Ethics of Cloud Computing – Part 2 (Ethical Rules)

In my previous blog post, I provided a brief overview of cloud computing and how it is used by lawyers. I noted that its use is expanding beyond virtual law firms and alternative law firms to include Big Law, too, even including AmLaw 100 law firms. In this post, I will discuss some of the main ethical issues stemming from lawyers’ use of cloud computing and other virtual law technologies.

Click here for 1 hours of CLE Credits (Ethics)

The main issues can be summed up as follows: when a lawyer uses cloud computing, the lawyer is using a third party to store and transmit confidential client information. For instance, if a lawyer uses Gmail, then a third party – Google – has a record of all the lawyer’s e-mail communications with his clients.

Most discussions about the legal ethics of cloud computing principally focus on two ethical rules: the rules governing Competency and Confidentiality.

Model Rule of Professional Responsibility (“MRPC”) 1.1 requires a lawyer to “provide competent representation to a client.” The comments to MRPC 1.6 (which is discussed below) note that, “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer.” So storing and transmitting client information is among the many things that a lawyer must do in a competent fashion, under Rule 1.1.

The rule regarding confidentiality is Rule 1.6 of the MRPC. That rule essentially states that lawyers are not permitted to disclose confidential client information without the client’s permission. The ABA is also considering amending this rule to specifically require a lawyer to make reasonable efforts to prevent the unauthorized disclosure or access to information pertaining to the representation of a client. The relevance of this rule to cloud computing is clear.

These two ethical rules raise a conundrum for lawyers who are thinking about using Internet-based applications in their practices. When we store documents online, or use web-based e-mail, are we revealing client confidences? And if such tools are permitted, how do we know if we’re competently safeguarding our clients’ information?

A number of start bars have issued ethics opinions on the subject and their treatment of this issue has significantly varied. States like Arizona and Nevada have issued general opinions permitting the use of cloud computing provided that the lawyer take reasonable steps to prevent the unauthorized or inadvertent disclosure of confidential information. On the other end of the spectrum, states like North Carolina are proposing to institute strict rules governing lawyers’ use of cloud computing. And in the middle of the field, are states like California and New York, that have issued specific guidelines for attorneys to consider when evaluating cloud computing services while declining to impose strict rules.

Notably, no state to opine on the subject has forbidden the use of cloud computing by lawyers. Lawyers who are considering using or currently using these tools in their practices are advised to carefully review how their local state bars have treated these issues.

In my next blog post, I will discuss how to evaluate vendors of cloud computing services to ensure you are adequately protecting your and your clients’ information.