Partly Cloudy with a Chance of Sanctions

Practitioners of a certain age will recall the days when e-mail and cellular telephone usage were not considered secure modes of communication for the discussion of confidential or privileged matters. It was not uncommon for clients to ask that anyone participating on a conference call via cellular phone drop off when particularly sensitive information was to be discussed. Similarly, to the extent e-mail was considered an effective mode for business communication, it was never to be used for the transmission of privileged information. These mores were in place throughout the 1990s.

The legal industry always seems to be late in keeping up with ever-evolving business technology. The lag has little to do with the business of law, and everything to do with the restrictive ethics rules that govern all aspects of the practice. A watershed moment came on March 10, 1999, however, when the American Bar Association (ABA) issued Formal Opinion 99-413. The opinion broke through the fog of confusion on these issues with one simple pronouncement:

The Committee believes that e-mail communications, including those sent unencrypted over the [I]nternet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. (emphasis added).

The ABA's pronouncement may seem quaint and dated, but the subtle shifting of the burden from the requirement to prove a reasonable expectation of privacy to holding that it is not reasonable to prohibit an entire method of communication because of possible interception risks was a tectonic shift. Following the ABA decision, an explosion in legal technology ensued which has continued unabated from the late 1990s until today. Like those of us practicing in the '90s, today's practitioners are grappling with the ethical uses of yet another technological advance which is being adopted across the business world: The Cloud.

Cloud Basics

To paraphrase Justice Potter Stewart's infamous pronouncement on pornography, it is very difficult to define what we mean by “the cloud,” but we certainly know it when we see it. For the techies in the crowd, the National Institute of Standards and Technology (NIST) has adopted the following definition:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

NIST Cloud Computing Program.

It is sufficient for our purposes to state that we are referring to the remote storage of business-critical information that may be accessed over the Internet in a robust and secure setting. Cloud networks can be both public and private and have an infinite array of capabilities, accessibility and security. Typically, there is a contractual agreement between the cloud provider and the business customer that delineates the rights and obligations of the parties. In the cloud vernacular, such an agreement is known as a “Service Level Agreement” (SLA). Like any other contractual arrangement, the terms and conditions of the SLA define the relationship between the cloud provider and the customer. The terms of the SLA are critical, and, as discussed below, may make the difference between a lawyer's defensible use of current technology and an ethics charge.

The ethics barriers that might apply to so-called cloud computing are the same that existed for e-mail in the 1990s, namely that cloud computing does not provide a reasonable expectation of privacy such that the storage of privileged information in the cloud could constitute an ethics violation. The concern here (as it was almost 20 years ago) is Model Rule 1.6(a) which states that “a lawyer shall not reveal information relating to the representation of a client unless a client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation.” Inherent in Rule 1.6 is that the lawyer will take steps to safeguard client information from unauthorized access. Thus, the concern is that cloud computing constitutes a sufficient risk of unauthorized disclosure of client information to violate a lawyer's duties under Rule 1.6.

State Bar Ethics Opinions

The good news for attorneys and law firms who want to take advantage of the cost-saving, efficiency and accessibility of the cloud, is that numerous state ethics boards have unequivocally stated that the use of cloud computing and storage does not, in and of itself, constitute a violation of Rule 1.6. See the sidebar below for a list of some state bar association ethics opinions.

Pennsylvania, for example, did not feel the need to spill much ink on the topic: “[A] lawyer may use cloud computing to access and store data, and may use smartphones synchronized through the cloud to remotely access the data, if the lawyer takes appropriate measures to protect client confidentiality.”

More typical are states like New York which provide a few caveats to the pronouncement that cloud computing use does not violate Rule 1.6:

A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with a lawyer's obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.

It is, thus, beyond reproach that storage of client data in the cloud is acceptable as long as certain conditions are met. The real conundrum for practicing attorneys, especially those who are not particularly well-versed in technology, is how to effectively use the technology while ensuring that cloud computing and storage does not run afoul of the ethics rules. The New York Bar has issued some guidelines which are generally applicable. They include:

• An enforcement mechanism to ensure that the cloud provider must preserve the confidentiality of information and provide appropriate security;
• A notification requirement so that the lawyer is notified of any service of process on the cloud provider requiring the production of client information;
• Due diligence on the part of the lawyer to ensure that the cloud provider has adequate security measure, policies and recoverability capabilities;
• The employment of currently available technology to safeguard against unauthorized access of stored client data;
• The ability of the cloud provider to completely purge any client data if requested; and
• The ability to transfer data if an attorney chooses to change cloud providers for any reason.

