Catalyst Repository Systems - Powering Complex Legal Matters

E-Discovery Search Blog

Catalyst E-Discovery Search Blog RSS Follow Catalyst on Twitter Join Catalyst on Facebook Catalyst on LinkedIn Catalyst YouTube Channel
Follow Us:
Technology, Techniques and Best Practices

Latest Ethics Opinion on Cloud Computing Emphasizes Duty of Competence

by Bob Ambrogi | March 19, 2013

New Hampshire has become the latest state to weigh in on the ethics of using cloud computing in the practice of law. The Ethics Committee of the New Hampshire Bar Association recently published Advisory Opinion #2012-13/4, in which it adopted the consensus opinion among states that a lawyer may use cloud computing consistent with his or her ethical obligations, as long as the lawyer takes reasonable steps to ensure that sensitive client information remains confidential.

While the opinion mirrored much of what other states have said on the ethics of cloud computing, it took a slightly different tack from some of the other opinions in its discussion of lawyer competence as it relates to cloud computing.

Last August, I wrote here about the American Bar Association’s vote to amend the Model Rules of Professional Conduct to make clear that a lawyer’s duty of competence extends to technology. In a revised comment to Model Rule 1.1 governing competence, the ABA said that a lawyer has a duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Referring to this change, the NHBA’s Ethics Committee said that the duty of competence requires a lawyer who uses the cloud to “understand and guard against the risks inherent in it.”

There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing. ….

Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.

In other respects, the opinion tracked those issued by other states. It addressed a lawyer’s duty to maintain the confidentiality of client information stored in the cloud and to ensure that the cloud provider will take steps to safeguard client data. It also analogized a cloud provider to a nonlawyer assistant under the ethics rules, cautioning that “the lawyer must make reasonable efforts to ensure that the provider understands and is capable of complying with its obligation to act in a manner consistent with the lawyer’s own professional responsibilities.”

Similar to what some other states’ opinions have done, the NHBA opinion set out 10 points a lawyer should consider before using a cloud computing service:

  1. Is the provider of cloud computing services a reputable organization?
  2. Does the provider offer robust security measures?
  3. Is the data stored in a format that renders it retrievable as well as secure?
  4. Does the provider commingle data in a way that could result in inadvertent disclosure?
  5. Do the terms of service state that the provider merely holds a license to the stored data?
  6. Does the provider have an enforceable obligation to keep the data confidential?
  7. Where are the provider’s servers located and what are the privacy laws in effect at that location?
  8. Will the provider retain the data when the representation ends or the agreement between the lawyer and provider is terminated?
  9. Do the terms of service obligate the provider to warn the lawyer if information is subpoenaed by a third party?
  10. What is the provider’s disaster recovery plan with respect to stored data?

In summing up its opinion, the NHBA Ethics Committee once again emphasizes a lawyer’s duty of competence with respect to technology:

The New Hampshire Ethics Committee concurs with the consensus among states that a lawyer may use cloud computing in a manner consistent with his or her ethical duties by taking reasonable steps to protect client data. Granted, a lawyer may not find a provider of cloud computing services whose terms of service address all of the issues addressed above, but it bears repeating, that while a lawyer need not become an expert in data storage, a lawyer must remain aware of how and where data is stored and what the service agreement says. Although the New Hampshire Rules of Professional Conduct do not impose a strict liability standard, the duties of confidentiality and competence are ongoing and not delegable. The requirement of competence means that even when storing data in the cloud, a lawyer must take reasonable steps to protect client information and cannot allow the storage and retrieval of data to become nebulous.

For other posts on this blog about legal ethics and cloud computing, view the posts collected in the ethics category.

Filed Under: Cloud Computing, Ethics Tagged With: ,

Florida Legal Ethics Opinion Clears Way for Cloud Computing

by Bob Ambrogi | February 14, 2013

Florida has become the latest state to weigh in on the legal ethics of cloud computing, joining other states that have done so in concluding that lawyers may ethically use cloud computing, provided they exercise due diligence to ensure that the cloud provider maintains adequate safeguards to protect the confidentiality and security of client information.

The Professional Ethics Committee of the The Florida Bar issued the proposed opinion (Proposed Advisory Opinion 12-3) Jan. 25. The committee concluded:

[L]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.

(This blog has frequently covered the legal ethics of cloud computing. For our other posts on this topic, click here.)

For lawyers, the primary concern about cloud computing is confidentiality, the committee explained. “A lawyer has the obligation to ensure that confidentiality of information is maintained by nonlawyers under the lawyer’s supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.”

