The Legal Ethics of Cloud Computing & SaaS

According to the American Bar Association 2020 Techreport, 60% of its survey participants answered “yes” to the basic question of whether they had used web based or software as a service (SaaS) applications in their practice.

As the use of cloud computing by lawyers increases, what are the ethical implications for lawyers storing client files remotely? In short, lawyers must observe their long-standing ethical obligation to preserve client confidence and conduct due diligence into any service or vendor used to store client information. To those ends, in early 2016 a consortium of legal cloud computing providers, the Legal Cloud Computing Association (LCCA), released its Security Standards providing guidelines for cloud service providers to ensure adequate protection of client data stored in the cloud in a manner consistent with lawyers’ ethical obligations.

State Bar Ethics Opinions Regarding Cloud Storage

At least 30 state and local bar associations have weighed in on the legal ethics of cloud computing. However, regardless of jurisdiction, most opinions share common underpinnings: preservation of confidential client information and duty of due diligence to ensure that vendors or data storage services take adequate precautions to secure client data.

Duty of Reasonable Care and Due Diligence

The starting point for legal ethics and cloud computing for lawyers is an attorney’s obligation to keep client matters confidential. This obligation is generally found in state rules of professional conduct similar to Model Rule of Professional Conduct 1.6 which states that lawyers “shall not reveal information relating to the representation of a client unless the client gives informed consent.”

Of the opinions considering attorneys’ use of cloud storage and SaaS, the consensus is that the use of cloud services is appropriate, provided the attorney uses reasonable care to ensure client data security.  For instance, the Alabama Disciplinary Commission, drawing guidance from Arizona and Nevada, concluded in Opinion 2010-02 that lawyer cloud computing and the use third parties to store client data is permissible “provided the attorney exercises reasonable care in doing so.”  In Alabama, the lawyer’s duty of reasonable care requires them to 1) learn how the provider secures data; 2) reasonably ensure the software provider abides by confidentiality agreements, and 3) keep abreast of safeguards to protect client data.

Similarly, California Opinion 2010-179 notes that when lawyers use technology in connection with client information they must  evaluate the nature of the technology and understand all of the available security precautions as well as limitations on third party access or consult an expert if need be.

Other states describe a lawyer’s duty when choosing SaaS and cloud computing services as one of “due diligence.” For instance, in Informal Opinion 2013-07 the Connecticut Bar Association Professional Ethics Committee found that “[i]n order to determine whether use of a particular technology or hiring a particular service provider is consistent or compliant with the lawyer’s professional obligations, a lawyer must engage in due diligence.”

The Vermont Bar Association’s Professional Responsibility Section suggests in Opinion 2010-6 that due diligence often requires a reasonable understanding of:

• the vendor’s security system;
• the practical and foreseeable limits to the lawyer’s access, protection, and retrieval of the data;
• the material terms of the user agreement;
• the vendor’s commitment to protecting the confidentiality of the data;
• the nature and sensitivity of the stored information;
• the notice provisions when third parties seek access to the data; and
• the applicable regulatory, compliance, and document retention obligations based upon the nature of the data and the lawyer’s practice.

Similarly, Louisiana Opinion 19-RPCC-021 notes that “when a lawyer decides to use a non-lawyer technology service provider or computer consultant, that lawyer should take reasonable steps to ensure that ethical standards and responsibilities of the lawyer are met by the conduct of the service provider or consultant.”

Opinions, such as Iowa Bar Association Ethics Committee Opinion 11-01, acknowledge that “due diligence regarding information technology can be complex and requires specialized knowledge and skill. [However, a lawyer may rely] on the due diligence services of independent companies, bar associations or . . . its own qualified employees.”

Cloud Computing and SaaS May Implicate an Attorney’s Duty of Competence

The State Bar of California notes that a lawyer’s duty to protect confidential client information is also one of competence.  Opinion 2010-179 notes that the “manner in which an attorney acts to safeguard confidential information is governed by the duty of competence . . . [which] includes taking appropriate steps to ensure both that secrets and privileged information of a client remain confidential and that the attorney’s handling of such information does not result in a waiver of privileges or protections.”  (It is also worth noting that lawyers may also be obligated to understand the SaaS and technology products used by clients.)

Lawyers Must Have Access to Data Stored in the Cloud

Several opinions, such as Connecticut’s (noted above) and Massachusetts Bar Association Opinion 12-03 also require that client information maintained in the cloud be subject to the lawyer’s reasonable access and control and requires lawyers to ensure software vendors and cloud service providers take adequate steps to prevent unauthorized access to the data. Some state’s opinions, like New York Opinion 842, require that cloud service providers used by attorneys must “have an enforceable obligation to preserve confidentiality and security.”

LCCA Cloud Security Standards

In early 2016, the Legal Cloud Computing Association (LCCA), a consortium aiming to “facilitate the adoption of cloud computing within the legal profession”, released its Cloud Security Standards. The Standards provide guidelines for several aspects of cloud computing including data security, user access and control, and data privacy and ownership. Many of the suggested standards compliment an attorney’s ethical duties relating to cloud computing

For example, to protect client information, the LCCA standards suggest cloud service providers implement policies restricting disclosure of customer information to third parties, obtain recognized security certifications, encrypt data both during transfer and “at rest” and maintain data centers in multiple geographic locations to minimize the impact of natural disasters.

The standards also encourage the use of appropriate user access and control, including the ability to add and delete users and the ability to add and delete data. The LCCA standards also note that cloud service providers serving lawyers should provide an explicit acknowledgment that data stored by the cloud service providers are owned by the user.

Check Local Rules

Although many of the legal ethics opinions addressing cloud computing observe a common theme of due diligence to preserve the confidentiality of client information, for specifics, lawyers must consult the rules of professional conduct in their state of practice. However, regardless of jurisdiction, the opinions generally share a common directive which is a part of a larger trend in legal ethics, especially as it relates to e-discovery, to keep abreast of changes in technology and the benefits of its use.

Additional Legal Ethics Articles

Lawyers’ Duty of Technology Competence By State in 2021

Must Lawyers Supervise the Robots? (The Legal Ethics of AI)

E-Discovery Ethical Conundrums (In-House Counsel Edition)