Conclusion

As New York (and most states) makes clear, these protections are not absolute and will change with the ever-evolving technology and security environment. In the authors' view, in order to discharge their professional obligations, at a minimum, attorneys should: i) understand the technology involved in moving, storing, maintaining, retrieving and wiping data from the cloud; ii) effectively negotiate the terms of the SLA with the cloud provider to ensure compliance with all applicable restrictions on the handling of client data; iii) disclose to clients the location of client data and restrictions on access by the attorney or the client; and iv) have an emergency/disaster plan in the event of loss of data or accessibility for a prolonged period of time.

In short, to avoid sanctions, practitioners need to understand the nature and limitations of cloud computing and be forever vigilant to ensure compliance with new security protocols and industry standards. Confused? Luckily, the New York State Bar Association has created a free mobile ethics tool (available at www.nysba.org/ethicsapp) to assist lawyers.

Yes, when it comes to cloud ethics, there's even an app for that.

State Bar Ethics Opinions'On Cloud Computing

• Alabama Bar Association, Ethics Opinion 2010-02 (February 2010)
• State Bar of Arizona, Committee on the Rules of Professional Conduct, Ethics Opinion 09-04 (2009)
• State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 08-0002 (2008)
• Iowa State Bar Association, Committee on Ethics and Practice Guidelines, Ethics Opinion 11-01 (2011)
• Nebraska Ethics Advisory Opinion for Lawyers, No. 06-5 (2006)
• State Bar of Nevada, Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 33 (2006)
• New Jersey Advisory Committee on Professional Ethics, Opinion 701 (2006) ()
• New York State Bar Association, Committee on Professional Ethics, Opinion 842 (2010)
• State Bar Association of North Dakota, Ethics Committee, Opinion No. 99-03 (1999)
• Oregon Bar Association, Board of Governors, Formal Opinion No. 2011-188 (2011)
• Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Opinion 2010-60 (2011) (available online only to PA Bar members).

'

Jonathan Sablone is a Partner and trial attorney at Nixon Peabody LLP, splitting his time between the firm's Boston and New York City offices, and chairs Nixon Peabody's global Electronic Discovery and Digital Evidence practice. He is a cum laude graduate of Harvard College and Boston College Law School. Mr. Sablone speaks and writes regularly on law firm technology and e-discovery and can be reached at 212-224-6395 or [email protected]. Robin E. Stewart is an experienced trial attorney at Lathrop & Gage LLP and is the founder and chair of the firm's global eDiscovery, Data, Records and Information Group. In this capacity, she counsels clients in all aspects of eDiscovery and is a known thought leader, speaker and writer in this area. Ms. Stewart can be reached at 816-460-5529 or [email protected].

Practitioners of a certain age will recall the days when e-mail and cellular telephone usage were not considered secure modes of communication for the discussion of confidential or privileged matters. It was not uncommon for clients to ask that anyone participating on a conference call via cellular phone drop off when particularly sensitive information was to be discussed. Similarly, to the extent e-mail was considered an effective mode for business communication, it was never to be used for the transmission of privileged information. These mores were in place throughout the 1990s.

The legal industry always seems to be late in keeping up with ever-evolving business technology. The lag has little to do with the business of law, and everything to do with the restrictive ethics rules that govern all aspects of the practice. A watershed moment came on March 10, 1999, however, when the American Bar Association (ABA) issued Formal Opinion 99-413. The opinion broke through the fog of confusion on these issues with one simple pronouncement:

The Committee believes that e-mail communications, including those sent unencrypted over the [I]nternet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. (emphasis added).

The ABA's pronouncement may seem quaint and dated, but the subtle shifting of the burden from the requirement to prove a reasonable expectation of privacy to holding that it is not reasonable to prohibit an entire method of communication because of possible interception risks was a tectonic shift. Following the ABA decision, an explosion in legal technology ensued which has continued unabated from the late 1990s until today. Like those of us practicing in the '90s, today's practitioners are grappling with the ethical uses of yet another technological advance which is being adopted across the business world: The Cloud.

Cloud Basics

To paraphrase Justice Potter Stewart's infamous pronouncement on pornography, it is very difficult to define what we mean by “the cloud,” but we certainly know it when we see it. For the techies in the crowd, the National Institute of Standards and Technology (NIST) has adopted the following definition:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

NIST Cloud Computing Program.

It is sufficient for our purposes to state that we are referring to the remote storage of business-critical information that may be accessed over the Internet in a robust and secure setting. Cloud networks can be both public and private and have an infinite array of capabilities, accessibility and security. Typically, there is a contractual agreement between the cloud provider and the business customer that delineates the rights and obligations of the parties. In the cloud vernacular, such an agreement is known as a “Service Level Agreement” (SLA). Like any other contractual arrangement, the terms and conditions of the SLA define the relationship between the cloud provider and the customer. The terms of the SLA are critical, and, as discussed below, may make the difference between a lawyer's defensible use of current technology and an ethics charge.

