Florida Legal Ethics Opinion Clears Way for Cloud Computing

Regarding the steps a lawyer should take to research a cloud provider, the Florida bar Ethics Committee endorsed the recommendations suggested by New York State Bar Ethics Opinion 842 (Sept. 10, 2010), which included:

• Ensure that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.
• Investigate the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.
• Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.

The Florida committee also cited Iowa Ethics Opinion 11-01, “Software As a Service ' Cloud Computing” (Sept. 9, 2011), as being of particular practical assistance to lawyers facing this issue:

As suggested by the Iowa opinion, lawyers must be able to access the lawyer's own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. Iowa Ethics Opinion 11-01 also recommends considering the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider's liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.

In addition, the Florida committee agreed with Iowa's suggestion that a lawyer determine whether the information is password protected, whether the information is encrypted, and whether the lawyer will have the ability to further encrypt the information if additional security measures are required because of the special nature of a particular matter or piece of information.

Under the Florida Bar's rules, members of the bar will now be invited to submit comments on the proposed opinion. When the committee next meets on June 28, it will consider any comments it has received. Anyone wishing to submit comments should direct them to Elizabeth Clark Tarbert, Ethics Counsel, The Florida Bar, 651 E. Jefferson Street, Tallahassee, FL, 32399-2300.

Robert J. Ambrogi is a Massachusetts lawyer and media consultant. A member of this newsletter's Board of Editors, he writes the blogs LawSites 'and Media Law. He can be reached at [email protected].

Florida has become the latest state to weigh in on the legal ethics of cloud computing, joining other states that have done so in concluding that lawyers may ethically use cloud computing, provided they exercise due diligence to ensure that the cloud provider maintains adequate safeguards to protect the confidentiality and security of client information.

The Professional Ethics Committee of the the Florida Bar issued the proposed opinion (Proposed Advisory Opinion 12-3) on Jan. 25. The committee concluded:

[L]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.

For lawyers, the primary concern about cloud computing is confidentiality, the committee explained. “A lawyer has the obligation to ensure that confidentiality of information is maintained by nonlawyers under the lawyer's supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.”

The committee noted that other states that have addressed the issue of cloud computing have generally determined that lawyers may ethically use cloud services as long as they take reasonable steps. The committee said that it agrees with these other states' opinions.

Regarding the steps a lawyer should take to research a cloud provider, the Florida bar Ethics Committee endorsed the recommendations suggested by New York State Bar Ethics Opinion 842 (Sept. 10, 2010), which included:

• Ensure that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.
• Investigate the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.
• Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.

The Florida committee also cited Iowa Ethics Opinion 11-01, “Software As a Service ' Cloud Computing” (Sept. 9, 2011), as being of particular practical assistance to lawyers facing this issue:

As suggested by the Iowa opinion, lawyers must be able to access the lawyer's own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. Iowa Ethics Opinion 11-01 also recommends considering the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider's liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.

In addition, the Florida committee agreed with Iowa's suggestion that a lawyer determine whether the information is password protected, whether the information is encrypted, and whether the lawyer will have the ability to further encrypt the information if additional security measures are required because of the special nature of a particular matter or piece of information.

Under the Florida Bar's rules, members of the bar will now be invited to submit comments on the proposed opinion. When the committee next meets on June 28, it will consider any comments it has received. Anyone wishing to submit comments should direct them to Elizabeth Clark Tarbert, Ethics Counsel, The Florida Bar, 651 E. Jefferson Street, Tallahassee, FL, 32399-2300.

Robert J. Ambrogi is a Massachusetts lawyer and media consultant. A member of this newsletter's Board of Editors, he writes the blogs LawSites 'and Media Law. He can be reached at [email protected].