Ethics Considerations When Computing in the Cloud and on the Earth

Computing, like technology in general, continues to evolve at breakneck speed. Sixty years ago, a single computer commanded an entire room. Ten years ago, hundreds of desktop computers stationed around an office building were powered by servers humming away in a central vault. Most recently, technology has advanced beyond the physical to the ethereal ' computers, which fit in the palm of the hand, now rely on the “Cloud” for storing and retrieving information.

While computing technology has advanced in leaps and bounds, attorneys have struggled to keep pace with the rapid changes to the way our society works and communicates. This is especially true when it comes to legal ethics. Attorneys must remember that while the technology has changed, the ethics rules have not ' the same rules apply in the Cloud as on the Earth, and the benefits of technology do not come without potential ethical pitfalls.

Ethics and Cloud Computing

Cloud computing, a phrase so new that it has yet to be included in the Merriam-Webster Dictionary, has transformed the way attorneys work. In its simplest form, cloud computing allows individuals to access applications and store information remotely, without physically buying and installing software or saving to a local storage device (consider “Gmail” for e-mail or “DropBox” for online storage). This technology undoubtedly offers a number of benefits to law practices of all sizes, the two primary advantages being reduced cost and increased accessibility.

Cloud computing allows a law firm to greatly reduce its need for a large internal IT infrastructure (servers, back-up storage, on-site tech support, etc.) by utilizing online storage systems. This is especially useful for small firms that may not have the capital to establish adequate on-site IT infrastructure. Cloud computing also has transformed the way attorneys work by allowing access to practice management software and client files from anywhere with an Internet connection.

While cloud computing is changing the way attorneys practice law and manage their business, it is not without potential risks; these risks range from the disclosure of confidential client information to the spoliation of evidence. The American Bar Association's Commission on Ethics 20/20 (the “ABA 20/20 Commission”), which has been charged with the task of updating the Model Rules of Professional Conduct (“Model Rules”) to reflect technological changes in the way law is practiced, has identified the following potential risks associated with cloud computing:

• Unauthorized access to confidential client information by a vendor's employees (or sub-contractors) or by outside parties (e.g., hackers) via the Internet;
• The storage of information on servers in countries with fewer legal protections for electronically stored information;
• A vendor's failure to back up data adequately;
• Unclear policies regarding ownership of stored data;
• The ability to access the data using easily accessible software in the event that the lawyer terminates the relationship with the cloud computing provider or the provider changes businesses or goes out of business;
• The provider's procedures for responding to (or when appropriate, resisting) government requests for access to information;
• Policies for notifying customers of security breaches;
• Policies for data destruction when a lawyer no longer wants the relevant data available or transferring the data if a client switches law firms;
• Insufficient data encryption; and
• The extent to which lawyers need to obtain client consent before using cloud computing services to store or transmit the client's confidential information.

(See Am. Bar Ass'n Comm'n on Ethics 20/20 Initial Draft Proposals ' Technology & Confidentiality (May 2, 2011), (“ABA 20/20 Comm'n Initial Draft Proposals ' Technology and Confidentiality”), available at www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issuespaper.authcheckdam.pdf).

Rulings by Several Jurisdictions

The ABA 20/20 Commission is not the only organization to wrestle with the ethical implications of cloud computing. At least five jurisdictions have addressed the issue and all five have approved of the use of this technology in the practice of law. (See N.Y. State Bar Assoc. Comm. on Prof'l Eths., Op. 842 (2010); AL Eth. Op. 2010-02 (2010); AZ Eth. Op. 09-04 (2009); NV Eth. Op. 33 (2006); N.J. Eth. Op. 701 (2006)). The general gist of all five opinions is that while the technology may be different, an attorney's ethical obligations remain the same under the ethics rules. As the New York State Bar Committee on Professional Ethics (“NYSBA Committee”) concluded, just as an attorney may hire a third party to store hard copies of client files, so too may an attorney use an online storage system, provided he or she exercises reasonable care to ensure that the information will remain secure.

