Here is the latest legal-ethics forecast for cloud computing in the legal profession: Clear skies ahead.
Two new ethics opinions in recent weeks on lawyers’ use of the cloud add further weight to what has so far been the consensus of state ethics panels–that it is ethical for lawyers to store client documents in the cloud and use cloud-based applications, provided the lawyers take reasonable safeguards to ensure the safety and security of the data.
The first of the two latest opinions is yet another in a series of proposed opinions from the North Carolina State Bar. As I wrote in an earlier post here, the North Carolina Ethics Committee deserves credit for the careful and thoughtful consideration it is giving this issue. On Oct. 20, it issued Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. [Hat tip to Jack Newton at Slaw.]
This is the committee’s third version of this proposed opinion. The first version, issued in April 2010, said that a lawyer may ethically use SaaS, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”
Although commentators generally praised that opinion, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion. While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also set out mandatory minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing community arguing that the requirements were so onerous as to effectively block the use of many cloud applications.
Clearly, the North Carolina Ethics Committee heard and was swayed by those arguments. In this latest opinion, it once again endorsed a lawyer’s use of SaaS, provided the lawyer takes care to protect confidential information:
[A] law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.
This time, however, the opinion omits any list of specific requirements a lawyer must follow in selecting a SaaS provider. Instead, it cautions lawyers to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer,” taking into consideration “the experience, stability, and reputation of the vendor.” It then goes on to list five “recommended” security measures to consider:
- Agreement with the vendor on how it will handle confidential client information.
- Ability to retrieve the data if the lawyer terminates the vendor or the vendor goes out of business.
- Careful review of the terms of the lawyer’s agreement with the vendor, including its security policy.
- Evaluation of the vendor’s measures for safeguarding the security and confidentiality of data.
- Evaluation of the vendor’s back-up procedures.
The opinion suggests that lawyers, in considering these issues, may want to consult with “professionals competent in the area of online security.”
Pennsylvania Says ‘Yes’ to the Cloud
The second new opinion comes from the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility (with a hat tip to Dan Pinnington at Slaw for posting it). In Formal Opinion 2011-200, the Pennsylvania committee addresses the ethical obligations of attorneys using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client property.
The short answer it gives (within a lengthy and thoughtful opinion) is this:
Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.
In addressing the reasonable safeguards a lawyer should follow, the committee follows the lead of other states in declining to list mandatory standards. “This Committee acknowledges that the advances in technology make it difficult, if not impossible to provide specific standards that will apply to every attorney,” it explains. Even so, it provides a fairly detailed list of the steps that a standard of reasonable care “may include.” Some of these steps address internal law firm measures–such as backing up data, installing firewalls, and using encryption–and others address measures a law firm should ask of a vendor. In the latter category, the opinion recommends that a lawyer ensure that the provider:
- Explicitly agrees that it has no ownership or security interest in the data.
- Has an enforceable obligation to preserve security.
- Will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information.
- Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.
- Includes in its terms of service or service level agreement an agreement about how confidential client information will be handled.
- Provides the firm with the right to audit the provider’s security procedures and to obtain copies of any security audits performed.
- Hosts the data only within a specified geographic area.
- Provides a method for the lawyer to retrieve the data.
- Provides the ability to get data off the vendor’s servers for the lawyer’s own use or in-house backup offline.
The Pennsylvania opinion also includes a discussion of lawyers’ use of Web-based email services such as Gmail and Hotmail. While cautioning that such services carry risks “that attorneys should be aware of and mitigate,” the opinion nonetheless indicates that lawyers are free to use such services. In most cases, these services may be used without encryption, although certain matters may require heightened security, including encryption, the committee says.
The Pennsylvania committee cites with approval a 1998 ethics opinion in which the District of Columbia Bar concluded: “In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”
What this Means for Cloud Computing
On this blog, we have been following and writing about the ethics of cloud computing for a year now. To date, not a single ethics panel has found any ethical concern with lawyers’ use of cloud computing, provided the lawyer exercises reasonable care in selecting and vetting a vendor. The Pennsylvania opinion includes a state-by-state review of relevant ethics opinions and sums them up this way:
Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In service to that essential duty, and in order to meet the standard of reasonable care, other Committees have determined that attorneys must (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them.
The measures these various ethics panels suggest are reasonable and sensible. For the most part, lawyers should select cloud vendors that have proven themselves to be reputable, stable and competent. Lawyers should expect agreements with these vendors that clearly address issues of confidentiality and security.
That said, these latest opinions underscore what we said at the outset: The forecast for cloud computing in the legal profession is clear skies ahead.
If you are interested in reading our prior posts on this topic, see:
- NC Bar Goes Back to the Drawing Board on Cloud Ethics.
- The California Bar Weighs in on Legal Ethics in the Cloud.
- Is it Ethical to Store Client Data in the Cloud?
- N.C. Ethics Opinion on SaaS Merits Broader Inquiry.
- The Legal Ethics of Cloud Computing.