We often get questions about the security of "cloud computing" services like Google Apps and whether that security is tight enough for lawyers to use them.

Google Apps, for example, meets the security standards put in place for the online storage of government agencies' information set out in the Federal Information Security Management Act of 2000 (FISMA 44 U.S.C. § 3541, et seq.).

Cloud computing and "Software as a Service" (SaaS) are two terms used to describe similar services.  They allow you to access software, or store files, on computers that are not at your physical location or even in your physical control. Dictionary.com defines cloud computing as:

Internet-based computing in which large groups of remote servers are networked so as to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.

Wikipedia defines SaaS as:

"Software as a service (SaaS, typically pronounced [sæs]), sometimes referred to as 'on-demand software,' is a software delivery model in which software and its associated data are hosted centrally (typically in the (Internet) cloud) and are typically accessed by users using a thin client, normally using a web browser over the Internet."

Gmail and Flickr are examples of cloud computing or SaaS products because they give you access to e-mail software and message storage, and photo storage (respectively) on computers at a remote location.

In August 2012, the ABA House of Delegates adopted changes to the Model Rules of Professional Conduct dealing with the question of whether and how lawyers might deal with "confidentiality issues arising from technology." The changes were suggested by the ABA Commission on Ethics 20/20 and were, "designed to give lawyers more guidance regarding their confidentiality- related obligations when using technology."

Share this artice:          

The compilation below provides an overview of the existing Ethics Opinions produced, to date, by Bar Associations around the country.

So far, only a few State Bar Associations have issued formal ethics opinions on the questions. In reverse chronological order, those states include:

• Board of Professional Responsibility of the Tennessee Supreme Court Formal Ethics Opinion 2015-F159
• Wisconsin Formal Ethics Opinion EF-15-01 (Ethical Obligations of Attorneys Using Cloud Computing) (Note: Wisconsin Ethics Opinions are only available online to members of the State Bar of Wisconsin. This link leads to a State Bar of Wisconsin Article explaining the opinion.)
• Alaska Bar Association Ethics Opinion No. 2014-3
• Kentucky Bar Association Formal Ethics Opinion KBA E-437 (March 21, 2014)
• Connecticut Bar Association Professional Ethics Committee Informal Opinion 2013-07
• Ohio State Bar Association Informal Advisory Opinion 2013-03
• Virginia State Bar Legal Ethics Opinion 1872
• The Florida Bar Opinion 12-03
• Maine Board of Bar Overseers Professional Ethics Commission Opinion 207
• State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2012-184

In 2012 Opinion 2012-184, the Committee took its second look at technology and client confidentiality. Unlike its earlier opinion (Opinion 2010-179; see below) this time they actually used the term "cloud computing" . However, it added a new twist by focusing on a virtual law office practice ("VLO") and whether an attorney can "maintain a virtual law office practice ("VLO") and still comply with her ethical obligations if the communications with the client, and storage of and access to all information about the client’s matter, are all conducted solely through the internet using the secure computer servers of a third-party vendor (i.e., "cloud computing")?"

The opinion explained that, "As it pertains to the use of technology, the Business and Professions Code and the Rules of Professional Conduct do not impose greater or different duties upon a VLO practitioner operating in the cloud than they do upon an attorney practicing in a traditional law office. While an attorney may maintain a VLO in the cloud where communications with the client, and storage of and access to all information about the client’s matter, are conducted solely via the internet using a third-party’s secure servers, Attorney may be required to take additional steps to confirm that she is fulfilling her ethical obligations due to distinct issues raised by the hypothetical VLO and its operation. Failure of Attorney to comply with all ethical obligations relevant to these issues will preclude the operation of a VLO in the cloud as described herein." The opinion refers attorneys back to Opinion 2010-179 for a fuller discussion on the analysis that the Committee believes attorneys should undertake when considering the use of a particular form of technology (see the quote below from Opinion 2010-179 for a synopsis of the analysis attorneys should undertake).

• Washington State Bar Association Ethics Advisory Opinion 2215
• New Hampshire Bar Association Ethics Committee Advisory Opinion 2012-13/4: "The Use of Cloud Computing in the Practice of Law"
• Massachusetts Bar Association Ethics Opinion 12-03

Massachusetts specifically addressed the question of “whether it [the use of cloud computing] would violate Lawyer’s obligations under the Massachusetts Rules of Professional Conduct to store confidential client information using “Google docs” or some other Internet based storage solution, and to synchronize his computers and other devices that contain or access such information over the Internet.”

In finding the use of cloud services permissible, the Massachusetts Opinion analogizes cloud services to “lawyer's use of unencrypted Internet e-mail to engage in confidential communications with his or her client” and third-party vendors accessing law firm networks in order to maintain the firm’s hardware or software that the Bar had found permissible in previous Opinions.

