Historical challenges of ediscovery
With most client information stored electronically, requests for ediscovery have become commonplace. And, ediscovery is often the single most significant expense for mid to large cases that are resolved prior to trial. Historically, there have been three basic ways attorneys have handled ediscovery prior to production to opposing parties: hard copy review, review in the native application (e.g. Outlook), and linear review in a database.
For hard copy review, as outside counsel, you might receive a CD or PDF from your client. If it is a tort defense case, the CD might contain an incident file and other supporting documents. For example, you may have received the CDs a few weeks before you have to review and produce these documents to the requesting party. The historical workflow would be to have all of the documents printed. The attorney would then review the documents on paper, flag the documents to be produced to the requesting party and the documents to be listed on the privilege log, and give the subset that they identified as responsive to the legal staff to Bates stamp and scan for production. There are at least three major disadvantages to this workflow: (1) you change documents that are already in an electronic format to hard copy paper, and then back to electronic files for production, potentially spoliating the metadata of the original documents received electronically from the client; (2) all this printing, manual review, flagging, Bates labeling, and re-scanning is a time-consuming, manual, and costly way to review documents; and (3) this system is not scalable for your more document-intensive cases, where the volume of electronically-stored information (ESI) from your client is sizable.
Another way you may have reviewed documents in the past is by receiving documents from the client in a native-application format (e.g. Microsoft Outlook emails in an email container (.pst file), or Microsoft Excel, PowerPoint, and Word files bundled together in a .zip file). Then you would have your IT team open these files for you to review, one-by-one, in the applicable software application, such as reviewing the client’s emails in Outlook or presentations in PowerPoint.
However, this method too has at least three major disadvantages: (1) searching for relevant names, text, or keywords across multiple software applications is clumsy and cumbersome. Imagine searching an email that has both Word and Excel files attached to it — you would have to open each file and search each one separately; (2) unless your IT has been instructed to make a forensic copy of what you received from your client, your review of these native files may be destroying valuable metadata; and (3) unless you convert responsive documents to a static format such as .tiff or .pdf prior to production to the requesting party, you are unable to redact, Bates label each page, or prevent producing sensitive or nonresponsive metadata to the requesting party. If you do choose to convert to a static format, that process adds time and inefficiencies to your production workflow.
Finally, you may have hired an outside vendor to process the ESI received from your client, ingested the processed data into your firm’s on-premise server, or into the vendor-supplied server, and then used a linear approach to review the documents. The benefits of this process are many: (1) the ability to search across all of the documents; (2) the ability to tag documents for responsiveness, issues, and privilege, one-by-one; and (3) the ability to streamline the workflow from receipt of ESI from your client through Bates-labeling and production. However, there are at least four major disadvantages of most legacy ediscovery software applications offered by vendors, whether the vendor’s software is installed on vendor-supplied or on-premise servers: (1) the servers may not have the latest upgrades in security, hardware, and software, because of the significant investment in time, personnel, and expense in maintaining those servers and the secure environment; (2) the servers may not have sufficient processing and computing power to handle the data and user loads on the system, resulting in extremely slow speed for processing, loading documents into a review screen, and exporting documents for production. This latency problem with legacy ediscovery software has become so pronounced that some attorneys find it is faster to review in paper rather than wait for the software to load the next page or document in the review pane; (3) the servers often do not permit remote access (at a deposition, hearing, or at trial); and (4) are not powerful enough to handle state-of-the-art artificial intelligence algorithms now coming to market.
In my previous post, I discussed the benefits of cloud computing and the fundamental components of Software as a Service (SaaS). Ediscovery software that is designed to leverage the unparalleled power and massive scale of cloud computing truly enhances the advantages of using ediscovery software but eliminates all the disadvantages of legacy programs. Gone are the days where you have to wait for searches to load or wait for a document to render on screen – to the point where it would be faster to review in paper. Instead, with cloud infrastructure, a document search takes 1/10 of a second to bring back results, regardless of the volume or complexity of the documents. Document rendering happens instantly with an average of ⅓-seconds to view any file, even large Excels. Now you can think in terms of Google or Amazon search and rendering speeds. This means your ability to review your client’s ESI is significantly accelerated. Other, previously manual tasks, that can be done in cloud-native solutions like DISCO, include redacting text and metadata, automated privilege logs, Bates numbering and document branding, and the like - even the latest AI algorithms are available to you.
Why does cloud computing matter?
