ABA Ruling: Cloud Computing is Ethical
Cloud computing, a once unfamiliar concept, is becoming increasingly popular in law firms of all sizes and practice areas. In fact, the ABA reported that the percentage of lawyers who use cloud-based software and services jumped from 21% in 2012 to 31% in 2013!
Lawyers are taking advantage of the many benefits of the cloud, including cost savings, flexibility, disaster recovery and mobility.
As with any new technology, concerns about security and ethical issues arise. The ABA recently ruled cloud computing ethical so long as lawyers take “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client” and many State Bar Associations are following suit with ethics opinions and regulations of their own.
Use the map and chart below to browse ethics opinions in various states.
Specific Requirements or Recommendations*
Informal Opinion 2013-07
2011 Formal Ethics Opinion 6
Legal Ethics Opinion 1872
Advisory Opinion 2215
* Note that in most opinions, the specific steps or factors listed are intended as non-binding recommendations or suggestions. Best practices may evolve depending on the sensitivity of the data or changes in the technology.
** These opinions address issues which aren’t directly labeled cloud computing or software as a service, but which share similar technology (e.g. online backup and file storage).
Summary of Opinion
The Alabama Disciplinary Commission examined cloud computing specifically within the context of storing and producing client files. In that context, the Commission recognized certain benefits of cloud computing, including “the lawyer’s increased access to client data” and the possibility that it may also “allow clients greater access to their own files over the internet.” That said, the Commission recognized the “confidentiality issues that arise with the use of ‘cloud computing,’” specifically that “[c]lient confidences and secrets are no longer under the direct control of the lawyer or his law firm.”
After reviewing other opinions from both Arizona and Nevada, the Commission eventually concluded “that a lawyer may use “cloud computing” or third-party providers to store client data provided that the attorney exercises reasonable care in doing so.” The Commission defined reasonable care as requiring the lawyer to:
In the event that a breach of confidentiality occurs, “the focus of the inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.”
Finally, with regard to client files generally, the Commission emphasized that the format the lawyer uses to store client documents must allow the lawyer “to reproduce the documents in their original paper format,” and that the lawyer “must abide by the client’s decision in whether to produce the file in its electronic format … or in its original paper format.”
The State Bar of Arizona’s Ethics Committee reviewed a query from an Arizona lawyer interested in using “an encrypted online file storage and retrieval system for clients in which all documents are converted to password-protected PDF format and stored in online folders with unique, randomly-generated alpha-numeric names and passwords.”
In an earlier 2005 opinion, Arizona’s Committee had already approved electronic storage of client files where the lawyer or law firm takes “competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence.” The opinion stated that there were a “panoply of electronic and other measures … available to assist an attorney” in this regard, and that specific reasonable precautions included “firewalls, password protection schemes, encryption, anti-virus measures, etc.”
The opinion concluded that the “proposed online client file system appears to meet the requirements” outlined by the rules and the earlier ethics opinion, but did stress that “technology advances may make certain protective measures obsolete over time” and therefore “lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.”
Recognizing that a technology-by-technology analysis “would likely become obsolete” in a short amount of time, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct instead issued an opinion that “sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.”
The Committee stated that “transmission of information through a third party reasonably necessary for purposes of the representation should not be deemed to have destroyed the confidentiality of the information,” but that the “manner in which an attorney acts to safeguard confidential information is governed by the duty of competence.” Examining the issue of competence, the Committee declares that “the duty of competence includes taking appropriate steps to ensure both that secrets and privileged information of a client remain confidential and that the attorney’s handling of such information does not result in a waiver of any privileges or protections.”
The Committee next examines several factors that an attorney should consider before using a given type of technology. These include:
Summing up the opinion, the Committee states that a lawyer must take the appropriate steps to ensure that technology use “does not subject confidential client information to an undue risk of unauthorized disclosure” and must “monitor the efficacy of such steps” on an ongoing basis.
Addressing the question of “whether it is permissible under the Rules of Professional Responsibility for a lawyer to use cloud computing in the practice of law,” the Connecticut Bar Association’s Professional Ethics Committee found that “Lawyers who use cloud computing have a duty to understand its potential impact on their obligations under applicable law and under the Rules of Professional Responsibility.”