The committee noted that other states that have addressed the issue of cloud computing have generally determined that lawyers may ethically use cloud services as long as they take reasonable steps. The committee said that it agrees with these other states’ opinions.

Regarding the steps a lawyer should take to research a cloud provider, the committee endorsed the recommendations suggested by New York State Bar Ethics Opinion 842, which included:

  • Ensure that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.
  • Investigate the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.
  • Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.

The Florida committee also cited Iowa Ethics Opinion 11-01 as being of particular practical assistance to lawyers facing this issue.

As suggested by the Iowa opinion, lawyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. Iowa Ethics Opinion 11-01 also recommends considering the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.

In addition, the Florida committee agreed with Iowa’s suggestion that a lawyer determine whether the information is password protected, whether the information is encrypted, and whether the lawyer will have the ability to further encrypt the information if additional security measures are required because of the special nature of a particular matter or piece of information.

Under the Florida Bar’s rules, members of the bar will now be invited to submit comments on the proposed opinion. When the committee next meets on June 28, it will consider any comments it has received. Anyone wishing to submit comments should direct them to Elizabeth Clark Tarbert, Ethics Counsel, The Florida Bar, 651 E. Jefferson Street, Tallahassee 32399-2300.

Filed Under: Cloud Computing, Ethics Tagged With: ,

New ABA Ethics Rule Underscores What EDD Lawyers Should Already Know: There’s No Hiding from Technology

by Bob Ambrogi | August 16, 2012

The legal profession underwent a sea change last week, but few lawyers even knew about it. In a historic but little-heralded move, the American Bar Association said that lawyers must be competent not only in the law and its practice, but also in technology.

The ABA’s House of Delegates voted to amend the comment to its Model Rule of Professional Conduct governing lawyer competence to make clear that a lawyer’s skill set must include technology.

The rule itself remains unchanged. It says:

Rule 1.1 Competence

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

The change was to the comment that follows the rule, which provides interpretative guidance as to the rule’s application and meaning. The revised comment adds the clause shown in italics here:

Maintaining Competence

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

The ABA Model Rules are not binding on lawyers but serve as models for the ethics rules in most states. Only time will tell whether state ethics regulators will adopt this change, but I predict most will.

The change regarding competence was one of several amendments to the model rules approved at the annual meeting. The changes resulted from the work of the ABA Commission on Ethics 20/20, which spent three years reviewing legal ethics rules in light of advances in legal technology and the increasing globalization of the legal profession.

Too Little, Too Late?

There are some who argue that this change is too little, too late. Michael Arkfeld and Stephanie Loquvam make that case in the latest issue of Law Technology News.

Though the commission used the phrase, “[b]ecause of the sometimes bewildering pace of technological change,” the transition to widespread use of digital technology has been in effect since 1985, more than 25 years ago. This is hardly a “bewildering” pace of change, unless you have stayed in a cave and remained a Luddite. Now more than ever is the time to commit to understanding digital change and ensure that you can competently handle your client’s needs.

It’s hard to argue with their premise. Lawyers have been using PCs since the late 1970s and the Internet for at least two decades. Still, the pace of technological change has accelerated in recent years, driven by our increasingly digital culture and an unprecedented degree of digital mobility.

And, even in the face of so much change, Luddites remain. Just last week, a lawyer told me that he refuses to use email in his law practice and he has no idea what a blog is. It’s one thing to draw a line in the sand, but it’s something else altogether to bury your head in it.

In E-Discovery, Luddites Need Not Apply

Interestingly, the 20/20 Commission takes the position that this duty of technological competence is nothing new. In the commission’s report to the ABA House of Delegates, it says:

Comment [6] already encompasses an obligation to remain aware of changes in technology that affect law practice, but the Commission concluded that making this explicit, by addition of the phrase “including the benefits and risks associated with relevant technology,” would offer greater clarity in this area and emphasize the importance of technology to modern law practice. The proposed amendment, which appears in a Comment, does not impose any new obligations on lawyers. Rather, the amendment is intended to serve as a reminder to lawyers that they should remain aware of technology, including the benefits and risks associated with it, as part of a lawyer’s general ethical duty to remain competent.

That assertion may come as a surprise to many lawyers. But for lawyers who are engaged in electronic discovery, the need for them to be competent in technology should be obvious. It is impossible to competently (let alone zealously) represent a client in a matter involving electronically stored information without a better-than-average familiarity with technology. You cannot be both a Luddite and an advocate in e-discovery — at least not for long.

