Cloud computing raises unique ethical issues for lawyers with regard to ensuring the confidentiality and security of client documents and communications. At this blog, we’ve written several posts addressing these issues and noted the handful of state ethics boards that have addressed this issue. (See our posts here, here and here.)  So far, the consensus of the states is that it is ethical for lawyers to store documents in the cloud and use cloud-based applications, provided the lawyers exercise common sense in vetting the security and stability of the providers of these services.

Now, the State Bar of California has issued an ethics opinion that provides further guidance for lawyers who work in the cloud. The opinion (Formal Opinion No. 2010-179) is not specifically directed at cloud-based applications. Rather, it outlines the analysis lawyers should apply whenever they evaluate whether to use a particular form of legal technology, particularly any technology that uses the Internet.

“Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly,” explained the committee in its opinion, “this opinion sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.”

Factors Attorneys Should Consider

The actual issue raised by the California attorney who sought the committee’s guidance involved wireless access to the Internet. Was it ethical for him, he wanted to know, to conduct legal research on behalf of clients and send e-mail to clients using a public wireless Internet connection in a coffee shop or using his home wireless network?

In addressing this question, the committee set out six general factors that attorneys should take into account when considering any new technology:

• The attorney’s ability to assess the level of security afforded by the technology.
• The legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person’s electronic information.
• The degree of sensitivity of the information.
• The possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including any possible waiver of the privileges.
• The urgency of the situation.
• Client instructions and circumstances.

Applying these factors to the question at hand, the committee concluded that the attorney’s use of public wireless connections would be risky unless the attorney took appropriate precautions.

With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.

Finally, if Attorney’s personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.

The committee concluded its opinion with a cautionary note. “Because of the evolving nature of technology and differences in security features that are available,” it said, “the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”

The committee’s opinion goes into much greater detail in discussing the factors that attorneys should consider, particularly with regard to assessing a particular technology’s level of security. Even though the opinion does not expressly consider cloud computing and Software as a Service, its discussion of these factors should provide useful guidance for any lawyer considering computing in the cloud.

A hat tip to Perry Segal who mentioned the opinion at his blog, e-Discovery Insights. Also, Segal points to an in-depth analysis of the opinion written by lawyers at Mayer Brown.