The opinion noted that “Lawyers’ remote storage of data is not a new phenomenon; lawyers have been using off-site storage providers for many years, and the issues remain the same whether tangible records are stored in a ‘brick-and-mortar’ warehouse or intangible data is stored on third party servers.” Recognizing the new ABA Model Rule 1.1 comment that lawyers should “keep abreast of changes in the law and practice, including the benefits and risks associated with relevant technology,” the Committee concluded that “[i]n order to determine whether use of a particular technology or hiring a particular service provider is consistent or compliant with the lawyer’s professional obligations, a lawyer must engage in due diligence.”
The Committee discussed several rules to be considered when engaged in this due diligence. They include:
This reference to Rule 5.3 seems to be the most important consideration for the Committee. In concluding its opinion, the Committee states that “the lawyer outsourcing cloud computing tasks…must exercise reasonable efforts to select a cloud service provider who…is able to limit authorized access to the data, ensure that the data is preserved…reasonably available to the lawyer, and reasonably safe from unauthorized intrusion.”
The Professional Ethics Committee of the Florida Bar examined the issues surrounding lawyers’ use of cloud computing because it “raises ethics concerns of confidentiality, competence, and proper supervision of nonlawyers.”
After identifying that confidentiality was the primary concern, the Committee stated that lawyers have an obligation “To maintain as confidential all information that relates to a client’s representation, regardless of the source,” and that obligation extends to ensuring the “confidentiality of information … maintained by nonlawyers under the lawyer’s supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.” Added to a lawyer’s obligation to remain current on developments in technology that affect the practice of law, the Committee concludes that lawyers using cloud technology “have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.”
After a review of comparable ethics opinions from other state and local bars, the Committee determined that it agreed with their general finding: cloud computing is permissible “as long as the lawyer adequately addresses the potential risks associated with it.”
The Committee goes on to favorably cite the New York State Bar Ethics Opinion 842 with regard to specific due diligence steps, and likewise notes Iowa’s Ethics Opinion 11-01 which lists appropriate considerations including using secure passwords, encrypting where possible, and more.
Finally, the Committee adds an additional note that lawyers should “consider whether the lawyer should use the outside service provider or use additional security in specific matters in which the lawyer has proprietary client information or has other particularly sensitive information.”
The Iowa State Bar Association’s Ethics Committee evaluated the broad question of whether a lawyer or law firm may use cloud computing or Software as a Service (SaaS). The Committee chose to take a “reasonable and flexible approach to guide a lawyer’s use of ever-changing technology” that “places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly.”
The opinion stressed that lawyers wishing to use SaaS “must ensure that there is unfettered access to the data when it is needed” and that lawyers must also “determine the nature and degree of protection that will be afforded the data while residing elsewhere.”
In describing these two key requirements, the opinion explores a number of questions that lawyers may need to ask before using such a service, including questions about the legitimacy of the provider, the location where data will be stored, the ability to remove data from the service, and so forth. In terms of data protection, the opinion stresses the need to perform due diligence regarding password protection, access to data, and the ability to encrypt data used in such a service.
The opinion concludes by noting that performing due diligence “can be complex and requires specialized knowledge and skill,” but allows that lawyers may discharge their ethical duties “by relying on the due diligence services of independent companies, bar associations or other similar organizations or through its own qualified employees.”
In earlier Opinion 194, the Maine State Bar Association’s Professional Ethics Commission conducted a limited review of confidential firm data held electronically and potentially handled by third-party vendors and technicians. Though not directly addressing the cloud, the opinion covered enough common issues that it was previously included in this comparison chart.
In January 2013, the Commission revisited the matter to “remove any uncertainty … by squarely and formally addressing the issue” of cloud computing and storage. Overall, the Commission determined that use of such technology was permissible if “safeguards are in place to ensure that the attorney’s use of this technology does not result in the violation of any of the attorney’s obligations under the various Maine Rules of Professional Conduct.”
As part of its review, the Commission noted that a number of rules were implicated by the use of cloud technology including 1.1, 1.3, 1.4, 1.6, 1.15, 1.16, 1.17, and 5.3. Yet at the same time, the Commission notes that the “overriding ethical constraints on counsel” have not changed with the evolution of technology; rather, the steps lawyers must take to satisfy those constraints have changed.
The Commission notes several internal policies and procedures that lawyers should consider to satisfy their obligations generally under the Rules, including backing up firm data, protecting the firm’s network with a firewall, limiting information provided to third parties, and much more. The full list of suggested policies runs to 10 items and draws heavily on Pennsylvania Formal Opinion 2011-200.
