Private companies and law firms have shown increased interest in turning to the cloud for data storage, but the risks must be managed to protect data confidentiality. Generally, lawyers have an ethical responsibility to ensure their clients’ records and communications remain confidential by investigating possible cloud vendors and negotiating the most secure practices possible for conveying, storing, and retrieving client and legal data from the cloud. Some state ethics bar committees have recently issued guidance on cloud storage, as has the ABA. The opinions vary on the degree of secure practices necessary to meet the ethical obligations.
ABA Commission on Ethics 20/20 Revised Proposal – Outsourcing (9/19/11)
Rule 5.3 of the ABA Model Rules of Professional Conduct states that a lawyer who employs or retains a nonlawyer and has “direct supervisory contact over the non-lawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer…” Model Rule 5.3(b). The American Bar Association recently issued new proposed Comments to this Model Rule and noted in the accompanying Report that these Comments should help lawyers more easily determine their ethical obligations given the “continued rapid changes in and diversity of outsourcing arrangements.”
The ABA Report is available at the following link.
One of the new Comments to the ABA Model Rule focuses on non-lawyer services “using an Internet-based service to store client information” and notes that the lawyer has a duty to ensure that the non-lawyer services and conduct are “compatible with the professional obligations of the lawyer.” The Comment notes that this will depend on the “education, experience and reputation” of the non-lawyer, the nature of the services, the terms to protect the client information, and the legal and ethical requirements of the jurisdiction, especially regarding client confidentiality. Model Rule 5.3 Comment. Some state bars have gone further in the security obligations they recommend, as in the revised North Carolina State Bar Ethics Opinion proposed in October.
Proposed 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property
On October 20, 2011, the Ethics Committee of the North Carolina State Bar proposed an opinion that a law firm may contract with a vendor of software as a service (“SaaS”) provided the lawyer uses reasonable care to safeguard confidential client information. The Committee noted that software used by lawyers for case or practice management, document management, and billing/financial management is moving to the SaaS model in the cloud. While traditional software requires installation on a computer or server, SaaS is accessed via a web browser over the Internet. Lawyers have a continuing need to retrieve client data in a usable form, but they also have a duty to safeguard that information—and their use of SaaS does not alter their duty to protect the confidentiality of the data. According to the Committee, a lawyer must apply the “same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.”
The text of the proposed opinion is available at the following link.