Practicing Law in the Cloud Ethically and Securely

Nicole Black

Cloud computing: It’s a concept that was once foreign in the legal field but is now increasingly familiar. Just five years ago, very few lawyers used cloud computing software in their practices, but today, it’s a different story. Depending on the survey, between 33 percent and 60 percent of small firm lawyers are storing confidential client data on servers located off-site and owned by a third party.

Cloud Computing on the Rise

For example, according to the 2016 International Legal Technology Association/InsideLegal Technology Purchasing Survey, cloud computing was hands-down one of the hottest topics in legal IT. Firms of all sizes indicated that they planned to move to the cloud, with some firms doing so on an application-by-application basis while others took a “cloud first” approach. In fact, cloud computing software was at the top of the technology to-do list of lawyers for whom it was a priority to incorporate new legal software into their practices. Of those lawyers, small law firms were “the most aggressive regarding cloud adoption,” with 61 percent of small firm lawyers reporting that more than 51 percent of their firm’s software/service offerings would be cloud-based within the next one to three years.

It’s the many benefits of cloud computing software that made it so popular with lawyers in 2016. The survey results showed that the top reasons firms moved to the cloud included the versatility and mobility of cloud solutions (62 percent), flexibility (53 percent), overall efficiencies and cost savings (34 percent), and security (25 percent). For 43 percent of medium-sized firms, one of the top-cited benefits of cloud computing was that it offered business continuity, flexibility, and mobility.

One popular category of cloud computing for law firms of all sizes was cloud storage, with 34 percent of those surveyed reporting that they had purchased cloud storage for their law firm within the last 12 months. And 25 percent planned to invest in a cloud storage solution over the next 12 months (compared to just 16 percent in 2015).

Case management software was another major area of future investment for the firms surveyed, with 12 percent reporting that their firms had purchased case management software within the past 12 months and 15 percent planning to invest in case management software over the next 12 months (compared to 8 percent in 2015).

The Ethical Obligation to Maintain Technology Competence

In 2012 the American Bar Association adopted an amendment to Comment 8 to ABA Model Rules of Professional Conduct Rule 1.1. This amendment imposed an ethical duty on lawyers to stay abreast of changes in technology. The amended comment reads as follows:

Maintaining Competence. To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added).

Twenty-seven states have since followed suit and have similarly adopted this comment to Rule 1.1. Bob Ambrogi tracks the states that have adopted this ethical obligation on his blog LawSites. Is your jurisdiction on the list?

Even if it’s not, all signs point to the likelihood that your state will soon adopt this requirement to learn about and understand technology. For example, ABA President Linda Klein’s platform includes encouraging lawyers to embrace technology. That’s why, as she accepted the position at the 2016 ABA Annual Meeting, she stated:

[I]t is clear that the longer our profession refuses to adopt and adapt its practices to new technologies, the more opportunities there are for alternative services providers and web-based platforms that have found ways to use technology to provide legal services in a more efficient and less costly manner—in many cases reaching people previously unserved by traditional providers of legal services.

How to Use Cloud Computing Ethically in Your Law Practice

One opinion that provides helpful guidance for lawyers seeking to use cloud computing in their practices is Wisconsin Formal Ethics Opinion EF-15-01. (You can locate opinions from other jurisdictions by referring to a chart found on the ABA’s website.) In the Wisconsin opinion, the State Bar Professional Ethics Committee considered the steps that lawyers must take to ethically store confidential client data online. In reaching its decision, the Committee explained that absolute security is, quite simply, an impossibility, and is therefore not required: “Lawyers are not required to guarantee that a breach of confidentiality cannot occur when using a cloud service provider, and . . . are not required to use only infallibly secure methods of communication.”

Importantly, the Committee acknowledged that the relevant inquiry was not whether lawyers could use cloud computing, but instead, how to go about ethically using cloud computing services: “As cloud computing becomes more ubiquitous and as clients demand more efficiency, the question for counsel is no longer whether to use cloud computing, but how to use cloud computing safely and ethically.”

The Committee wisely noted that an elastic standard was required because “lawyers’ ethical duties are continually evolving as technology changes.” Then, the Committee moved on to the heart of the issue, concluding that lawyers may ethically use cloud computing in their practices:

[C]loud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it. . . . [L]awyers must make reasonable efforts to protect client information and confidentiality as well as to protect the lawyer’s ability to reliably access and provide information relevant to a client’s matter when needed. To be reasonable, those efforts must be commensurate with the risks presented. Lawyers must exercise their professional judgment when adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers.

Like a number of other jurisdictions, the Committee determined that while client consent is not required, in certain cases it may be advisable. The Committee explained: “A lawyer must follow client instructions unless doing so would cause the lawyer to violate ethical rules or other laws. The client may require the lawyer to implement special security measures not required by the ethics rules, or may give informed consent to forgo certain security measures.”

Finally, according to the Committee, specific requirements for assessing reasonableness would soon become obsolete with changing technologies and the risks would likewise vary with the technology involved, the lawyer’s areas of practice, and the individual needs of each client. For that reason, the Committee determined that “[l]awyers must exercise their professional judgment in adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers, and specific requirements would do little to assist the exercise of professional judgment.”