Like the earlier Opinions discussed below, Massachusetts instructs lawyers to undertake “reasonable efforts to ensure that the provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a).” Unlike some other Opinions, the Massachusetts Opinion states that lawyers should get their clients’ prior consent before, “storing or transmitting particularly sensitive client information by means of the Internet.”

• Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility Opinion 2011-200

Specifically, the committee addressed the question, “May an attorney ethically store confidential client material in ‘the cloud’?” The committee’s conclusion is a qualified “yes.” Like some of the other opinions on this topic, Pennsylvania Opinion 2011-200 instructs attorneys that they “may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is [sic] protected from breaches, data loss, and other risks.”

This opinion includes a bullet point list describing what “the standard of reasonable care for ‘cloud computing’ may include.” In addition to addressing the whole category of cloud computing services that lawyers might use, the Pennsylvania opinion also points to the use of web-based e-mail (naming Gmail among others) as “ordinarily permissible” for lawyers in most circumstances but, “may not be acceptable in the context of a particularly heightened degree of concern or in a particular set of facts.”

The full opinion is ordinarily available online to Pennsylvania Bar members only. However, some other organizations have posted it online.

• Oregon State Bar Association Formal Ethics Opinion Number 2011-188: "Information Relating to the Representation of a Client: Third-Party Electronic Storage of Client Materials"

In this Opinion, the Bar offered a "Yes, qualified" answer to the question of whether lawyers may contract "with third-party vendor to store client files and documents online on remote server so that Lawyer and/or Client could access the documents over the Internet from any remote location." In offering this guidance, the Opinion points to Oregon RPC 1.6 which cover the attorney's duty to "not reveal information relating to the representation of a client."

The opinion stated that, "[a] Lawyer may store client materials on a third-party server so long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.² To do so, the lawyer must take reasonable steps to ensure that the storage company will reliably secure client data and keep information confidential. Under certain circumstances, this may be satisfied though a third-party vendor’s compliance with industry standards relating to confidentiality and security, provided that those industry standards meet the minimum requirements imposed on the Lawyer by the Oregon RPCs. This may include, among other things, ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify Lawyer of any nonauthorized third-party access to the materials. Lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer’s duties.³" (Note that the footnote material is not included here. To access the footnotes in this Ethics Opinion use the link above to the full text of the Opinion.)

• North Carolina State Bar Association Proposed 2011 Formal Ethics Opinion 6: "Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property" (10/20/11) - scroll down to read
• Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility: Formal Opinion 2011-200 (available online to Pennsylvania Bar members only)

Like New York Opinion #842 (below), this Opinion answers two separate questions regarding lawyers' subscribing to software as a service (SaaS) rather than purchasing and installing software from disks.

First, the Opinion tackles whether lawyers should even be using SaaS products for "for case or practice management, document management, and billing/financial management," or "the storage of a law firm’s data, including client files, billing information, and work product, on remote servers rather than on the law firm’s own computer and, therefore, outside the direct control of the firm’s lawyers." The Opinion answered this question by stating, "Yes, provided steps are taken to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including the information in a client’s file, from risk of loss." The Opinion point to Comments 17 and 18 of North Carolina's Rule of Professional Conduct 1.6 - "Comment [17] explains, 'A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.' Comment [18] adds that, when transmitting confidential client information, a lawyer must take “reasonable precautions to prevent the information from coming into the hands of unintended recipients.'"

Second, the Opinion tackles what measures lawyers should take to assess SaaS vendors to minimize potential security risks. Recognizing that criteria for assessing the security of these SaaS services would change with technology, the Opinion outlines a list of points lawyers should consider rather than spell out a specific set of guidelines lawyers must follow. The Opinion introduces this list thusly, "This opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and frequent and regular education are required." Some of the security measures the Opinions suggest to be considered are: 

a specific agreement covering "how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities" 

the ability to retrieve the lawyer's data if "the SaaS vendor goes out of business, or the service otherwise has a break in continuity"

careful review of the SaaS license agreement and security policy 

evaluation of security measures, "including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems⁴ 

evaluation of the SaaS vendors backup policies for the lawyer's data

• Iowa State Bar Association Committee on Ethics and Practice Guidelines: Ethics Opinion 11-01: "Use of Software as a Service – Cloud Computing" (9/9/11)

The Iowa State Bar Ethics Opinion (Number 11-01) pointed to Comment 17 to Iowa's Rule 32:1.6 as establishing a "reasonable and flexible approach to guide a lawyer’s use of ever-changing technology. It recognizes that the degree of protection to be afforded client information varies with the client, matter and information involved. But it places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly." 

Comment 17 to Iowa's Rule 32:1.6 reads:

"[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule."

