Ethics rulings tell lawyers to seek security when in the cloud
New ethics rules require lawyers to be technologically competent and aware of the ethical implications of cloud computing. But what exactly constitutes technological competence? And how far must a lawyer who stores data in the cloud go to protect client confidences from inadvertent or unauthorized access or disclosure?
Those two questions were at the heart of an ABA Techshow presentation Thursday on “Ethics 20/20, Security and Cloud Computing.” Co-presenters Catherine Sanders Reach, director of law practice management and technology for the Chicago Bar Association, and Kevin A. Thompson, who practices trademark, copyright and Internet law at the Chicago firm Davis McGrath, walked attendees through recent changes in the ethics rules and what state ethics authorities have had to say so far about lawyers’ use of the cloud.
For those who weren’t sure what cloud computing is, the pair cited a passage from a 2011 Pennsylvania ethics opinion quoting from an article in Maximum PC magazine, which called it “a fancy way of saying stuff’s not on your computer.” Thompson offered another way of looking at it: “It depends on whether you need an active Internet connection to access the data,” he said.
Reach said changes in the ABA Model Rules of Professional Conduct, which took effect in 2012, remind lawyers that they not only must stay abreast of changes in the law but must also maintain a basic understanding of the benefits and risks of relevant technology. Those changes also make it clear that lawyers have a duty to take “reasonable precautions” to protect client confidences from inadvertent or unauthorized disclosure. They even include a five-point “checklist” for determining the reasonableness of a lawyer’s efforts to maintain confidentiality, including the sensitivity of the information, the likelihood of disclosure without safeguards and the cost and difficulty of implementing additional safeguards.
To date, 18 states have weighed in with ethics opinions on the use of cloud computing by lawyers, either directly or indirectly, according to Reach. And all 18 have said it is OK, as long as the lawyer investigates the products and methods he or she uses and keeps up with any changes made by the provider. A list of those opinions, maintained by the ABA Legal Technology Resource Center, can be found at www.lawtechnology.org.
But Reach and Thompson boiled those opinions down to what they call the five “big-picture requirements” for lawyers who work in the cloud:
• Stay up to date.
• Know what you don’t know.
• Remember that you aren’t guaranteeing that client information is secure from unauthorized access.
• Periodically review a vendor’s security measures.
• Keep in mind that special circumstances warrant special precautions.
Updated on April 1 to correct a typo.