It’s All in the Cloud?
By: Bruce A. Campbell and Lindsay McNutt
In the business world, technology continues to change the face of the work place. Although the legal profession oftentimes lags behind corporate America, today’s lawyers continue to expand their use of technology in the practice of law. In my lifetime, lawyers have gone from typewriters, to computer punch cards, to main frame computers, to personal computers, tablet computers, and beyond. As a result of these technological changes, ethical issues continue to emerge that were not even a glimmer in the eyes of the draftsmen of the Texas Disciplinary Rules of Professional Conduct when they were passed back in 1990.
One of the more recent ethical discussions arises out of lawyer use of cloud computing. Cloud computing typically involves storing client and law firm data in a third party vendor’s data center, rather than on a law firm’s servers. Typically, the data is accessed by users over the internet. A lawyer may access the data stored in the “cloud” through a variety of devices including Smartphones, tablets and personal computers. Virtually any device that can access the internet can at least in theory be used to access the data in the cloud. Lawyers who use Google Docs or Dropbox to share or view data are using “cloud computing.”
Over the past two years, 15 states have issued ethical opinions regarding a lawyer’s use of cloud computing. All 15 states permit the use of cloud computing. However, each state has established different requirements for the attorney to follow in order to show he used “reasonable care” in maintaining attorney/client confidentiality and security over the client’s file.
In Alabama, for example, the attorney must: (i) know how the provider will handle storage and security of the information; (ii) reasonably ensure the provider abides by a confidentiality agreement in handing the data; and (iii) stay abreast of safeguards that should be used by the attorney and third party vendor.
California has created a list of factors for an attorney to undertake before using a particular form of technology, including: (i) consideration of the attorney’s own level of technological competence; (ii) the necessity to consult with or hire an expert; (iii) the client’s instructions; and (iv) the legal ramifications if any electronic information is intercepted or interfered with by a third party.
Florida just recently took the position that an attorney is required to be up-to-date on technological developments, but the opinion did not discuss whether the lawyer could delegate the technological savvy to a duty to a paralegal or outside expert.
Massachusetts has determined that lawyers should refrain from using cloud computing without their client’s consent. And, Massachusetts determined that the lawyer must follow a client’s express instructions regarding information that may or may not be viewed online.
New Hampshire stated that client consent may be necessary when information is “highly sensitive” before it can be uploaded to the cloud. In contrast, Nevada compared storing electronic information online to storing confidential files in a third party warehouse, and determined that client consent was not necessary. However, Nevada stated that an attorney would violate its disciplinary rules if it transmitted data to a third party vendor without an agreement by the vendor to keep the data confidential.
Both Iowa and North Carolina cautioned attorneys to ensure they would have unfettered access to any client information stored online, including how the attorney could retrieve the information if the vendor goes out of business. Many of the ethical opinions caution an attorney to ensure an adequate firewall exists, that data is encrypted online, that data stored online is kept in separate files to protect against inadvertent disclosure of one client’s information to other clients of the lawyer.
Of course, for multi-jurisdictional law firms, the compliance requirements for the several states in which they practice can be challenging. The most likely result will be for multi-jurisdictional law firms to follow the most stringent requirements of the states in which they practice. These firms will also have to monitor the several states in which they practice for changes that will affect their ability to comply with each state’s requirements.
Texas has yet to issue an ethics opinion regarding an attorney’s use of cloud computing. It is likely Texas will follow the national trend and specifically allow cloud computing. Nevertheless, we must always remember that Texas does not necessarily always follow national trends. We need only go back to the last referendum on the Texas Disciplinary Rule amendments to remind ourselves that unlike every other state that has addressed the issue, Texas rejected the adoption of a disciplinary rule prohibiting attorneys from having sex with their clients. Thus, although it is likely that Texas will have an ethics opinion that allows Texas lawyers to specifically allow cloud computing, what the exact parameters of the requirements might be for cloud computing for Texas lawyers remains to be seen.
Bruce A. Campbell is a shareholder in and Lindsay McNutt is an associate with Campbell & Associates Law Firm, P.C. in Dallas. They defend lawyers in disciplinary and tort actions. Mr. Campbell is regularly retained as an expert witness to opine on lawyer conduct and lawyer-ethics issues.