In fact, some argue that the 2006 e-discovery amendments to the Federal Rules of Civil Procedure already imposed on lawyers who handle e-discovery a duty of technological competence. A 2008 article by the legal ethics counsel for the District of Columbia Bar, R U Competent?, made this point, citing a 2008 report by the ABA Center for Continuing Legal Education that concluded that the FRCP changes required lawyers to understand their clients’ IT systems, know how to identify ESI, and have knowledge regarding digital file formats, sources of electronic data, and how computers operate.

Note that I said that the need for technological competence in e-discovery should be obvious. Regrettably, it isn’t always so. Arkfeld and Loquvam accurately sum up the true state of affairs:

Let’s face it — lawyers historically have ignored (and still do) the technological issues affecting client communications, discovery and production of electronically stored information, and other digital issues in their practice. We see it daily in sanctions handed down by the court in e-discovery cases — for confidentiality breaches of clients’ electronic information, or chastizing lawyers who fail to use litigation search technologies that reduce costs and provide greater access to justice.

And let’s also face the fact that his stuff isn’t easy. No less an authority on e-discovery than U.S. Magistrate Judge John M. Facciola has described the complexity of just one aspect of e-discovery — search — as taking legal professionals into an area “where angels fear to tread.” Similarly, Arkfeld and Loquvam point out that understanding how ESI is created, stored and retrieved requires a lawyer to understand more esoteric concepts such as deleted information, unallocated space, active files, fragmentation, media storage, metadata, audit trails, encryption and a host of others.

Fortunately, the ABA rule does not require that we all run out and enroll in advanced courses at MIT. We can understand the “benefits and risks” of technology without understanding its most-intricate inner workings. I have long believed that a key to technological competence is knowing what you don’t know. Lawyers don’t have to be IT professionals or engineers — but they need to know when they need one.

Of course, even knowing what you don’t know requires a higher level of understanding about technology than many lawyers have today. That is why this rule amendment from the ABA is welcome, if overdue. While I can’t argue with those who say this is “too little, too late,” I prefer to view it as “better late than never.” Maybe this official pronouncement from the ABA will force a few lawyers to pull their heads out of the sand.

Filed Under: Ethics Tagged With:

Mass. Joins Other States in Ruling that Cloud Computing is Ethical for Lawyers

by Bob Ambrogi | July 5, 2012

The Massachusetts Bar Association has issued an ethics opinion concluding that lawyers may use cloud services to store and synchronize digital files containing client information, provided the lawyer takes reasonable measures to ensure that the service’s terms of use and data-privacy policies are compatible with the lawyer’s professional obligations. However, lawyers should not use cloud services for clients who expressly request that their documents not be stored online and lawyers should not store “particularly sensitive” information in the cloud without first obtaining the client’s express consent, the opinion says.

MBA Ethics Opinion 12-03 was drafted by the MBA’s Committee on Professional Ethics and approved by the association’s House of Delegates on May 17, 2012. The MBA is not the official lawyer-discipline board in the state, so its ethics opinions are advisory only. (Note that I am a member of the MBA and have served on various MBA committees over the years.)

Even so, the MBA’s opinion adds to the growing and unanimous list of lawyer-ethics panels that have concluded that lawyers may ethically use cloud applications and services, provided they take reasonable precautions to protect the confidentiality and security of the data. (See our earlier post: Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing.)

This brings to 11 the number of states that have ruled on the ethics of cloud computing. In addition to Mass., the other opinions are:

Notably, all of these states agree that the use of cloud computing is ethical.

Storing Client Files in the Cloud

This latest opinion out of Massachusetts was issued in response to a lawyer who wanted to use Google Docs or some similar service to store and synchronize his work files. The issue was whether the lawyer’s use of such a service would violate his professional obligations under the Massachusetts Rules of Professional Conduct.

In considering this issue, the committee noted that it had twice before issued opinions dealing with lawyers’ use of the Internet and remote access. In its Opinion 00-01, the committee concluded that a lawyer’s use of unencrypted email to communicate with clients does not violate the professional conduct rules. Later, in Opinion 05-04, the committee ruled that a law firm may provide a third-party software vendor with remote access to confidential client information stored on the firm’s computers, provided the law firm undertakes “reasonable efforts” to ensure that the vendor operates in a manner that is consistent with the lawyers’ professional obligations.