While it may be relatively clear what constitutes “reasonable care” in the context of traditional third-party storage, those same practices do not seamlessly transfer to online storage. Thankfully, the ethics opinions have provided some basic guidance. The NYSBA Committee opinion offers a non-exhaustive list of four steps attorneys may wish to take in their efforts to exercise reasonable care when using online storage providers. First, attorneys should ensure that the storage provider has “an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.” Second, attorneys should investigate the storage provider's “security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.” While the opinion does not directly address what constitutes “adequate under the circumstances,” one can imagine that it might depend on the nature of the client. For example, different security measures might be required for a large corporate or government client that has been the target of hacking. A firm may even want to consider whether cloud storage should be avoided entirely for such a client. Third, the NYSBA Committee's opinion suggests that attorneys utilize “available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.” Finally, attorneys should investigate the provider's ability to “purge,” “wipe” and “transfer” the data if the attorney decides to use another provider.

What Are the Specifics?

While the NYSBA Committee opinion provides general guidelines on how to avoid ethical problems, the opinion does not elaborate on specific practices attorneys should avoid or undertake when cloud computing. Unfortunately, the other ethics opinions to address this issue are similarly vague. What is clear from the opinions, however, is that attorneys have an affirmative obligation to keep abreast of technological developments and ensure that their security measures remain current. (See N.Y. State Bar Assoc. Comm. on Prof'l Eths., Op. 842, at *3; see also AZ Eth. Op. 09-04 (2009) (“because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate safeguards that should be employed by the lawyer and the third-party provider.”). Importantly, the ABA 20/20 Commission has concluded that “competent lawyers must have some awareness of basic features of technology,” and has proposed changes to Comment 6 of Model Rule 1.1 to clarify that minimum competence requires that attorneys keep abreast of changes in the law and practice, including “the benefits and risks associated with technology.”

The ABA soon may provide much-needed clarity regarding what technological standards are required when using online storage providers. In response to the ABA 20/20 Commission's work, the Legal Cloud Computing Association (LCCA) published a letter to the ABA 20/20 Commission requesting, among other things, that the ABA establish minimum technology standards, as well as model terms of service for cloud computing providers. Should the ABA respond to this request, practitioners will have guidance when seeking out a provider and evaluating whether its security measures are adequate. Until then, practitioners should be aware that they have a continuing obligation to monitor the technology they are using to ensure that it remains adequate to protect confidential information.

Ethics and Local Technology

Like cloud computing, the use of “local” technology, for example the use of laptops and Wi-Fi, also raises ethical concerns. Critically, improper use of local technology may result in a breach of a client's confidential information. Reading client e-mails though an unsecured Wi-Fi service may leave an attorney vulnerable to cyber snooping. Similarly, a BlackBerry left in the back seat of a taxi may be accessed by all who come across it, if the attorney has failed to undertake minimal precautions like password-protecting the device.

The ABA 20/20 Commission has proposed amending Model Rule 1.6 to require that “(c) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client,” and has suggested adding language to Comment 16 of that rule to outline factors to be considered in determining what constitutes reasonable efforts. These factors include: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, and the cost of employing additional safeguards.

The ABA 20/20 Commission also has outlined certain precautions that lawyers may wish to take when using local technology, including:

• Providing adequate physical protection for devices (e.g., laptops) or having methods for deleting data remotely in the event that a device is lost or stolen;
• Encouraging the use of strong passwords;
• Purging data from devices before they are replaced (e.g., computers, smart phones, and copiers with scanners);
• Installing appropriate safeguards against malware (e.g., virus protection, spyware protection)
• Installing adequate firewalls to prevent unauthorized access to locally stored data; Ensuring frequent backups of data;
• Updating computer operating systems to ensure that they contain the latest security protections;
• Configuring software and network settings to minimize security risks;
• Encrypting sensitive information, and identifying (and, when appropriate, eliminating) metadata from electronic documents before sending them; and
• Avoiding “Wi-Fi hotspots” in public places as a means of transmitting confidential information (e.g., sending an e-mail to a client)

While these precautions are not required, they are certainly informative.

Conclusion

Advances in technology and communications may leave attorneys scratching their heads as to the application of the ethics rules, but this need not be the case. By applying common sense and remembering that the ethics rules do not cease to apply simply because technology is involved, attorneys can tackle the challenges of practicing law in the 21st century with confidence.

Cara E. Greene is an associate at Outten & Golden LLP, where she is a member of the Executives and Professionals Practice Group. She has authored and co-authored numerous articles on employment and partnership law, and regularly speaks and writes on ethics issues in employment law.

