ToS and privacy policy have been designed for lawyers. The provider's ToS should state it does not share, or have access to, any confidential information, except when acting as an agent of the client or attorney. Specifically, counsel should look for provisions in the service agreement stipulating that the cloud services provider has no ownership interest in the customer data and shall not use customer data, except in clearly delineated circumstances necessary to the provision of the service. Additionally, the applicable privacy policy should state that no one can access documents except with the owner's specific authorization.

Utilize Providers That Employ a High Level of Security

Counsel should also assess the level of security the provider employs. When a client file is uploaded to the cloud, it should immediately be indexed, encrypted and saved to a private repository where no one except the owner of the document can view its contents. Moreover, as part of its data storage architecture, the cloud provider should further obfuscate access to customer data via random storage. NetDocuments reports that it accomplishes this by storing each individual data file in one out of millions of folders on the vendor's system. In this way, the provider is physically unable to view or determine the contents of a document beyond its metadata, which is used for purposes of conducting searches. This level of security will likely be present only in paid services.

Examine the Provider's Subpoena Policy

Counsel's ethical obligation to make reasonable efforts to prevent unauthorized disclosure of information relating to the representation of a client requires that attention be given to cloud providers' subpoena policies, as well. A proper subpoena policy should afford notice to the data owner and the opportunity to oppose the request, before the provider releases documents in response to a subpoena or court order. Free cloud storage services may not afford counsel and clients these protections.

Beware BYOD

The risk addressed in this article ' that counsel or client will, for reasons of economy or convenience, exchange sensitive documents via a cloud-based repository ' is heightened in a “bring your own device” environment, where it can be all too easy to bypass institutional systems in favor of online services. Counsel should accordingly routinely caution clients to communicate privileged information only via established, approved channels, and advocate for clear BYOD policies and training that prohibit the use of unapproved services to exchange sensitive documents.

Conclusion

Before exchanging documents with clients via a cloud-based document repository, due diligence to determine the degree and types of third-party access permitted by the cloud provider is crucial. If properly addressed, this can help to ensure that the privileged status of documents stored in the cloud will be upheld.

Gregory Mottla is an associate in Kutak Rock LLP's Washington, DC, office. L. Elise Dieterich is a partner in the same office, and a member of this newsletter's Board of Editors.

Storing and sharing data “in the cloud” has become, in many instances, a business necessity. The practical and economic advantages of cloud computing are clear ' it eliminates the need to send client data via traditional, costly methods, and is significantly less expensive than building and maintaining the same data storage capacity in-house.

Despite its obvious benefits, counsel must consider whether client data stored in the cloud is safe, not just from hackers, but from the inadvertent waiver of the attorney client privilege. Fine print in cloud providers' Privacy Policies and Terms of Service (ToS) authorizing third parties to access information may jeopardize the privileged status of documents stored in the cloud. Ambiguous case law, expansive and vague provider policies, and uncertainty surrounding the attorney client privilege in the context of evolving technology, require that counsel exercise due diligence and follow best practices to ensure that the attorney client privilege is protected when sharing information via cloud-based services.

Third-Party Access: When Does It Waive Attorney Client Privilege?

The “cloud” refers to use of a third party's servers, to which the user is connected via the Internet, in lieu of the user's local server or a personal computer to store information. It is this introduction of a third party ' the cloud provider and its affiliates ' into the mix that calls into question whether communications between client and attorney “in the cloud” remain privileged.

In order to maintain attorney-client privilege, communications need to be confidential. Thus, the person communicating the information must take care to preserve the privacy of the information by excluding third parties that are not agents of the client or the attorney from the exchange. For instance, a whispered conversation in a public place may not waive privilege, while a conversation easily overheard by bystanders can. See United States v. Blasco , 702 F.2d 1315 (11th Cir. 1983). But in today's digital landscape, what does it mean to be “confidential”? Must only the attorney and the client be able to view the information? What is the effect, if any, of ToS or privacy policies that allow for the cloud storage provider to view information? When are the cloud provider and its affiliates “agents” of the attorney and client for privilege purposes? In the bricks-and-mortar world, most lawyers are cautious enough to exclude third parties from their client communications to avoid waiver of the privilege. In the virtual world, however, preservation of the attorney-client privilege has become increasingly complicated.

While there are no reported cases in which courts have addressed waiver of the attorney client privilege specifically in the context of documents shared in the cloud, courts have considered the question of privilege in the context of e-mail and e-discovery. Courts have held that a law firm does not waive its client's privilege by contracting with an outside litigation support provider for a service necessary to the law firm's work. See Compulit v. Banctec, Inc. , 177 F.R.D. 410 (W.D. Mich. 1997). But this precedent, predicated on notions of agency, does not necessarily ensure that use of a free document storage service or one contracted with a company, not a law firm, will enjoy the same protections.

The precedents addressing attorney-client privilege in e-mail correspondence also provide no bright-line rules. In In re Asia Global Crossing Ltd., 322 B.R. 247, 257 (S.D.N.Y. Bankr. 2005), a seminal case relating to waiver in the context of employees' e-mails sent though the employer's e-mail system, and in cases that have followed, courts have applied a four-factor analysis to assess whether employees have a reasonable expectation of privacy regarding their personal e-mails and, ultimately, whether an employee waives the attorney-client privilege by communicating via a system to which third parties also have access. In analyzing the privilege in e-mail cases, courts have considered:

1. Whether third parties had a right of access to the computer and the e mail correspondence;
2. Whether the user (typically an employee) had notice of the use and monitoring policy and, therefore, understood that communications using the system would not be confidential;
3. Whether the employer had a policy banning or restricting personal use of the system, which undercut the employees' expectation of privacy; and
4. Whether actual third-party monitoring of the e-mail occurred.