The reasoning of these earlier opinions extends to the use of cloud storage, the committee concluded, and “generally would allow Lawyer also to use Google docs or some other Internet based data storage service provider to store confidential information, and to synchronize data using that provider over the Internet.

As other ethics panels have done, the Mass. committee went on to emphasize that a lawyer must take reasonable efforts to ensure the security of client information.

[T]he Committee believes that the use of an Internet based service provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances so long as Lawyer undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a).

Those “reasonable efforts,” the committee said, would include:

  • Examining the provider’s terms of use and written policies and procedures with respect to data privacy and the handling of confidential information.
  • Ensuring that the provider’s terms of use and written policies and procedures prohibit unauthorized access to data stored on the provider’s system.
  • Ensuring that the provider’s terms of use and written policies and procedures, as well as its functional capabilities, give the lawyer reasonable access to, and control over, the data, in the event that the lawyer’s relationship with the provider is interrupted for any reason.
  • Examining the provider’s practices with regard to data encryption, password protection, and system back-ups, and also its available service history, including reports of known security breaches.
  • Periodically revisiting the provider’s policies, practices and procedures to ensure that they remain compatible with the lawyer’s professional obligations.

The committee also advised that the lawyer is bound to follow any express instructions from his clients against the use of cloud services to store their data. “[H]e should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so,” the committee cautioned.

The committee concludes its opinion with a few observations about Google Docs. It references the service’s terms of service and privacy policy, but then notes that it, “like many, if not most, remotely accessible software systems and computer networks, are not immune from attack by unauthorized persons or other forms of security breaches.” It ends with this advice:

Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with Lawyer’s ethical obligation to protect his clients’ confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.

[A hat tip to the Boston College Legal Eagle blog for bringing this opinion to my attention.]

Filed Under: Cloud Computing, Ethics Tagged With: ,

Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing

by Bob Ambrogi | November 28, 2011

Here is the latest legal-ethics forecast for cloud computing in the legal profession: Clear skies ahead.

Two new ethics opinions in recent weeks on lawyers’ use of the cloud add further weight to what has so far been the consensus of state ethics panels–that it is ethical for lawyers to store client documents in the cloud and use cloud-based applications, provided the lawyers take reasonable safeguards to ensure the safety and security of the data.

The first of the two latest opinions is yet another in a series of proposed opinions from the North Carolina State Bar. As I wrote in an earlier post here, the North Carolina Ethics Committee deserves credit for the careful and thoughtful consideration it is giving this issue. On Oct. 20, it issued Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. [Hat tip to Jack Newton at Slaw.]

This is the committee’s third version of this proposed opinion. The first version, issued in April 2010, said that a lawyer may ethically use SaaS, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

Although commentators generally praised that opinion, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion. While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also set out mandatory minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing arguing that the requirements were so onerous as to effectively block the use of many cloud applications.

Clearly, the North Carolina Ethics Committee heard and was swayed by those arguments. In this latest opinion, it once again endorsed a lawyer’s use of SaaS, provided the lawyer takes care to protect confidential information:

[A] law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.

This time, however, the opinion omits any list of specific requirements a lawyer must follow in selecting a SaaS provider. Instead, it cautions lawyers to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer,” taking into consideration “the experience, stability, and reputation of the vendor.” It then goes on to list five “recommended” security measures to consider:

  • Agreement with the vendor on how it will handle confidential client information.
  • Ability to retrieve the data if the lawyer terminates the vendor or the vendor goes out of business.
  • Careful review of the terms of the lawyer’s agreement with the vendor, including its security policy.
  • Evaluation of the vendor’s measures for safeguarding the security and confidentiality of data.
  • Evaluation of the vendor’s back-up procedures.

The opinion suggests that lawyers, in considering these issues, may want to consult with “professionals competent in the area of online security.”

Pennsylvania Says ‘Yes’ to the Cloud

The second new opinion comes from the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility (with a hat tip to Dan Pinnington at Slaw for posting it). In Formal Opinion 2011-200, the Pennsylvania committee address the ethical obligations of attorneys using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client property.

