Monday, January 17, 2011

Lawyers and Clouds

As Wikipedia notes (and I assume everyone probably knows), cloud computing is “Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand. . . .”

In a relatively recent ethics opinion, the New York State Bar Association considered whether law firms can ethically store client files online . . . in a cloud.

The opinion addressed the issue after it was, apparently, raised by a lawyer who practices by himself, i.e., a “solo practitioner.” This is how the ethics opinion describes the issue it addresses:

Various companies offer online computer data storage systems that are maintained on an array of Internet servers located around the world. (The array of Internet servers that store the data is often called the ‘cloud.’) A solo practitioner would like to use one of these online ‘cloud’ computer data storage systems to store client confidential information.

The lawyer's aim is to ensure that his clients' information will not be lost if something happens to the lawyer's own computers. The online data storage system is password-protected and the data stored in the online system is encrypted.

New York State Bar Association – Committee on Professional Ethics, Opinion No. 842, 2010 WL 3961389 (2010) (“Opinion No. 842”).

The NY Committee on Professional Ethics began its opinion by noting that the issue involves confidential client information and therefore “implicates Rule 1.6 of the New York Rules of Professional Conduct”, which you can find here. Opinion No. 842. As the opinion explains, Rule 1.6(a) provides as follows:

A lawyer shall not knowingly reveal confidential information ... or use such information to the disadvantage of a client or for the advantage of a lawyer or a third person, unless:

(1) the client gives informed consent, as defined in Rule 1.0(j);

(2) the disclosure is impliedly authorized to advance the best interests of the client and is either reasonable under the circumstances or customary in the professional community; or

(3) the disclosure is permitted by paragraph (b).

Rule 1.6(b) allows disclosure in certain specified circumstances, such as to prevent the client from committing a crime, to “prevent reasonably certain death or substantial bodily harm”, to ensure that legal advice given by another lawyer complies with the Rules of Professional Conduct, and under a few other, similar circumstances.

The Opinion goes on to explain that the ethical obligation to preserve the confidentiality of client information extends beyond

merely prohibiting an attorney from revealing confidential information without client consent. A lawyer must also take reasonable care to affirmatively protect a client's confidential information. . . . As a New Jersey ethics committee observed, even when a lawyer wants a closed client file to be destroyed, ‘[s]imply placing the files in the trash would not suffice. Appropriate steps must be taken to ensure that confidential and privileged information remains protected. . . . .’ New Jersey Opinion (2006). . . .

Opinion No. 842.

The Opinion also notes that Rule 1.6(c) of the New York Rules of Professional Conduct requires that a lawyer “‘exercise reasonable care to prevent . . . others whose services” the lawyer uses “from disclosing or using confidential information of a client’”, except to the extent allowed by Rule 1.6(b). Opinion No. 842 (quoting Rule 1.6(c)). The Ethics Committee explained that while this means a lawyer must take “reasonable affirmative steps to guard against the risk of inadvertent disclosure by others who are working under” his or her supervision, it does not mean that the lawyer “guarantees that the information is secure from any unauthorized access.” Opinion No. 842 (emphasis in the original).

The Committee noted that “[t]o date, no New York ethics opinion has addressed the ethics of storing confidential information online.” Opinion No. 842 (emphasis in the original). It also noted that ethics opinions from “other states have approved the use of electronic storage of client files provided that sufficient precautions are in place”, but the opinions it cites do not seem to involve cloud computing. Two of those opinions are older (Arizona, 2005 and New Jersey, 2006) and seem to have involved basic offsite storage of electronic files. Opinion No. 842.

The third, an Arizona ethics opinion from 2009, concluded that a lawyer could “provide clients with an online file storage and retrieval system” clients could access as long as the lawyer took “reasonable precautions” to protect the security and confidentiality of the information. Opinion No. 842. None of these, IMHO, seem to raise the precise issue that is the focus of this particular opinion.

The Ethics Committee then found that because the lawyer who raised that issue “will use the online data storage system for the purpose of preserving client information . . . using the online system is consistent with conduct that this Committee has deemed ethically permissible.” Opinion No. 842. The Committee therefore concluded that

a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained. “Reasonable care” to protect a client's confidential information against unauthorized disclosure may include consideration of the following steps:

(1) Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;

(2) Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;

(3) Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or

(4) Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.

Opinion No. 842.

The Committee also explained that since “[t]echnology and the security of stored data are changing rapidly”, in addition to taking some or all of the steps outlined above, the lawyer should also periodically reconfirm that the

provider's security measures remain effective in light of advances in technology. If the lawyer learns information suggesting that the security measures used by the online data storage provider are insufficient to adequately protect the confidentiality of client information, or if the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients' confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.

Opinion No. 842.

And, finally, the Committee cautioned that because “[n]ot only the technology itself but the law relating to technology . . . is changing rapidly”, lawyers who use “online storage systems . . . should monitor these legal developments, especially regarding instances when using technology may waive an otherwise applicable privilege.” Opinion No. 842.

This is the only ethics opinion I can find, so far, at least, which addresses the propriety of a law firm’s using cloud computing to store confidential client information. I assume we’ll see other opinions addressing this issue, as the use of online storage becomes more common among lawyers.


SeaDrive said...

I think they should call out data security during transmission of data to/from offsite storage as a separate point. I don't see any understanding that the data is vulnerable during that phase (which it most certainly is).

Anonymous said...

North Carolina appeared poised to approve cloud use in this proposed opinion, but as far as I know it's still being studied.