New York State Bar Association Tackles Ethics of Cloud Computing
As more and more practices shift to cloud computing, lawyers are left to grapple with the application of the ethics rules to advancing technology. The New York State Bar Association’s Committee on Professional Ethics (“NYSBA Committee”) published an opinion outlining the ethical considerations for attorneys who hire third-party providers to store electronic client files. N.Y. State Bar Assoc. Comm. on Prof’l Ethics, Opinion No. 842 (2010). The NYSBA Committee concluded that, just as an attorney may hire a third party to store hard-copies of client files, so too may an attorney use an online storage system, provided the attorney exercises reasonable care to ensure that confidential information will remain secure.
The NYSBA Committee’s holding is consistent with New York Rules of Professional Conduct Rule 1.6(a), which requires that, subject to certain exceptions, “a lawyer shall not knowingly reveal confidential information . . . or use such information to the disadvantage of a client or for the advantage of a lawyer or third person .” Rule 1.6(c) requires that an attorney exercise “reasonable care” to ensure that third-parties who provide services for the attorney do not divulge or use confidential information.
While it may be relatively clear what constitutes “reasonable care” in the context of traditional third-party storage, those same practices do not seamlessly transfer to online storage. To assist attorneys, the NYSBA Committee offered a non-exhaustive list of four steps attorneys may wish to take in an effort to exercise reasonable care. First, attorneys should ensure that the storage provider has “an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.”
Second, attorneys should investigate the storage provider’s “security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.” While the opinion does not directly address what constitutes “adequate under the circumstances,” it certainly requires consideration of specific client circumstances. For example, different security measures might be required for a large corporate or government client who has been the target of “hacking.” A firm may even want to consider whether cloud storage should be avoided entirely for such a client. Conversely, less stringent security measures may be required for a smaller client where there is minimal risk. This is not a new requirement, however; these same individualized considerations are required when considering more traditional storage.
Third, the NYSBA Committee’s opinion suggests that lawyers utilize “available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.” Finally, attorneys should investigate the provider’s ability to “purge,” “wipe,” and “transfer” the data if the attorney decides to use another provider.
In addition to the NYSBA Committee, at least four other jurisdictions have addressed the ethics of cloud computing, and all have approved of the use of this technology in the practice of law. N.Y. State Bar Assoc. Comm. on Prof’l Ethics, Op. 842 (2010); AL State Bar Disciplinary Comm’n., Op. 2010-02 (2010); State Bar of Ariz. Ethics Comm., Op. 09-04 (2009); State Bar of Nev. Standing Comm. on Ethics and Prof’l Resp., Op. 33 (2006); N.J. Advisory Comm. on Prof. Ethics, Op. 701 (2006). The general gist of all five opinions is that, while the technology may be different, an attorney’s ethical obligations remain the same and an attorney has an affirmative obligation to stay abreast of technological developments to ensure that security measures remain current.
The ABA may provide much-desired clarity to the issue of what technological standards are required when using an online storage provider. In December 2010, a group of cloud computing providers organized as the Legal Cloud Computing Association (LCCA). The LCCA published a letter to the ABA Commission on Ethics requesting, among other things, that the ABA publish minimum technology standards as well as model terms of service for cloud computing providers. See LCCA, Response to ABA Commission on Ethics 20/20 RE: Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology , December 15, 2010, available at http://www.legalcloudcomputingassociation.org/Home/aba-ethics-20-20-response. Should the ABA respond to this request, practitioners will have guidance when seeking out a provider and evaluating whether its security measures are adequate. Until then, practitioners should be aware that they have a continuing obligation to monitor the technology they are using to make sure it remains adequate to protect confidential information.
Ethics Corner is a regular contribution by the Section’s Ethics and Professional Responsibility Committee. This month’s column was adapted from materials submitted by Cara E. Greene and David Fallon in connection with the panel “Technology Tools and Legal Ethics,” National Symposium on Technology in Labor and Employment Law, April 2011.
Justin M. Swartz is a partner at Outten & Golden LLP, www.outtengolden.com, and Co-Chair of its Class Action Practice Group. He has represented employees in class action discrimination and wage/hour cases, as well as individual discrimination cases and other employment matters, since 1998. Mr. Swartz is Employee Co-Chair of the Section of Labor & Employment Law Annual Conference Committee.
Cara E. Greene is an associate at Outten & Golden LLP, www.outtengolden.com, where she represents employees in litigation and negotiation in all areas of employment law, including disability, pregnancy, and family responsibilities discrimination; class actions; and executive and professional contracts and compensation. She is a member of the ABA LEL Ethics and Professional Responsibility Committee and is Plaintiff Co-Chair of the Complex Litigation subcommittee of the Employment Rights and Responsibilities Committee.