Also, recognizing the changing nature of cloud computing services, the Iowa State Bar Association Committee on Ethics and Practice Guidelines chose to offer "basic guidance regarding the implementation of the standard described in Comment 17," in the form of a list of considerations lawyers should take into account when performing their due diligence in reviewing cloud services for their firms. 

• Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility: Informal Opinion 2010-60 (1/11/11; available online to Pennsylvania Bar members only)
• Vermont Bar Association: Advisory Ethics Opinion 2010-06
• State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2010-179 (2010)

Opinion, 2010-179 does not use the term "cloud computing," but the opinion can still be used to guide attorneys on their use of cloud computing because it deals with "using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties." The 2010-179 opinion explains that, "An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps." The opinion further states:

"Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications."

The opinion explains that if client information is highly sensitive and a particular technology presents a risk of disclosure, then the attorney needs to consider other alternatives unless the client provides informed consent.

• New York State Bar Association Committee on Professional Ethics: Opinion 842 (9/10/10)

This Opinion tackled two questions:

May a lawyer use an online system to store a client's confidential information without violating the duty of confidentiality or any other duty?

If so, what steps should the lawyer take to ensure that the information is sufficiently secure?

The Opinion cited Rule 1.6 of the New York Rules of Professional Conduct that covers confidentiality, as well as Rule 1.0(j) that covers informed consent from clients in reaching the following conclusion:

"A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. A lawyer using an online storage provider should take reasonable care to protect confidential information, and should exercise reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client’s information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the 'cloud' will not waive or jeopardize any privilege protecting the information."

• Alabama Disciplinary Commission Ethics Opinion 2010-02: Retention, Storage, Ownership, Production and Destruction of Client Files
• State Bar of Arizona Ethics Opinion 09-04: Confidentiality; Maintaining Client Files; Electronic Storage; Internet

In this 2009 Ethics Opinion, the State Bar of Arizona addressed a question similar to the one addressed by Maine the previous year. In it, Arizona cited back to its 2005 Opinion and New Jersey’s 2006 Opinion to validate attorneys’ use of remote, electronic file storage systems, and stated that the “lawyer’s duty to take reasonable precautions does not require a guarantee that the system will be invulnerable to unauthorized access.”

The Bar went on to state that “the Committee also recognizes that technology advances may make certain protective measures obsolete over time. Therefore, the Committee does not suggest that the protective measures at issue in Ethics Op. 05-04 or in this opinion necessarily satisfy ER 1.6’s requirements indefinitely. Instead, whether a particular system provides reasonable protective measures must be ‘informed by the technology reasonably available at the time to secure data against unintentional disclosure.’ N.J. Ethics Op. 701. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.”

• New York State Bar Association Committee on Professional Ethics: Opinion 820 (2/8/08) 

This New York State Bar Association’s Committee on Professional Ethics Opinion concluded that “A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.” While not named in the opinion, the question’s description of an “e-mail service provider that scans e-mails for advertising purposes” clearly describes Gmail.

• Maine State Bar Professional Ethics Commission: “Client Confidences: Confidential firm data held electronically and handled by technicians for third-party vendors;” Opinion 194 (6/30/08)

The Maine Commission concluded that, “with appropriate safeguards, an attorney may utilize transcription and computer server backup services remote from both the lawyer's physical office and the lawyer's direct control or supervision without violating the attorney's ethical obligation to maintain client confidentiality.”

• New Jersey Bar Advisory Committee on Professional Ethics: "Electronic Storage and Access of Client Files;" Opinion 701 (4/24/06)

In this Opinion, the New Jersey Committee stated, “The critical requirement under RPC 1.6, therefore, is that the attorney ‘exercise reasonable care’ against the possibility of unauthorized access to client information. A lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. ‘Reasonable care,’ however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax.”

• State Bar of Nevada Committee on Ethics and Professional Responsibility: Formal Opinion 33 (2/09/06)
• State Bar of Arizona Ethics Opinion 05-04: Electronic Storage; Confidentiality (07/05)

Most of the opinions already mentioned in this article point to a lawyer's duty to exercise "reasonable steps" to insure the confidentiality of their client's information. Many of them also refer back to Arizona Opinion 05-04 which states that lawyers should:

"take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence."

Conclusion

The reality of computer security requires machines connected to the Internet to be maintained and patched on a regular basis. It’s important for lawyers to know what security measures are practiced by whatever cloud service provider they are considering, as well as where and how often vendors back-up the information stored with their services, among other concerns.  Regardless of whether lawyers are storing files "in the cloud" or on their office’s local network, they must make a  “reasonable effort” to keep that information secure  to insure that those computers are as protected as they can be.

Originally posted 10/30/2011. Last updated 11/8/15.