Lawyer ethics and the cloud is an increasingly important topic, especially given that technology is advancing at an astronomical rate. It seems like every day there is a legal software upgrade to download, a hot new app to install or a revolutionary new technology being released. Think of it this way: how many times in the last week have you updated something on your phone/tablet (or at least gotten a notification that updates were available)? Sometimes I have updated an app only to immediately get a notification that another update is available for the same app. Given the ethical requirements lawyers must contend with, how is it possible to integrate these new technologies into your practice?
Fortunately, the Ethics Committees of many state bar associations have already provided guidance for the would-be technologically innovative law firm. To date, 20 states have issued Ethics Opinions on Cloud Computing, with 17 states addressing the “cloud” specifically and an additional three states opining upon the use of technologies upon which the cloud is based. The ABA even maintains a tracker specifically for opinions on ethics and the cloud.
What is the interaction between ethics and the cloud?
Do the ethics rules permit lawyers to use the cloud? The short answer is, yes — lawyers can use the cloud. To date, every state Ethics Committee to take up the issue of cloud computing has concluded that the use of cloud systems is permitted by their version of Model Rule of Professional Conduct 1.6, which addresses Confidentiality. Model Rule 1.6 states (in part), “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent…”. While each state has enacted its own version of Model Rule 1.6, the differences are minor and the meaning is the same. Take, for example, New York Rule 1.6 (arguably the most heavily modified of all versions of the Model Rule) which, as cited in N.Y. State 842 (2010), states,
“A lawyer shall not knowingly reveal confidential information … or use such information to the disadvantage of a client or for the advantage of a lawyer or a third person, unless:
(1) The client gives informed consent, as defined in Rule 1.0(J)…”
Clearly, and as every lawyer knows, the confidential nature of our clients’ information as a part of the attorney-client privilege is sacrosanct. As such, lawyers throughout the US (and indeed the world) are held to high standards when it comes to protecting that information. As the vast majority of Ethics Opinions dealing with attorney-client privilege and confidentiality in general point out, law firms are not just prohibited from disclosing this information. They must “diligently preserve the client’s confidences, whether reduced to digital format, paper or otherwise.” See N.Y. County 733 (2004).
However, regardless of whether they are addressing the preservation of client confidences in general or in the context of some new technology, Ethics Committees throughout the country recognize that no practice management solution is perfect. The New Jersey Advisory Committee on Professional Ethics neatly captured the reality of the situation by stating that maintaining confidences,
“does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax.” N.J. Opinion 701 (2006)
Are there any ethical requirements for using the cloud?
So what then is the ethical standard to which lawyers using the cloud are held? Fortunately, it is the same standard as in all other instances relating to the maintenance of client confidences — reasonable care. For attorneys wondering what, exactly, constitutes reasonable care when it comes to the cloud and other online technologies, the Ethics Committees have provided some guidance.
Each state has provided (generally non-binding) guidelines and, as with everything else in the legal world in the US, each state’s guidelines are slightly different. However, despite these differences, several common themes have emerged:
- Conduct due diligence on your cloud provider, including a review of their service agreements and security measures.
- Ensure that you have unhindered ownership of and access to the data, including the ability to permanently erase data.
- Consult an expert if the lawyer’s technology expertise is lacking.
- Ensure adequate backup of your data.
- Evaluate the nature of the data to be stored on the cloud and, in the case of highly confidential information, consider getting client approval.
- Stay abreast of changes in privacy laws/regulations, the law of attorney-client privilege and technological developments that may affect privacy/privilege.
- The vendor must have an enforceable obligation to preserve confidentiality and security, and should notify the lawyer if served with process for client data.
Fortunately, the major cloud platform providers, upon which the most-reputable cloud applications are built — such as Microsoft Azure — have made complying with many of these guidelines relatively easy. Microsoft Azure has numerous industry and government data security certifications, including HIPAA/HITECH. As many civil litigation firms deal with HIPAA-protected data, this certification goes a long way toward meeting a lawyer’s ethical requirements. Microsoft Azure also meets requirement seven – they do not disclose any data without either your consent or a properly executed warrant. In the event they receive a request for access to your data (whether with a valid warrant or without), you will be notified immediately, allowing you to take appropriate steps to meet your ethical obligations.
When selecting any cloud-based system, such as legal practice management software, law firms would be wise to seek solutions designed specifically for the Legal Cloud. Certain products have been designed specifically for law firms by lawyer-led teams. This means that client confidentiality, data security and — by extension — ethical compliance have been built into the very DNA of these systems. What better way to ensure ethical compliance than to subscribe to a system designed for lawyers by lawyers, hosted on HIPAA-compliant platforms?
Thanks to the rapid advance of technology, increased client demand and the cost-effectiveness of cloud-based systems, the legal industry has been forced to quickly address lawyer ethics and the cloud, as well as new legal technologies like legal case management software, apps, etc. For the cost-conscious law firm, the tech-savvy lawyer and all those millennials who are now in law practice, the news is good. Cloud computing is here to stay for the legal industry and ethical compliance is actually easy! Maybe the times really are a changin’.