The ethics barriers that might apply to so-called cloud computing are the same that existed for e-mail in the 1990s, namely that cloud computing does not provide a reasonable expectation of privacy such that the storage of privileged information in the cloud could constitute an ethics violation. The concern here (as it was almost 20 years ago) is Model Rule 1.6(a) which states that “a lawyer shall not reveal information relating to the representation of a client unless a client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation.” Inherent in Rule 1.6 is that the lawyer will take steps to safeguard client information from unauthorized access. Thus, the concern is that cloud computing constitutes a sufficient risk of unauthorized disclosure of client information to violate a lawyer's duties under Rule 1.6.

State Bar Ethics Opinions

The good news for attorneys and law firms who want to take advantage of the cost-saving, efficiency and accessibility of the cloud, is that numerous state ethics boards have unequivocally stated that the use of cloud computing and storage does not, in and of itself, constitute a violation of Rule 1.6. See the sidebar below for a list of some state bar association ethics opinions.

Pennsylvania, for example, did not feel the need to spill much ink on the topic: “[A] lawyer may use cloud computing to access and store data, and may use smartphones synchronized through the cloud to remotely access the data, if the lawyer takes appropriate measures to protect client confidentiality.”

More typical are states like New York which provide a few caveats to the pronouncement that cloud computing use does not violate Rule 1.6:

A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with a lawyer's obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.

It is, thus, beyond reproach that storage of client data in the cloud is acceptable as long as certain conditions are met. The real conundrum for practicing attorneys, especially those who are not particularly well-versed in technology, is how to effectively use the technology while ensuring that cloud computing and storage does not run afoul of the ethics rules. The New York Bar has issued some guidelines which are generally applicable. They include:

• An enforcement mechanism to ensure that the cloud provider must preserve the confidentiality of information and provide appropriate security;
• A notification requirement so that the lawyer is notified of any service of process on the cloud provider requiring the production of client information;
• Due diligence on the part of the lawyer to ensure that the cloud provider has adequate security measure, policies and recoverability capabilities;
• The employment of currently available technology to safeguard against unauthorized access of stored client data;
• The ability of the cloud provider to completely purge any client data if requested; and
• The ability to transfer data if an attorney chooses to change cloud providers for any reason.

Conclusion

As New York (and most states) makes clear, these protections are not absolute and will change with the ever-evolving technology and security environment. In the authors' view, in order to discharge their professional obligations, at a minimum, attorneys should: i) understand the technology involved in moving, storing, maintaining, retrieving and wiping data from the cloud; ii) effectively negotiate the terms of the SLA with the cloud provider to ensure compliance with all applicable restrictions on the handling of client data; iii) disclose to clients the location of client data and restrictions on access by the attorney or the client; and iv) have an emergency/disaster plan in the event of loss of data or accessibility for a prolonged period of time.

In short, to avoid sanctions, practitioners need to understand the nature and limitations of cloud computing and be forever vigilant to ensure compliance with new security protocols and industry standards. Confused? Luckily, the New York State Bar Association has created a free mobile ethics tool (available at www.nysba.org/ethicsapp) to assist lawyers.

Yes, when it comes to cloud ethics, there's even an app for that.

State Bar Ethics Opinions'On Cloud Computing

• Alabama Bar Association, Ethics Opinion 2010-02 (February 2010)
• State Bar of Arizona, Committee on the Rules of Professional Conduct, Ethics Opinion 09-04 (2009)
• State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 08-0002 (2008)
• Iowa State Bar Association, Committee on Ethics and Practice Guidelines, Ethics Opinion 11-01 (2011)
• Nebraska Ethics Advisory Opinion for Lawyers, No. 06-5 (2006)
• State Bar of Nevada, Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 33 (2006)
• New Jersey Advisory Committee on Professional Ethics, Opinion 701 (2006) ()
• New York State Bar Association, Committee on Professional Ethics, Opinion 842 (2010)
• State Bar Association of North Dakota, Ethics Committee, Opinion No. 99-03 (1999)
• Oregon Bar Association, Board of Governors, Formal Opinion No. 2011-188 (2011)
• Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Opinion 2010-60 (2011) (available online only to PA Bar members).

'

Jonathan Sablone is a Partner and trial attorney at Nixon Peabody LLP, splitting his time between the firm's Boston and New York City offices, and chairs Nixon Peabody's global Electronic Discovery and Digital Evidence practice. He is a cum laude graduate of Harvard College and Boston College Law School. Mr. Sablone speaks and writes regularly on law firm technology and e-discovery and can be reached at 212-224-6395 or [email protected]. Robin E. Stewart is an experienced trial attorney at Lathrop & Gage LLP and is the founder and chair of the firm's global eDiscovery, Data, Records and Information Group. In this capacity, she counsels clients in all aspects of eDiscovery and is a known thought leader, speaker and writer in this area. Ms. Stewart can be reached at 816-460-5529 or [email protected].