The iPad, the Cloud and Data Protection

August 5, 2010

To a casual observer, the legal world might seem to be in the grip of iPad mania. 

The Law Society Gazette recently devoted two pages to Apple’s new tablet and reported that Eversheds are considering a firm wide issue of iPads to their fee earners.  

Tablet computing in general is booming. Dell has already released the Streak tablet (running the Android operating system) and RIM are rumoured to have a Blackberry tablet in the works (will it really be called the ‘Blackpad’?). 

The response to my iPad Lawyer blog suggests that lawyers are generally investing in the iPad as a business device as well as a consumer gadget. The same was true of the iPhone, but the iPad’s larger display opens the door to reviewing (and even drafting) documents on the move, a key step toward the paperless office. 

Unfortunately, many of the lawyerly blogs and articles about the iPad overlook the issue of data security. 

Data Security 

Data on the iPad itself is protected by 256-bit AES encryption and should be secure provided the user sets a strong password. 

What is worrying are the ‘workarounds’ which users are adopting to get files onto the device in the first place. These are needed for two reasons.  

Firstly, users need to install Apple’s iTunes in order to transfer files to the iPad using a USB. If the IT department doesn’t support the iPad then this may not be possible.  

Secondly, transferring files by a USB is cumbersome anyway. Files can be loaded into different apps on the device, but there is no central file management system which the user can access. The solution is generally to use cloud-based storage. Dropbox, Sugarsync and Apple’s MobileMe iDisk seem to be the most popular (and I use Dropbox as an example in this article), but there are plenty of other options. Files stored on these cloud servers can be accessed by apps on the iPad. They also allow users to have the folder-based file management system which is lacking in the iPad. These services aren’t really enterprise solutions. They are typically low-cost or free and provided on standard click-wrap terms rather than under a formal service level agreement. I would categorise them as ‘consumer’ services. 

The theory for lawyers is that documents relating to a client’s matter are transferred and stored in the cloud so that they can be accessed on the iPad on the road, in meetings or even in court. This would be a great way to use the iPad, but unfortunately for UK-based lawyers there are serious professional conduct and data protection issues.  

Data Protection and Professional Conduct  

Using these services to store or transfer client information (or any other personal data) risks breaching the seventh and eighth data protection principles set out in the Data Protection Act 1998. 

Starting with the eighth principle, data stored in the cloud is likely to be transferred outside of the EEA. Many of the popular services are based outside the UK and rely in turn on services such as Amazon Web Services S3. There is no real indication of where data is likely to be physically stored and certainly no guarantee that it will not be outside the EEA. 

These services operate on click-wrap standard terms and conditions which don’t incorporate the relevant European Commission model clauses. This leaves firms in the position of trying to assess the adequacy of the protection which can be afforded to the data (for example by encrypting it at source before storing it on the cloud server). A law firm could always seek informed consent from their clients to storing data in this way, but I doubt that many of them have done so. 

Even if these requirements can be satisfied, there are further problems with the seventh principle (or more specifically under the requirements of paras 11 and 12 of part 2 of sch 1 to the DPA, which apply where processing of personal data is carried out by a data processor on behalf of the data controller). These paragraphs require a written contract with the cloud service (which is likely to be satisfied where the user accepts their terms and conditions when registering for the service). However, the contract must require the processor to act only on instructions from the data controller and ‘to comply with obligations equivalent to those imposed on a data controller by the seventh principle’. 

Just in case there was any doubt, the recently issued Personal Information Online Code of Practice specifically sets out the ICO’s view of the requirements for outsourcing to cloud storage providers. In order to store personal data on a cloud service: 

‘There must be a written contract in place… requiring the internet-based service provider to only act on your instructions and to have a level of security equivalent to yours.’ 

The Solicitors Code of Conduct doesn’t actually refer to cloud computing, but the notes to r 4 (Confidentiality) make it clear that, whilst it may be permissible to outsource storage of data: 

‘This would normally require confidentiality undertakings from the provider and checks to ensure that the terms of the arrangements regarding confidentiality are being complied with.’ 

I have reviewed the terms and conditions of several of these services and, unsurprisingly, they don’t contain any provisions which would satisfy the requirements of the DPA or the Solicitors Code of Conduct. They contain the usual provisions that service is provided on an ‘as-is’ basis at the risk of the user, exclude all warranties of any kind and state that the provider has no ‘responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use‘ of the service.  

There is nothing particularly unreasonable about this. These consumer cloud services provide a great deal of functionality for free (I use Dropbox for a lot of my personal documents and it is a great service) and it wouldn’t be commercially reasonable for them to underwrite the security of the data they store. However, these contractual terms simply don’t give the assurances which the user needs to have to comply with the DPA and the Solicitors Code of Conduct. 

The IT Department 

The Law Society Gazette article on the iPad quoted the CIO of Eversheds as saying ‘The message to fee-earners is: if you have a device, we will find a way to hook it up’. 

This isn’t an attitude I am familiar with from big firm IT departments, but I am starting to wonder if this is the most sensible approach from a data security perspective. 

Lawyers want to use these devices. They are likely to find a way to do so whether or not they are officially supported. Paradoxically, it is when the IT department tries to lock them out of the corporate network that the use of USB memory sticks and cloud storage (where the data security issues really arise) starts to creep in. Maybe it is better to enforce a policy that the IT department will support devices where possible, but that the use of unofficial ‘workarounds’ is prohibited.  

Reform of Data Protection Law? 

Is data protection law behind the times in treating cloud storage providers as data processors at all? 

If an employee of a law firm stores data on a USB memory stick there is no transfer to a data processor. The sch 1, part 2 requirements don’t apply and, provided that appropriate technical and organisational measures are taken to encrypt and back up the data, the firm should be in compliance with the DPA. 

On the other hand, a cloud storage service is clearly a data processor under the DPA (they are holding the data and carrying out other processing operations and are not an employee of the firm) and so the sch 1, part 2 requirements apply and the appropriate written contract with the supplier is needed. 

Taking Dropbox as an example, it is straightforward to encrypt data locally using Truecrypt before it is stored in the cloud and an up-to-date copy of the data is also kept locally on the user’s computer. Provided these requirements are met, why shouldn’t the cloud storage be treated as functionally equivalent to an encrypted USB memory stick or CD-ROM? 

The alternative is for these consumer level cloud services to enhance their offerings to comply with the DPA requirements. However, this will inevitably come with an ‘enterprise grade’ price tag attached. 

Conclusion 

What can we conclude from all of this?  

Firstly, individual lawyers need to be careful not to get carried away with shiny new gadgets. Earning your law firm a mention on the enforcement pages of the ICO website is unlikely to be a good career move – and neither is a breach of the Solicitors Code of Conduct. 

Secondly, IT departments and managers might want to look again at their IT policies. How do these cover use by fee earners of their own devices? Is it better to follow the approach followed by Eversheds by bringing your lawyers’ pet gadgets into the fold and ensuring they are supported in a way which promotes data security? 

Thirdly, either cloud service providers need to become DPA compliant or data protection law needs to embrace the realities of cloud computing. As the latter would require legislation to amend the DPA (and presumably an amendment to the Data Protection Directive which it implements), this seems unlikely in the short term. Until one of these takes place, lawyers (and their clients) who are subject to UK data protection laws need to be very wary of storing personal data in the cloud. 

Jon Bloor is Head of Corporate at Lees Solicitors LLP. He is also the author of the iPad Lawyer blog at http://ipadlawyer.co.uk/