Opinion #207. The Ethics of Cloud Computing and Storage
Issued by the Professional Ethics Commission
Date Issued: January 8, 2013
Is it ethical for Maine attorneys to use cloud computing and storage for client matters?
Yes, assuming safeguards are in place to ensure that the attorney’s use of this technology does not result in the violation of any of the attorney’s obligations under the various Maine Rules of Professional Conduct. While the technology is perpetually renewing and reinventing itself, cloud computing triggers the same ethical obligations that lawyers always have owed to their clients. With the expansion of remote data storage and processing services comes the need to observe the same, previously established ethical obligations attorneys always have followed in caring for client information.
So-called “cloud computing” includes any software and/or hardware package that allows a lawyer to transmit, manipulate, store, and retrieve data off the lawyer’s premises – in the proverbial clouds – rather than on the hard drive seated at the lawyer’s office. It includes platforms like web-based e-mail, online data storage, software-as-a-service (“SaaS”), platform-as-a-service (“PaaS”), infrastructure-as-a-service (“IaaS”), Amazon Elastic Compute Cloud (“Amazon EC2”), and Google Docs, to name but a few examples.
The American Bar Association (“ABA”) canvassed the decisions of state ethics bodies across the nation and listed Maine as one of 13 states to have considered and formally approved attorney use of cloud computing and storage. See http://www.americanbar.org/groups/departmentsoffices/legaltechnologyresources/resources/chartsfyis/cloud-ethics-chart.html (December 21, 2012). The ABA cited Opinion #194 and noted that the Maine Professional Ethics Commission did not squarely address the cloud in that Opinion, but addressed issues similar enough to cover the ethical implications of using cloud computing and storage too. In a recent “Enduring Ethics Opinion” email, the Commission noted that Opinion #194 remained a proper opinion under the Maine Rules of Professional Conduct, even though it was rendered under the former Bar Rules. The Commission further observed that the conclusion reached in Opinion #194 translates to cloud computing and storage, just as the ABA had suggested. However, at the request of Maine attorneys, the Commission has now elected to remove any uncertainty at this point by squarely and formally addressing the issue.
There is another Opinion of the Maine Professional Ethics Commission that should be considered as a precursor to Opinion #194 and this Opinion. Prompted by the increasing shift from paper hardcopies to electronic data, the Commission issued Opinion #183 on January 28, 2004. The Opinion answered the question whether an attorney is obligated to keep a paper copy of correspondence if that correspondence is converted to an electronic format and stored on a computer. Analyzing then applicable Maine Bar Rules 3.5(a) and 3.6(a) & (e) and Opinions #74 & #120, the Commission concluded that the ethics rules did not require the attorney to retain a paper copy in addition to the electronic one, but only if certain conditions are met. Those conditions generally ensure that the electronic format does not make the correspondence any less accessible to the client than a paper document. Note, however, that M. R. Prof. Conduct 1.15(f) states that there is an obligation now to retain and safeguard client records that have “intrinsic value in the particular version, such as original signed documents,” rather than destroy them after conversion to an electronic format.
Four years later, in 2008, the Commission addressed in Opinion #194 the ethics of transmitting electronic recordings – presumably the lawyer’s dictated correspondence, briefs and the like about the client’s confidential information – for off-site transcription and transferring client files in the form of the electronic data off-site for backup storage. The Commission relied on then applicable Maine Bar Rules 3.6(a) & (h) and 3.13(c), as well as Opinions #74 & #134, to conclude that “with appropriate safeguards, an attorney may utilize transcription and computer server backup services remote from both the attorney’s direct control or supervision without violating the attorney’s ethical obligation to maintain client confidentiality.” The 2008 version of Maine Bar Rule 3.6(a) & (h) can be found in current Maine Professional Conduct Rules 1.1 and 1.6, and former Maine Bar Rule 3.13(c) translates to current Maine Professional Conduct Rule 5.3.
