For most lawyers, cloud computing is a familiar concept since it’s been around for years now. For that reason, law firms are increasingly taking advantage of the benefits offered by this flexible, affordable technology.
So, it’s not surprising that as more law firms seek to use cloud computing platforms in their practices, bar associations across the United States are issuing opinions on the ethics of lawyers using cloud computing, with both Florida and New York weighing in on these issues over the last few months.
First, there’s Proposed Advisory Opinion 12-3 handed down by the Professional Ethics Committee of the Florida Bar in January. After analyzing opinions from other jurisdictions and reviewing the applicable ethical rules, the Committee concluded that Florida attorneys could ethically use cloud computing in their law practices:
In summary, lawyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.
The Committee also cautioned that, when dealing with particularly sensitive information, lawyers should consider whether housing said data in the cloud would be appropriate even where all of the above conditions were met.
The Committee of Professional Ethics of the New York State Bar Association also recently addressed issues of client confidentiality and alternate methods of data storage in Opinion 940 (10/16/12). At issue in this case was whether: 1) a law firm may use tape backups containing confidential client data, where the tape backups are stored offsite by a third party, and 2) whether electronic copies of documents were sufficient since the New York Rules of Professional Conduct require an attorney to maintain certain records or must the attorney retain the paper originals.
The Committee concluded that in most cases retaining documents as required by Rule 1.15(d)(1) in electronic form is ethical. The Committee explained that it is ethical to store confidential client data with a third party, whether on tape backups or otherwise, but prior to outsourcing the storage and maintenance of client data, lawyers must ensure that they have a basic understanding of the services and technologies provided and must exercise due diligence in researching the provider.
Finally, in another opinion issued in October, the New York State Bar Association’s Committee on Professional Ethics touched on issues of confidentiality arising when lawyers share computer resources and the Committee’s final determination included language similar to that used in both opinions discussed above.
In Opinion 939 (10/16/12), the inquiring attorney asked whether it was ethically permissible for private lawyers who shared office space to share a computer for confidential, client-related information, where each attorney used separate, private administrative passwords to access the computer.
Importantly, at the outset of the opinion, the Committee emphasized that the Rules of Professional conduct do not require attorneys to “preserve confidentiality at all costs” and instead simply require that lawyers protect client confidentiality by exercising reasonable care under the circumstances.
Next, the Committee turned to the issue at hand and concluded that:
Lawyers practicing as sole practitioners but sharing space may share a computer to store and process client confidential information, but only if, under the actual circumstances relating to the computer, including its software and passwords and their use, the lawyers take reasonable precautions to ensure that the privacy of the confidential information is protected.
In summary, each of these opinions revolved around ideas related to preserving confidentiality and the conclusions reached required that lawyers take reasonable steps to ensure that appropriate measures were in place to ensure that their client’s data is secure. Importantly, absolute security was never a requirement since absolute security is an impossibility.
If you’d like to learn more about cloud ethics opinions from across the United States, take a look at this useful ABA chart.