EverNote. DropBox. Google Drive. These are but a few of the many cloud-based applications available on the Internet that provide helpful and cost-effective solutions to document creation, collaboration and storage. Traditionally, the need for additional document management capability meant purchasing a new disk drive or a new software package. Technology has now evolved to the point where lower costs for hardware storage and processing speed have facilitated the “virtualization” of computer servers and a proliferation of “software-as-a-service” (SaaS) providers on the internet. Rather than expend valuable capital resources on hardware and software solutions to service the document needs of their practices, more and more attorneys are turning to software solutions delivered over the internet (generally referred to as “cloud computing”) to meet their technology needs. Although the broad availability of these solutions and relatively low (even free) cost provide tempting solutions to legal practices, a storm is blowing regarding their use that may be raining on lawyers’ ethical obligations.
A cornerstone of the attorney-client relationship is the confidentiality accorded to any communications between a lawyer and his client. With the advent of computer systems to facilitate the creation and printing of documents, ensuring such confidentiality generally remained a matter of securing access to computers and a lawyer’s offices. As the portability of computers increased and Internet email communications became the norm, that confidentiality became harder to maintain. Now, the “cloud” provides software platforms for many different kinds of tasks, ranging from notation (EverNote) to document creation and collaboration (DropBox) to storage of all manner of files (Google Drive). Unfortunately, this means that the content created within the attorney-client relationship no longer resides on a local computer, but rather, within a virtual server (or many different ones) located somewhere else (and maybe not even in the U.S.). Worse still, these services are not immune to hackers who understand the black market for personal information, especially the highly sensitive information attorneys may possess about their clients. Law firms have already been (and continue to be) the target of hackers, and any SaaS services that are used by lawyers remain prime targets. This problem is real: EverNote was hacked in 2013 and required the reset of 50 million passwords. Worse, DropBox was hacked in 2012 and again in 2016…where 68 million records were compromised and the data offered for sale on the “dark web”.
Although each state’s ethical rules governing attorney conduct are relatively clear on the confidentiality accorded attorney-client communications, there is far less guidance when it comes to the use of technology that encapsulates the content of such communications. For example, under Rule 1.05(b) of the Texas Disciplinary Rules of Professional Conduct “a lawyer shall not knowingly…[r]eveal confidential information of a client or a former client to [third parties]” unless certain exceptions apply (such as where the client consents to the disclosure). These exceptions do NOT address the use of cloud services or other independent contractors to facilitate the lawyer’s representation of the client. However, the Professional Ethics Committee in Opinion 572 (June 2006) addressed using an independent copy service without the client’s express consent as long as “the lawyer reasonably expects that the independent contractor will not disclose or use materials or their contents except as directed by the lawyer.” See Tex. Comm. on Prof’l Ethics, Op. 572, 69 Tex. B.J. 793-94. Currently, only 20 states have rendered ethics opinions addressing attorney use of cloud services, generally requiring a “reasonable standard of care” in the use of such services, such as taking “reasonable precautions to protect the security and confidentiality of client documents and information” and periodically reviewing security measures. Some states even go so far as stating that the attorney-user must be satisfied with the SaaS provider’s “security policies and mechanisms to segregate the lawyer’s data and prevent unauthorized access to the data by others including the cloud service providers”.
What about states that have not rendered advisory opinions (like Texas)? Ultimately, the attorney-user retains responsibility for ensuring the privacy and security of their client data. Here are 3 things every lawyer should do when considering using cloud services, and especially if you are already using them:
- Use a Reasonable Standard of Care With SaaS…Always. Although the current advisory opinions differ in their specific requirements, all of them require the use of a reasonable standard of care when using cloud services. That said, an argument can be made that it is not “reasonable” to continue using a SaaS provider that gets repeatedly hacked…so remain vigilant.
- Consider Obtaining Client’s Informed Consent to Your Use of SaaS Services. Where possible, revise client engagement letters to address the use of cloud services in the law practice, how they are used, and that by engaging legal services clients consent to such use during their representation.
Needless to say, technology will continue to evolve…but such evolution cannot be at the cost of lawyers’ ethical obligations to their clients. Counsel must remain vigilant about the nature of the SaaS services they are using, the security protocols in place for such services and potential breaches. For now, the forecast remains cloudy in this ethical arena…so lawyers must remain vigilant and not get caught in the rain in the process.