An interesting article describing the use of DropSmack to target networks via DropBox. In addition to broader considerations lawyers should consider before using cloud services, developments like this highlight the need for education regarding technology and security.
California lawyers may maintain a virtual law office in the cloud where communications with the client, and storage of and access to all information about the client’s matter, are conducted solely via the internet using a third-party’s secure servers. The lawyer may be required to take additional steps to confirm that she is fulfilling her ethical obligations due to distinct issues raised by the VLO and its operation. See California Formal Eth. Op. 2012-184 (May 2012).
Iowa Lawyers May Use SaaS [Cloud] Services provided that they consider the access to the data, conduct appropriate due diligence regarding the SaaS provider, the cost of the service, and the degree of protection afforded the data. Iowa Ethics Opinion 11-01 (September 9, 2011).
Main lawyers may store and synchronize electronic work files containing confidential client information. Maine Ethics Opinion #194 (June 30, 2008). Processing of firm data may include transcription of voice recordings and transfer of firm computer files to an off-site “back-up” of the firm’s electronically held data.
At a minimum, the lawyer should take steps to ensure that the company providing confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved. With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, the opinion outline guidance for the lawyer to consider in determining when professional obligations are satisfied.
A lawyer generally may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution, such as “Google docs,” so long as the lawyer undertakes reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). A lawyer remains bound, however, to follow an express instruction from his or her client that the client’s confidential information not be stored or transmitted by means of the Internet, and all lawyers should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first obtaining the client’s express consent to do so. Massachusetts Ethics Opinion 12-03. (May 17, 2012)
Pennsylvania lawyers may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks. Pennsylvania Formal Opinion 2011-200
Vermont lawyers can utilize Software as a Service (”SaaS”) in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials. Vermont Advisory Ethics Opinion 2010-6.
Lawyers may store client materials on a third-party server so long as the lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation. Oregon 2011-188 (November 2011). This may include, among other things, ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify the lawyer of any nonauthorized third-party access to the materials. The lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the lawyer’s duties.
North Carolina 2011 Formal Ethics Opinion 6 Opinion rules that a lawyer may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information. (1/27/2012).
California Formal Opinion 2010-179 outlines the lawyer’s duties when transmitting or storing confidential client information when the underlying technology may be susceptible to unauthorized access by third parties. An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.
Alabama lawyers can store client files in the cloud provided that they stay current with appropriate security and take reasonable steps to ensure that the provider protects the data. See Alabama State Bar Disciplinary Commn., Op. 2010-02. The opinion provides some details discussion of records retention requirements.
A lawyer may use online cloud providers to store and back up client files provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. Additionally, the lawyer should stay abreast of technological advances to ensure that storage remains sufficient to protect the client’s data and should monitor the laws of privilege to ensure that the online storage will not cause loss or waive privilege. See N.Y.S.B.A. Eth. Op. 842 (Sept. 10, 2010).
Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary. See Arizona Eth. Op. 09-04 (Dec. 2009)
New Jersey lawyers may maintain client fliles electronically with a third party as long as the third party has an enforceable obligation to preserve the security of those files and uses technology to guard against reasonably forseeable hacking. See New Jersey Supreme Court Ethics Committee on Professional Ethics Opinion 701 (April 10, 2006).
Law firms in Nevada may store electronic client records on third party remote servers as long as the firm selects the company with care and the company agrees to keep the information confidential. Nev. St. Bar Standing Comm. on Ethics and Professional Resp. Formal Op. 33 (Feb. 9, 2006).
(112)
(1)
(15)
(20)
(58)
(4)
(2)
(6)
(16)
(51)
(90)
(14)
(8)
(18)
(11)
(8)
(19)
(69)
(40)
(64)
(2)
(3)
(3)
(4)
(1)
(3)
(36)
(3)
(39)
(4)
(4)
(3)
(24)
(12)
(63)
(6)
(12)
(15)
(12)
(3)
(22)
(15)
(2)
(107)
(1)
(2)