The Importance of Vetting Cloud-Computing Providers

Lawyers have always entrusted confidential data to third parties, whether document-processing companies, process servers, copy centers, document storage companies, or legal document delivery services. Because lawyers must rely on third parties in order to do business as a matter of practicality, absolute security has never been required in these situations. After all, as explained in the Wisconsin opinion, absolute security is an impossibility.

That’s why the standard lawyers are held to is due diligence, which requires that reasonable steps be taken to ensure that confidential client data remains safe and secure. The ethical standard is no different when lawyers seek to store their data in the cloud. No matter who has access to a firm’s data or what format the data takes—paper or digital—lawyers should always ensure that the same confidentiality standards relevant to physical client files are likewise applied to computer-generated data.

That being said, cloud computing, by its very nature, involves unique risks. For example, some cloud-computing providers offer the option of many third-party integrations with their product. Although these integrations offer convenience and added features, lawyers must nevertheless thoroughly vet each and every company that integrates with their primary cloud-computing software platform. In fact, some ethics opinions even suggest there is a continuing duty to do so.

That’s why many firms choose to limit the number of integrations with their primary cloud-computing platform and prefer platforms that have the necessary features built right into the system. That way, the number of third parties that have access to their law firm’s data is reduced, making it easier for them to maintain their ethical obligation to ensure that confidential client data remains secure.

Regardless of the number of integrations, vetting a cloud-computing vendor requires that lawyers ask the right question to determine whether appropriate security measures are being taken by the vendor to protect law firm data. The questions that should be asked of a cloud-computing provider focus on determining where firm data will be stored, what security procedures are in place, how often the data is backed up, and who will have access to it. You’ll find a list of suggested questions to ask each vendor in the sidebar at right.

Once you’ve ascertained the answers to these questions and are satisfied with the answers, you’ll be ready to move your firm to the cloud. It’s an important decision—and it’s not an easy one. But as long as you’ve carefully researched your options ahead of time and conducted a thorough vetting of your chosen vendor, you’ll be well on your way to choosing the right legal cloud-computing platform for your law firm.

For solos and small firm attorneys, cloud computing is the great leveler, providing affordable access to powerful software that was previously available only to large law firms with even larger IT budgets. The trick to taking advantage of this powerful tool while still complying with your ethical obligations is to take steps to ensure that security is not traded for convenience. Follow the vetting process described above, and you’ll be well on your way to enjoying the many benefits of cloud computing, safely, securely, and ethically.

Results of the American Bar Association’s 2015 Legal Technology Report

Lawyers Using Cloud Computing

  • 59 percent of lawyers with cloud computing available for use in their firms used online storage for law-related tasks in 2015, up from 45 percent in 2012.
  • 62 percent were from firms of two to nine attorneys (up from 40 percent in 2012).
  • 61 percent were sole practitioners (up from 43 percent in 2012).
  • 56 percent were from firms of ten to 49 attorneys (up from 44 percent in 2012).
  • 50 percent were from firms of 100 or more attorneys (up from 52 percent in 2012).

Why Lawyers Use Cloud Computing

  • 71 percent use it for the easy browser access from any location.
  • 60 percent use it for the 24/7 access to their law firm’s data.
  • 57 percent appreciate the low cost and predictable monthly expense.
  • 48 percent use it for the robust data backup and recovery.
  • 47 percent use it because it eliminates IT and software management requirements.
  • 46 percent use it because it’s quick and easy to get up and running in their firms.

Source: ABA TECHREPORT 2015.

Questions to Ask Cloud Vendors

  • When was the company founded? Has it received funding from or has it been acquired by an established company?
  • What rights do I have in the event of a billing dispute or other issue with the vendor?
  • Are there integrations with the company’s product? How does the company screen the security processes of the other vendors and of the products that integrate with the software?
  • If there is a problem with a product that integrates with the vendor’s software, which company will be responsible for addressing the issue?
  • Does the contract with the vendor address confidentiality?
  • Does the contract with the provider include a guarantee of uptime?
  • What remedies does the contract provide?
  • Does the agreement with the provider contain a forum selection clause or a mandatory arbitration clause?
  • What rights do I have upon termination of the contract?
  • Can I retrieve a copy of my law firm’s data, and in what format will it be provided?
  • If there is a data breach, will I be notified? How are costs for remedying the breach allocated?
  • Where are the servers located? Will all my firm’s data always stay within the boundaries of the United States?
  • What type of facility will host my law firm’s data?
  • Who else has access to the cloud facility, the servers, and the data? What mechanisms are in place to ensure that only authorized personnel will be able to access my data?
  • How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees?
  • Is the data accessible by the vendor’s employees limited to only those situations where I request assistance?
  • How often are backups performed? Is data backed up to more than one server?
  • What type of security is used at the data centers where the servers are located?
  • What types of encryption methods are used? Is my data encrypted while in transit and while at rest?
  • Are there redundant power supplies for the servers where my data is stored?
  • If a natural disaster strikes one geographic region, would all data be lost or are there geo-redundant backups?

Nicole Black is a Rochester, New York, attorney and the Legal Technology Evangelist at MyCase.com, a law practice management software company. She is the author of Cloud Computing for Lawyers (ABA, 2012) and co-author of Social Media for Lawyers: The Next Frontier (ABA, 2010) and Criminal Law in New York (Thomson Reuters, 2016–2017). She has authored hundreds of articles for other publications and frequently speaks at conferences regarding the intersection of law, mobile computing, and Internet-based technology.