In addition to these general suggestions regarding a firm’s technology, the Commission suggests that firms should also carefully review the terms of service or SLA with providers and ensure adequate recognition of the lawyers’ professional responsibilities. In addition, lawyers should ensure data will be accessible if the service is terminated and that data will be destroyed at the request of the firm. Finally, lawyers should review the provider’s security and backup policies.
The Commission goes on to provide some specific guidance regarding how a lawyer may evaluate the provider’s technology and terms, including determining ownership of data, the provider’s ability to withstand infiltration attempts, and so on.
While the opinion includes several lengthy lists of suggested policies and steps to meet ethical obligations, the Commission is clear that the “dynamic nature of the technology make it impossible to list criteria that apply to all situations for all time” and thus adopts the view articulated by the North Carolina Ethics Committee that lawyers must stay educated “on computer technology as it changes and as it is challenged by and reacts to additional indirect factors such as third party hackers or technical failures.”
In this opinion, the Massachusetts Bar Association examined cloud computing in the context of a lawyer who wished to synchronize his files, including confidential client files, between multiple computers using a solution like Google Docs. The MBA recognized that other options were available and drafted the opinion to generally address storage of data in “Internet based storage solutions.”
Reviewing past opinions that dealt with electronic data and the duty to preserve confidentiality, the MBA Committee concluded that “the use of an Internet based storage provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances as long as Lawyer undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations.” [Emphasis in the original.]
The MBA Committee goes on to list several examples of “reasonable efforts,” including examining the provider’s written policies and procedures regarding confidential data, ensuring that those terms prohibit unauthorized access to data, ensuring that the lawyer will have reasonable access to and control over the data, examining the provider’s security practices (e.g. encryption, password protection) and service history, and periodically revisiting these topics to ensure continued acceptability.
The Committee also stresses that a lawyer “remains bound to follow an express instruction from his client that the client’s confidential information not be stored or transmitted by means of the Internet” and also that a lawyer “should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so.”
Finally, the Committee concludes by stating that ultimate responsibility for determining whether to use a cloud computing solution resides with the lawyer, who must make the determination “based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.”
Recognizing that technology has become pervasive in the practice, and that cloud computing in particular “is already a part of many devices” including smartphones and web-based email, New Hampshire sets out to explore the “effect on the lawyer’s professional responsibilities.”
The opinion focuses on four specific rules: Rule 1.1 Competence, Rule 1.6 Confidentiality, Rule 1.15 Safekeeping Property, and Rule 5.3 Responsibilities Regarding Nonlawyer Assistants. Beginning with Rule 1.1, the opinion notes that recent changes to the comments of ABA Model Rule 1.1 specifically reference the need to “keep abreast of changes in the law and its practice, including the benefits or risks associated with relevant technology.” As a result, the opinion stresses that a competent lawyer wishing to use the cloud must understand and guard against the risks inherent to it, and must stay abreast of changes in the technology, privacy laws, and applicable regulations.
On Rule 1.6, the opinion again looks at recent changes to the ABA Model Rules, particularly the factors relating to the reasonableness of a lawyer’s efforts to keep information confidential. As the relative sensitivity of the information is among those factors, and because not all information is alike, New Hampshire states that “consent of the client to use cloud computing may be necessary” where information is highly sensitive.
On Rule 1.15, the opinion discusses the need to safeguard the client’s property–including the client file. Where the contents of that file are stored in the cloud, the lawyer must “take reasonable steps to ensure that the electronic data stored in the cloud is secure and available while representing a client,” and that the data can be deleted from the cloud and returned to the client “after representation is concluded or when the lawyer decides to no longer preserve the file.”
Finally, on Rule 5.3, New Hampshire identifies cloud computing as a form of outsourcing and notes that this requires the lawyer to “make reasonable efforts to ensure that the provider understands and is capable of complying with its obligation to act in a matter compatible with the lawyer’s own professional responsibilities.” The opinion goes on to stress that this applies as well to any intermediaries the attorney may employ in selecting a provider, e.g. technology consultants or support staff.
While New Hampshire is clear that its opinion addresses a lawyer’s obligations and not the technical requirements of the cloud providers, it does conclude with a list of issues which an attorney must address before using the cloud. These include checking the provider’s reputation, assessing their security measures, and reviewing the terms of service among other factors.