Cloud computing is the reality of how many companies now do business. Law firms who want those companies as their clients must have knowledge of modern technology to comply with their ethical obligations. Thirty-one states have already adopted some technology competence requirement,  with Florida being the first state that has required technology continuing legal education (CLE) for their attorneys. 
Ethical considerations for the use of cloud computing
Model Rule 1.1 – A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.
We have all seen the ABA Model Rule (MR) 1.1 on competence at some point in time. As attorneys, it is an ethical obligation to provide competent representation to a client. Part of the question is how do you define “competency”? Comment 8 to MR 1.1 elaborates that maintaining competence means you need to understand the benefits and risks associated with relevant technology. It is clear that MR1.1 is relevant to ediscovery technology. What the ABA Rule doesn’t do is explain where that fits into SaaS (i.e. cloud computing). There are a lot of different ways in which SaaS technology can be relevant to practicing law; part of that is understanding what solutions are available for ediscovery.
An ethics opinion from Wisconsin in 2015 states:
“(C)loud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it … (L)awyers must make reasonable efforts to protect client information and confidentiality as well as to protect the lawyer’s ability to reliably access and provide information relevant to a client’s matter when needed. To be reasonable, those efforts must be commensurate with the risks presented. Lawyers must exercise their professional judgment when adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers.” 
This opinion from Wisconsin looks at the same underlying issues that we would consider nationally. Attorney competence requires an understanding of cloud computing and to make reasonable efforts to protect client information. One way this could play out in the real world is understanding whether using the technology will satisfy the attorney’s duty to minimize the risk of inadvertent disclosure of privileged documents. Along those same lines would be whether the technology improves the ability to identify confidential documents and avoid disclosing a trade secret of your client.
It is counsel’s obligation to oversee the process of ediscovery. The standard is reasonable care under the circumstances. Perfection, however, is not the standard. For example, Oregon noted that its ethics rules would not require an attorney to protect a client’s data against attacks by foreign or domestic intelligence services using highly sophisticated methods beyond the capabilities of the general public unless the circumstances of the client or the representation involved highly sensitive information related to national security interests.  According to the Ohio Bar Ethics Committee, specific requirements for assessing reasonableness would soon become obsolete with changing technologies and the risks would likewise vary with the technology involved, the lawyer’s areas of practice, and the individual needs of each client. For that reason, the Committee determined that “overly-specific rules would become obsolete as soon as they were issued.” 
Model Rule 1.6(a) — A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or [paragragh (b) exception applies].
Model Rule 1.6(c) — A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
How does the lawyer comply with his/her ethical duty of protecting client data when it comes to protecting client data in the cloud? Comment 18 to MR 1.6 lists five factors to consider whether the lawyer exercised reasonable efforts to prevent inadvertent or unauthorized disclosure or access. The five factors include:
- The sensitivity of the information,
- The likelihood of disclosure if additional safeguards are not employed,
- The cost of employing additional safeguards,
- The difficulty of implementing additional safeguards,
- And the extent to which the additional safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Comment 19 makes clear that the methods an attorney may use to transmit confidential information that affords a reasonable expectation of privacy do not require special security measures. Some states, e.g. New York, hold that email is such a method that does not require special security measures. New York Ethics Opinion 709 (1998) found that email was no less a risk to disclosure of confidential information than other telecommunication mediums such as facsimiles or telephones. However, where the nature of the information is highly sensitive, then encrypted email transmission may be appropriate where not onerous to do so. See, e.g., Cal. Ethics Opinion 2010-179 (2010).
Ethics opinions require that attorneys exercise reasonable care to ensure the security and confidentiality of client data. This comes down to understanding the risks of using a particular technology with respect to client data. In the context of using the cloud, you must understand the security of the data as it gets loaded into a cloud platform, while it’s hosted and maintained in the cloud platform over time, what kind of access security (e.g.login requirements) exists, and what is the capability to transfer that data when it needs to be exported or produced and sent to the opposing party. Confidentiality is similar to security but is more concerned about the disclosure of client data to those who should not have it. Confidentiality agreements are often put in place to handle this requirement. Again, the standard is reasonable care. So what are some of the risks associated with using the cloud to process, host, review, and produce client data?
One risk of cloud computing is the risk of downtime. When choosing a cloud provider, you want to make sure that the data is available when you need it, where you need it, and that there are reasonable limits on access to the data. Oftentimes these risks can be controlled through service-level agreements (SLAs) that provide for a high percentage of uptime for the platform and a high percentage of confidentiality and security for the client materials. These SLAs can often be written into the particular agreements with your vendor.