Computing, like technology in general, continues to evolve at breakneck speed. Sixty years ago, a single computer commanded an entire room. Ten years ago, hundreds of desktop computers stationed around an office building were powered by servers humming away in a central vault. Most recently, technology has advanced beyond the physical to the ethereal ' computers, which fit in the palm of the hand, now rely on the “Cloud” for storing and retrieving information.

While computing technology has advanced in leaps and bounds, attorneys have struggled to keep pace with the rapid changes to the way our society works and communicates. This is especially true when it comes to legal ethics. Attorneys must remember that while the technology has changed, the ethics rules have not ' the same rules apply in the Cloud as on the Earth, and the benefits of technology do not come without potential ethical pitfalls.

Ethics and Cloud Computing

Cloud computing, a phrase so new that it has yet to be included in the Merriam-Webster Dictionary, has transformed the way attorneys work. In its simplest form, cloud computing allows individuals to access applications and store information remotely, without physically buying and installing software or saving to a local storage device (consider “Gmail” for e-mail or “DropBox” for online storage). This technology undoubtedly offers a number of benefits to law practices of all sizes, the two primary advantages being reduced cost and increased accessibility.

Cloud computing allows a law firm to greatly reduce its need for a large internal IT infrastructure (servers, back-up storage, on-site tech support, etc.) by utilizing online storage systems. This is especially useful for small firms that may not have the capital to establish adequate on-site IT infrastructure. Cloud computing also has transformed the way attorneys work by allowing access to practice management software and client files from anywhere with an Internet connection.

While cloud computing is changing the way attorneys practice law and manage their business, it is not without potential risks; these risks range from the disclosure of confidential client information to the spoliation of evidence. The American Bar Association's Commission on Ethics 20/20 (the “ABA 20/20 Commission”), which has been charged with the task of updating the Model Rules of Professional Conduct (“Model Rules”) to reflect technological changes in the way law is practiced, has identified the following potential risks associated with cloud computing:

• Unauthorized access to confidential client information by a vendor's employees (or sub-contractors) or by outside parties (e.g., hackers) via the Internet;
• The storage of information on servers in countries with fewer legal protections for electronically stored information;
• A vendor's failure to back up data adequately;
• Unclear policies regarding ownership of stored data;
• The ability to access the data using easily accessible software in the event that the lawyer terminates the relationship with the cloud computing provider or the provider changes businesses or goes out of business;
• The provider's procedures for responding to (or when appropriate, resisting) government requests for access to information;
• Policies for notifying customers of security breaches;
• Policies for data destruction when a lawyer no longer wants the relevant data available or transferring the data if a client switches law firms;
• Insufficient data encryption; and
• The extent to which lawyers need to obtain client consent before using cloud computing services to store or transmit the client's confidential information.

(See Am. Bar Ass'n Comm'n on Ethics 20/20 Initial Draft Proposals ' Technology & Confidentiality (May 2, 2011), (“ABA 20/20 Comm'n Initial Draft Proposals ' Technology and Confidentiality”), available at www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issuespaper.authcheckdam.pdf).

Rulings by Several Jurisdictions

The ABA 20/20 Commission is not the only organization to wrestle with the ethical implications of cloud computing. At least five jurisdictions have addressed the issue and all five have approved of the use of this technology in the practice of law. (See N.Y. State Bar Assoc. Comm. on Prof'l Eths., Op. 842 (2010); AL Eth. Op. 2010-02 (2010); AZ Eth. Op. 09-04 (2009); NV Eth. Op. 33 (2006); N.J. Eth. Op. 701 (2006)). The general gist of all five opinions is that while the technology may be different, an attorney's ethical obligations remain the same under the ethics rules. As the New York State Bar Committee on Professional Ethics (“NYSBA Committee”) concluded, just as an attorney may hire a third party to store hard copies of client files, so too may an attorney use an online storage system, provided he or she exercises reasonable care to ensure that the information will remain secure.

