Ensure that your client’s confidential information stays confidential.
By Nicole Black, Lawyer
Many believe that cloud computing is the future of computing. That’s why so many businesses, including law firms, are moving to the cloud more quickly than ever before. In fact, according to the results of the American Bar Association’s 2013 Legal Technology Survey, lawyers’ use of cloud computing software to manage their law firms increased by more than 30% in 2013, with nearly one-third of all lawyers surveyed reporting that they used cloud computing software in their law practices.
So, why are so many lawyers using cloud computing? According to the survey results, 74% of the lawyers surveyed cited convenient access as one of the best selling points of cloud computing. The next most popular feature was 24/7 access, with 63% citing that feature, and affordability came in third at 56%. The bottom line: lawyers use cloud-based law practice management systems because they increase both productivity and profits.
Of course, like any type of computing system, cloud computing isn’t perfect, but no type of data storage system is risk-free. This applies equally to any type of third-party outsourcing, whether it is the outsourcing of administrative tasks, or the outsourcing of the management of your law firm’s physical or digital data.
Lawyers have always entrusted confidential data to third parties, including process servers, court employees, cleaning crews, summer interns, document processing companies, external copy centers, and legal document delivery services. Absolute security has never been required in these situations. Rather, lawyers are required to exercise due diligence by taking reasonable steps to ensure that confidential client data remains safe and secure.
And, as all of the ethics boards that have addressed this issue have concluded, the standards applied to cloud computing are no different. See, for example, Alabama (Formal Opinion No. 2012-184), Arizona (Opinion 09-04), California (Opinion 2010-179), Florida (Proposed Advisory Opinion 12-3), Iowa (Opinion 11-01), Maine (Opinion 194), Massachusetts (Opinion 12-03), New Hampshire (Opinion 2012-13/4), New Jersey (Opinion 701), New York (Opinion 842 and Opinion 940), Nevada (Opinion 33), North Carolina (2011 Formal Ethics Opinion 6), Oregon (Opinion 2011-188), Pennsylvania (Opinion 2011-200), Vermont (Opinion 2010-6), and Virginia (Legal Ethics Opinion 1872).[1]
A good example of the opinions that have been issued regarding lawyers’ use of cloud computing is Committee Advisory Opinion #2012-13/4, handed down by the New Hampshire Bar Association Board of Governors.
In this case, the Committee gave the green light to lawyers seeking to use cloud computing, noting that lawyers routinely outsource the handling of confidential data to third parties: “As noted in NH Bar Ethics Op. 2011-12/5, ‘Lawyers regularly engage companies to provide support services. Banks hold client funds; telephone companies carry privileged communications; credit card companies facilitate the payment of bills; computer consultants maintain necessary technology.’ When engaging a cloud computing provider or an intermediary who engages such a provider, the responsibility rests with the lawyer to ensure that the work is performed in a manner consistent with the lawyer’s professional duties.”
The Committee then concluded that lawyers are not required to ensure absolute security when it comes to confidential client data and that lawyers may use cloud computing if they exercise reasonable care when doing so: “It bears repeating that a lawyer’s duty is to take reasonable steps to protect confidential client information, not to become an expert in information technology. When it comes to the use of cloud computing, the Rules of Professional Conduct do not impose a strict liability standard. As one ethics committee observed, ‘Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax.’”
In other words, it is your duty to ensure that the third parties to whom you entrust your data and who have access to the computer servers that house your data meet the same security obligations as any other third party to whom you entrust confidential client files. Regardless of who has access to your data or what format the data takes, the steps you take are always the same: ensure that your client’s confidential information stays confidential. The standards applicable to computer-generated are no different than those applied to digital data, even when that data resides in the cloud.
[1] For a complete list of the ethics decisions issued about cloud computing, see the American Bar Association’s handy comparative chart, which can be found online: www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.
Nicole Black is a Rochester, New York attorney and Director of Business Development and Community Relations at MyCase.com, an intuitive law practice management system for the modern law firm. She is the author of the ABA book Cloud Computing for Lawyers, co-author of the ABA book Social Media for Lawyers: the Next Frontier, and co-author of Criminal Law in New York, a West-Thomson treatise. www.mycase.com