MBA Ethics Opinion 12-03 was drafted by the MBA’s Committee on Professional Ethics and approved by the association’s House of Delegates on May 17, 2012. The MBA is not the official lawyer-discipline board in the state, so its ethics opinions are advisory only. (Note that I am a member of the MBA and have served on various MBA committees over the years.)
Even so, the MBA’s opinion adds to the growing and unanimous list of lawyer-ethics panels that have concluded that lawyers may ethically use cloud applications and services, provided they take reasonable precautions to protect the confidentiality and security of the data. (See our earlier post: Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing.)
This brings to 11 the number of states that have ruled on the ethics of cloud computing. In addition to Mass., the other opinions are:
- North Carolina 2011 Formal Ethics Opinion 6.
- Pennsylvania Formal Opinion 2011-200.
- California Formal Opinion No. 2010-179.
- Alabama State Bar Ethics Opinion 2010-02.
- Arizona State Bar Formal Opinion 09-04.
- Nevada State Bar Formal Opinion No. 33.
- New York State Bar Association Opinion 842 of 2010.
- Iowa Op. 11-01.
- Oregon Formal Op. 2011-188.
- Vermont Advisory Ethics Op. 2010-6.
Notably, all of these states agree that the use of cloud computing is ethical.
Storing Client Files in the Cloud
This latest opinion out of Massachusetts was issued in response to a lawyer who wanted to use Google Docs or some similar service to store and synchronize his work files. The issue was whether the lawyer’s use of such a service would violate his professional obligations under the Massachusetts Rules of Professional Conduct.
In considering this issue, the committee noted that it had twice before issued opinions dealing with lawyers’ use of the Internet and remote access. In its Opinion 00-01, the committee concluded that a lawyer’s use of unencrypted email to communicate with clients does not violate the professional conduct rules. Later, in Opinion 05-04, the committee ruled that a law firm may provide a third-party software vendor with remote access to confidential client information stored on the firm’s computers, provided the law firm undertakes “reasonable efforts” to ensure that the vendor operates in a manner that is consistent with the lawyers’ professional obligations.
The reasoning of these earlier opinions extends to the use of cloud storage, the committee concluded, and “generally would allow Lawyer also to use Google docs or some other Internet based data storage service provider to store confidential information, and to synchronize data using that provider over the Internet.”
As other ethics panels have done, the Mass. committee went on to emphasize that a lawyer must make reasonable efforts to ensure the security of client information.
[T]he Committee believes that the use of an Internet based service provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances so long as Lawyer undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a).
Those “reasonable efforts,” the committee said, would include:
- Examining the provider’s practices with regard to data encryption, password protection, and system back-ups, and also its available service history, including reports of known security breaches.
- Periodically revisiting the provider’s policies, practices and procedures to ensure that they remain compatible with the lawyer’s professional obligations.
The committee also advised that the lawyer is bound to follow any express instructions from his clients against the use of cloud services to store their data. “[H]e should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so,” the committee cautioned.
Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with Lawyer’s ethical obligation to protect his clients’ confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.
[A hat tip to the Boston College Legal Eagle blog for bringing this opinion to my attention.]