The opinion from New Jersey’s Advisory Committee on Professional Ethics does not focus on cloud-computing specifically, but on the more general topic of storing client files in digital format (e.g. PDF). The committee notes that per an earlier opinion (Opinion 692), certain types of documents are considered “property of the client” and therefore “cannot be preserved…merely by digitizing them in electronic form.”
The Committee states, however, that “there is nothing in the RPCs that mandates a particular medium of archiving” for other common document types typically included in the client file, such as correspondence, pleadings, memoranda and briefs. Indeed, the Committee states that the lawyer’s “paramount consideration is the ability to represent the client competently, and given the advances of technology, a lawyer’s ability to discharge those duties may very well be enhanced by having client documents available in electronic form.” The Committee goes on to state that putting client documents online through a secure website “has the potential of enhancing communications between lawyer and client, and promotes the values embraced in RPC 1.4.”
The Committee does acknowledge that electronic document storage presents some risk of unauthorized access, and emphasizes that a lawyer’s obligation to maintain client confidentiality “requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure.” Reasonable care in this case “does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access.” When a lawyer entrusts confidential data to an outside party, however, the “touchstone” for reasonable care requires that “(1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data.”
The New York State Bar Association’s Committee on Professional Ethics examined the question of whether a lawyer could store clients’ confidential information online without violating professional responsibility rules, and if so, what steps the lawyer should take to ensure the data remains secure.
The Committee stresses that a lawyer’s duty to maintain client confidentiality includes an affirmative duty to exercise reasonable care in protecting confidential data. This includes exercising reasonable care to prevent inadvertent disclosure by the attorney’s staff, but does not mean “that the lawyer guarantees that the information is secure from any unauthorized access.” The Committee notes that “the exercise of reasonable care may differ from one case to the next” based on the sensitivity of the data.
Using online data storage to back up (i.e. preserve) client data is deemed ethically permissible where the lawyer has exercised reasonable care “to ensure that the system is secure and that client confidentiality will be maintained.” The Committee suggests that this might include ensuring that the vendor has an enforceable obligation to preserve confidentiality and security and will notify the lawyer if served with process requiring production of client data, investigating the vendor’s security and backup procedures, and using available technology to guard against reasonably foreseeable attempts to infiltrate it.
The Committee also writes that lawyers “should periodically reconfirm that the vendor’s security measures remain effective in light of advances in technology.” If the vendor’s methods are insufficient or if the lawyer learns of any breaches affecting the vendor, the lawyer must investigate to be sure his or her clients’ data wasn’t compromised and if necessary discontinue use of the vendor’s service. Lawyers should also stay abreast of general developments in technology insofar as they impact the transmission or storage of electronic files.
The State Bar of Nevada’s Standing Committee on Ethics and Professional Responsibility examined whether a lawyer violated their professional responsibility rules “by storing confidential client information and/or communications, without client consent, in an electronic format on a server or other device that is not exclusively in the lawyer’s control.”
The Committee provided that a lawyer “must act competently to safeguard against inadvertent or unauthorized disclosure of confidential client information” by taking “reasonable precautions.” The Committee likened the storage of data online to the storage of paper documents in a third-party warehouse, and stated that this was permissible “so long as the attorney observes the usual obligations applicable to such arrangements.” This would include, for example, choosing a vendor that “can be reasonably relied upon to maintain the confidentiality” of client data.
The opinion also noted that client consent isn’t necessary, but that a client “may give informed consent to a means of protection that might otherwise be considered insufficient.”
The North Carolina State Bar’s Ethics Committee examined two broad questions in its opinion on cloud computing: first, may a lawyer use cloud computing or software as a service, and second, what measures should a lawyer consider when evaluating a vendor or seeking to reduce the risks associated with the cloud?
On the first subject, the Committee’s answer is straightforward: yes, lawyers may use the cloud, “provided steps are taken to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property.” In taking these steps, the lawyer should apply “the same diligence and competency to manag[ing] the risks of SaaS that the lawyer is required to apply when representing clients.”
On the broader question of the appropriate measures a lawyer should take, the Committee begins by stating that it “does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing.” Rather, the Committee urges lawyers to exercise due diligence and educate themselves regularly about the subject.
