Keeping it Confidential in the Cloud

Attorneys have taken to the cloud, storing client data and other information online, including confidential client information. Unlike traditional data storage methods, such as a computer or server at the law office, data stored in the clouds is kept on large servers located “off site” and maintained by a third party vendor.[1] Cloud Computing connects attorneys with client’s information by storing that information on a third party’s data servers which allow for access to that information anywhere in the world. This technology comes with major advantages, as it is a cost effective way to manage case files and gives more access to both the attorney and the client.[2] Storing privileged information in the clouds also poses a problem for attorneys hoping to maintain confidential information on behalf of their clients.

The American Bar Association (ABA) attempted to address the ethical concerns of storing data in the clouds in an issue paper published in 2010.[3] The ABA highlighted a number of concerns regarding a lawyer’s use of cloud computing, including: access to confidential client information, storage of information in countries with fewer legal protections, third party failure to adequately back-up client data, ownership of data policies, necessity of client consent and policies of destruction of client data.[4]  The overarching concern with client data stored in the clouds, however, is ensuring that this information remain privileged and secure. The ABA concluded that attorneys should use a reasonable care standard in protecting client information.[5]

Numerous states have addressed the ethical concerns of storing data in the clouds. If an effort to protect client confidentiality and attorney-client privilege, New York, Arizona, Alabama and North Carolina have all issued or proposed ethics opinions on Cloud Computing. State Ethics Authorities have detailed how lawyers should take reasonable precautions to protect client data stored in the clouds.[6]  The New York State Bar Association (NYSBA) Committee on Professional Ethics issued an opinion to address the ethics of online storage of confidential information.[7]  The opinion noted that lawyers are obligated under the state’s Rules of Professional Conduct to exercise “reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential client information.”[8]  The Committee concluded that lawyers may rely on cloud computing to store client files, as long as the lawyer takes reasonable care to ensure the system is secure and that client confidentiality will be maintained.[9]

The Arizona State Bar Association Committee on the Rules of Professional Conduct reached a similar conclusion in its opinion addressing electronic data storage.[10]  The Arizona Committee Opinion noted that attorneys much keep abreast of technological changes but that, “technology advances may make certain protective measures obsolete over time. …whether a particular system provides reasonable protective measures must be ‘informed by the technology reasonably available at the time to secure data against unintentional disclosure.’”[11] Ultimately, the Arizona Committee concluded that as advances in technology occur, lawyers should periodically review the security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ information.[12]

Alabama’s Ethics opinion permits the use of cloud computing for storing client data.[13]  The opinion highlights the evident pros of cloud computing for attorneys, including increased access to client data. They write, “As long as there is an internet connection available, the lawyer would have the capability of accessing client data, whether he was out of the office, out of the state or even out of the country.”[14] With this access, however, the lawyer must exercise the same reasonable care as described in the Arizona opinion.[15] The opinion warns attorneys that client confidences and secrets are no longer under the attorney’s direct control but now are in the hands of third parties, who have free access to the data.[16] Additionally they warn of the possibility that a third party would hack the server gaining access to client data through the internet. The Opinion notes, “However, such confidentiality concerns have not deterred other states from approving the use of third-party vendors for the storage of client information.”[17]

The North Carolina State Bar Associations Professional Ethics Committee has proposed a similar opinion on cloud computing and confidentiality. The North Carolina opinion does not require that attorneys use infallible methods of data production but instead, much like Arizona and New York, they advice that attorneys use “reasonable methods” to reduce the risk to client data.[18]

While these Ethics Opinions note that attorney’s need to exercise reasonable care, they also are careful to point out that exercising reasonable care does not mean that the lawyer guarantees that the information is secure from any unauthorized access.[19] Keeping clients apprised of the possibility of third party access and making reasonable efforts to ensure confidentially should be the attorney’s primary concern. Stephanie Kimbro a North Carolina attorney has lectured on the topic of Cloud Confidentiality on numerous occasions. She writes, “the best approach to take [for data storage] would be to create guidelines for lawyers rather than restricting use of web-based technology to a private cloud or restricting technology use.”[20] The Virginia State Bar agrees noting, “Attorneys are not required to guarantee that a breach of confidentiality cannot occur when using an outside service provider. [The Rules of Professional Conduct] only requires the lawyer to act with reasonable care to protect information relating to the representation of a client.”[21]

Cloud computing raises serious concerns about third party access to client data. So far, only a few states have addressed these confidentiality concerns, recommending that attorneys take “reasonable means’ to ensure that client data is secure. The difficulty with the reasonableness standard, however, is that technology, unlike the law, is rapidly changing. It is recommended that lawyers seek out a data storage provider who has enforceable means to protect confidentiality and security, who responds promptly to the attorney’s data production needs and who has measures in place for securing dating from outside access as well as data recovery.[22] As the technology continues to develop at a rapid pace, the attorney’s duty of reasonable care now also includes a duty to keep up with the technological advances they are employing.