Cloud computing is no longer the new kid on the block. It’s been around for years now and is quite commonplace. In fact, it’s the underlying infrastructure behind most of the popular websites and social media platforms that we use every day and businesses from all industries use it regularly. Because of its ubiquity, it’s not surprising, then, that legal ethics committees across the United States have begun to grapple with the issue of whether lawyers can ethically use cloud computing to store confidential client data.
Thus far, 13 states have addressed the ethics of using cloud computing in a law practice with the majority concluding that lawyers who do so have a duty to exercise due diligence in selecting a provider and must take reasonable care to ensure that confidential client data is not inadvertently disclosed to third parties. For a summary of all opinions handed down thus far, you need look no further than this handy chart recently published by the American Bar Association’s Law Practice Management Section’s Legal Technology Resource Center.
However, importantly, the MBA took the minority view and added an additional roadblock to the implementation of cloud computing by lawyers, concluding that prior to using cloud computing, client consent may be required. Specifically, the MBA stated that:
(a lawyer is) bound to follow an express instruction from his client that the client’s confidential information not be stored or transmitted by means of the Internet, and that he should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so.
To the best of my knowledge, the only other jurisdiction which requires client notification prior to using cloud computing is Vermont in Advisory Ethics Opinion 2010-6. In this opinion, the Vermont committee determined that “a lawyer handling particularly sensitive client property, like trade secrets, may conclude after consultation with the client that remote SaaS storage is not sufficiently secure.”
However, more recently, this requirement reared its ugly head when the ABA Commission on Ethics 20/20 (which was formed to “perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments) indicated on page 7 in its September report to the house of delegates that it had asked the ABA Standing Committee on Ethics and Professional Responsibility to clarify the circumstances in which client consent might be required when law firms utilize nonlawyer services such as cloud computing providers since “(t)he proposed Comments do not describe the lawyer’s obligation to obtain consent when disclosing confidential information to nonlawyer service providers outside the firm…(and there are) situations where client consent might be advisable or required.”
So, not only has the MBA adopted the minority position on client notification, it seems quite possible that the ABA may very well adopt a similar standard, in which case, we’ll be facing a cloud computing backlash similar to the 1990s email backlash that I discussed last week.
Not surprisingly, the MBA’s adoption of the minority position requiring client notification did not go unnoticed and was criticized by a number of law bloggers as unnecessary and unduly burdensome.
First, at My Shingle, Carolyn Elefant expressed her frustration with the requirement that lawyers obtain client consent, since it shifted the burden of vetting technology to clients, reflecting poorly on lawyers in the process:
(W)hy must we burden clients with an obligation that should be our responsibility alone…(C)lients aren’t stupid. Many of them use online banking or patronize doctors’ offices that store files in the cloud…So when their lawyer requires consent, clients will either wonder (1) whether the cloud products that we lawyers use are inferior to those of banks and doctors (because otherwise, why would a special consent be required), or (2) how they’re expected to know whether the cloud is safe enough for their data to provide informed consent when their lawyer apparently can’t figure it out. Neither scenario makes us look very good.
Meanwhile, over at the eLawyering blog, Rich Granat was likewise unhappy with the client consent requirement, contending that it was unrealistic and curtailed legal innovation, while reducing the ability of solos and small firms to compete with BigLaw:
The requirement that in every case the client’s express consent to store confidential information in the cloud is not realistic and not consistent with the way web technology is evolving. There are clearly situations where it would would be reasonable under the circumstances to secure a client’s consent for storing confidential information in the cloud, but the way this Opinion is framed law firms will interpret to this mean that in every case the client’s express consent needs to be explicitly secured. This adds unnecessary “friction” to creating the lawyer/client relationship…(and) puts Massachusetts lawyers, particularly solos and small law firms at a competitive disadvantage.
Finally, at ZixCorp Insight blog, Jim Brashear asserted that the client consent requirement for cloud computing was at odds with the current legal ethics stance on unencrypted emails containing confidential client data (that being that lawyers who use email in their law practice, including cloud-based emails, are not required to obtain client consent and have not been required to do so since the late 1990s). According to Jim, this purported distinction between “cloud services” and “cloud email” is logically inconsistent:
There is no logical basis for this ethics rules distinction. It makes no sense to differentiate the transmission and storage of documents using Cloud email services versus the transmission and storage of documents using other types of Cloud services. The key functions of Cloud document transmission and storage solutions are essentially the same as transmitting and storing documents via Cloud email. From an ethics perspective, it should not matter whether the server on which a confidential document is stored belongs to a document storage provider (such as Dropbox) or a webmail provider (such as Yahoo!).
In other words, a rose is a rose by any other name. Logistically, unencrypted emails sent using cloud-based email are no different than data stored using cloud computing platforms, except that unencrypted emails are inherently more unsecure compared to data stored on secure cloud computing platforms, as I discussed last week.
So, requiring lawyers to obtain client consent in order to use secure cloud-based platforms when no consent is required for the use of unsecure, unecrypted email makes no sense at all.
Hopefully, in due time, this cloud computing consent requirement will go the way of the email consent requirement adopted by a number of jurisdictions in the mid-1990s [see, for eg., South Carolina (Opinion 94-27 1995) and Iowa (Iowa Ethics Opinion 96-1 1996)], which was essentially eradicated in 1999. It was then, in the face of the overwhelming societal acceptance of email, that the American Bar Association issued ABA Formal Opinion No. 99-413 and concluded that client consent regarding the use of email was unnecessary. By doing so, the committee implicitly vested attorneys with the responsibility of making technology decisions and condoned attorneys’ use of unencrypted electronic communications with their clients, thus ushering the legal field into the 21st century.
Historically, the legal field has been slow to adapt to change and, as indicated by the MBA’s recent decision, the path toward unfettered acceptance of cloud computing technology will most likely be a bumpy one. However, I truly believe that, like email, the roadblocks to the use of cloud computing by lawyers will ultimately be removed as cloud computing technology gains mass acceptance. It’s simply a matter of time.