In the olden days of document storage and management (i.e., before the 1990s), law firms and corporations could confidently identify the location of their documents. These files were kept either onsite in file cabinets and desk drawers, or in offsite storage. And even with the advent of computers and word processing in the 1980s, electronic documents rarely migrated beyond local computer hard drives and servers. This high level of geographic determinacy receded in the 1990s, however, as interconnected computer networks gave users the ability to access documents and software stored in geographically remote locations. For example, a virtual privacy network (VPN) allowed a remote employee to access his or her employer’s workplace network, all from the comfort of his or her home or other offsite location.
Then, in the 2000s, as technology advanced and the cost of document storage plummeted, many people turned to new services to store their personal and professional documents online. People began saying that their data was in the “cloud,” which gets its name from the cloud symbol used to represent the complex infrastructure behind the concept. But with documents entrusted to a third party, issues of privacy and confidentiality naturally arose. These concerns are especially important in the legal world, where ethical duties of confidentiality and safeguarding client property are paramount.
The Cloud Itself
You may still be asking yourself, “What exactly is the cloud?” To answer that question, a brief overview is in order. As discussed above, the cloud refers to an undefined geographic space in which documents and data can be stored remotely for access by local users through a network connection. Specifically, as applied to lawyers, you will most likely encounter three “segments” of the cloud: (1) private; (2) public; and (3) hybrid.
Private clouds are the most secure, as their access is restricted to an organization’s internal users. Many lawyers are familiar with network drives in a private cloud, which can be accessed only by certain users within the firm. Public clouds, on the other hand, are freely accessible by anyone with an Internet connection. Solo practitioners often prefer public clouds because of their lack of internal IT infrastructure and ease of access. Lastly, hybrid clouds have characteristics of public and private clouds and offer the best of both worlds. Many larger organizations gravitate toward hybrid clouds because they provide certain spaces that are private to the company and other spaces in which documents can be stored for access well beyond the geographical confines of the office or the organization’s internal infrastructure.
Moreover, while the distinctions among the types of cloud computing may seem esoteric, the choice of cloud computing carries risks to a legal practitioner, as discussed below. But before turning to these issues, we will first need to understand the background ethical rules implicated by cloud computing.
The Model Rules and the Ethics 20/20 Commission
There are three particular rules from the Model Rules of Professional Conduct addressed herein: (1) Competence (M.R. 1.1); (2) Confidentiality (M.R. 1.6); and (3) Non-Lawyer Assistance (M.R. 5.3). Although most practitioners are generally aware of what these rules provide, it is important to note that each of these rules has recently been clarified by the American Bar Association (ABA) as part of the Ethics 20/20 Commission. The ABA created this commission in 2009 to evaluate new technological realities and their effects, and how the rules should be changed to address these challenges. In August 2012 and February 2013, the ABA House of Delegates approved the commission’s suggested changes to the rules after a series of meetings.
Model Rule 1.1 provides that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” M.R. 1.1. The comments to this rule have always specified that your competence is not static; rather, you must keep abreast of changes in the law and practice that are relevant to the subject areas of the representation. Moreover, the commentary was expanded in 2012 and now states that a lawyer’s competence requires an understanding of the “benefits and risks associated with relevant technology.” M.R. 1.1, cmt. 8 (2012). This clarification did not effect any change to the rule itself but supplements the comment to emphasize the importance of technology in the modern law practice. The commission concluded that, for example, a lawyer likely would fall short of complying with Rule 1.1 if he or she were unable to send an email or create a basic electronic document.
Going beyond technological knowledge, the commission also changed the rule on confidentiality to address new areas of concern. The commission added section (c) to Rule 1.6, which states that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” M.R. 1.6(c) (2012). Lawyers have always had the obligation to protect against unauthorized disclosure of client confidences, but this rule, and its associated commentary, are aimed at protection of documents stored with third-party vendors, including cloud providers.
The new rule provides guidance to attorneys evaluating data-storage services as to what constitutes “reasonable efforts” to prevent inadvertent or unauthorized disclosure. Several non-exclusive factors guide the analysis, including “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, [and] the costs of employing the additional safeguards . . .” M.R. 1.6, cmt. 16 (2012). These factors reflect the guidance provided by some states, such as New York, that endeavor to provide concrete examples of what constitutes “reasonable efforts.” See, e.g., N.Y. Ethics Op. 842 (Sept. 10, 2010).
Thus, if lawyers move beyond a private cloud, the myriad third-party providers in public and hybrid clouds must be evaluated carefully to ensure the privacy of client documents. Lawyers should evaluate (1) confidentiality provisions in vendors’ service level agreements (SLAs); (2) security policies implemented by the vendors; (3) general storage policies; and (4) rules for the handling of data if the law firm chooses to terminate the agreement (e.g., does the vendor purge all copies of the data when the relationship ends?). Evaluating these issues will help a careful lawyer ensure that he or she has taken reasonable efforts to protect the confidentiality of client documents.
Lastly, the Ethics 20/20 Commission also added new comments to Rule 5.3, which governs a lawyer’s duty to supervise and monitor assistance by non-lawyer personnel and entities. M.R. 5.3, cmt. 3 (2012). When using cloud and document-management services outside the firm, “a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.” As in the commentary to Rule 1.6, the scope of “reasonable efforts” is informed by several factors. Here, context matters, and
[t]he extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
Id. This rule obviously works in tandem with Rule 1.6, as lawyers have an affirmative duty to supervise the conduct of cloud providers to ensure compliance with the lawyer’s ethical duties, including the protection of client confidences.
Practical Considerations for Cloud Computing
Now that we have explored the relevant ethical rules, we can discuss several macro- and micro-level concerns. On the macro-level, as you evaluate which cloud service works best for you, you must understand not only the ethical rules, but also substantive laws affecting document privacy at the state, federal, and even international levels. For example, some states have stringent privacy regulations regarding their citizens’ personal data, and under federal law, the 2001 PATRIOT Act gives the government certain access rights to documents passing through and stored in the United States. The European Union has also adopted certain privacy directives, such that retention of personal information by a third party requires disclosure and consent regarding storage and access rights. A careful practitioner should consider how these laws might affect the decision to use certain cloud services.
Moreover, in addition to the substantive law, a lawyer entering the cloud should ask himself or herself certain micro-level questions, including what is my risk tolerance for the custody, security, and geographic location of data? The answers to those questions will inform the decision about the right cloud service. If you are a small firm without the capacity for extensive internal infrastructure, a public cloud may make the most sense. But if you are practicing overseas, and your documents pass through U.S. servers, conflicts may arise between the laws of the country in which you reside and the laws of the country (or countries) where your data may effectively be stored or accessed.
Document storage has come a long way from floppy disks. Within the past few years, electronic data can now be stored in indeterminate places with easy remote access through a basic Internet connection. While this transformation is certainly more convenient for the average user (and the average lawyer), this data revolution raises new concerns about privacy and confidentiality of client documents under governing ethical rules and substantive laws. With regard to the cloud in particular, you should carefully research available services that you may use in your practice and evaluate the risks and benefits of these options. In fact, you have a duty to do so, and this duty requires you to take reasonable efforts to protect client data from unauthorized disclosure and to ensure that your chosen third-party service’s actions are consistent with your ethical obligations. Addressing these concerns will also increase the confidence in your practice and your level of client service. After all, the cloud may sometimes seem opaque, but a greater understanding of its features will make it, for lack of a better word, a little less cloudy.
Keywords: litigation, mass torts, cloud computing, document storage, data retention
Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).