ABA Ruling: Cloud Computing is Ethical

Cloud computing, a once unfamiliar concept, is becoming increasingly popular in law firms of all sizes and practice areas. In fact, the ABA reported that the percentage of lawyers who use cloud-based software and services jumped from 21% in 2012 to 31% in 2013!

Lawyers are taking advantage of the many benefits of the cloud, including cost savings, flexibility, disaster recovery and mobility.

As with any new technology, concerns about security and ethical issues arise. The ABA recently ruled cloud computing ethical so long as lawyers take “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client” and many State Bar Associations are following suit with ethics opinions and regulations of their own.

Use the map and chart below to browse ethics opinions in various states.

 

 
Jurisdiction
Permitted?
Standard?
Specific Requirements or Recommendations*
Yes
Reasonable Care
  • Know how provider handles storage/security of data.
  • Reasonably ensure confidentiality agreement is followed.
  • Stay abreast of best practices regarding data safeguards.
ARIZONA**
Opinion 09-04
Yes
Reasonable Care
  • “Reasonable security precautions,” including password protection, encryption, etc.
  • Develop or consult someone with competence in online computer security.
  • Periodically review security measures.
Yes
Reasonable Care
  • Evaluate the nature of the technology, available security precautions, and limitations on third-party access.
  • Consult an expert if lawyer’s technology expertise is lacking.
  • Weigh the sensitivity of the data, the impact of disclosure on the client, the urgency of the situation, and the client’s instructions.
CONNECTICUT
Informal Opinion 2013-07
Yes
Reasonable Care
  • Lawyer’s ownership and access to the data must not be hindered.
  • Security policies and processes should segregate the lawyer’s data to prevent unauthorized access to the data, including by the cloud service provider.
Yes
Reasonable Care
  • Ensure provider has enforceable obligation to preserve confidentiality and security, and will provide notice if served with process.
  • Investigate provider’s security measures.
  • Guard against reasonably foreseeable attempts to infiltrate data.
IOWA
Opinion 11-01
Yes
Reasonable Care
  • Ensure unfettered access to your data when it is needed, including removing it upon termination of the service.
  • Determine the degree of protection afforded to the data residing within the cloud service.
Yes
Reasonable Care
  • Ensure firm technology in general meets professional responsibility constraints.
  • Review provider’s terms of service and/or service level agreements.
  • Review provider’s technology, specifically focusing on security and backup.
MASSACHUSETTS
Opinion 12-03
Yes
Reasonable Care
  • Review (and periodically revisit) terms of service, restrictions on access to data, data portability, and vendor’s security practices.
  • Follow clients’ express instructions regarding use of cloud technology to store or transmit data.
  • For particularly sensitive client information, obtain client approval before storing/transmitting via the internet.
NEW HAMPSHIRE
Opinion #2012-13/4
Yes
Reasonable Care
  • Have a basic understanding of technology and stay abreast of changes, including privacy laws and regulations.
  • Consider obtaining client’s informed consent when storing highly confidential information.
  • Delete data from the cloud and return it to the client at the conclusion of representation or when the file must no longer be preserved.
  • Make a reasonable effort to ensure cloud providers understand and act in a manner compatible with a lawyer’s professional responsibilities.
NEW JERSEY**
Opinion 701
Yes
Reasonable Care
  • Vendor must have an enforceable obligation to preserve confidentiality and security.
  • Use available technology to guard against foreseeable attempts to infiltrate data.
NEW YORK
Opinion 842
Yes
Reasonable Care
  • Vendor must have an enforceable obligation to preserve confidentiality and security, and should notify lawyer if served with process for client data.
  • Use available technology to guard against foreseeable attempts to infiltrate data.
  • Investigate vendor security practices and periodically review to be sure they remain up-to-date.
  • Investigate any potential security breaches or lapses by vendor to ensure client data was not compromised.
Yes
Reasonable Care
  • Choose a vendor that can be reasonably relied upon to keep client information confidential.
  • Instruct and require the vendor to keep client information confidential.
Yes
Reasonable Care
  • Review terms and policies, and if necessary re-negotiate, to ensure they’re consistent with ethical obligations.
  • Evaluate vendor’s security measures and backup strategy.
  • Ensure data can be retrieved if vendor shuts down or lawyer wishes to cancel service.
Yes
Reasonable Care
  • Competently select appropriate vendor.
  • Preserve confidentiality and safeguard client property.
  • Provide reasonable supervision of cloud vendor.
  • Communicate with the client as appropriate.
Yes
Reasonable Care
  • Ensure service agreement requires vendor to preserve confidentiality and security.
  • Require notice in the event that lawyer’s data is accessed by a non-authorized party.
  • Ensure adequate backup.
  • Re-evaluate precautionary steps periodically in light of advances in technology.
PENNSYLVANIA
Opinion 2011-200
Yes
Reasonable Care
  • Exercise reasonable care to ensure materials stored in the cloud remain confidential.
  • Employ reasonable safeguards to protect data from breach, data loss, and other risk.
  • See full opinion for 15-point list of possible safeguards.
Yes
Reasonable Care
  • Take reasonable precautions to ensure client data is secure and accessible.
  • Consider whether certain types of data (e.g. wills) must be retained in original paper format.
  • Discuss appropriateness of cloud storage with client if data is especially sensitive (e.g. trade secrets).
Yes
Reasonable Care
  • Exercise care in selection of the vendor.
  • Have a reasonable expectation the vendor will keep data confidential and inaccessible.
  • Instruct the vendor to preserve the confidentiality of information.
Yes
Reasonable Care
  • Conduct a due diligence investigation of any potential provider.
  • Stay abreast of changes in technology.
  • Review provider’s security procedures periodically.
* Note that in most opinions, the specific steps or factors listed are intended as non-binding recommendations or suggestions. Best practices may evolve depending on the sensitivity of the data or changes in the technology.
** These opinions address issues which aren’t directly labeled cloud computing or software as a service, but which share similar technology (e.g., online backup and file storage).