Illinois Bar Journal

The Magazine of Illinois Lawyers

November 2013Volume 101Number 11Page 588

November 2013 Illinois Bar Journal Cover Image

CLE Spotlight

The Ethics of Lost Laptops, Cloud Computing

Mark S. Mathewson

How to do the right thing when your laptop turns up stolen or you hire an Internet-based service to store client data.

Every year, hundreds of Illinois lawyers share their knowledge with thousands of colleagues through the ISBA's Law Ed program. Here's a look at just a few minutes of a representative presentation. For a complete list of ISBA online and live CLE, visit

Professional Responsibility, Ethics, and Social Media Update

The Intersection of Social Media and the Practice of Law

Mary F. Andreoni, Ethics Education Counsel, Illinois Attorney Registration and Disciplinary Commission

In her CLE presentation on the intersection of ethics rules and social media, the ARDC's Mary Andreoni offered two tasty ethics-and-tech appetizers before she even got to the social-media main course.

Both came under the heading of a lawyer's duty of confidentiality under of the Rule of Professional Conduct 1.6. One dealt with the confidentiality obligations raised by cloud computing, in which data is stored on and accessed from the Internet rather than the server - or paper-file storage cabinet - in your basement. The other addressed every lawyer's nightmare, the stolen laptop loaded with sensitive client information.

'Someone stole my laptop!' "There are the confidentiality concerns with laptops, cellphones, flashdrives," Andreoni said. "I've had this question before from attorneys: 'What do I do if my laptop is stolen and there's confidential information on there - the client's name, address, maybe their medical records, their financial records?'"

The answer is straightforward. "The lawyer has an obligation to notify those clients," Andreoni said. But wait, you say. Your laptop is password protected. A run-of-the-mill thief won't be able to crack the code. So no worries, right?

Don't count on it, Andreoni said. "If you have [password protection alone], that's probably not enough. You might want to have a GPS locator on your laptop. In any event, you'll have to notify the police."

Laptop users "have to think about the worst case scenario," she said. "Like someone breaking into your car or your home. How secure is your laptop? A password is not enough" for truly sensitive client data.

What's more, the Illinois Personal Identification Protection Act, which is codified at 815 ILCS 530 et seq. and covers lawyers, imposes notice requirements in case of a breach of confidential information.

Confidentiality and the cloud. Cloud computing - affordable and accessible-from-anywhere Internet-based storage for client data - is growing in popularity among lawyers. And putting client information on servers owned by someone else and accessed by other users certainly raises its own set of confidentiality issues. But fundamental low-tech rules of common sense still apply, Andreoni said.

"In the old days, if you had a file cabinet and you shared your office with others, you would not have the files stored in such a way that they were accessible to lawyers not in your law firm," she said. "You would not leave documents lying around."

"So you have to apply that same idea to the cloud," she said. "How are you protecting [client data]? It's just like that file cabinet. If you had your [physical] office in the Hilton, would everyone who walked by be able to open your file cabinet? You need to know how client data is being protected."

In other words, she said, you need to educate yourself about the technology and its risks and make a good business decision like you would about anything else. "Know the entity you're using - don't use a fly-by-night vendor," she said. Assess risk on a case-by-case basis. Consider getting the client's express permission to store his or her data in the cloud.

Andreoni recited some of the potential threats to data security posed by a mismanaged cloud that were raised by the ABA Commission on Ethics 20/20: unauthorized access to confidential client information, servers located in countries with fewer legal protections for cloud storage, the vendor's failure to back up data adequately, unclear policies about who owns stored data.

Does the vendor have an adequate policy for notifying customers of security breaches? What about file destruction, say, when the client switches firms?

"Is the destruction going to be done by the third-party vendor? We've all used third-party vendors, even for storing paper documents," Andreoni said. "But you need to assure, [and] maybe [to spell] out in the agreement, that they're going to get rid of this in a very secure way." In her written materials, she cited ABA Formal Opinion 08-451, which sets out guidelines for ethical outsourcing to vendors.

To view the rest of this program and earn CLE credit, visit

Login to read and post comments