While it may be relatively clear what constitutes “reasonable care” in the context of traditional third-party storage, those same practices do not seamlessly transfer to online storage. Thankfully, the ethics opinions have provided some basic guidance. The NYSBA Committee opinion offers a non-exhaustive list of four steps attorneys may wish to take in their efforts to exercise reasonable care when using online storage providers. First, attorneys should ensure that the storage provider has “an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.” Second, attorneys should investigate the storage provider's “security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.” While the opinion does not directly address what constitutes “adequate under the circumstances,” one can imagine that it might depend on the nature of the client. For example, different security measures might be required for a large corporate or government client that has been the target of hacking. A firm may even want to consider whether cloud storage should be avoided entirely for such a client. Third, the NYSBA Committee's opinion suggests that attorneys utilize “available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.” Finally, attorneys should investigate the provider's ability to “purge,” “wipe” and “transfer” the data if the attorney decides to use another provider.

What Are the Specifics?

While the NYSBA Committee opinion provides general guidelines on how to avoid ethical problems, the opinion does not elaborate on specific practices attorneys should avoid or undertake when cloud computing. Unfortunately, the other ethics opinions to address this issue are similarly vague. What is clear from the opinions, however, is that attorneys have an affirmative obligation to keep abreast of technological developments and ensure that their security measures remain current. (See N.Y. State Bar Assoc. Comm. on Prof'l Eths., Op. 842, at *3; see also AZ Eth. Op. 09-04 (2009) (“because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate safeguards that should be employed by the lawyer and the third-party provider.”). Importantly, the ABA 20/20 Commission has concluded that “competent lawyers must have some awareness of basic features of technology,” and has proposed changes to Comment 6 of Model Rule 1.1 to clarify that minimum competence requires that attorneys keep abreast of changes in the law and practice, including “the benefits and risks associated with technology.”

The ABA soon may provide much-needed clarity regarding what technological standards are required when using online storage providers. In response to the ABA 20/20 Commission's work, the Legal Cloud Computing Association (LCCA) published a letter to the ABA 20/20 Commission requesting, among other things, that the ABA establish minimum technology standards, as well as model terms of service for cloud computing providers. Should the ABA respond to this request, practitioners will have guidance when seeking out a provider and evaluating whether its security measures are adequate. Until then, practitioners should be aware that they have a continuing obligation to monitor the technology they are using to ensure that it remains adequate to protect confidential information.

Ethics and Local Technology

Like cloud computing, the use of “local” technology, for example the use of laptops and Wi-Fi, also raises ethical concerns. Critically, improper use of local technology may result in a breach of a client's confidential information. Reading client e-mails though an unsecured Wi-Fi service may leave an attorney vulnerable to cyber snooping. Similarly, a BlackBerry left in the back seat of a taxi may be accessed by all who come across it, if the attorney has failed to undertake minimal precautions like password-protecting the device.

The ABA 20/20 Commission has proposed amending Model Rule 1.6 to require that “(c) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client,” and has suggested adding language to Comment 16 of that rule to outline factors to be considered in determining what constitutes reasonable efforts. These factors include: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, and the cost of employing additional safeguards.

The ABA 20/20 Commission also has outlined certain precautions that lawyers may wish to take when using local technology, including:

• Providing adequate physical protection for devices (e.g., laptops) or having methods for deleting data remotely in the event that a device is lost or stolen;
• Encouraging the use of strong passwords;
• Purging data from devices before they are replaced (e.g., computers, smart phones, and copiers with scanners);
• Installing appropriate safeguards against malware (e.g., virus protection, spyware protection)
• Installing adequate firewalls to prevent unauthorized access to locally stored data; Ensuring frequent backups of data;
• Updating computer operating systems to ensure that they contain the latest security protections;
• Configuring software and network settings to minimize security risks;
• Encrypting sensitive information, and identifying (and, when appropriate, eliminating) metadata from electronic documents before sending them; and
• Avoiding “Wi-Fi hotspots” in public places as a means of transmitting confidential information (e.g., sending an e-mail to a client)

While these precautions are not required, they are certainly informative.

Conclusion

Advances in technology and communications may leave attorneys scratching their heads as to the application of the ethics rules, but this need not be the case. By applying common sense and remembering that the ethics rules do not cease to apply simply because technology is involved, attorneys can tackle the challenges of practicing law in the 21st century with confidence.

Cara E. Greene is an associate at Outten & Golden LLP, where she is a member of the Executives and Professionals Practice Group. She has authored and co-authored numerous articles on employment and partnership law, and regularly speaks and writes on ethics issues in employment law.