Cloud computing is a hot topic in the world of legal practice. Just look around Lawyerist for reviews and articles of the myriad options available for cloud software tailored to lawyers, and countless additional options exist for software that works for lawyers even if it’s not specifically-tailored to us. As with many things, from casual Fridays to 401(k) matching, the world of law is a bit slow to catch on to emerging technology.
Why Aren’t Existing Rules Enough?
Law’s slow evolution is generally more of an inconvenience than a real problem, but when it comes to ethics rules being slow to evolve, it can really put lawyers in a bind. Technology moves so quickly, and rules change so slowly, that lawyers are often left wondering what is and is not permissible.
Cloud computing is a great example of the difficulty lawyers can have in using the tools available without running afoul of ethical obligations. We know that having a “confidential” client meeting in a busy restaurant can destroy privilege, but what about putting confidential communications on a cloud server accessible from any computer? We know having a third party present in a meeting also destroys privilege, but how about a shared cloud server where clients have separate files?
Applying logic and common sense gets us somewhere, but no one wants to be the test case where disciplinary charges are brought under existing rules and the disciplinary regulators figure out how to apply them to new technology. For the sake of clarity, the rules need to catch up.
Trends in Rulemaking
Thankfully, the rulemakers are taking steps toward clarifying our obligations, though states will not always agree and we need to follow closely the changes in the rules in our own jurisdictions. Among the states that have spoken on cloud computing are Alabama, Arizona, California, Florida, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, New York, Nevada, North Carolina, Oregon, Pennsylvania, Vermont, Virginia, and just a few weeks ago, Connecticut. If you don’t see your state listed, contact your regulators and ask them for guidance.
For the purpose of noting the general trend, two states stand out.
In California, the State Bar Committee on Professional Responsibility and Conduct (“COPRAC”) issued Opinion 2012-184 on the operation of a Virtual Law Office (“VLO”), which follows on Opinion 2010-179 on technology in law practice. In COPRAC’s 2012 opinion, the VLO is operated without any person-to-person contact with the client, so all communications are electronic. Its 2010 opinion is more general as to what technology is used. They come to consistent conclusions.
The attorney must carefully select any outside vendor used, and outsourcing of technology does not unburden the attorney from making sure he complies with all ethical rules. Attorneys must use reasonable care in selecting and supervising vendors, and they must keep informed as to changes at the vendor. Periodic review of vendor selection and security measures should be made.
The attorney must consider the relative security of the technology, and he must take precautions to use any heightened levels of security available. He should also consider and weigh the relative sensitivity of any information shared on the cloud and the legal ramifications if the information is intercepted by a third party.
COPRAC specifically provides in the 2010 opinion that the urgency of the situation and the client’s instructions may be taken into account when the attorney shares information by technological means.
Connecticut is the most recent state to issue guidance. In June, the Connecticut Bar Association’s Standing Committee on Professional Ethics issued a report on cloud computing.
One point Connecticut made is that outsourced storage is not really a new idea in law; IronMountain and other large paper data storage vendors have been used by lawyers for years to store sensitive client information. It is the technological means by which the storage is now being held that makes cloud computing different.
Connecticut also highlights that absolute security is not always possible. Here too, it is not really different than paper storage, with penetrable brick and mortar walls at storage facilities. A reasonableness standard is adopted by Connecticut in this regard.
What has some commentators concerned is that Connecticut referred to a lawyer’s duty to continue to keep up with emerging trends in technology as part of a lawyer’s duty of due diligence. Whether this is any different than California’s requirement that attorneys periodically review their technology choices remains to be seen.
Where Are We Left?
What Connecticut and California’s opinions highlight is that as attorneys move into heavier use of technology, our reliance upon it creates a duty that we understand it. We cannot simply pawn off on others the choices of service providers or rely upon the service providers to keep our client data secure. We do not have to suddenly become programmers, but we are going to have to learn the functions of the technology we choose if we are going to keep in compliance with our ethical obligations.
If 17 out of 50 states have now issued some guidance on cloud computing, with some requiring ongoing learning on technology, we still have a ways to go for real clarity of our obligations. These last few years have seen a good effort made, but when it comes to the nuts and bolts of employing cloud computing, lawyers should still feel some pause as to which decisions will keep them in compliance.
At the very least, lawyers must make a real effort to understand the technology they use, to employ all available security measures and understand where the technology’s weaknesses lie. And in the end, if you are sharing a client’s most sensitive details or information the disclosure of which would be highly detrimental to your client, take no chances with technology you are not completely sure is secure.