The short answer it gives (within a lengthy and thoughtful opinion) is this:

Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

In addressing the reasonable safeguards a lawyer should follow, the committee follows the lead of other states in declining to list mandatory standards. “This Committee acknowledges that the advances in technology make it difficult, if not impossible to provide specific standards that will apply to every attorney,” it explains. Even so, it provides a fairly detailed list of the steps that a standard of reasonable care “may include.” Some of these steps address internal law firm measures–such as backing up data, installing firewalls, and using encryption–and others address measures a law firm should ask of a vendor. In the latter category, the opinion recommends that a lawyer ensure that the provider:

  • Explicitly agrees that it has no ownership or security interest in the data.
  • Has an enforceable obligation to preserve security.
  • Will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information.
  • Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.
  • Includes in its terms of service or service level agreement an agreement about how confidential client information will be handled.
  • Provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed.
  • Hosts the data only within a specified geographic area.
  • Provides a method for the lawyer to retrieve the data.
  • Provides the ability to get data off the vendor’s servers for the lawyer’s own use or in-house backup offline.

The Pennsylvania opinion also includes a discussion of lawyers’ use of Web-based email services such as Gmail and Hotmail. While cautioning that such services carry risks “that attorneys should be aware of and mitigate,” the opinion nonetheless indicates that lawyers are free to use such services. In most cases, these services may be used without encryption, although certain matters may require heightened security, including encryption, the committee says.

The Pennsylvania committee cites with approval a 1998 ethics opinion in which the District of Columbia Bar concluded: “In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”

What this Means for Cloud Computing

On this blog, we have been following and writing about the ethics of cloud computing for a year now. To date, not a single ethics panel has found any ethical concern with lawyers’ use of cloud computing, provided the lawyer exercises reasonable care in selecting and vetting a vendor. The Pennsylvania opinion includes a state-by-state review of relevant ethics opinions and sums them up this way:

Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In service to that essential duty, and in order to meet the standard of reasonable care, other Committees have determined that attorneys must (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them.

The measures these various ethics panels suggest are reasonable and sensible. For the most part, lawyers should select cloud vendors that have proven themselves to be reputable, stable and competent. Lawyers should expect agreements with these vendors that clearly address issues of confidentiality and security.

That said, these latest opinions underscore what we said at the outset: The forecast for cloud computing in the legal profession is clear skies ahead.

If you are interested in reading our prior posts on this topic, see:

Filed Under: Cloud Computing, Ethics Tagged With: ,

NC Bar Goes Back to the Drawing Board on Cloud Ethics

by Bob Ambrogi | July 22, 2011

One thing seems certain about the Ethics Committee of the North Carolina State Bar—it is trying hard to get its opinion right on the ethics of cloud computing.

In April 2010, the committee issued a proposed opinion that addressed the question of whether a law firm may ethically use Software as a Service in light of a lawyer’s duty to safeguard confidential client information and protect client property from destruction or loss. The opinion answered the question in the affirmative, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

The proposed opinion generally elicited praise from lawyers who use cloud-based applications and from vendors that provide such applications. (See what we at Catalyst had to say about it in two posts, The Legal Ethics of Cloud Computing and N.C. Ethics Opinion on SaaS Merits Broader Inquiry.) But after putting the proposed opinion out for public comment, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion (Proposed 2011 Formal Ethics Opinion 6).

While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also proposed minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing arguing that the requirements were so onerous as to effectively block the use of many cloud applications. On behalf of several cloud vendors, the Legal Cloud Computing Association filed written commentsobjecting to the proposed opinion. The comments said:

[W]e believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states.

Rather than “mandatory requirements”, we believe that it makes more sense to establish basic principles and suggested guidelines, leaving to the individual attorney to use their best judgment to exercise reasonable care under the particular circumstances of their practice, in choosing a SaaS provider.

The International Legal Technology Standards Organization also filed comments opposing the proposed opinion, as did a number of individual attorneys.

Against this backdrop, the Ethics Committee recently voted to send the proposed opinion back to the subcommittee that drafted it, according to North Carolina lawyer Stephanie Kimbro, in a post at her blog Virtual Law Practice. The subcommittee will reconsider the opinion in light of the comments that were filed. The outcome of the reconsideration should be known by the end of October, Kimbro said.

What Does this Mean for E-Discovery in the Cloud?

The short answer to that question is: Not much. Let me explain.

The objections to the proposed opinion focused on the fairly rigorous vetting process it required lawyers to go through before entrusting client data to a cloud provider. The opinion would require a lawyer, for example, to investigate the vendor’s financial stability and review its security audits. This was seen as unfair to solo and small firm lawyers in particular, who would have neither the time nor the resources to follow each of the recommended steps. Even if a lawyer was in a position to follow each of the steps, getting all the required information would be virtually impossible from consumer-focused vendors such as Google or Dropbox.

