E-Discovery Search Blog

Home / Cloud Computing / Is it Ethical to Store Client Data in the Cloud?

Is it Ethical to Store Client Data in the Cloud?

by John Tredennick | December 13, 2010

As lawyers move from paper into the digital age, we create new strains on the ethical fabric of the law. Are cell phone conversations privileged? Will that email from my client be protected from a claim of waiver?

Many of us can remember those debates as we waited patiently for opinions from state bar ethics committees that would either hinder or help the advance of these new technologies in the law. Of course, the answer was yes. Lawyers are free to use cell phones and email to communicate in confidence with their clients. How could it be otherwise?

Today the ethical debate has moved to the cloud. The Ethics Committee of the Alabama State Bar recently issued Ethics Opinion 2010-02, Retention, Storage, Ownership, Production and Destruction of Client Files, and for the first time addressed the issue of cloud computing. Is it ethical to store client files in the cloud? Does it matter that client files would be under the control of a non-lawyer third party who could have its way with them? What are the rules and requirements if I want to get rid of my own servers?

What is Cloud Computing?

You would need to be permanently offline not to realize that cloud computing is the next step in the Internet revolution. Rather than buy, configure, install, support and maintain expensive software and hardware, some people are looking to the cloud for these services. Others use the cloud for backup and, increasingly, for document storage.

The Alabama Ethics Committee cited a recent ABA Journal article for its definition of the cloud and cloud computing:

According to a recent ABA Journal article on the subject, “cloud computing” is a sophisticated form of remote electronic data storage on the internet. Unlike traditional methods that maintain data on a computer or server at a law office or other place of business, data stored ‘in the cloud’ is kept on large servers located elsewhere and maintained by a vendor.

Citing Richard Acello, “Get Your Head in the Cloud,” ABA Journal, April 2010, at 28-29.

There are, of course, more sophisticated definitions. Wikipedia describe Cloud Computing this way:

Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, as with the electricity grid. . . . Cloud computing describes a new supplement, consumption, and delivery model for IT services based on the Internet, and it typically involves over-the-Internet provision of dynamically scalable and often virtualized resources. It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet. This frequently takes the form of web-based tools or applications that users can access and use through a web browser as if it were a program installed locally on their own computer.

The National Institute of Standards and Technology (NIST) provides perhaps a more official definition of cloud computing:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud computing, at least through what we might call “Private Cloud” services, is nothing new in the world of big litigation. Many of us have been hosting highly confidential litigation documents via the Internet cloud for more than a decade. Been there, done that, got the t-shirt.

But it is new with respect to other applications. How about dumping that email server in favor of the cloud? Here at Catalyst, we did and switched to Gmail and its enterprise package. Granted, we had some initial complaints during the changeover but since then the service has worked fine. I can’t imagine anyone asking to reinstall an Exchange server or, God forbid, to buy Lotus Notes.

Likewise, what if we stopped buying and supporting Microsoft Office applications such as Word, Excel and perhaps even PowerPoint? Google Docs offers an attractive alternative to local software for those with good Internet connectivity. My folks really like the shared, multi-edit capabilities of the Google spreadsheet application. Maybe we should stop paying Microsoft for its licenses? Plenty of people are doing just that.

And, most importantly, the notion of cloud computing is new to the legal bar. Alabama wasn’t the first to address the question but is one of the leaders on the subject. The state bars of Nevada and Arizona have also addressed the ethical issues of cloud computing and reached similar conclusions. And the Ethics Committee of the North Carolina State Bar has written extensively about the ethics of SAAS-based cloud services. For two reports on that opinion, see The Legal Ethics of Cloud Computing, posted on May 20, 2010, by Bob Ambrogi, and N.C. Ethics Opinion on SaaS Merits Broader Inquiry, posted on May 24, 2010, by John Tredennick.

Bill Kellermann, who heads electronic discovery over at Wilson Sonsini, tells me he has heard that Florida and the American Bar Association Technology Committee are due to release opinions on cloud computing soon as well.

