January 2017 • Volume 105 • Number 1 • Page 14
Thank you for viewing this Illinois Bar Journal article. Please join the ISBA to access all of our IBJ articles and archives.
ISBA ethics opinion OKs storing client info in the cloud
Lawyers can store client information on cloud-based servers, an ISBA ethics opinion says, but only if they take the proper precautionary steps.
Advancing technology has often raised ethical issues for attorneys. Not so long ago, email was suspect. Could lawyers use it to securely communicate with clients?
In response, the ISBA issued an ethics opinion - in 1996, which was confirmed in 1997. Opinion No. 96-10 stated that lawyers could use email, without encryption, to communicate with clients unless enhanced security measures were required by the circumstances.
We've come a long way since CompuServ, which was cited as an email/internet provider in the opinion. See https://www.isba.org/sites/default/files/ethicsopinions/96-10.pdf at p. 2. Virtual law offices now enable attorneys to provide unbundled legal services to clients all over Illinois. Practice management software may be entirely managed and hosted in the cloud. Services like Dropbox, Microsoft OneDrive, and Google Drive allow for easy file storage and sharing - all based in the cloud. Practice management solutions like Clio are hosted entirely in the cloud. Others, like TrialWorks, offer users the ability to have their data hosted in the cloud. All of which raises the question - is it ethical to store client information in the cloud?
ISBA Professional Conduct Advisory Opinion No. 16-06, issued in October, says yes, as long as lawyers take specific steps to ensure the security of the data stored there. See https://www.isba.org/sites/default/files/ethicsopinions/16-06.pdf.
In Opinion 10-01, issued in 2009, the ISBA determined that lawyers could use third-party vendors to administer their servers either in-house or at a remote location. Opinion 16-06 finds that lawyers may use cloud computing services, but that Illinois Rule of Professional Conduct 1.1 requires attorneys to keep abreast of changes in law and its relation to technology. This means that attorneys need to be aware of modern security standards - and whether their cloud service uses them.
In that vein, the opinion notes that Rule 1.6(e) requires lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to," confidential information. This requirement applies to attorneys who use cloud-based services, requiring them to employ, supervise, and oversee the third-party provider. Based on the opinions of other states, like Nevada, an attorney would not necessarily be at risk of an ethical breach if a rogue third party or hacker accessed the confidential data - as long as that attorney acted reasonably and competently to protect the data.
Small storage providers might need more vetting
Although the opinion does not provide specific requirements for choosing cloud-based services, it does list some reasonable practices and inquiries that a lawyer could make. For example, a lawyer could become familiar with current cloud-computing industry standards and safeguards. Another step would be to investigate the reputation and policies of the specific provider.
That investigation might be difficult with "big box" providers. The end user license agreement for Microsoft's OneDrive service is a take-it-or-leave-it proposition. You can't negotiate clickwrap agreements. But Aaron Brooks of HolstromKennedy, PC, says that those same "big box" providers tend to publish the details of their security program. They also make up for the lack of custom contracts by having a history in the industry, including a reputation for security.
On the other hand, he says, smaller companies may require more vetting. Do they have security certificates? Do they have a risk management program? Does the company practice industry standards for security? Does it document those procedures and adhere to them? If the company can't answer these questions, "run," he says. The opinion notes that these steps are similar to those required by Alabama, Iowa, and Tennessee, all of which mandate due diligence and reasonable care in selecting an electronic storage method.
The duty does not end at the selection phase. "Pursuant to Rules 1.6 and 5.3, a lawyer has ongoing obligations to protect the confidentiality of client information and data and to supervise non-lawyers. Future advances in technology may make a lawyer's current reasonable protective measures obsolete." The opinion states that lawyers should conduct periodic reviews to determine if client information is adequately protected. This, the opinion notes, is similar to how Arizona and Washington treat the issue.
The cloud isn't going away. Much like email (and likely the fax machine), it will eventually become a standard and accepted method of storing and sharing data. Moving to cloud-based storage makes sense for many attorneys, particularly those who often practice in the field as opposed to at the office. Until the cloud is as normal as email, however, attorneys should take extra care when choosing and working with a cloud-services provider.