By contrast, with regard to e-discovery, the opinion’s proposed requirements make perfect sense. A lawyer selecting a cloud provider to serve as a hosting and review platform for litigation documents would be remiss not to engage in this sort of vetting process. Further, any established e-discovery vendor will be prepared for just such an inquiry and will have due-diligence documentation readily available regarding its security, systems and facilities.

I’ve read some criticism of one aspect of the proposed rule that would require lawyers to look into the financial history and stability of the SaaS vendor. Granted, vendors are not likely to want to share all their financials with every lawyer who asks. But I do not believe that this is what the rule envisions. Surely, the rule was not intended to require lawyers to dig into a company’s finances beyond information that is publicly available.

My friend and fellow Boston College Law School alumnus Erik Mazzone made a similar point in his post about this latest proposed opinion. Mazzone, who is director of the Center for Practice Management at the North Carolina Bar Association (a separate entity from the State Bar), highlights one of the opinion’s proposed requirements as worthy of particularly close attention:

The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.

This could be a real problem with respect to vendors who do not focus on the legal market, Mazzone writes. Major vendors such as Google, Dropbox and Evernote are not likely to change where their data is hosted in response to one state’s ethics requirements, he argues. At the same time, he writes, “I expect that this provision will not cause a great deal of difficulty for the legal-specific … cloud software out there.”

His point about legal-specific cloud software is particularly true within the context of e-discovery. Here again, a lawyer would be remiss not to pin down at least the country in which the data will be hosted. The physical location of the data can implicate the host country’s privacy and security laws, regardless of where the company that owns the data is headquartered or of where the litigation is situated. That could open a can of worms separate and apart from the litigation at hand.

The North Carolina Bar should be commended for the careful thought and study it is devoting to this issue. We will look forward to seeing what comes of this latest reconsideration. Meanwhile, within the very specific context of e-discovery in the cloud, we are confident that established practitioners and established vendors already adhere to the most rigid of policies and practices. In e-discovery, the confidentiality and security of client data is already a matter of the highest order.

Filed Under: Cloud Computing, Ethics Tagged With: , ,

The California Bar Weighs in on Legal Ethics in the Cloud

by Bob Ambrogi | February 25, 2011

Cloud computing raises unique ethical issues for lawyers with regard to ensuring the confidentiality and security of client documents and communications. At this blog, we’ve written several posts addressing these issues and noted the handful of state ethics boards that have addressed this issue. (See our posts herehere and here.)  So far, the consensus of the states is that it is ethical for lawyers to store documents in the cloud and use cloud-based applications, provided the lawyers exercise common sense in vetting the security and stability of the providers of these services.

Now, the State Bar of California has issued an ethics opinion that provides further guidance for lawyers who work in the cloud. The opinion (Formal Opinion No. 2010-179) is not specifically directed at cloud-based applications. Rather, it outlines the analysis lawyers should apply whenever they evaluate whether to use a particular form of legal technology, particularly any technology that uses the Internet.

“Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly,” explained the committee in its opinion, “this opinion sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.”

Factors Attorneys Should Consider

The actual issue raised by the California attorney who sought the committee’s guidance involved wireless access to the Internet. Was it ethical for him, he wanted to know, to conduct legal research on behalf of clients and send e-mail to clients using a public wireless Internet connection in a coffee shop or using his home wireless network?

In addressing this question, the committee set out six general factors that attorneys should take into account when considering any new technology:

  • The attorney’s ability to assess the level of security afforded by the technology.
  • The legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person’s electronic information.
  • The degree of sensitivity of the information.
  • The possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including any possible waiver of the privileges.
  • The urgency of the situation.
  • Client instructions and circumstances.

Applying these factors to the question at hand, the committee concluded that the attorney’s use of public wireless connections would be risky unless the attorney took appropriate precautions.

With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.

Finally, if Attorney’s personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.

The committee concluded its opinion with a cautionary note. “Because of the evolving nature of technology and differences in security features that are available,” it said, “the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”

The committee’s opinion goes into much greater detail in discussing the factors that attorneys should consider, particularly with regard to assessing a particular technology’s level of security. Even though the opinion does not expressly consider cloud computing and Software as a Service, its discussion of these factors should provide useful guidance for any lawyer considering computing in the cloud.

A hat tip to Perry Segal who mentioned the opinion at his blog, e-Discovery Insights. Also, Segal points to an in-depth analysis of the opinion written by lawyers at Mayer Brown.

Filed Under: Cloud Computing, Ethics Tagged With: ,

Is it Ethical to Store Client Data in the Cloud?

by John Tredennick | December 13, 2010

As lawyers move from paper into the digital age, we create new strains on the ethical fabric of the law. Are cell phone conversations privileged? Will that email from my client be protected from a claim of waiver?

