Lawyers can use “cloud computing” to provide software and store records but must take reasonable steps to ensure than information remains confidential, according to a suggested Bar ethics opinion.
The Professional Ethics Opinion on January 25 approved Proposed Advisory Opinion 12-3. It is published in an official notice in this News. If there are comments filed within 30 days, the committee will review those at its June meeting at the Bar’s Annual Convention.
If there are no comments, the opinion will be forwarded to the Bar Board of Governors.
The committee had asked the board to direct it to prepare the opinion and the board agreed.
As the proposed opinion notes: “Because cloud computing involves the use of a third party as a provider of services and involves the storage and use of data at a remote location that is also used by others outside an individual law firm, the use of cloud computing raises ethics concerns of confidentiality, competence, and proper supervision of nonlawyers.”
Cloud computing gives lawyers the ability to access records from laptops, tablets, and smartphones and also protects records from being lost if a law office is damaged by a hurricane or fire. But because the records and software are stored by a third party at a remote location, lawyers must work to see that the information and client confidences are protected.
Several other states, the proposed opinion says, have found that the use of cloud computing is ethically acceptable as long as precautions are taken. The opinion notes, for example, that the Iowa Bar described the goal as: “[L]awyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information.”
New York listed three obligations for attorneys: Ensuring that the provider can preserve confidentiality and security, including informing the lawyer if there is a subpoena seeking information in those records; reviewing the provider’s security procedures; and using available technology to protect “against reasonably foreseeable” attempts to infiltrate the offsite records.
“This committee agrees with the advice given by both Iowa and New York State,” the proposed opinion says. “Additionally, this committee believes that the lawyer should consider whether the lawyer should use the outside service provider or use additional security in specific matters in which the lawyer has proprietary client information or has other particularly sensitive information.”
The committee struck proposed language that in such cases the lawyer should disclose and get the client’s consent before using cloud computing, which otherwise would not be needed. Also struck was a sentence that the lawyer may not use cloud computing if the client specifically objects.
“In summary, lawyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained,” the opinion says. “The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.”