Data theft prevention
Data theft is always a risk, regardless of where the data is stored. Again, it is the attorney’s obligation to take reasonable measures under the circumstances. Even in a paper world, documents can be subject to theft. Overall, it is always important to make sure that there are adequate security measures in place. When looking at a cloud environment, there are three main types of controls you should look for in a cloud provider: (1) technical controls (e.g. 2-factor authentication or IP address whitelists); (2) administrative controls (e.g. need-to-know personnel lists); and (3) physical controls (e.g. biometric access). Industry-recognized information security certifications, such those provided by the International Standardization Organization (ISO) or the Service Organization Control (SOC), may also provide some comfort that robust technical, administrative, and physical controls are in place.
There should be protection against loss of data and a process for redundancy of the database. Many times cloud providers will provide redundancy, but lawyers should ask about redundancy anytime they are considering hosting data in the cloud. Also, in the rare case that the data is lost, can it be restored? You should inquire into what mechanisms there are to allow for the data to be restored. Finally, there should be a continuity of the relevant technology to access the data. You have likely heard about a situation where backup tapes were found in a box somewhere and now there is no equipment to read them. Obtaining access to the data in those instances would be unduly burdensome. With the advent of cloud technology, it is important that the cloud technology software provider is keeping the software code up-to-date and is continuing to maintain it, update it, and improve the security to meet the ever-evolving security challenges that arise.
Ethics opinions require that no client data should be held hostage and that any efforts to remove clients’ data are easy. If there is a need to close the database, there should be a simple process to export the data (with work product) out of the database. There should be confirmation in writing; often times self-service download from the database is best. There should be no charges to take the data down or to receive the data with all of your work product. After the legal team is done and all of the redactions, tags, and productions are complete, the lawyer should be able to take all of the data down and preserve all of the work product.
Responsibility for non-lawyer assistance
MR 5.3 — With respect to a nonlawyer employed or retained by or associated with a lawyer:
(a) A partner . . . shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person’s conduct is compatible with the professional obligations of the lawyer.(b) A lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer
(b) A lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer
Model Rule 5.3 addresses your ethical duty to take reasonable efforts to ensure that any nonlawyers you hire conduct themselves in a manner that is compatible with your own professional obligations. Attorneys cannot become competent in cloud computing overnight when a new matter arises. One way to handle this is to reach out to an ediscovery vendor or consultant that can provide expertise in a certain area. However, lawyers cannot just hand off everything to an outside party without their further involvement. Attorneys still have an ethical duty to supervise and remain involved with the work.
Comment 3 provides examples of nonlawyers who may be retained to assist in rendering legal services. Examples provided include retaining an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information.
Comment 3 also states four factors to consider when retaining nonlawyer assistance. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including:
- The education, experience, and reputation of the nonlawyer;
- The nature of the services involved;
- The terms of any arrangements concerning the protection of client information;
- The legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
Modern legal teams should embrace the cloud for their clients’ data needs. State-of-the-art cloud environments provide superior security, scalability, integrated technology, and functionality. This is clearly evident in the ediscovery practice, where cloud environments enable legal teams to review and understand ESI at a pace that outstrips the older methodology of hard copy review, native review, or review on legacy software platforms that were not cloud-designed from the ground up. The cloud will provide law firms with the efficiencies and cost-savings that their clients demand from outside counsel. Not all state bars have published opinions on the ethical considerations of attorneys using the cloud for client data. However, of all the states that have published opinions on the topic, the unanimous decision is in favor of using the cloud, provided that the attorney does his/her due diligence to understand the risks and benefits of the technology in a reasonable effort to fulfill the ethical duties of preserving confidentiality and supervising any nonlawyers involved.
Interested in learning more? Read next: Demystifying the Cloud
 (no date) Tech Competence [Article]. Retrieved from: https://www.lawsitesblog.com/tech-competence
 (30 Sep 2016) Florida Supreme Court approves mandatory tech CLE classes for lawyers [Article]. Retrieved from: http://www.abajournal.com/news/article/florida_supreme_court_approves_mandatory_tech_cles_for_lawyers
 Oregon Formal Opinion No. 2011-188 (2011, rev. 2015).
 Ohio Informal Advisory Opinion 2013-03 (2013).