Many of us can remember those debates as we waited patiently for opinions from state bar ethics committees that would either hinder or help the advance of these new technologies in the law. Of course, the answer was yes. Lawyers are free to use cell phones and email to communicate in confidence with their clients. How could it be otherwise?

Today the ethical debate has moved to the cloud. The Ethics Committee of the Alabama State Bar recently issued Ethics Opinion 2010-02, Retention, Storage, Ownership, Production and Destruction of Client Files, and for the first time addressed the issue of cloud computing. Is it ethical to store client files in the cloud? Does it matter that client files would be under the control of a non-lawyer third party who could have its way with them? What are the rules and requirements if I want to get rid of my own servers?

[Read more...]

Filed Under: Cloud Computing, Ethics Tagged With: ,

N.C. Ethics Opinion on SaaS Merits Broader Inquiry

by Bob Ambrogi | May 24, 2010

The Ethics Committee of the North Carolina State Bar issued a proposed ethics opinion recently that could break significant ground. As we noted in an earlier post, the committee was asked whether a law firm could use a SaaS (Software as a Service) provider to store confidential client data or documents. The specific question was this:

SaaS for law firms may involve the storage of a law firm’s data, including client files, billing information, and work product, on remote servers rather than on the law firm’s own computer and, therefore, outside the direct control of the firm’s lawyers.

Given the duty to safeguard confidential client information, including protecting that information from unauthorized disclosure; the duty to protect client property from destruction, degradation, or loss (whether from system failure, natural disaster, or dissolution of a vendor’s business); and the continuing need to retrieve client data in a form that is usable outside of the vendor’s product; may a law firm use SaaS?

Yes, You Can Use SaaS Providers

Not surprisingly, the committee answered a resounding “Yes” so long as the law firm takes steps to minimize the risk of inadvertent disclosure of client confidential information.

That makes sense to me simply as a matter of practicality. The market is quickly moving toward the SaaS delivery model because it is cheaper and provides better functionality and features so long as you are connected to the Internet. If the trend continues, there may not be any client-based software in a few years. It may all be delivered as a service over the Internet by SaaS providers.

Best Practices for Dealing with SaaS Vendors?

I found the next part of the opinion even more interesting. The committee went further to offer what it called “best practices” for selecting SaaS vendors.

The specific question was this:

Are there any “best practices” that a law firm should follow when contracting with a SaaS vendor to minimize the risk?

Again, the answer was “Yes.” The committee suggested that a lawyer be able to answer the following questions satisfactorily in order to conclude that the risk of inadvertent disclosure is minimized.

  • What is the history of the SaaS vendor? Where does it derive funding? How stable is it financially?
  • Has the lawyer read the user or license agreement terms, including the security policy, and does he/she understand the meaning of the terms?
  • Does the SaaS vendor’s Terms of Service or Service Level Agreement address confidentiality? If not, would the vendor be willing to sign a confidentiality agreement in keeping with the lawyer’s professional responsibilities? Would the vendor be willing to include a provision in that agreement stating that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect client information?
  • How does the SaaS vendor, or any third party data hosting company, safeguard the physical and electronic security and confidentiality of stored data? Has there been an evaluation of the vendor’s security measures including the following: firewalls, encryption techniques, socket security features, and intrusion-detection systems?
  • Has the lawyer requested copies of the SaaS vendor’s security audits?
  • Where is data hosted? Is it in a country with less rigorous protections against unlawful search and seizure?
  • Who has access to the data besides the lawyer?
  • Who owns the data—the lawyer or SaaS vendor?
  • If the lawyer terminates use of the SaaS product, or the service otherwise has a break in continuity, how does the lawyer retrieve the data and what happens to the data hosted by the service provider?
  • If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code?
  • Can the lawyer get data “off” the servers for the lawyer’s own offline use/backup? If the lawyer decides to cancel the subscription to SaaS, will the lawyer get the data? Is data supplied in a non-proprietary format that is compatible with other software?
  • How often is the user’s data backed up? Does the vendor back up data in multiple data centers in different geographic locations to safeguard against natural disaster?
  • If clients have access to shared documents, are they aware of the confidentiality risks of showing the information to others?
  • Does the law firm have a back-up for shared document software in case something goes wrong, such as an outside server going down?

These are pretty hefty requirements. I am not sure most lawyers will be able to call Google or Microsoft and get answers to these questions.

