Legal Ethics Considerations for Lawyers’ Use of Cloud Computing Services

In Legal Ethics Considerations for Lawyers’ Use of Cloud Computing Services, Internet For Lawyer’s Mark Rosch writes:

We often get questions about the security of “cloud computing” services like Google Apps and whether that security is tight enough for lawyers to use them.

Google Apps, for example, meets the security standards put in place for the online storage of government agencies’ information set out in the Federal Information Security Management Act of 2000 (FISMA 44 U.S.C. § 3541, et seq.).

Cloud computing and “Software as a Service” (SaaS) are two terms used to describe similar services. They allow you to access software, or store files, on computers that are not at your physical location or even in your physical control. defines cloud computing as:
Internet-based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.

Wikipedia defines SaaS as:
“Software as a service (SaaS, typically pronounced [sæs]), sometimes referred to as ‘on-demand software,’ is a software delivery model in which software and its associated data are hosted centrally (typically in the (Internet) cloud) and are typically accessed by users using a thin client, normally using a web browser over the Internet.”
Gmail and Flickr are examples of cloud computing or SaaS products because they give you access to e-mail software and message storage, and photo storage (respectively) on computers at a remote location.

In August 2012, the ABA House of Delegates adopted changes to the Model Rules of Professional Conduct dealing with the question of whether and how lawyers might deal with “confidentiality issues arising from technology.” The changes were suggested by the ABA Commission on Ethics 20/20 and were, “designed to give lawyers more guidance regarding their confidentiality- related obligations when using technology.”

So far, only a few State Bar Associations have issues formal ethics opinions on the questions however, they include (in reverse chronological order):
• Connecticut Bar Association Professional Ethics Committee Informal Opinion 2013-07 • Ohio State Bar Association Informal Advisory Opinion 2013-03 • Virginia State Bar Legal Ethics Opinion 1872 • The Florida Bar Opinion 12-03 • Maine Board of Bar Overseers Professional Ethics Commission Opinion 207 • State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2012-184
Most of the opinions already mentioned in this article point to a lawyer’s duty to exercise “reasonable steps” to insure the confidentiality of their client’s information. Many of them also refer back to Arizona Opinion 05-04 which states that lawyers should:

• “take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client’s electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence.”

Conclusion • The reality of computer security requires machines connected to the Internet to be maintained and patched on a regular basis. It’s important for lawyers to know what security measures are practiced by whatever cloud service provider they are considering, as well as where and how often vendors back-up the information stored with their services, among other concerns. Regardless of whether lawyers are storing files “in the cloud” or on their office’s local network, they must make a “reasonable effort” to keep that information secure to insure that those computers are as protected as they can be.
• Originally posted 10/30/2011. Last updated 3/8/15.

As Vice President of Marketing for Internet For Lawyers (IFL), Mark Rosch is the developer and manager of the Internet For Lawyers web site. He is the Editor of IFL’s newsletter, and writes and speaks about legal technology for firms and also on how to use the Internet for research and for marketing. The Internet For Lawyers Internet Investigative Research Update blog keeps readers up to date with the latest free and low-cost investigative and background research resources freely available on the Internet. The blog also covers search engine search tips with a focus on Google and its features, functions and productivity tools.