
Reveal, Research, Review: The Ethics of Cloud Storage


Kristin N. Weberg, Esq.

If there is ever an affectionate image of a lawyer, it is the disheveled curmudgeon-for-justice, toiling away under rows of stacked files, folders and papers while doggedly championing the little guy. Movies like A Civil Action, Erin Brockovich and, most recently, Spotlight, have used this image to show the more human side of lawyers. So, it is sad to see the era of the paper-buried lawyer disappear.

The good news for justice, though, is that technology is enabling us to be more organized, more efficient, and more effective lawyers. I have recently been asked to advise an established firm on the use of cloud storage for its files and communication with a major client. The firm wanted to know whether use of cloud storage poses any ethical problems. The answer is that use of the cloud does not violate the Rules of Professional Conduct as long as the lawyer follows the “Three Rs” of cloud usage: Reveal, Research and Review.

The Rule

Ethical concerns about use of cloud storage generally fall under Rule 1.6(a). Rule 1.6 governs the confidentiality of client information. Rule 1.6 states, in relevant part, that a lawyer “shall not reveal confidential information relating to the representation of a client unless the client consents after consultation [ ].” According to an Ethics Opinion of the Massachusetts Bar Association, “Rule 1.6 (as well as other rules) imposes upon [a] lawyer the obligation to avoid using means of communication with the client that pose an unreasonable risk of inadvertent disclosure to third persons.” MBA Ethics Opinion 12-03. In that Opinion, the Massachusetts Bar Association addressed a lawyer’s question about whether a lawyer’s use of Google Docs presented an unreasonable risk of inadvertent disclosure in violation of Rule 1.6.

Reveal, Research, Review

When thinking about confidentiality risks involving cloud storage, it may be helpful to think about the risks associated with older methods of data transmission and storage. For example, a paper letter sent to a client is at risk of interception. Lawyers use judgment and due diligence in deciding how best to transmit a piece of paper to a client. The lawyer might use the US Postal Service, a private courier service, or hand delivery by a staff person. It is the lawyer’s obligation to carefully consider the risks involved in each method and choose the one that best complies with Rule 1.6.

So it is with cloud storage. There is no list of which storage providers are okay under the rules and which are not. It is a lawyer’s duty to make this determination using the best available guidance. According to the Massachusetts Bar Association, a lawyer must “undertake reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations.” Here is what any lawyer should do before using a cloud storage system, according to Opinion 12-03, broken down into the “Three Rs”: Reveal, Research, and Review.

Reveal

  • Notify your client that you will be storing confidential information in the cloud;
  • Do not store a client’s data in the cloud if that client objects to your doing so.

Research

  • Read the provider’s terms of use, privacy policies, and policies for handling confidential information;
  • Make sure that the provider’s policies explicitly prohibit unauthorized access to cloud data;
  • Make sure you will have access to and control over the data should your relationship with the provider end or be interrupted;
  • Examine the provider’s actual practices with respect to data encryption, password protection, and system backups to make sure there are procedures to reasonably ensure protection against intentional or inadvertent disclosure of confidential information.

Review

  • Periodically review and reexamine the provider’s policies to ensure continued protection against breaches of confidentiality.

It is the lawyer’s responsibility to ensure thorough review of a provider’s policies before using cloud storage for confidential data. Only the lawyer can make a determination of whether use of a particular cloud storage provider satisfies the Rule 1.6 duties. By following the “Three Rs,” you are doing the most to protect your clients and yourself.

For continued updates on professional ethics issues in Massachusetts, visit the following resources: http://www.mass.gov/obcbbo/, http://masslomap.org, http://www.massbar.org/publications/ethics-opinions.