Moreover, some are open to debate. For example, is the committee requiring that a lawyer only use a SaaS vendor with data centers in different geographical locations? If so, that will add to the service costs. I don’t know of many law firms that save their data to multiple data centers to protect against a natural disaster. In my experience, most keep their backups in the same vicinity as their primary files. Some keep the backup tapes in the same office.

The basis for the committee’s opinion is pretty interesting. The committee cited email recommendations from Erik Mazzone, the director of the Center for Practice Management at the North Carolina Bar Association. It also referred to the ABA Legal Technology Resource Center.

I don’t challenge Mr. Mazzone’s recommendations so much as suggest that these kinds of issues merit broader inquiry. The opinion is one of the first on the subject, which means it will be persuasive to the next bar dealing with this issue. There is certainly the chance that the recommendations will be picked up as precedent and codified as the standards for dealing with SaaS vendors. I hope there is more discussion on some of these points before the cement hardens.

To be fair, the committee issued this as a tentative opinion in an attempt to generate comments. Moreover, they expressly stated that the list was not meant to be all-inclusive and suggested “consultation with a security professional competent in the area of online computer security.” They also noted that “given the rapidity with which computer technology changes, what may constitute reasonable care may change over time and a law firm would be wise periodically to consult with such a professional.”

All in all, I commend the committee for a thoughtful opinion that heads in the right direction. I hope others pick up this debate and add their ideas. SaaS is the future, both for business and the legal profession. Lawyers will use SaaS providers and clients will benefit through better and cheaper services. Let’s hope the other bar associations agree.

Proposed 2010 Formal Ethics Opinion 7, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property (April 15, 2010).

Filed Under: Cloud Computing, Ethics, Uncategorized Tagged With: , ,

The Legal Ethics of Cloud Computing

by Bob Ambrogi | May 20, 2010

With its move this month into cloud-computing versions of its stalwart desktop Office applications, Microsoft is bowing to a rapidly escalating trend. Increasingly, businesses are demanding cloud-based versions of enterprise applications. Applications that run in the cloud or that are delivered as Software-as-a-Service make enormous sense. They can be deployed anywhere, require no installation or maintenance, are always up to date, and are scalable to match virtually any size need.

To an ever-expanding extent, this trend is reaching into the practice of law and, notably, into the field of e-discovery. For Catalyst clients, this may sound like preaching to the choir. Catalyst was a pioneer in the use of the Internet to deliver e-discovery products and services. Use of the “cloud” to deliver litigation support software and secure repositories has been the Catalyst model since its inception well over a decade ago.

With any evolving technology for lawyers, questions arise about how it fits into the professional and ethical obligations that lawyers are bound to uphold. On the subject of cloud computing, lawyers have had little in the way of explicit guidance. That is now changing thanks to a recent ethics opinion that proposes to endorse lawyers’ use of the cloud.

The April 15 opinion was published by the Ethics Committee of the North Carolina State Bar. At this point, it is only a proposed opinion. As is its standard procedure, the committee is seeking comment from lawyers and the public before recommending a final opinion to the State Bar Council. You can read the opinion here: Proposed 2010 Formal Ethics Opinion 7 (you will need to scroll down on the page).

The question it addresses is whether a law firm may use SaaS “given the duty to safeguard confidential client information, including protecting that information from unauthorized disclosure; the duty to protect client property from destruction, degradation, or loss (whether from system failure, natural disaster, or dissolution of a vendor’s business); and the continuing need to retrieve client data in a form that is usable outside of the vendor’s product.”

The opinion answers the question in the affirmative, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.” At the same time, the opinion adds, “the law firm is not required to guarantee that the system will be invulnerable to unauthorized access.”

The proposed opinion goes on to suggest “best practices” that a law firm should follow when contracting with a SaaS vendor. Specifically, it recommends a set of questions that a lawyer should ask in order to conclude that any risk is minimized. These include asking about the vendor’s history and financial stability, reviewing the vendor’s systems for data storage and security, and carefully reviewing user agreements, terms of service and the like.

In a 2008 ethics opinion, the North Carolina State Bar had already endorsed lawyers’ use of online document repositories as a means of transmitting documents to clients (2008 Formal Ethics Opinion 5). This latest SaaS opinion is a further recognition that lawyers need have no ethical concerns about cloud computing, provided they exercise the same degree of care they would whenever they work with confidential information and client documents.

Filed Under: Cloud Computing, Ethics, Uncategorized Tagged With: ,