EverNote.  DropBox.  Google Drive. These are but a few of the many cloud-based applications available on the Internet that provide helpful and cost-effective solutions to document creation, collaboration and storage. Traditionally, the need for additional document management capability meant purchasing a new disk drive or a new software package.  Technology has now evolved to the point where lower costs for hardware storage and processing speed have facilitated the “virtualization” of computer servers and a proliferation of  “software-as-a-service” (SaaS) providers on the internet. Rather than expend valuable capital resources on hardware and software solutions to service the document needs of their practices, more and more attorneys are turning to software solutions delivered over the internet (generally referred to as “cloud computing”) to meet their technology needs.  Although the broad availability of these solutions and relatively low (even free) cost provide tempting solutions to legal practices, a storm is blowing regarding their use that may be raining on lawyers’ ethical obligations.

A cornerstone of the attorney-client relationship is the confidentiality accorded to any communications between a lawyer and his client. With the advent of computer systems to facilitate the creation and printing of documents, ensuring such confidentiality generally remained a matter of securing access to computers and a lawyer’s offices. As the portability of computers increased and Internet email communications became the norm, that confidentiality became harder to maintain. Now, the “cloud” provides software platforms for many different kinds of tasks, ranging from notation (EverNote) to document creation and collaboration (DropBox) to storage of all manner of files (Google Drive). Unfortunately, this means that the content created within the attorney-client relationship no longer resides on a local computer, but rather, within a virtual server (or many different ones) located somewhere else (and maybe not even in the U.S.). Worse still, these services are not immune to hackers who understand that the black market for personal information — especially the highly sensitive information attorneys may possess about their clients. Law firms have already been (and continue to be) the target of hackers, and any SaaS services that are used by lawyers remain prime targets. This problem is real – EverNote was hacked in 2013 and required the reset of 50 million passwords. Worse, DropBox was hacked in 2012 and again in 2016, when 68 million records were compromised and the data offered for sale on the “dark web”.

Although each state’s ethical rules governing attorney conduct are relatively clear on the confidentiality accorded attorney-client communications, there is far less guidance when it comes to the use of technology that encapsulates the content of such communications. For example, under Rule 1.05(b) of the Texas Disciplinary Rules of Professional Conduct “a lawyer shall not knowingly…[r]eveal confidential information of a client or a former client to [third parties]” unless certain exceptions apply (such as where the client consents to the disclosure). These exceptions do NOT address the use of cloud services or other independent contractors to facilitate the lawyer’s representation of the client. However, the Professional Ethics Committee in Opinion 572 (June 2006) addressed using an independent copy service without the client’s express consent as long as “the lawyer reasonably expects that the independent contractor will not disclose or use materials or their contents except as directed by the lawyer.” See Tex. Comm. on Prof’l Ethics, Op. 572, 69 Tex. B.J. 793-94. Currently, only 20 states have rendered ethics opinions addressing attorney use of cloud services, generally requiring a “reasonable standard of care” in the use of such services, such as taking “reasonable precautions to protect the security and confidentiality of client documents and information” and periodically reviewing security measures. Some states even go so far as stating that the attorney-user must be satisfied with the SaaS provider’s “security policies and mechanisms to segregate the lawyer’s data and prevent unauthorized access to the data by others including the cloud service providers”.

What about states that have not rendered advisory opinions (like Texas)? Ultimately, the attorney-user retains responsibility for ensuring the privacy and security of their client data. Here are 3 things every lawyer should do when considering using cloud services, and especially if you are already using them:

  1. Use a Reasonable Standard of Care With SaaS…Always. Although the advisory opinions issued so far differ in their specific requirements, all of them require the use of a reasonable standard of care when using cloud services. That said, an argument can be made that it is not “reasonable” to continue using a SaaS provider that gets repeatedly hacked…so remain vigilant.
  2. Review and Revisit the Provider’s Terms of Use/Service to Ensure Compliance.  Become familiar with SaaS providers’ terms of use – it is not “reasonable” to use such a service without understanding its terms of use and privacy policy.
  3. Consider Obtaining Client’s Informed Consent to Your Use of SaaS Services. Where possible, revise client engagement letters to address the use of cloud services in the law practice, how they are used, and that by engaging legal services clients consent to such use during their representation.

Needless to say, technology will continue to evolve…but such evolution cannot be at the cost of lawyers’ ethical obligations to their clients. Counsel must remain vigilant about the nature of the SaaS services they are using, the security protocols in place for such services and potential breaches.  For now, the forecast remains cloudy in this ethical arena…so lawyers must remain vigilant and not get caught in the rain in the process.

3 thoughts on “Attorneys Beware: The “Cloud” May Be Raining on Your Ethical Obligations”

  1. There is no way to ever be completely sure your data will remain secure once you’ve moved it to the cloud. By storing your data in the cloud you are abrogating responsibility for your data. Someone else has access to it and someone else is responsible for keeping it safe. Security breaches are common; data stored in the cloud is under attack 24 hours a day.
    While providers of cloud services often claim that the data they store is encrypted and private, most often they are the ones who hold the keys. That means a rogue employee, a hacker, or any government requesting encryption keys can decrypt and see your data. And even when you are the one that holds the key, the recently reported WhatsApp backdoor, that allows attackers to intercept and read encrypted messages, shows that whenever your data is handled by a third party it is not secure.
    Good security for Note Taking and Personal Information Managers (PIM) can only be achieved if you store your data off-line, encrypted with a strong password. Also, you should keep your computer free of viruses and keep it secure 24 hours a day.
    The more secure PIM and NoteTaking applications that I could find are Bersoft SecureNote for Windows and Bluenote for Mac. Both of them store your data off-line, safely encrypted.
    If you want easy access between different devices, note sharing and other fancy features, you better forget about security.

    1. Derek: Absolutely true – the point here is that many attorneys can no longer be ignorant of their use of technology. What’s worse is that law firms are increasingly being targeted by hackers due to the nature of the confidential data being held. As a result, attorneys must be more vigilant with not just the systems in their offices, but with their mobile platforms and use of third-party services. Your recommendations for PIM and note-taking applications are appreciated!
