FYI: The Ethics of Online Backup Systems

"Three things in life are certain: death, taxes and computer failures."
From the Law Practice Management article, How to Back Up Your PCs and Macs: An Obsessive's Guide for the Small Law Firm by Erik J. Heels.

According to the 2007 ABA LTRC Survey report, over half of all respondents (54%) have a disaster recovery plan, with external hard drives (33%) being the preferred method for respondents' firms for backing up computer files. Only 7% reported using online backup providers. In FYI: Data Backup, the ABA LTRC mentions that while "Backups of your data can be kept onsite for easy access... it is recommended to keep backups of your data offsite as well ...” Additionally, the article "Too Many Backups? No Such Thing" (free registration required), advocates that in the absence of a dedicated IT staff, “Small firms, especially, should be prepared for data and system recovery."

In the ABA Law Practice Today article, Avert Disaster: Protect Your Practice with Online Backups, the authors mention that some lawyers shy away from Internet backup due to security fears--the authors then discuss the benefits of strong encryption as a protection option. See FYI: Playing it Safe with Encryption for more information on encryption.

There can be ethical concerns about maintaining the confidentiality of client data; however the American Bar Association provides some guidance on the issue of using outside data processing agencies. In ABA Opinion 95-398 (10/95) (membership access required) the Committee recognized that "in this era of rapidly developing technology...lawyers now use outside agencies for numerous functions such as accounting, data processing and storage, printing, photocopying, computer servicing, and paper disposal.” The outside service providers would be considered to be non-lawyer assistants under Model Rule 5.3 which states that lawyers have an obligation to ensure that the conduct of the non lawyer employees they employ, retain or become associated with is compatible with the professional obligations of the lawyer. The opinion states that "Under Rule 5.3, a lawyer retaining such an outside service provider is required to make reasonable efforts to ensure that the service provider will not make unauthorized disclosures of client information. Thus when a lawyer considers entering into a relationship with such a service provider he must ensure that the service provider has in place, or will establish, reasonable procedures to protect the confidentiality of information to which it gains access, and moreover, that it fully understands its obligations in this regard."

North Dakota is the only state thus far that directly addresses the ethical issue of utilizing online service providers. Other states refer to computer systems, third party access, and remote servers or file storage. The following digests of state ethics opinions may also be of interest.

Opinion 05-04 (7/05) by The State Bar of Arizona's Committee on the Rules of Professional Conduct In response to the following; How do we protect the confidentiality and integrity of client information while continuing to increase reliance on internet for … storage of documents? Ethical Rule's 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences. It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet. However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence.

Opinion 2005-4 (3/3/05) The Massachusetts Bar Association Committee on Professional Ethics issued the ethics opinion that “A law firm may provide a third-party software vendor with access to confidential client information stored on the firm’s computer system for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm. However, the law firm must “make reasonable efforts to ensure” that the conduct of the software vendor (or any other independent service provider that the firm utilizes) “is compatible with the professional obligations of the lawyer[s],” including the obligation to protect confidential client information reflected in Rule 1.6(a). The fact that the vendor will provide technical support and updates for its product remotely via the Internet does not alter the Committee’s opinion.”

Formal Opinion No. 33 (02/9/06) State Bar of Nevada Standing Committee on Ethics and Professional Responsibility responded to a query regarding an attorney’s use of an outside agency to store electronically formatted client information. In the situation posed, the attorney’s electronic client files, which contain confidential client information and communications, are stored on a server or other computer device which is physically located and maintained by a third party outside the attorney’s direct control and supervision. The committee responded; “The lawyer’s duty to protect client confidentiality under Supreme Court Rule 156 is not absolute. In order to comply with the rule, the lawyer must act competently and reasonably to safeguard confidential client information and communications from inadvertent and unauthorized disclosure. This may be accomplished while storing client information electronically with a third party to the same extent and subject to the same standards as with storing confidential paper files in a third party warehouse. If the lawyer acts competently and reasonably to ensure the confidentiality of the information, then he or she does not violate SCR 156 simply by contracting with a third party to store the information, even if an unauthorized or inadvertent disclosure should occur.”

New Jersey
Opinion 701 (4/10/06) Advisory Committee on Professional Ethics regarding the Electronic Storage and Access of Client Files opined the following

“when client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer's obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it. Lawyers typically use messengers, delivery services, document warehouses, or other outside vendors, in which physical custody of client sensitive documents is entrusted to them even though they are not employed by the firm. The touchstone in using “reasonable care” against unauthorized disclosure is that: (1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data. If the lawyer has come to the prudent professional judgment he has satisfied both these criteria, then “reasonable care” will have been exercised. In the specific context presented by the inquirer, where a document is transmitted to him by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.”

Opinion 2003-03 (undated) The Vermont Bar Association Committee on Professional Responsibility responding to the following question “Is the use of outside technical experts to retrieve computer files permissible and not a violation of a lawyer’s duty of confidentiality to the client?” concluded that “It is appropriate for a lawyer to use outside technological support in managing case files when it is done in furtherance of carrying out the representation of the client. It is the expectation of the Rules that the lawyer will actively manage the non-lawyer to protect the confidentiality of the client’s information and should a significant breach occur, the lawyer would need to disclose such a breach to the client.” Additionally, “A lawyer may engage an outside contractor as a computer consultant to recover a lost data-base file, which contains confidential client information so long as: “The lawyer clearly communicates the confidentiality rules to the outside contractor; the contractor fully understands the confidentiality rules and embraces the obligation to maintain the confidentiality of any information obtained in the course of assisting the lawyer; and the lawyer determines that the contractor has instituted adequate safeguards to preserve and protect confidential information.”

When considering an online backup provider, LTRC Director Catherine Sanders Reach cautions attorneys to ask the correct questions in “The Cost of Free”. A list of suggested questions to ask a potential online backup service provider is offered by the South Carolina Bar Association.


Additional Resources:
Online Backup Service Providers
  • BackupReview lists more than 400 online backup companies and ranks the top 25 on a monthly basis.
Data Encryption Information