With the deployment of virtually every new law-practice technology come the questions. Is it permissible to use cell phones for client communications? Do professional conduct standards permit lawyers to send documents via fax? Similar questions exist as to lawyers’ use of “cloud” service providers, such as on-line document storage vendors (Google Drive, Dropbox and SugarSync), on-line calendaring services (Google Calendar) and total practice management solutions (Clio and Rocket Matter).
The legal ethics issues presented by the use of cloud technology, however, are not materially different from those that arise with regard to more traditional methods of data storage and communication. Irrespective of the technology, a lawyer owes a client the duties of confidentiality and competence. Furthermore, a lawyer engaging nonlawyer assistants (such as paralegals, secretaries, contractors and vendors) must assure that they act in a manner that is consistent with the professional obligations of a lawyer.
Considering these obligations, a lawyer may store and transmit client data using “the cloud”—if the lawyer takes reasonable precautions to assure that the vendor will maintain the confidentiality and integrity of the data. To assure compliance with these obligations, a lawyer should engage in the following “due diligence” before storing client data on-line:
- Obtain the cloud storage vendor’s service agreement. For example, the “terms of service” for Dropbox and SugarSync are posted on those vendors’ websites.
- Assure that the service agreement requires the vendor to preserve the confidentiality and security of materials.
- Consider whether the vendor requires password access to the data, and whether the data will be encrypted.
- Consider whether the vendor must inform lawyer of unauthorized access events.
- Investigate how the vendor stores and backs up data, and whether the lawyer will have unrestricted and reliable access to data.
- Investigate how the lawyer can obtain data upon terminating the vendor.
- Become fully competent in the use of the vendor’s interface and technology.
- Reevaluate the vendor’s contractual obligations and capabilities periodically.
- Respect the client’s contrary wishes about cloud storage.
- Save paper copies of wills, notes and other documents when a paper “original” is typically necessary.
Assuming that the lawyer undertakes these reasonable measures, client confidential data can be stored and transmitted in the cloud. All state and local bar association advisory opinions addressing the issue are in accord.
Opinions Approving Cloud Storage of Client Data
Massachusetts Bar Association, Ethics Op. 12-03 (2012) (lawyer may store electronic files in cloud if lawyer makes “reasonable efforts to assure that the provider’s policies and practices are compatible with the lawyer’s professional obligation of confidentiality).
New Hampshire Ethics Comm. Advisory Opinion, No. 2012-13/4 (2012) (lawyer may store data in cloud with reasonable due diligence).
Oregon State Bar Formal Opinion No. 2011-188 (2011) (“Lawyer may store client materials on a third-party server so long as lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation. To do so, the lawyer must take reasonable steps to ensure that the storage company will reliably secure client data and keep information confidential.”).
Professional Ethics Committee of the Florida Bar Op. 10-2 (2011).
Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion No. 2011-200 (2011).
Iowa Committee on Practice Ethics and Guidelines, Ethics Opinion No. 11-01 (2011) (lawyer may store client data with cloud provider, but must perform due diligence to evaluate whether provider will protect and competently store data).
New York State Bar Association’s Committee on Professional Ethics Op. 842 (2010).
Vermont, Op. 2010-6 (2010) (lawyer may store client data in cloud with reasonable precautions).
New Jersey Supreme Court, Advisory Committee on Professional Ethics, Ethics Op. 701 (2006).
Nevada Bar Association, Standing Comm. on Ethics, Formal Op. No. 33 (2006) (lawyer may store client data in cloud if lawyer competently and reasonably ensures data will be kept secure and confidential).
Alabama State Bar Association, Ethics Opinion No. 2010-02 (2010) (lawyer may store client data with cloud provider provided the lawyer undertakes reasonable efforts to ensure confidentiality).
California State Bar Association, Ethics Op. 2010-179 (2010) (cloud storage permitted with reasonable care).
Maine Board of Bar Overseers, Ethics Op. 194 (2008) (cloud storage permitted with reasonable care).
Arizona State Bar Association, Ethics Op. 09-04 (2004) (cloud storage permitted with reasonable care).