Tennessee has joined other states in formally approving lawyers’ cloud-storage of client-confidential data. The Board of Professional Responsibility (“BOPR”) held that lawyers ethically may use cloud storage for client-confidential information, upon taking reasonable and competent care to ensure their confidentiality and protection from loss, data breach or other risks.
The Opinion applies long-standing attorney ethical obligations to cloud storage just as they would to any other storage medium. Lawyers’ responsibilities are not delegable: Although a lawyer may out-source a service or task, she may not avoid responsibility. That standard requires lawyers to use due diligence in their selection of cloud-storage services and to impose reasonable downstream restrictions upon vendors.
The Board called out some guidelines from other states’ ethics opinions include:
- Learn providers’ storage and security methods;
- Impose downstream confidentiality obligations;
- Stay abreast of appropriate data-security safeguards;
- Ensure your Business Continuity Plan encompasses your cloud storage provider, your continued access to data and reasonable continuity, fail-over and data-transfer provisions;
- Carefully review all data-service agreements;
- Incorporate data-breach notice, mitigation and recovery provisions into agreements;
- Ensure agreements provide for appropriate procedures and response to governmental or judicial orders requiring production of client data; and,
- Ensure that these obligations, responsibilities and practices are reflected in the law firm’s procedures.
The ABA has summarized various States’ ethics opinions on cloud computing,here.
The Opinion comes even as the US government and private corporations are heightening their focus on cyber-security. Indeed, lawyers and firms would do well to focus on the same issues that the SEC has highlighted for the financial institutions it regulates:
- Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
- Access Rights & Controls, across, within and without the enterprise and including credentialing, access tracking, BOYD (bring your own device) issues.
- Data Loss Prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally-identifiable information.
- Vendor Management, implementing due-diligence of, and downstream compliance controls over, third-party providers.
- Trainingof employees and vendors.
- Incident Response Plansand data protection priorities.
See OCIE to Conduct More Cybersecurity Exams, here.
The TN BOPR’s Formal Ethics Opinion 2015-F-159 (Sept. 11, 2015) is here.