Lawyers can use “cloud computing” to store client records and other confidential information but must take reasonable steps to ensure that data remains private.
The Bar Board of Governors has approved a proposed ethics advisory opinion from the Professional Ethics Committee about storing information in offsite computers owned by third parties that rent out digital storage space.
“What the committee wants to do is go forward and say if in fact you use cloud computing, you take reasonable steps to ensure the confidentiality of client information, the provider takes reasonable steps for security, and the lawyer has access to the information,” Board Review Committee on Professional Ethics Chair Carl Schwait told the board in presenting the opinion.
In response to a question, committee member Scott McMillen said that all Internet services that offer to transfer or store files for attorneys are not the same and some are more secure than others.
“We’re supposed to generally figure out the differences,” he said. “You need to take your two-hour seminar and learn the differences. We need an opinion like this for guidance.”
The BRCPE did tweak the concluding paragraph slightly to clarify lawyers’ duties and avoid creating a strict liability standard if something goes wrong, McMillen said.
The opinion defines cloud computing “as ‘Internet based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.’”
“The main concern regarding cloud computing relates to confidentiality,” the opinion said. “Lawyers have an obligation to maintain as confidential all information that relates to a client’s representation, regardless of the source.”
Overseeing and managing nonlawyers who have access or control over that information, the opinion noted, is included in the attorney’s obligations.
The opinion agreed with those from other states that the use of cloud computing is permissible if lawyers “take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely. The lawyer should research the service provider to be used.”