Courts applying these factors, however, have reached differing conclusions. In Asia Global, the court found that the employees had a reasonable expectation of privacy in their e-mail correspondence with their attorney, and therefore upheld the attorney-client privilege. In In re Royce Homes, LP, 449 B.R. 709 (S.D. Tex. Bankr. 2011), in contrast, the court found an individual waived the attorney-client privilege with respect to e-mails he had sent to his attorney using the company's e-mail system. While the company did not monitor its employees' computer use and there was little evidence that employees were aware of the policies, the court relied on the company's explicit policy stating that employees waived any privacy interest in electronic information sent or stored on the company's system. The Royce Homes court held that “whether the [company] actually reads an employee's e-mails is irrelevant,” implying that merely the capacity of a third-party to view information is enough for waiver of the privilege. Id. at 739. More recently, the Delaware Chancery Court held that a corporation's policy on work e-mail and monitoring weighed in favor of finding that its executive officers did not have reasonable expectation of privacy in their work e-mail, and thus could not assert privilege. See In re Info. Mgmt. Servs., Inc. Derivative Litig. , 81 A.3d 278, 291 (Del. Ch. 2013).

Best Practices for Selecting'a Cloud-Based Document Repository

Thoughtful Due Diligence

Both the ABA and at least seven state bars have addressed the use of cloud-based services by attorneys. These examinations indicate how critical it is that the attorney conduct careful due diligence of the document repository provider before any confidential information is placed into the cloud. A key element of this prescribed due diligence is reviewing the provider's ToS and privacy policy. Under ABA Model Rule of Professional Conduct 1.6(b) comment 7(c) a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. This obligation extends to vetting services used to store and share client documents.

Many cloud-based data storage and data sharing applications such as Dropbox, iCloud and Amazon Cloud Drive offer services to the public for free. A review of their ToS illustrates the problems these free services potentially pose for an attorney. For example, Dropbox's privacy policy clearly informs its users that “third parties will access your information only to perform tasks on our behalf and in compliance with this Privacy Policy.” See www.dropbox.com/privacy (posted Feb. 13, 2015). Its privacy policy articulates reasons for access, including to “protect Dropbox's property rights” and to “help improve the level of service that Dropbox provides.” So, when information is shared via Dropbox, it is with the knowledge that third parties may access the information to help Dropbox, a purpose outside the scope of the attorney-client relationship.

Similarly, iCloud's ToS state that Apple reserves the right “to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time, without prior notice and in its sole discretion.” See http://apple.co/1IoMetZ. Amazon Cloud Drive provides in its ToS that Amazon “may use, access, and retain Your Files in order to provide the Service to you and enforce the terms of the Agreement, and you give us all permissions we need to do so. These permissions include, for example, the rights to copy Your Files for backup purposes, modify Your Files to enable access in different formats, use information about Your Files to organize them on your behalf, and access Your Files to provide technical support.” See http://amzn.to/1QGEhdp (Last updated March 25, 2015).

In sum, these widely used cloud storage providers allow third parties to access, view and, in the case of iCloud, modify and/or remove information as they deem fit, and thus clearly invite questions of waiver when privileged material is shared using these services.

Utilize Cloud Service Providers Built for the Legal Community

Given that free cloud providers have policies permitting third-party access to stored data, counsel should consider contracting with providers whose shared document repositories have been built with the legal community in mind. NetDocuments is an example of one such provider, whose ToS and privacy policy have been designed for lawyers. The provider's ToS should state it does not share, or have access to, any confidential information, except when acting as an agent of the client or attorney. Specifically, counsel should look for provisions in the service agreement stipulating that the cloud services provider has no ownership interest in the customer data and shall not use customer data, except in clearly delineated circumstances necessary to the provision of the service. Additionally, the applicable privacy policy should state that no one can access documents except with the owner's specific authorization.

Utilize Providers That Employ a High Level of Security

Counsel should also assess the level of security the provider employs. When a client file is uploaded to the cloud, it should immediately be indexed, encrypted and saved to a private repository where no one except the owner of the document can view its contents. Moreover, as part of its data storage architecture, the cloud provider should further obfuscate access to customer data via random storage. NetDocuments reports that it accomplishes this by storing each individual data file in one out of millions of folders on the vendor's system. In this way, the provider is physically unable to view or determine the contents of a document beyond its metadata, which is used for purposes of conducting searches. This level of security will likely be present only in paid services.

Examine the Provider's Subpoena Policy

Counsel's ethical obligation to make reasonable efforts to prevent unauthorized disclosure of information relating to the representation of a client requires that attention be given to cloud providers' subpoena policies, as well. A proper subpoena policy should afford notice to the data owner and the opportunity to oppose the request, before the provider releases documents in response to a subpoena or court order. Free cloud storage services may not afford counsel and clients these protections.

Beware BYOD

The risk addressed in this article ' that counsel or client will, for reasons of economy or convenience, exchange sensitive documents via a cloud-based repository ' is heightened in a “bring your own device” environment, where it can be all too easy to bypass institutional systems in favor of online services. Counsel should accordingly routinely caution clients to communicate privileged information only via established, approved channels, and advocate for clear BYOD policies and training that prohibit the use of unapproved services to exchange sensitive documents.

Conclusion

Before exchanging documents with clients via a cloud-based document repository, due diligence to determine the degree and types of third-party access permitted by the cloud provider is crucial. If properly addressed, this can help to ensure that the privileged status of documents stored in the cloud will be upheld.

Gregory Mottla is an associate in Kutak Rock LLP's Washington, DC, office. L. Elise Dieterich is a partner in the same office, and a member of this newsletter's Board of Editors.