According to the American Bar Association 2015 Techreport, 31% of American lawyers utilize cloud computing or software as a service (SaaS) in their practice. We at Percipient are big fans of the cloud because the electronic discovery (e-discovery) software we tend to favor is cloud-based. However, cloud-based software for lawyers is not limited to e-discovery software. Modern practice management software and document storage services are often cloud-based solutions.
As the use of cloud computing increases, what are the ethical implications for lawyers storing client files remotely? In short, lawyers must observe their long-standing ethical obligation to preserve client confidences and conduct due diligence into any service or vendor used to store client information. To those ends, in early 2016 a consortium of legal cloud computing providers, the Legal Cloud Computing Association (LCCA), released its Security Standards providing guidelines for cloud service providers to ensure adequate protection of client data stored in the cloud in a manner consistent with lawyers’ ethical obligations.
Over 20 state and local bar associations have weighed in on cloud computing with ethics opinions. However, regardless of jurisdiction, most opinions share common underpinnings: preservation of confidential client information and a duty of due diligence to ensure that vendors or data storage services take adequate precautions to secure client data.
The starting point for legal ethics relating to cloud computing is an attorney’s obligation to keep client matters confidential. This obligation is generally found in state rules of professional conduct similar to Model Rule of Professional Conduct 1.6 which states that lawyers “shall not reveal information relating to the representation of a client unless the client gives informed consent.”
Of the opinions considering attorneys’ use of cloud storage and SaaS, the consensus is that use of cloud services is appropriate, provided the attorney uses reasonable care to ensure client data security. For instance, the Alabama Disciplinary Commission, drawing guidance from Arizona and Nevada, concluded in Opinion 2010-02 “that a lawyer may use ‘cloud computing’ or third party providers to store client data provided the attorney exercises reasonable care in doing so.” In Alabama, the lawyer’s duty of reasonable care requires them to: 1) learn how the provider secures data; 2) reasonably ensure the software provider abides by confidentiality agreements; and 3) keep abreast of safeguards to protect client data.
Other states describe a lawyer’s duty as one of “due diligence.” For instance, in Informal Opinion 2013-07 the Connecticut Bar Association Professional Ethics Committee found that “[i]n order to determine whether use of a particular technology or hiring a particular service provider is consistent or compliant with the lawyer’s professional obligations, a lawyer must engage in due diligence.” The Vermont Bar Association’s Professional Responsibility Section suggests in Opinion 2010-6 that due diligence often requires a reasonable understanding of:
Opinions, such as Iowa Bar Association Ethics Committee Opinion 11-01, acknowledge that “due diligence regarding information technology can be complex and requires specialized knowledge and skill. [However, a lawyer may rely] on the due diligence services of independent companies, bar associations or . . . its own qualified employees.”
The State Bar of California notes that a lawyer’s duty to protect confidential client information is also one of competence. Opinion 2010-179 notes that the “manner in which an attorney acts to safeguard confidential information is governed by the duty of competence . . . [which] includes taking appropriate steps to ensure both that secrets and privileged information of a client remain confidential and that the attorney’s handling of such information does not result in a waiver of privileges or protections.”
Several opinions, such as Connecticut’s (noted above) and Massachusetts Bar Association Opinion 12-03, also require that client information maintained in the cloud be subject to the lawyer’s reasonable access and control, and require lawyers to ensure software vendors and cloud service providers take adequate steps to prevent unauthorized access to the data.
In early 2016, the Legal Cloud Computing Association (LCCA), a consortium aiming to “facilitate the adoption of cloud computing within the legal profession”, released its Cloud Security Standards. The Standards provide guidelines for several aspects of cloud computing including data security, user access and control, and data privacy and ownership. Many of the suggested standards complement an attorney’s ethical duties relating to cloud computing.
For example, to protect client information, the LCCA standards suggest cloud service providers implement policies restricting disclosure of customer information to third parties, obtain recognized security certifications, encrypt data both during transfer and “at rest” and maintain data centers in multiple geographic locations to minimize the impact of natural disasters.
The standards also encourage the use of appropriate user access and control, including the ability to add and delete users and the ability to add and delete data. The LCCA standards also note that cloud service providers serving lawyers should provide explicit acknowledgement that data stored by the cloud service providers is owned by the user.
Although many of the legal ethics opinions addressing cloud computing observe a common theme of due diligence to preserve the confidentiality of client information, for specifics, lawyers must consult the rules of professional conduct in their state of practice. However, regardless of jurisdiction, the opinions generally share a common directive which is a part of a larger trend in legal ethics, especially as it relates to e-discovery, to keep abreast of changes in technology and the benefits of its use.