The Committee does recommend several security measures, however, which include reviewing applicable terms and policies, and if necessary, negotiating terms regarding how confidential data will be handled. The Committee also suggests that the lawyer have a method of retrieving data if they leave the service or the vendor goes out of business, that the lawyer review the vendor’s backup strategy, and finally that the lawyer evaluate the vendor’s overall security measures.
The OSBA Informal Advisory Opinion examines a question of “whether [a] law firm may use a third-party vendor to store client data ‘in the cloud.’” While acknowledging that previous opinions and rules have traditionally examined “older data storage methods,” the Professional Committee writes that the “issues and ethical duties regarding cloud storage are analogous to the ones that apply when lawyers opt to use a vendor to store their paper files offsite rather than in their own offices.”
Thus, the Committee opts to take a “practical” approach by “applying existing principles to new technological advances while refraining from mandating specific practices.” More specifically, the Committee notes that rules about specific security measures would be superseded quickly by technological advances.
The Committee addresses the matter in four areas. First, it states that lawyers must “exercise ‘due diligence as to the qualifications and reputation of those to whom services are outsourced,’ and also as to whether the outside vendor will itself provide the requested services competently and diligently.” The Committee specifically suggests a Service Level Agreement and offers some guidance on the types of questions that vendors should be asked.
Next, the Committee looks at confidentiality and states that lawyers have a “duty…to maintain the confidentiality of all client data relating to the representation, irrespective of the form of that data, and to carry out that duty with due regard for the form that the data is in.” To preserve the confidentiality, a lawyer must exercise competence “(1) in selecting an appropriate vendor, (2) in staying abreast of technology issues that have an impact on client data storage and (3) in considering whether any special circumstances call for extra protection for particularly sensitive client information or for refraining from using the cloud to store such particularly sensitive data.” The Committee notes that terms of service that provide or suggest that the vendor has an ownership interest in the data “would violate the duty to keep client property ‘identified as such’.”
Third, the Committee looks at supervision of cloud vendors and states that putting data in the cloud “is almost by definition a service that lawyers will out-source,” thus “lawyers who contract with a cloud-storage vendor must make reasonable efforts to ensure that the vendor’s conduct is compatible with the lawyer’s own professional obligations.” On the fourth and final issue, the Committee states that lawyers should use judgment to determine if the circumstances require consultation with the client regarding the use of cloud computing. That might arise where the data is of a particularly sensitive nature.
The Oregon Committee found that a lawyer “may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” That compliance requires “reasonable steps” to ensure that the storage company will secure the client data and preserve its confidentiality.
The Committee stated that in some circumstances it may be sufficient for the vendor to be compliant with “industry standards relating to confidentiality and security,” but only where those standards “meet the minimum requirements imposed on the Lawyer by the Oregon RPCs.”
As examples of these requirements, the Committee suggests that lawyers should ensure that “the service agreement requires the vendor to preserve the confidentiality and security of the materials,” and that the vendor notify the lawyer if there’s any unauthorized third-party access to the lawyer’s files. The opinion also suggests that lawyers should “investigate how the vendor backs up and stores its data and metadata.”
Finally, the Committee notes that the reasonableness of the lawyer’s protective measures will be judged based on the technology available at the time of disclosure. In other words, the “vendor’s protective measures may become less secure or obsolete over time” and therefore the lawyer must reevaluate the measures periodically.
The Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility begins its opinion by recognizing that advances in technology, including the cloud, offer opportunities to “reduce costs, improve efficiency and provide better client service.” There’s also a genuine risk of data breach, particularly given a recent FBI warning that law firms are “being specifically targeted by hackers who have designs on accessing the firms’ databases.”
Noting that an earlier informal opinion (2010-060) had found that a lawyer may “ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney makes reasonable efforts to protect confidential electronic communications and information,” the Committee dedicates most of this formal opinion to addressing the nature of those “reasonable” efforts.
The Committee provides a 15-point list of possible steps a firm “may” take in exercising reasonable care with cloud computing. Several of these steps are routine elements of preserving client confidentiality (e.g. “[r]efusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission”), but others focus on specific technology issues:
Pennsylvania attorneys should review the full list published in the opinion.
The opinion goes on to stress that “some data may be too important to risk inclusion in cloud services,” and also notes that most states have data breach notification laws that lawyers should be familiar with and adhere to in the event that a data breach occurs.
