The Legal Ethics of Cloud Computing and SaaS
According to the American Bar Association 2015 Techreport, 31% of American lawyers utilize cloud computing or software as a service (SaaS). Common uses of cloud-based legal applications include e-discovery software, practice management software and document storage services.
As the use of cloud computing increases, what are the ethical implications for lawyers storing client files remotely? In short, lawyers must observe their ethical obligation to preserve clients’ confidential information and conduct due diligence into any service used to store client information. To those ends, in early 2016 a consortium of legal cloud computing providers, the Legal Cloud Computing Association (LCCA), released its Security Standards providing guidelines for cloud service providers to ensure adequate protection of client data stored in the cloud in a manner consistent with lawyers’ ethical obligations.
State Bar Ethics Opinions Regarding Cloud Storage
Over 20 state or local bar associations have weighed in on cloud computing. A good summary of ethical opinions relating to cloud computing may be found on the American Bar Association website. However, regardless of jurisdiction, most opinions share common underpinnings: preservation of confidential client information and a duty of due diligence to ensure that vendors or data storage services take adequate precautions to secure client data.
Duty of Reasonable Care and Due Diligence
The starting point for legal ethics relating to cloud computing is an attorney’s obligation to keep client matters confidential. This obligation is generally found in state rules of professional conduct similar to Model Rule of Professional Conduct 1.6, which states that lawyers “shall not reveal information relating to the representation of a client unless the client gives informed consent.”
Of the opinions considering attorneys’ use of cloud storage and SaaS, the consensus is that use of cloud services is appropriate, provided the attorney uses reasonable care to ensure client data security. For instance, the Alabama Disciplinary Commission, drawing guidance from Arizona and Nevada, concluded in Opinion 2010–02 “that a lawyer may use ‘cloud computing’ or third party providers to store client data provided the attorney exercises reasonable care in doing so.” In Alabama, the lawyer’s duty of reasonable care requires them to: 1) learn how the provider secures data; 2) reasonably ensure the software provider abides by confidentiality agreements; and 3) keep abreast of safeguards to protect client data.
Other states describe a lawyer’s duty as one of “due diligence.” For instance, in Informal Opinion 2013–07 the Connecticut Bar Association Professional Ethics Committee found that “[i]n order to determine whether use of a particular technology or hiring a particular service provider is consistent or compliant with the lawyer’s professional obligations, a lawyer must engage in due diligence.” The Vermont Bar Association’s Professional Responsibility Section suggests in Opinion 2010–6 that due diligence often requires a reasonable understanding of:
- the vendor’s security system;
- the practical and foreseeable limits to the lawyer’s access, protection and retrieval of the data;
- the vendor’s commitment to protecting confidentiality of the data;
- the nature and sensitivity of the stored information;
- the material terms of the user agreement;
- the notice provisions when third parties seek access to the data; and
- the applicable regulatory, compliance, and document retention obligations based upon the nature of the data and the lawyer’s practice.
Opinions, such as Iowa Bar Association Ethics Committee Opinion 11–01, acknowledge that “due diligence regarding information technology can be complex and requires specialized knowledge and skill. [However, a lawyer may rely] on the due diligence services of independent companies, bar associations or . . . its own qualified employees.”
Cloud Computing and SaaS May Implicate an Attorney’s Duty of Competence
The State Bar of California notes that a lawyer’s duty to protect confidential client information is also one of competence. Opinion 2010–179 notes that the “manner in which an attorney acts to safeguard confidential information is governed by the duty of competence . . . [which] includes taking appropriate steps to ensure both that secrets and privileged information of a client remain confidential and that the attorney’s handling of such information does not result in a waiver of privileges or protections.”
Lawyers Must Have Access to Data Stored in the Cloud
Several opinions, such as Connecticut’s (noted above) and Massachusetts Bar Association Opinion 12–03, also require that client information maintained in the cloud be subject to the lawyer’s reasonable access and control, and require lawyers to ensure that software vendors and cloud service providers take adequate steps to prevent unauthorized access to the data.
LCCA Cloud Security Standards
In early 2016, the Legal Cloud Computing Association (LCCA), a consortium aiming to “facilitate the adoption of cloud computing within the legal profession”, released its Cloud Security Standards. The Standards provide guidelines for several aspects of cloud computing including data security, user access and control, and data privacy and ownership. Many of the suggested standards complement an attorney’s ethical duties relating to cloud computing.
For example, to protect client information, the LCCA standards suggest cloud service providers implement policies restricting disclosure of customer information to third parties, obtain recognized security certifications, encrypt data both during transfer and “at rest” and maintain data centers in multiple geographic locations to minimize the impact of natural disasters.
The standards also encourage the use of appropriate user access and control, including the ability to add and delete users and the ability to add and delete data. The LCCA standards also note that cloud service providers serving lawyers should provide explicit acknowledgement that data stored by the cloud service providers is owned by the user.
Check Local Rules
Although many of the legal ethics opinions addressing cloud computing observe a common theme of due diligence to preserve the confidentiality of client information, for specifics, lawyers must consult the rules of professional conduct in their state of practice. However, regardless of jurisdiction, the opinions generally share a common directive which is a part of a larger trend in legal ethics, especially as it relates to e-discovery, to keep abreast of changes in technology and the benefits of its use.
Percipient is an e-discovery and legal technology company focused on managed document review and managed e-discovery services.
Originally published at percipient.co on August 15, 2016.