Don’t Let the Cloud Rain on Your Parade

Emerging issues with software-as-a-service providers and ethical obligations.

By Tom Kulik

In the past, attorneys purchased a new disk drive, memory, or software to meet their needs, but technology has now evolved to the point where lower costs for hardware storage and processing speed have facilitated the proliferation of what are called software-as-a-service providers. The broad availability and relatively low (even free) cost of these cloud-based services make them tempting solutions for legal practices, but a storm is brewing regarding their use that could rain on lawyers’ ethical obligations.

A cornerstone of the attorney-client relationship is confidentiality. Once computers entered the law office, that generally meant securing access to those computers. Now, the cloud provides software platforms for many different kinds of tasks, ranging from notation (Evernote) to document retrieval (Dropbox) to storage (Google Drive). Documents on such software now no longer reside locally, but rather, within a virtual server (or many different ones) located somewhere else—and maybe not even in the U.S. Unfortunately, these services are not immune to hackers who understand the black market demand for personal information—especially highly sensitive data attorneys may possess about their clients.

This problem is real. A 2013 hack of Evernote required the resetting of 50 million passwords. Worse, Dropbox was hacked in 2012 and again in 2016 … where the data of 68 million users was compromised and offered for sale on the “dark web.”

Although each state’s ethical rules for lawyers are relatively clear on the confidentiality of attorney-client communications, far less guidance exists regarding the use of technology that encapsulates the content of such communications. For example, under Rule 1.05(b) of the Texas Disciplinary Rules of Professional Conduct “a lawyer shall not knowingly … [r]eveal confidential information of a client or a former client to [third parties]” unless certain exceptions apply (such as when the client consents to the disclosure). These exceptions do not address using cloud services or other independent contractors to facilitate the lawyer’s representation of the client. However, the Professional Ethics Committee in Opinion 572 (June 2006) addressed using an independent copy service without the client’s express consent as long as “the lawyer reasonably expects that the independent contractor will not disclose or use materials or their contents except as directed by the lawyer.” See Tex. Comm. on Prof’l Ethics, Op. 572, 69 Tex. B.J. 793-94.

As of January, only 20 states had rendered ethics opinions addressing attorney use of cloud services, generally requiring a “reasonable standard of care” in the use of such services. Specific opinions advise taking “reasonable precautions to protect the security and confidentiality of client documents and information” (Arizona), “periodically reviewing security measures” (Oregon), or requiring the attorney-user be satisfied with the provider’s “security policies and mechanisms [that] segregate the lawyer’s data and prevent unauthorized access to the data by others including the cloud service providers” (Connecticut). In states—like Texas—that haven’t issued advisory opinions on cloud computing, the attorney-user must ensure the privacy and security of client communications and data. Here are three things every lawyer should do when using cloud services:

1. Use a reasonable standard of care. Although the current advisory opinions have different requirements, all require the use of a reasonable standard of care when using cloud services. That said, an argument can be made that it is not “reasonable” to continue using a provider that gets repeatedly hacked … so be wary.

2. Review and revisit the terms of use. It is not “reasonable” to use such a service without understanding its terms of use and privacy policy.

3. Consider obtaining clients’ informed consent. Where possible, revise client engagement letters to address the use of cloud services in the law practice and how they’re used, and to state that by engaging legal services, clients consent to such use during their representation.

Technology will continue to evolve, but it shouldn’t do so at the cost of lawyers’ ethical obligations to their clients. For now, the forecast remains cloudy in this ethical arena … so lawyers should remain vigilant.

This article, which originally appeared on Kulik’s blog, has been edited and reprinted with permission.

TOM KULIK is an intellectual property and technology law partner at Scheef & Stone, a full-service commercial law firm based in Texas, who helps his clients navigate the complexities of law and technology in their business. Read more about his thoughts on the intersection of law, business, and technology at