The opinion also addresses the question of web-based email, which the Pennsylvania Committee lists as a type of cloud computing. It suggests that attorneys take reasonable precautions “to minimize the risk of unauthorized access to sensitive client information” when using webmail, possibly including specific steps like “encryption and strong password protection”–especially when the data is of a particularly sensitive nature.
The Vermont Bar Association’s Professional Responsibility Section addressed the “propriety of use by attorneys and law firms of Software as a Service (“SaaS”) which is also known as Cloud Computing.” In its analysis, it looked at storing client data in the cloud, possible data types that should not be stored online, as well as specific Cloud uses such as web-based email, calendaring, and remote document synchronization.
A significant portion of the Section’s analysis is focused on reviewing other recent cloud computing ethics opinions from other jurisdictions, including North Carolina, California, and New York. Drawing upon these opinions and its own analysis, the Section “agrees with the consensus view” that lawyers are obligated to provide “competent representation” while “maintaining confidentiality of client information, and protecting client property in their possession.” In choosing whether to use new technologies, including the cloud, lawyers must exercise their due diligence. The Section provides a list of steps a lawyer may take, though it stresses that it is not providing a formal “checklist of factors a lawyer must examine.”
This loose list of factors includes reviewing the vendor’s security, checking for limitations on access to or protection of data, reviewing terms of service, examining vendor confidentiality policies, weighing the sensitivity of data placed in the cloud, reviewing other regulatory obligations, and requiring notice if a third party accesses or requests access to data.
In addition to those factors, the Section adds that a lawyer may consider giving notice to the client when using the cloud to store the client’s data, and may want to look to expert third parties to review the vendor’s security and access systems. Finally, the Section stresses that lawyers should take “reasonable measures to stay apprised of current developments regarding SaaS systems and the benefits and risks they present.”
Virginia Legal Ethics Opinion 1872 examines a variety of ethical issues associated with virtual law offices, including the use of cloud computing. This summary focuses specifically on the elements of the opinion dealing with cloud computing, but readers are encouraged to view the full text of the opinion to understand the context.
The opinion begins by stating that lawyers “must always act competently to protect the confidentiality of client information, regardless of how that information is stored/transmitted,” but notes that the task may be more challenging when the information is being “transmitted and/or stored electronically through third-party software and storage providers.”
The opinion notes that the duty is not to “absolutely guarantee that a breach of confidentiality cannot occur,” only to “act with reasonable care to protect information relating to the representation of a client.”
Specifically, lawyers are instructed to carefully select vendors, instruct the vendor to preserve confidentiality, and to have a reasonable expectation that the vendor will in fact keep data confidential and inaccessible. To do that, lawyers must “examine the third party provider’s use of technology and terms of service” and, if they’re unable to make an assessment on their own, “consult with someone qualified to make that determination.”
In Advisory Opinion 2215, the Washington State Bar Association’s Rules of Professional Conduct Committee examined lawyers’ ethical obligations relating “to the use of online data storage managed by third party vendors to store confidential client documents.” The opinion focused specifically on data storage rather than the broader category of cloud computing, but addressed many issues common to both platforms.
In its analysis, the Committee noted that such an arrangement places “confidential client information … outside of the direct control of the lawyer” and thus raises some concern. In particular, the Committee notes lawyers’ obligations to preserve confidentiality under RPC 1.6 and to protect client property under RPC 1.15A.
Acknowledging that specific guidelines regarding security are impossible “because the technology is changing too rapidly,” and also noting that it’s “impractical to expect every lawyer who uses such services to be able to understand the technology sufficiently in order to evaluate a particular service provider’s systems,” the Committee nonetheless suggested that a lawyer must conduct a due diligence investigation of the provider and “cannot rely on lack of technological sophistication to excuse the failure to do so.”
The Committee offered several steps to conduct such a due diligence investigation, including familiarizing oneself with the risks of online data storage, evaluating the provider’s history, comparing terms with other providers, ensuring notice of any non-authorized access to the lawyer’s data, and generally ensuring that data is secured and backed up.
Finally, the Committee also noted that under RPC 1.1 a lawyer has a duty to stay abreast of changes in the law and its practice, and that necessarily includes staying informed about the risks associated with the technology the lawyer employs in his or her practice. As technology evolves, the lawyer must also “monitor and regularly review the security measures of the provider” he or she uses for online data storage.