|By Karen E. RubinIf you are looking for ways to bring your law office management into the digital age, you might be considering “the cloud.” For instance, using the cloud to store your client data can (at least potentially) increase access to the data, reduce costs and boost efficiency. But there are ethics issues to consider as you make decisions about using the cloud—and there is a new informal advisory opinion from the Ohio State Bar Association’s Professionalism Committee that can help guide Ohio lawyers.
First, here is some background. What is the cloud, and how does it work? Cloud computing has been facetiously described as when “stuff’s not on your [own] computer.”1 This is an apt description, because data that is in the cloud is saved and stored on off-site computers, instead of your office computers. A storage system that is in the cloud is administered by a third-party vendor instead of you or your office personnel. When you want to access the stored data, you use the Internet to connect to the vendor’s database, so that “your computer becomes just a way of getting to your stuff.”2
You are probably already using the cloud in your personal digital life. For instance, Web email is a form of cloud storage—providers such as Google store your messages on their servers, and you access your email from your own device by connecting to the Internet. Dropbox and Google Docs are other familiar providers of cloud storage.
Cloud computing is more than just storing data in the cloud. For instance, cloud computing also includes “software as a service,” or “SaaS,” in which a vendor hosts software applications and makes them available to customers over the Internet. SaaS can augment or replace individual ownership or licensing of software. “Platform as a Service” or “PaaS” is another aspect of cloud computing. PaaS has been described as “a way to rent hardware, operating systems, storage and network capacity over the Internet.”3
However, there are significant ethics issues to consider when using the cloud in your legal practice, because in many of its variations, this involves turning client confidential information over to the control of a third party. Of course there is risk in relinquishing client data to a third party, even in the nondigital world of bricks and mortar. Storage facilities burn; floods happen; a meteor can destroy a building.4 But perhaps because it involves relatively new technology that is not well-understood by non-experts, cloud storage raises more concern than traditional forms. And indeed, storing data in the cloud is not without some unique risks, including outages resulting from technology glitches and even from bad weather.5 Malicious disruption of the cloud remains a nightmare scenario.6
Ethics committees in more than a dozen jurisdictions have issued opinions on various aspects of cloud computing.7 In July 2013, the OSBA’s Professionalism Committee weighed in with an informal advisory opinion on the subject of storing client data in the cloud.8 The committee concluded that the Ohio Rules of Professional Conduct (ORPC) permit cloud storage, as long as lawyers observe several key rules.
First, the opinion points out that Ohio’s lawyer conduct rules are adaptable and able to address new technology. For instance, in 1970, when the now-superseded Ohio Code of Professional Responsibility was enacted, email was not even a glimmer on the horizon. Nonetheless, the former disciplinary rule on client confidentiality was easily found to apply to email and the various ethical duties in handling it.9 Likewise, despite the digital technology involved in storing client data in the cloud, the OSBA Professionalism Committee found that the issues and ethical duties are not significantly different from those arising when lawyers store data the old-fashioned way.10 Therefore, instead of microlegislating specific cloud storage security requirements or practices that would be quickly overtaken by technology advances, the committee expressed the view that with proper guidance lawyers could look to the applicable ethics rules with “specific practices” being left to the lawyer’s exercise of judgment: “Specific practices regarding protection of client property and information have always been left up to individual lawyers’ judgment, and that same approach applies to the use of online data storage.”11
Recently, the American Bar Association adopted amendments to the Model Rules of Professional Conduct that reflect the same approach. As a result of the work of the Commission on Ethics 20/20, the Model Rules and comments were tweaked to acknowledge digital technology, but no specific regulations were adopted. For example, a new comment to Model Rule 5.3, regarding supervising nonlawyers who provide support services, now provides that lawyers may use nonlawyers to help render legal services, including “using an Internet-based service to store client information,” but that the extent of the lawyer’s supervisory obligation as to such providers “will depend upon the circumstances.”12 (The Ohio Supreme Court has not yet adopted any of the revised provisions of the Model Rules.13)
The OSBA Professionalism Committee’s opinion identifies four key ethics considerations in the cloud storage of client data:
The duty of competence under ORPC 1.1 requires a lawyer to exercise the “legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” Selecting an outside vendor for any type of legal support services has been held to require a lawyer to exercise “due diligence as to the qualifications and reputation of those to whom services are outsourced,” as well as due diligence in determining whether the third-party vendor will provide services competently and diligently.14 The committee pointed to several resources that can help lawyers select an appropriate vendor.15
- Competently selecting the vendor;
- Preserving confidentiality and safeguarding client property;
- Supervising cloud vendors; and
- Communicating with the client.
