Opinion 2215

This opinion addresses certain ethical obligations related to the use of online data storage managed by third party vendors to store confidential client documents.

Illustrative Facts:

Law Firm contracts with third-party vendor to store client files and documents online on remote server so that Lawyer and Client could access the documents over the Internet from any remote location.

Rules of Professional Conduct Implicated:

RPC 1.1, 1.6, 1.15A

Analysis:

Various service providers are offering data storage systems on remote servers that can be accessed by subscribers from any location over the Internet. This is one aspect of so-called “cloud computing,” and lawyers may be interested in using these services to store confidential client documents and other data. Use of these third party storage systems, however, means that confidential client information is outside of the direct control of the lawyer and raises particular ethical questions.

Under RPC 1.6, a lawyer owes a client the duty to keep all client information confidential, unless the information falls within a specified exception. The duty of confidentiality extends beyond deliberate revelations of client information and requires a lawyer to protect client information against all disclosure. Comment 16 to RPC 1.6 states: “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.” In order to use online data storage, a lawyer is under a duty to ensure that the confidentiality of all client data will be maintained.

In addition to client confidentiality, the lawyer is also under a duty to protect client property, under RPC 1.15A. A lawyer using online data storage of client documents is therefore under a duty to ensure that the documents will not be lost.

It is impossible to give specific guidelines as to what security measures should be in place with a third party service provider of online data storage in order to provide adequate protection of client material, because the technology is changing too rapidly and any such advice would be quickly out of date. It is also impractical to expect every lawyer who uses such services to be able to understand the technology sufficiently in order to evaluate a particular service provider’s security systems. A lawyer using such a service must, however, conduct a due diligence investigation of the provider and its services and cannot rely on lack of technological sophistication to excuse the failure to do so. While some lawyers may be able to do more thorough evaluations of the services available, best practices for a lawyer without advanced technological knowledge could include:

1. Familiarization with the potential risks of online data storage and review of available general audience literature and literature directed at the legal profession, on cloud computing industry standards and desirable features.

2. Evaluation of the provider’s practices, reputation and history.

3. Comparison of provisions in service provider agreements to the extent that the service provider recognizes the lawyer’s duty of confidentiality and agrees to handle the information accordingly.

4. Comparison of provisions in service provider agreements to the extent that the agreement gives the lawyer methods for retrieving the data if the agreement is terminated or the service provider goes out of business.

5. Confirming provisions in the agreement that will give the lawyer prompt notice of any nonauthorized access to the lawyer’s stored data.

6. Ensure secure and tightly controlled access to the storage system maintained by the service provider.

7. Ensure reasonable measures for secure backup of the data that is maintained by the service provider.

A lawyer has a general duty of competence under RPC 1.1, which includes the duty “to keep abreast of changes in the law and its practice.” RPC 1.1 Comment 6. To the extent that a lawyer uses technology in his or her practice, the lawyer has a duty to keep informed about the risks associated with that technology and to take reasonable precautions. The lawyer’s duties discussed in this opinion do not rise to the level of a guarantee by the lawyer that the information is secure from all unauthorized access. Security breaches are possible even in the physical world, and a lawyer has always been under a duty to make reasonable judgments when protecting client property and information. Specific practices regarding protection of client property and information have always been left up to individual lawyers’ judgment, and that same approach applies to the use of online data storage. The lawyer must take reasonable steps, however, to evaluate the risks involved with that practice and to ensure that steps taken to protect the information are up to a reasonable standard of care.

Because the technology changes rapidly, and the security threats evolve equally rapidly, a lawyer using online data storage must not only perform initial due diligence when selecting a provider and entering into an agreement, but must also monitor and regularly review the security measures of the provider. Over time, a particular provider’s security may become obsolete or become substandard to systems developed by other providers.

Conclusion

A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and that the information is secure against risk of loss.