Lawyers have ethical duties to protect sensitive client data. When it comes to storing information in “the cloud,” just as with any other form of storage, taking steps to ensure that confidential client data is protected is imperative. Unfortunately, there are very few ethics opinions that have been issued on this topic, causing many lawyers to fear the potential ramifications of storing confidential client files via the cloud computing model.
According to this Law Library Journal article, “Law Libraries in the Cloud,” at least two states have issued ethics opinions regarding the storage of client data on third party servers, New Jersey (N.J. Supreme Court Advisory Comm. on Prof’l Ethics, Op. 701 (2006)) and Nevada (Nev. State Bar Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 33 (2006)). As explained in the article:
“At least two state bars, Nevada and New Jersey, have issued ethics opinions permitting the use of an outside service provider to store client files in digital for-mat, provided the attorney exercises reasonable care…These ethics opinions suggest that to meet the standard of reasonable care attorneys must be knowledgeable about how the SaaS provider will handle data entrusted to it, and they must include terms in any agreement with the provider requiring the provider to preserve the confidentiality and security of the data.”
In other words, common sense prevails, dictating that the same confidentiality standards applicable to physical client files should apply to computer-generated data as well. Any other conclusion would prohibit lawyers from using computers in their law practices altogether; surely, an unrealistic alternative in the 21st century.”
Third parties always have had access to confidential client information, including process servers, court employees, building cleaning crews, summer interns, document processing companies, external copy centers and legal document delivery services.
The employees who manage and have access to computer servers have the same security obligations as any other third party to whom an attorney entrusts confidential client files.
In order to practice law effectively, third parties, such as virtual data room companies, necessarily must have access to certain files. Assurances by the company in question that it will take reasonable efforts to protect sensitive client data and ensure that employees will not access confidential information is, in most cases, all that should be required.
In later posts, we’ll delve more deeply into the ethical issues related to cloud computing and also discuss security and legal issues.