Is it Ethical to Store Client Documents and Data in the Cloud?

The word from the bar is yes. A lawyer may store documents or data through a third-party cloud provider without violating client confidences or waiving the privilege. The Alabama Ethics Committee took a practical and forward-looking approach to its analysis in reaching this conclusion. I am not sure there was any other real choice but I think the committee’s reasoning was impeccable. Hats off to the bar for helping lawyers keep up with the times.

The committee started by stating the obvious: There are real advantages in moving to the cloud for at least some functions and services:

The obvious advantage to “cloud computing” is the lawyer’s increased access to client data. As long as there is an internet connection available, the lawyer would have the capability of accessing client data whether he was out of the office, out of the state, or even out of the country. In addition, “cloud computing” may also allow clients greater access to their own files over the internet.

At the same time, it noted the legitimate concerns that would give people pause before trusting confidential data to a third party:

However, there are also confidentiality issues that arise with the use of “cloud computing.” Client confidences and secrets are no longer under the direct control of the lawyer or his law firm; rather, client data is now in the hands of a third‐party that is free to access the data and move it from location to location. Additionally, there is always the possibility that a third party could illegally gain access to the server and confidential client data through the internet.

Citing its approval of the Nevada and Arizona bar opinions, the committee stated: “[J]ust as with traditional storage and retention of client files, a lawyer cannot guarantee that client confidentiality will never be breached, whether by an employee or some other third‐party.” The committee went on to state the controlling rule governing the use of outside providers:

[A] lawyer only has a duty of reasonable care in selecting and entrusting the storage of confidential client data to a third‐party vendor. The Disciplinary Commission agrees and has determined that a lawyer may use “cloud computing” or third‐party providers to store client data provided that the attorney exercises reasonable care in doing so.

That makes perfect sense to me and is the unanimous view of the three bar committees that have so far addressed the issue. I believe it will prevail in further opinions as well.

So what are the rules of the road? The Alabama Ethics Committee set them out in its opinion. Here is my summary of what it had to say:

  1. Electronic documents (images or native) must be secured and reasonable measures must be in place to protect the confidentiality, security and integrity of the document.
  2. The lawyer must ensure that the process is at least as secure as that required for traditional paper files.
  3. The lawyer must have reasonable measures in place to protect the integrity and security of the electronic file and to ensure that only authorized individuals have access to the files.
  4. The lawyer must take reasonable steps to ensure that the files are secure from outside intrusion.
  5. The lawyer must back up electronic files to another computer or media in case of loss but is free to use a third-party so long as the lawyer exercises reasonable care in doing so.
  6. These third-party providers may include cloud computing providers.

The committee went on to limn the duty of reasonable care as it related to cloud providers.

The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third‐party provider. If there is a breach of confidentiality, the focus of any inquiry will be whether the lawyer acted reasonably in selecting the method of storage and/or the third party provider.

Further decisions from these and other committees will help flesh out the boundaries of the rule but the path is clear for those who want to head in that direction. For those considering moving to the cloud, I would suggest you take at least the following steps:

  1. Work with a reputable provider, preferably one with a history of dealing with confidential information.
  2. Have an express NDA (non-disclosure agreement) in place with the cloud provider.
  3. Understand and verify if possible the physical and electronic security procedures followed by the provider.
  4. Understand and verify if possible the provider’s practices with respect to backup and disaster recovery.
  5. Have a clear written understanding with respect to ownership of the data so that others cannot make a claim to it in the event of financial adversity.
  6. Know where your data will be housed and who will have access to it.
  7. For practical reasons, make sure the provider offers the functionality and services you need with respect to your data.

It was interesting to me that the Alabama Ethics Committee was focused on the mere storage of client documents in the cloud. Before we move too far into the next decade, I believe locally installed software and hardware will become scarce and perhaps extinct. The ability of central cloud providers to provide equally sophisticated services via the Internet is already well established. With a couple more years to polish up their offerings, I don’t see how the appliance types will be able to compete. It is good to know that the state bar associations are paving the way toward this next revolution in Internet computing.

