Iowa Lawyers May Use SaaS [Cloud] Services provided that they consider the access to the data, conduct appropriate due diligence regarding the SaaS provider, the cost of the service, and the degree of protection afforded the data. Iowa Ethics Opinion 11-01 (September 9, 2011).
Main lawyers may store and synchronize electronic work files containing confidential client information. Maine Ethics Opinion #194 (June 30, 2008). Processing of firm data may include transcription of voice recordings and transfer of firm computer files to an off-site “back-up” of the firm’s electronically held data.
At a minimum, the lawyer should take steps to ensure that the company providing confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved. With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, the opinion outline guidance for the lawyer to consider in determining when professional obligations are satisfied.
A lawyer generally may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution, such as “Google docs,” so long as the lawyer undertakes reasonable efforts to ensure that the provider’s terms of use and data privacy policies, practices and procedures are compatible with the lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). A lawyer remains bound, however, to follow an express instruction from his or her client that the client’s confidential information not be stored or transmitted by means of the Internet, and all lawyers should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first obtaining the client’s express consent to do so. Massachusetts Ethics Opinion 12-03. (May 17, 2012)
Vermont lawyers can utilize Software as a Service (”SaaS”) in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials. Vermont Advisory Ethics Opinion 2010-6.
Lawyers may store client materials on a third-party server so long as the lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation. Oregon 2011-188 (November 2011). This may include, among other things, ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify the lawyer of any nonauthorized third-party access to the materials. The lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the lawyer’s duties.
North Carolina 2011 Formal Ethics Opinion 6 Opinion rules that a lawyer may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information. (1/27/2012).
An interesting, perhaps troubling, issue raised with respect to security of certain mobile devices. Read more about Carrier IQ (http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/, http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/carrieriq-part2/, http://www.wired.com/threatlevel/2011/11/secret-software-logging-video. A somewhat long video of how this works is available here. http://tinyurl.com/cwcyjoc. Although there will likely be more articles about this in the media in the future, this highlights potential security and related issues for users of mobile devices.
A lawyer who is mistakenly copied on an e-mail between opposing counsel and their client, must notify the sender and consult with the lawyer’s own client in deciding whether and how to use the information. Penn. Bar. Ass’n. Comm on Legal ethics and Professional Responsibility Op. 2011-10 (03/2/2011)
The story with a link to the court’s order disqualifying the lawyers who read the misdirected e-mail is here.
California Formal Opinion 2010-179 outlines the lawyer’s duties when transmitting or storing confidential client information when the underlying technology may be susceptible to unauthorized access by third parties. An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.
The article is here.
Alabama lawyers can store client files in the cloud provided that they stay current with appropriate security and take reasonable steps to ensure that the provider protects the data. See Alabama State Bar Disciplinary Commn., Op. 2010-02. The opinion provides some details discussion of records retention requirements.
The ABA Commission on Ethics 20/20 issued two papers: “Client Confidentiality and Lawyers’ Use of Technology”, and “Lawyers’ Use of Internet Based Client Development Tools”. Please e-mail your responses by December 15, 2010, to Senior Research Paralegal Natalia Vera at veran@staff.abanet.org of may be posted to the Commission’s website.
Romano v. Steelcase is here. It holds that putting a photo on a “private” Facebook page doesn’t magically make the photo undiscoverable… just as putting it in a folder labeled “ultra top secret” doesn’t in the real world….
Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary. See Arizona Eth. Op. 09-04 (Dec. 2009)
(112)
(1)
(15)
(20)
(58)
(4)
(2)
(6)
(16)
(51)
(90)
(14)
(8)
(18)
(11)
(8)
(19)
(69)
(40)
(64)
(2)
(3)
(3)
(4)
(1)
(3)
(36)
(3)
(39)
(4)
(4)
(3)
(24)
(12)
(63)
(6)
(12)
(15)
(12)
(3)
(22)
(15)
(2)
(107)
(1)
(2)
