Law Society of South Africa guidelines
This guideline has been compiled to provide background information and to serve as a tool to assist attorneys in South Africa (SA). The views, conclusions and recommendations contained in this guideline are not to be regarded or construed as legal advice or as establishing any standard or legal obligation. Reliance on the contents of this document is at the reader’s own will. Neither the Law Society of South Africa (LSSA) nor any member of the E-Law Committee shall be liable for any loss or damage arising in any way from use of or reliance on the contents.
Executive summary
When making use of Internet-based technologies in legal practice, lawyers should exercise due diligence before utilising a third-party service provider for purposes of storing or processing confidential information offsite. In addition, a written agreement should be concluded that requires the service provider to establish and maintain measures that ensure the security of any personal information stored by the service provider as well as the protection and integrity of any confidential or privileged client information.
‘Cloud computing’ is an expression used to describe a variety of different computing models that involve a number of computers connected via the Internet. The term is generally used to describe third-party hosted services that run server-based software from a remote location.
Cloud computing is not new to the legal field. It has been around for a number of years and many lawyers would already be familiar with a number of cloud computing service providers, including web-based e-mail service providers. Cloud computing offers flexible, affordable technologies that directly address a company’s objectives and goals by providing required functionality, reducing overhead expenditure and increasing mobility and convenience.
While cloud computing offers many benefits, it also introduces several new risks that lawyers must take into consideration since cloud computing often means entrusting data to a third party.
Many foreign law societies and Bar associations around the world have determined that lawyers may use cloud computing technologies in their law practice without compromising their ethical duties towards their clients, ‘as long as the lawyer takes reasonable steps [or reasonable protective measures] to ensure that sensitive client information remains confidential’ (NHBA Ethics Committee ‘Ethics Committee Advisory Opinion #2012-13/4 The Use of Cloud Computing in the Practice of Law’ www.nhbar.org).
The general consensus internationally is that the use of cloud computing does not violate any ethical duty (and in many instances may go some way towards upholding them) provided that reasonable care is taken effectively to minimise any risks pertaining to the confidentiality and security of client information and client files (see North Carolina State Bar ‘Proposed 2010 Formal Ethics Opinion 7’ www.rocketmatter.com) with the onus of evaluating a cloud provider’s security infrastructure placed on the law firm or practitioner (see the opinions by the Florida Bar www.floridabar.org and the New Hampshire Bar Association www.nhbar.org).
In determining whether or not a lawyer has taken ‘reasonable steps’ or put into place ‘reasonable protective measures’, the facts and circumstances of each case should be taken into account; however, guidance can be obtained from the LSSA’s previously published guides on information security and the protection of personal information (LSSA ‘Information Security Guidelines for Law Firms’ www.lssa.org.za).
Ethical duties and responsibilities impacting on the use of cloud computing
A number of ethical duties and responsibilities have been identified internationally that impact on the use of cloud computing technologies. Many of these follow on or support the main duty of a lawyer to take ‘reasonable steps’ to protect confidential client data. A summary of some of these internationally identified duties (and the law society which identified it) is set out below, including some ethical duties previously identified by the LSSA:
Duty of competence
Lawyers have access to high volumes of information and what is undeniably an obligation of every lawyer today is the proper governance of such information (see LSSA op cit). We have moved from a paper and text environment to one of electronic records and communications and the proper governance of maintaining confidentiality in electronic records and communications is hugely different to what is necessary in the text and paper environment (see LSSA op cit).
In a guidance note written by the Canadian Bar Association entitled ‘Information to Supplement the Code of Professional Conduct Guidelines for Practicing Ethically with New Information Technologies’ September 2008 at 5 (www.lawsociety.nu.ca), the following comment is pertinently made:
‘To meet the ethical obligation for competence in Rule II [i.e. to perform any legal services undertaken on a client’s behalf competently] lawyers must be able to recognise when the use of technology may be necessary to perform a legal service on that client’s behalf and must use the technology responsibly and ethically.
Lawyers may satisfy this duty by personally having a reasonable understanding of the technology and using it, or by seeking assistance from others who have the necessary proficiency’.
The LSSA has stated that ‘attorneys are required to act reasonably and diligently in fulfilling their professional obligations’ (see LSSA op cit). The LSSA has stated further that ‘one of these obligations must be that in using modern technology they do not compromise the rights of their clients arising from the attorney/client relationship’ (see LSSA op cit).
The LSSA has also clarified that it will likely not only be confidential legal data that is stored in the cloud but personal information too. Therefore, in accordance with the principles and objectives of POPI, there should be a written agreement concluded between the lawyer and the provider of the cloud computing services that requires the service provider to ‘establish and maintain measures that ensure that security of the personal information and protect the integrity and confidentiality of information’ (s 21(2) of the Protection of Personal Information Bill) (see Heyink op cit).
Hosting information within SA
There are five key points of consideration when contemplating making use of a service provider to store and/or host electronic information.
1 Inadvertent waiver of privilege
Discovery for litigation is becoming increasingly efficient when electronic discovery platforms and service providers are used to manage and review the large numbers of documents for pre-trial preparation. It is important to note that placing documents by a service provider on a database system for review does not amount to waiver of privilege, but sharing access to that database with opposing counsel may be a waiver of privilege if privileged documents are disclosed to opposing counsel.
In ThornCreek Apartments III, LLC et al v Village of Park Forest et al ND Ill 2011 the court applied the rules contained in the amended Federal Rule of Evidence Rule 502(b), which states that a disclosure of privileged information does not operate as a waiver if three elements are met: ‘(1) the disclosure is inadvertent; (2) the holder of the privilege or protection took reasonable steps to prevent disclosure; and (3) the holder promptly took reasonable steps to rectify the error’. The court found that privilege had been waived where the vendor had produced privileged documents on disclosure to the opposing counsel, after holding that the attorney’s procedures for privileged review were completely ineffective and that it had little confidence in the reasonableness of the attorney’s precautions regarding disclosure.