What changes with evolving technology like cloud computing is not the overriding ethical constraints on counsel, but how those constraints are satisfied with respect to new challenges presented by that technology. Commentators on the ethics implications of cloud computing and the Maine Rules of Professional Conduct themselves reveal several rules implicated by the use of this technology:
• Rule 1.1 (competence)
• Rule 1.3 (diligence)
• Rule 1.4 (communications with client)
• Rule 1.6 (confidentiality)
• Rule 1.15 (safeguarding client property)
• Rule 1.16 (terminating representation)
• Rule 1.17 (sale of practice)
• Rule 5.3 (supervision of third parties)
Ethics commissions in other jurisdictions and legal scholars have written extensively on the nuts and bolts of acting ethically with cloud computing, including providing checklists for practitioners. See, e.g., Pennsylvania Formal Opinion 2011-200; North Carolina 2011 Formal Opinion #6 (January 27, 2012); The American Bar Association, “Ethical Challenges on the Horizon: Confidentiality, Competence, and Cloud Computing,” 2012. For the purposes of this Opinion, some of the more salient safeguards Maine counsel should adopt in an effort to satisfy the Maine Rules of Professional Conduct in connection with cloud usage include several internal policies and procedures:
1. Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted;
2. Installing a firewall to limit access to the firm’s network;
3. Limiting information that is provided to others to what is required, needed, or requested;
4. Avoiding inadvertent disclosure of information;
5. Verifying the identity of individuals to whom the attorney provides confidential information;
6. Refusing to disclose confidential information to unauthorized individuals (including family members and friends) without client permission;
7. Protecting electronic records containing confidential data, including backups, by encrypting the confidential data;
8. Implementing electronic audit trail procedures to monitor who is accessing the data;
9. Creating plans to address security breaches, including the identification of persons to be notified about any known or suspected security breach involving confidential data; and
10. Educating and training employees of the firm who use cloud computing to abide by all end-user security measures, including, but not limited to, the creation of strong passwords and the regular replacement of passwords.
See Pennsylvania Formal Opinion 2011-200.
In dealing with third-party vendors of cloud computing services or hardware, additional safeguards Maine counsel should adopt include the following considerations made relevant by the Maine Rules of Professional Conduct.
1. Inclusion in the [cloud computing] . . . vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the [cloud computing] . . . vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
2. If the lawyer terminates use of the [cloud computing] . . . product, the [cloud computing] . . . vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code.
3. The [cloud computing] . . . vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
4. Careful review of the terms of the law firm’s user or license agreement with the [cloud computing] . . . vendor including the security policy.
5. Evaluation of the [cloud computing] . . . vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
6. Evaluation of the extent to which the [cloud computing] . . . vendor backs up hosted data.
North Carolina 2011 Formal Opinion #6 (January 27, 2012)(internal citations omitted).
More specifically, the attorney should ensure that the vendor of cloud computing services or hardware
1. Explicitly agrees that it has no ownership or security interest in the data;
2. Has an enforceable obligation to preserve security;
3. Will notify the lawyer if requested to produce data to a third party, and provide the lawyer with the ability to respond to the request before the provider produces the requested information;
4. Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;
5. Provides the firm with the right to audit the provider’s security procedures and to obtain copies of any security audits performed;
6. Will host the firm’s data only within a specified geographic area. If the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and Maine;
7. Provides the ability for the law firm, on demand, to get data from the vendor’s or third-party data hosting company’s servers for the firm’s own use or for in-house backup.
See Pennsylvania Formal Opinion 2011-200.
These lists are not intended to be exhaustive or to convey a “safe harbor” for counsel in all instances of cloud computing. The proprietary cloud options available and the dynamic nature of the technology make it impossible to list criteria that apply to all situations for all time. The North Carolina Ethics Committee aptly articulated the measure of an attorney’s appropriately discharging all professional ethical duties owed to the client while using cloud technologies:
[W]hile the duty of confidentiality applies to lawyers who choose to use technology to communicate, “this obligation does not require that a lawyer use only infallibly secure methods of communication.” RPC 215. Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential client information and the lawyer must advise affected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality.
In light of the above, the Ethics Committee concludes that a law firm may use [cloud computing] . . . if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of [cloud computing] . . . that the lawyer is required to apply when representing clients.
North Carolina 2011 Formal Opinion #6 (January 27, 2012).
Furthermore, the reasonable care standard for ethical conduct requires attorneys’ periodic education on computer technology as it changes and as it is challenged by and reacts to additional indirect factors such as third party hackers or technical failures.