When it comes to selecting a cloud storage vendor, the committee stressed not only the vendor’s reputation and qualifications, but also the importance of reading and understanding the terms-of-service agreement. The opinion lists the following questions that can frame your approach to the agreement:
With respect to data ownership issues, the opinion advised that agreement terms giving the cloud storage vendor “ownership” rights in the stored data would violate ORPC 1.15(a), which requires that client property “be identified as such.”16
- What safeguards does the vendor have to prevent confidentiality breaches?
- Does the agreement create a legally enforceable obligation on the vendor’s part to safeguard the confidentiality of the data?
- Do the terms of the agreement purport to give “ownership” of the data to the vendor, or is the data merely subject to the vendor’s license?
- How may the vendor respond to government or judicial attempts to obtain disclosure of your client data?
- What is the vendor’s policy regarding returning your client data at the termination of its relationship with your firm?
- What plans and procedures does the vendor have in case of natural disaster, electric power interruption or other catastrophic events?
- Where is the server located (particularly if the vendor itself does not actually host the data, and uses a data center located elsewhere)? Is the relationship subject to international law?
The second key ethics concern is the confidentiality of client data stored in the cloud. Under ORPC 1.6(a), a lawyer “shall not reveal information relating to the representation of a client.” Implicit in that duty, the committee opined, is “to maintain the confidentiality of all client data relating to the representation, irrespective of the form of that data.”17 The committee acknowledged that storing client data in the cloud could present the risk of unauthorized disclosure—just as storing a client’s paper files offsite does. In neither case can a lawyer guarantee that client confidentiality will never be breached.18 The issue is analogous to communicating with clients by email: There is a risk that a confidential message can be intercepted, just as there is a risk that postal mail or a telephone communication can be intercepted, or a face-to-face conversation can be overheard. Yet, lawyers are permitted to use any of these methods to communicate with clients, without taking extraordinary precautions such as encrypting their emails.19 Therefore, the committee advised, the duty of confidentiality with respect to cloud storage involves competently selecting a vendor, staying abreast of technology issues affecting data storage and carefully considering whether particularly sensitive client information should be stored in the cloud at all.20 The secret recipe for Coca-Cola, for instance, probably does not belong in the cloud.
The third ethics issue connected to cloud storage is the duty to supervise cloud vendors. Rule 5.3(a)-(b) of the ORPC requires that law firms and individual lawyers make reasonable efforts to ensure that the conduct of a nonlawyer employed by the lawyer is “compatible with the professional obligations of the lawyer.” These duties apply whenever lawyers outsource nonlegal support services, which have been defined to include all varieties of “ministerial” services that the lawyer does not provide in-house, and that are nonlegal in nature.21 The extent of vendor supervision, though, is “a matter of professional judgment for an Ohio lawyer,” so long as the lawyer exercises due diligence with respect to the vendor’s qualifications, competence and ability to protect confidentiality.22 As applied to cloud storage, these concepts point again to the lawyer’s judgment, and the necessity of vetting the cloud-storage vendor.
Last, the committee advised that the lawyer must use judgment to determine whether circumstances require client consultation before storing the client’s data in the cloud.23 Rule 1.4(a)(2) requires a lawyer to “reasonably consult with the client” about how the client’s objectives are to be accomplished. But in line with other jurisdictions that have considered the issue, the OSBA Professionalism Committee stopped short of recommending such consultation in all circumstances. The committee concluded that whether the lawyer should consult with the client about plans to store the client’s information in the cloud depended on the sensitivity of the data involved.
Using the cloud to store client data can benefit you in managing your practice, and the Professionalism Committee’s informal advisory opinion should provide some clear guidance to Ohio lawyers who would like to embrace the digital age. By proceeding with due regard for Ohio’s ethics rules, there are blue skies above.
Karen E. Rubin is counsel at Thompson Hine LLP. She is a member of the firm’s Conflicts/Ethics Committee and counsels internal and external clients on ethics issues. Karen is vice chair of the OSBA Professionalism Committee, which issued the opinion discussed in this article. Karen is also a vice chair of the Cleveland Metropolitan Bar Association’s Certified Grievance Committee.
1 Formal Op. 2011-200, 1 (Pa. Bar Ass’n. Comm. on Legal Ethics & Prof’l Respon. 2011) (quoting Quinn Norton, Byte Rights, Maximum PC (Sept. 2010)).
2 Quinn Norton, Byte Rights, Maximum PC (Sept. 2010). For a more detailed description of the process, see J. Strickland, How Cloud Storage Works, http://computer.howstuffworks.com/clouud-computing/cloudstorage1.
3 SearchCloudComputing, Platform as a Service, http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS.
4 See “Blaze in storage facility destroys belongings,” CBC News (Jan. 9, 2012, 7:56 a.m. ET) (reporting on fire at Toronto storage facility causing total loss of contents), www.cbc.ca/news/canada/toronto/story/2012/01/09/osler-fire-street.html; See, “Meteorite-caused emergency situation regime over in Chelyabinsk region,” Russia Beyond the Headlines (English version) (Mar. 5, 2013) (describing damage and destruction affecting thousands of buildings when a meteorite blasted above the Chelyabinsk region in Russia on February 15, 2013), http://tinyurl.com/kzkw8kz.
