Is your law firm thinking of moving to the cloud? If so, you could join a number of law firms and other businesses that benefit from cloud computing’s efficiency, flexibility and portability options. Yet as a lawyer, it’s important to understand that the potential benefits of cloud computing come with professional and ethical risks and obligations.
About Cloud Computing
Numerous vendor companies are now offering “cloud services,” which provide offsite document storage services, as well as access to law practice management software on a pay-as-you-go basis. Documents and software live “in the cloud,” making your firm’s data securely accessible from any location. Many cloud software-as-a-service vendors also offer law practice management software applications for email, calendaring, integrated billing and client management.
Benefits of Moving to the Cloud
Cloud computing has numerous potential benefits for businesses. Among the chief benefits for law practices are:
- Cost Savings—Reduced cost and capital expenditures mean that firms no longer need onsite computer data storage equipment. Instead, data stored in the cloud is accessible from any computer, tablet or other device with access to the internet.
- Flexibility—Increased flexibility and scalability of storage and access needs mean that firms pay only for the number of users that need access, easily accommodating downsizing or growth cycles.
- Data Accessibility—The on-the-go portability of data across different devices means that firms no longer need to create or maintain multiple versions of the same document on multiple devices.
- Secure Collaboration—Sharing and collaborating on document reviews and revisions with clients is easier in the cloud, where documents can be saved to a shared folder and viewed by a client with secured password access.
Risks and Obligations
As cloud computing entails the uploading of information onto a third party’s network of servers, there are important ethical implications for lawyers and their law practices. ABA Model Rule 1.6 states that a lawyer “shall not reveal information relating to the representation of a client without the client’s informed consent.” Model Rule 1.15 is the basis of an attorney’s duty to safeguard clients’ property entrusted to counsel.
Several state ethics opinions offer insight into lawyers’ obligations to their clients when engaging the services of cloud vendors, consistently noting that lawyers must exercise “reasonable care to protect the security and confidentiality of client documents and information.” Further opinions have stated that this “reasonable” standard requires lawyers to become knowledgeable[1] about pertinent technologies and take reasonable care to stay abreast[2] of technological advances.
Risk Management Check List
When engaging third-party cloud services, lawyers should review the vendor’s Service Level Agreement and use the following risk control techniques to help manage the ethical and professional risks:
- Verify the vendor’s business model, financial stability, background and its procedures for data handling should the vendor go out of business.
- Ensure the vendor conforms to the highest industry standards for data security, data encryption and security audit procedures.
- Confirm that your firm will own your data and all its rights.
- Ensure the vendor won’t have access that jeopardizes the attorney-client privilege.
- Confirm that the vendor will assume responsibility and legal liability for data confidentiality and that there are no liability limitations for a breach.
- Ensure the vendor’s compliance with HIPAA, the HITECH Act and other state and federal privacy and confidentiality laws.
- Verify the physical location of the vendor’s data storage facilities and equipment and review the vendor’s choice of law provision in the Service Level Agreement.
- Determine whether and how you will be able to control levels of access for lawyers, support staff and clients.
- Confirm procedures for contract termination, ensuring that your data will be returned to your firm in a usable format with the vendor’s copies subsequently and permanently deleted from servers.
- Inquire about other representative clients of the vendor, such as corporations in data-sensitive industries and, ideally, other law firms.
1. California State Bar Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179; Florida Bar Standing Committee on Professional Ethics, Opinion 06-01 (April 10, 2006); Illinois State Bar Association Ethics Opinion 10-01 (July 2009); The Maine Board of Overseers of the Bar Professional Ethics Commission, Opinion 194 (June 30, 2008); Massachusetts Bar Association Ethics Opinion 05-04 (March 2005); The State Bar of Nevada Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 33 (Feb. 9, 2006); The New Jersey State Bar Association Advisory Committee on Professional Ethics Opinion 701 (April 2006); State Bar Association of North Dakota Ethics Committee Opinion 99-03 (June 21, 1999); Vermont Bar Association Advisory Ethics Opinion 2003-03; Virginia State Bar Ethics Counsel Legal Ethics Opinion 1818 (September 30, 2005).
2. See Alabama Office of General Counsel Disciplinary Commission, Ethics Opinion 2010-02; State Bar of Arizona Ethics Opinion 09-04 (December 2009); New York State Bar’s Committee on Professional Ethics, Opinion 842 (Sept. 10, 2010); North Carolina State Bar Ethics Committee Formal Opinion 6 (currently under further review); Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility Formal Opinion 2011-200.