As you consider moving to the cloud, it might also be a good time to think about the level of security you are providing now for your client files today. If you are like most lawyers, your paper files are stored in unlocked cabinets either in your office or near your secretary’s work station. How secure is that? Do you know who is cleaning your offices at 2 in the morning? Don’t they have open access to those same client files? And, access to one or more photocopiers? You get the point.

Postscript

It is always amusing to look back at earlier technology revolutions and see how lawyers handled the new challenges and opportunities. In the early 1900s, the telephone started to make inroads in the cities. At the time, lawyers communicated in person or by letter. The idea of moving to something as unprecedented as a telephone caused a big stir in the legal ethics community.

“These telephones are not secure,” claimed some. Others pointed out the fact that telephone communications ran through third-party providers who might gain improper access to the underlying transmissions. Indeed, back in the day, you had to place your call through an operator. What if she listened on the conversation between attorney and client? Heavens to Betsy!

Many lawyers refused to install telephones in their offices. Reportedly, the Cravath firm finally relented to having a telephone in its office but only in the reception area and then in a closet resembling our more modern phone booths. At Davis Polk, the only telephone was kept in the clerk’s office and was only to be used by “experienced” clerks. It took years before the partners themselves would deign to have a telephone at their desk.

If you want to read more about the early history of technology and the law, get a copy of Louis M. Brown’s excellent article called Emerging Changes in the Practice of Law in the Utah Law Review 599 (1978). You will have to purchase it online or head to your local law library to get a copy of it.

Filed Under: Cloud Computing, Ethics Tagged With: ,
John Tredennick About John Tredennick

A nationally known trial lawyer and longtime litigation partner at Holland & Hart, John founded Catalyst in 2000 and is responsible for its overall direction, voice and vision.

Well before founding Catalyst, John was a pioneer in the field of legal technology. He was editor-in-chief of the multi-author, two-book series, Winning With Computers: Trial Practice in the Twenty-First Century (ABA Press 1990, 1991). Both were ABA best sellers focusing on using computers in litigation technology. At the same time, he wrote, How to Prepare for Take and Use a Deposition at Trial (James Publishing 1990), which he and his co-author continued to supplement for several years. He also wrote, Lawyer's Guide to Spreadsheets (Glasser Publishing 2000), and, Lawyer's Guide to Microsoft Excel 2007 (ABA Press 2009).

John is the former chair of the ABA's Law Practice Management Section. For many years, he was editor-in-chief of the ABA's Law Practice Management magazine, a monthly publication focusing on legal technology and law office management. More recently, he founded and edited Law Practice Today, a monthly ABA webzine that focuses on legal technology and management. Over two decades, John has written scores of articles on legal technology and spoken on legal technology to audiences on four of the five continents.

Trackbacks

  1. Tweets that mention Is it Ethical to Store Client Data in the Cloud? | Catalyst E-Discovery Blog, CRS SubMaster -- Topsy.com says:
    December 13, 2010 at 5:46 pm

    [...] This post was mentioned on Twitter by Bob Ambrogi, Rob Robinson, InfoGovernance, Kevin Cahill, Vilma Duncan and others. Vilma Duncan said: Everyone's moving to the Cloud! http://lnkd.in/XptR-y [...]

    Reply
  2. Weekly Top Story Digest - December 15, 2010 | ComplexDiscovery says:
    December 15, 2010 at 11:03 am

    [...] it Ethical to Store Client Data in the Cloud? http://tinyurl.com/2cqnvsy (John [...]

    Reply
  3. Unfiltered Orange | Weekly eDiscovery News Update - December 15, 2010 | Orange Legal Technologies says:
    December 15, 2010 at 11:13 am

    [...] it Ethical to Store Client Data in the Cloud? http://tinyurl.com/2cqnvsy (John [...]

    Reply

Share Your Thoughts

*