Clients are not the only ones using the “cloud” for business purposes; in-house and outside counsel also are using the cloud to store and use confidential client information. Some recent ethics opinions address this issue, and their guidance equally applies to the business of law and our clients.
The New York State Bar Association Committee on Professional Ethics concluded that a lawyer may use a “cloud computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.” See Opinion 842 (9/10/10).
“Reasonable care” means:
- Ensuring that the vendor has an enforceable obligation to preserve confidentiality and security, and that notification is required if the vendor is served with process requiring production of client information
- Doing due diligence on the vendor’s security measures, policies and recovery methods
- Employing available technology to guard against “reasonably foreseeable attempts to infiltrate the data that is stored”
Of course, these apply equally to commercial deals.
The Opinion continues:
- Recognizing that technology and the security of stored data are changing rapidly and that periodic reaffirmation of a vendor’s measures is necessary (including the ability to terminate the relationship in the event of a breach)
- The law relating to technology is changing and should be monitored
Both of these points apply especially in regulated businesses and should be dealt with in any cloud agreement.
The State Bar of California Standing Committee on Professional Responsibility and Conduct issued Formal Opinion 2010-179. The opinion discusses whether an attorney violates the duties of confidentiality or competence when using technology to transmit and store client information when it may be susceptible to unauthorized access by third parties. When using such technology, the opinion discusses factors to consider that also are helpful in the commercial context.
These factors include:
- The ability to assess the level of security afforded by the technology (including whether reasonable precautions may be taken to increase the level of security and limitations on who is permitted to monitor the use of the technology, to what extent and on what grounds)
- Legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person’s electronic information (the fact that such could be subject to criminal or civil claims “favors an expectation of privacy with respect to a particular technology”)
- The degree of sensitivity of the information
- The possible impact of an inadvertent disclosure of privileged or confidential information on the client or work product, including possible waiver of the privileges
- The urgency of the situation
- Client instructions and circumstances
The issues above are thought-provoking for our practices and for our clients using the cloud. Some additional opinions to consider: Alabama Opinion 2010-02; Arizona Opinion 09-04; Massachusetts Opinion 05-04; Nevada Opinion 33 (2006); New Jersey Opinion 701 (2006).