Lawyers need to be aware of the importance of taking reasonable steps to protect against inadvertent disclosure and to perform due diligence on potential service providers to ensure against inadvertent disclosure. A crucial point to take into consideration is that if documents are provided to a third-party service provider who does not have in place the requisite security protocols, then inadvertent disclosure could also lead to an inadvertent waiver of privilege.
2 Hosting with an SA service provider
The use of cloud computing technologies is not inconsistent with a lawyer’s ethical duties, provided that lawyers exercise due diligence before utilising a third-party service provider for confidential data storage or information processing in the cloud. In addition, a written agreement should be concluded that requires the service provider to establish and maintain measures that ensure the security of any personal information stored by the service provider, as well as the protection of the integrity and confidentiality of client information.
An SA lawyer should therefore look towards an SA-hosted solution when considering the use of cloud computing services, for both their own and their client’s needs, due to the advantages of hosting data with an SA-headquartered company with SA servers, which can offer clients a solution that avoids the reach of any extraterritorial data seizures.
3 Foreign jurisdiction (safe harbour – European Union)
When using a cloud service provider not domiciled in SA, it is key to be aware of any foreign law, which may be applicable under the circumstances for the use and storage of information electronically within that jurisdiction and when using a cloud service provider.
For example, the ‘European Union Directive on the Protection of Individuals with Regards to the Processing of Personal Data and on the Free Movement of Such Data’ (ch 1, Article 4. Hereinafter referred to as the Directive. Found at http://eur-lex.europa.eu) acts as a guideline for European Union (EU) member states and requires that these states enact local data protection laws adopting the principles of data protection and privacy, which are laid out in the Directive. As part of this formalised system of data privacy legislation, companies operating in the EU are not permitted to send personal data to countries outside of the member states (including countries that fall outside of the European Economic Area) unless that state can guarantee that its local laws comply with the levels of data protection laid out in the Directive.
In order to assist the United States (US) in meeting the EU data protection requirements a new framework, called the Safe Harbour Privacy Principles, has been developed and aimed at companies within the EU or US that store customer data, in an attempt to protect such data by preventing accidental disclosure or loss of such personal information (Wikipedia The Free Encyclopaedia ‘International Safe Harbour Privacy Principles’ http://en.wikipedia.org). However, the EU Commission conducted a review of this framework and on 5 June 2013 adopted Opinion 06/2013 (Drafted by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data set up by Directive 95/46/EC, having regard to Articles 29 and 30 of that Directive. Found at http://ec.europa.eu) on open data and public sector information reuse, which in essence came to the conclusion that the Safe Harbour Privacy Principles may not in actual fact be safe enough.
Lawyers looking to host data outside of SA should thus take these considerations into account and take note that your company will be subject to that particular country’s laws surrounding the storing and monitoring of data. For example, Dropbox received requests for user information from the US government in relation to 164 user accounts in 2012 (L Essers ‘Dropbox pushes to publish spy data request details’ www.pcworld.com).
For example, lawyers need to be aware that if they host data anywhere in the world with a US-headquartered service provider then, irrespective of where the data is hosted, the service provider will be obliged to disclose all data and client information upon the issuing by a federal court of a search warrant for such data in response to US investigations. This is a direct result of the judgment delivered in New York by US District Judge Loretta Preska on 31 July 2014 (see In re: A Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp, US District Court, Southern District of New York, No. 13-mj-02814.). The judgment has been stayed to allow the parties to appeal the ruling; however, the implications are that data hosted with US companies is now subject to seizure by US investigators anywhere in the world.
4 South African Revenue Service
Lawyers need to maintain awareness of any relevant South African Revenue Service (Sars) ruling for electronic storage of accounting records.
For example, in GN 787 GG35733/1-10-2012 the Commissioner for Sars prescribed that taxpayers are allowed to keep records, in terms of s 29 of the Tax Administration Act 28 of 2011, in an electronic form, so long as the rules contained in the notice are observed.
Rule 3.2 of the notice defines an ‘acceptable electronic form’ as a form in which ‘the integrity of the electronic record satisfies the standard contained in section 14 of the Electronic Communications and Transactions Act’. In addition, it is required that ‘the person required to keep “records” is able to, within a reasonable period when required by Sars –
(i) to provide Sars with an electronic copy of the “records” in a format that Sars is able to readily access, read and correctly analyse;
(ii) send the “records” to Sars in an electronic form that is readily accessible by Sars;
(iii) or provide Sars with a paper copy of those “records”’.
Rule 4 requires that the ‘“records” retained in electronic form must be kept and maintained at a place physically located in South Africa’. Electronic documents may not, therefore, be retained outside of SA without a senior Sars official’s authorisation and consent.
Rule 6 places a requirement on persons who keep records in an electronic format to ‘ensure that measures are in place for the adequate storage of the “electronic records” for the duration of the period referred to in section 29 of the Act’, for a period of not less than five years.
5 Conduct vendor due diligence
Due diligence should be conducted on cloud service providers to actively verify the cloud vendor’s security standards, prior to hosting with such a service provider. Such due diligence constitutes reasonable steps, which a lawyer must take to ensure that sensitive client information is protected and remains confidential, and to identify whether or not the service provider and the technology they use support the lawyer’s professional obligations, including compliance with applicable law societies’ regulatory processes.
This article was first published in De Rebus in 2015 (Dec) DR 30.