5 See J. R. Raphael, “The worst cloud outages of 2013 (so far),” InfoWorld (July 1, 2013) (describing, among others, day-long outage at Dropbox in January 2013 caused by never-specified server problem), http://tinyurl.com/lfvlau8; Mikael Ricknäs, “Lighting strike in Dublin downs Amazon, Microsoft clouds,” Computerworld (Aug. 8, 2011, 8:02 a.m. ET) (describing Dublin, Ireland, lightning strike to a transformer servicing data centers, causing cloud services to go offline for several hours), http://tinyurl.com/4ytzghw.
6 Ellen Messmer, “Startup Defense.Net debuts with anti-DDoS service,” InfoWorld (Aug. 6, 2013, 8:20 a.m.) (describing product aimed at stopping denial-of-service attacks against enterprises and cloud service networks), http://tinyurl.com/lpya4zp.
7 See Am. Bar Ass’n, Cloud Ethics Opinions Around the U.S., http://tinyurl.com/733gyr8. Not yet included on the ABA’s chart summarizing cloud ethics opinions is Florida’s 2013 opinion. See Op. 12-3 (Fla. Bar Prof’l Ethics Comm. Jan. 25, 2013) (concluding that lawyers may use cloud computing assuming that lawyer researches the service provider, and that lawyers take “reasonable precautions” to ensure confidentiality, adequate security and adequate access to remotely stored information).
8 OSBA Inf. Adv. Op. 2013-03 (July 25, 2013), available at www.ohiobar.org/ForPublic/LegalTools/Documents/OSBAInfAdvOp2013-03.pdf. The Professionalism Committee of the Ohio State Bar Association issues informal, non-binding advisory opinions on the application of the Ohio Rules of Professional Conduct.
9 Id. at 2 (citing Ohio Adv. Op. 99-2 (Ohio Bd. of Comm’rs on Grievances & Disc. Apr. 9, 1999)).
10 Id. at 2.
11 Id. (quoting Adv. Op. 2215, 2 (Wash. St. Br Rules of Prof’l Cond. Comm. 2012)).
12 Model R. Prof’l Cond. 5.3 cmt. .
13 See Univ. of Akron Miller-Becker Ctr. for Prof’l Respon., Navigating the Practice of Law in the Wake of Ethics 20/20 - Globalization, New Technologies, and What It Means to be a Lawyer in these Uncertain Times (Apr. 4-5, 2013) (examining Ethics 20/20’s work and its impact in Ohio and elsewhere), http://tinyurl.com/lblj6q8; Frank E. Quirk, “Lawyer Ethics for the 21st Century,” Ohio Lawyer, Jan.-Feb. 2013, at 19-21 (discussing Ethics 20/20, including possible future impact on ORPC).
14 OSBA Inf. Adv. Op. 2013-03 at 3 (quoting Ohio Adv. Op. 2009-6 (Aug. 14, 2009)).
15 Id. at 3 n. 2. Cited resources include: John Edwards, “How to Pick the Best Cloud,” Law Technology News (June 11, 2013), http://tinyurl.com/k77w2sg; Nicole Black & Matt Spiegel, “Breaking Down Cloud Computing,” ABA Section of Litigation (Feb. 7, 2013), http://tinyurl.com/ksaeww8; Am. Bar Ass’n, “Moving Your Law Practice to the Cloud Safely and Ethically” (Jan. 14, 2013), available at http://tinyurl.com/kr3s2xw; Am. Bar Ass’n, “Evaluating Cloud-Computing Providers” (YourABA June 2012), http://tinyurl.com/l7b9wfh. See generally, Nick Pournader, “Embracing Technology’s ‘Cloudy’ Frontier,” Law Practice Today (webzine of ABA Law Practice Management Section) (Oct. 2010), http://tinyurl.com/k54f3gh.
16 OSBA Inf. Avd. Op. 2013-03 at 4 n.2, 5.
17 Id. at 4.
18 Id. at 5.
19 See Ohio Adv. Op. 2009-6, 9-10 (Ohio Bd. of Comm’rs on Grievances & Disc. Aug. 14, 2009) (even though communication may be susceptible to interception, no additional security method such as encryption required for e-mail; attorney must use professional judgment in protecting confidentiality).
20 OSBA Inf. Adv. Op. 2013-03 at 5.
21 Ohio Adv. Op. 2009-6 at 3.
22 Id. at 8.
23 OSBA Inf. Adv. Op. 2013-03 at 6.