Can Lawyers Ethically Store and Transmit Client Info in the Cloud?
QUESTION: Our law firm would like to reduce our paper and physical storage use and costs by “going to the cloud” with our data. Before we invest in training our attorneys and staff, how do we know what companies are secure and trustworthy? We don’t want an ethics violation due to a data breach of our clients’ confidential information.
ANSWER: In many instances, data you are using and communicating with your clients are already being stored and managed with cloud-based technology. For example, your practice management software may be entirely managed and hosted in the cloud. When you cannot email certain documents due to their size, you might be turning to services like Dropbox, Microsoft OneDrive and Google Drive for easy file storage and sharing — they’re all cloud-based.
So, let’s focus on two parts of your question:
Do the Rules of Professional Conduct allow lawyers to store and transmit client information in the cloud?
What steps should lawyers take to ensure the security of the data stored there?
First, lawyers may use cloud-based data storage for confidential information while still meeting their client confidentiality responsibilities. Over 20 state bar associations have issued ethics opinions on this very topic, and all have reached the conclusion that lawyers may ethically use cloud computing, so long as they exercise reasonable care to keep client information and files confidential. Some of those opinions may be found on the ABA Legal Technology Resource Center’s webpage. (Note that it is an incomplete list, with Illinois and possibly others omitted.)
As you know by now, especially if you live in one of the over 30 states that has adopted it, ABA Model Rule 1.1 requires attorneys to keep abreast of changes in law and its relation to technology. This means that attorneys need to be aware of the benefits and risks of technological applications and the standards that regulate them. You certainly don’t have to have a computer science degree to know how it all works. You just need to exercise reasonable due diligence to confirm it is secure.
Likewise, Model Rule 1.6(c) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Such access prevention responsibilities do not end when the information isn’t sitting in a file folder on your desk. The confidential client information transmitted via electronic means must be properly safeguarded, demanding that you employ, supervise and oversee third-party providers with the same reasonable efforts.
So, an examination of what constitute “reasonable efforts” to ensure the security of cloud-stored data leads us to part two of your question. How might a firm best select a cloud-based service provider, and what ongoing obligations does the lawyer have to maintain that reasonable care?
When vetting a cloud-based provider, or any technology vendor really, it is important to recognize that best practices and industry standards evolve alongside technology. Just as our technology tools evolve, so must our factors in evaluating the quality and abilities of our hardware and software providers.
Ask the Providers
If you are not familiar with current cloud-computing industry standards and safeguards, you should at least know what kinds of questions to ask to investigate specific providers’ abilities and policies. Ask the company which industry security standards it follows. Find out what type of security audits or reports it will provide, and the like.
The Illinois State Bar Association Professional Conduct Advisory Opinion outlines seven non-exhaustive reasonable inquiries and practices lawyers could engage in to select a cloud-based service provider:
Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protection, and encryption;
Investigating the provider’s reputation and history;
Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;
Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data; and
Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.
As the applications of cloud computing evolve (see more from the National Institute of Standards and Technology if you’re interested), so must our security and compliance inquiries to keep our practices and clients safe. As the Illinois opinion states:
Pursuant to Rules 1.6 [Confidentiality of Information] and 5.3 [Responsibilities Regarding Nonlawyer Assistance], a lawyer has ongoing obligations to protect the confidentiality of client information and data and to supervise non-lawyers. Future advances in technology may make a lawyer’s current reasonable protective measures obsolete. Accordingly, a lawyer must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected. See, e.g., Arizona Ethics Op. 09-04 (2009); Washington State Bar Association Advisory Op. 2215 (2012).
Along with asking questions, you need to read the provider’s contract or terms and conditions, which are very likely going to be different if you use a free service instead of a paid service. The difference in what could happen to your clients’ information in the event the service is canceled is an example of what could be at issue.
Additionally, some opinions suggest you obtain the informed consent of your client before placing confidential information in the cloud. To that end, think about what language you could put in your retainer agreement to memorialize it.
Bottom line: Cloud-based storage has become the standard method for storing and sharing data. The legal profession, as other industries, must make ongoing reasonable efforts in choosing and reviewing our service providers. We owe it to our clients, ethically and professionally.