“Reasonable Care” in the Cloud: Decision-Making Pointers

Oct. 18, 2012 | Cloud Computing, Daily Dispatch, Ethics, Legal Technology

Many firms use cloud computing services for remote access to data, email filtering, contacts and calendars, system backups and other hosted IT functions. In particular, lawyers are finding that cloud transfer and storage services (like Box, Dropbox, Google Drive and iCloud) are a great way to access client materials on their smartphones, tablets or off-site computers when working away from the office.

According to state ethics authorities that have spoken on the topic and the American Bar Association Commission on Ethics 20/20, a firm or an individual attorney may store client materials in the cloud ethically, provided that the lawyer takes reasonable care to protect the confidentiality of confidential client information. Most of these opinions explain that “reasonable care” includes learning enough about the technology you choose to use to make an informed decision about where to store client materials, and staying up to date on developments in whatever technology you decide to use.

Steps to Address Cloud-y Ethical Issues

Using reasonable care to protect client confidences is nothing new for lawyers, of course—we make decisions about protecting client confidences when we read files on a crowded subway, discuss matters in elevators, decide what can be included in an email, or even take written notes during a conversation. But what might “reasonable care” entail in the context of cloud computing? While admittedly not comprehensive, here is a list to consider.

1. Know that the cloud will not be appropriate for all clients and materials.

  • You need to think carefully about the types of clients you handle. Clients who work in heavily regulated industries or who are extremely security-conscious (for whatever reason) may not permit any of their materials to be stored in the cloud.
  • You must decide what can be stored in the cloud on a document-by-document basis. Publicly available information, like PDFs downloaded from PACER, can easily be stored in the cloud. With more sensitive documents, however, you may decide to apply additional encryption before you move the materials to the cloud, or even before you copy them to your tablet over a cable.
  • Even when you decide that a copy of a client-related document may be stored in the cloud, you should probably not store the only copy of an important document there.
  • Know your options for the various materials you will store. Different cloud service providers may be appropriate for different client materials, depending on the sensitivity of each document.

2. Assess the agreements of every cloud service provider you use.

  • Read the promises being made concerning your data—especially any promises regarding what notice the provider will give you if someone else seeks access to your materials—and consider whether and how those promises can be enforced.
  • Find out where your data will be kept, how it will be backed up, who will have access to it, and whether it will really be deleted from the cloud service when you delete it or when you close your account with the provider.
  • Check online periodically for any changes to the agreement and, of course, whenever you get an email notifying you that the terms of service have changed. Remember to save copies of all your latest agreements, too.

3. Keep informed—and keep notes.

  • Search for news reports regarding security breaches or service outages at any cloud service provider you intend to use. You might also want to set up a news feed to track reports on the topic.
  • If you don’t see particular information you need online or in the provider’s documentation, or you don’t understand the information you’re given, call the company for clarification. Or choose another service.
  • Keep notes about your conversations with each service provider, as well as other research you’ve done to support your decision, in case a problem ever arises.

4. Know that sometimes you get what you pay for.

  • You can find free cloud storage options, but you may get better security or better service with a paid account from the same provider.
  • Even if your materials are secure once they get to the cloud, you should not use free, public, unencrypted networks to send them. Use your firm’s secure cloud-access system. If no firmwide system is available, use a password-protected home network or consider investing in a mobile hotspot so you can create a secure connection wherever you are.

Cloud storage services can give you flexibility in how and where you practice, and can allow you to be more responsive to your clients. You can use these services ethically, but it will take some due diligence and some decision-making each time you entrust clients’ materials to the cloud.

Carol J. Gerber is a lawyer and the owner and founder of Gerber Amalgamated LLC, a legal technology consulting company devoted to helping attorneys make better use of technology in their practices. 


5 Responses to ““Reasonable Care” in the Cloud: Decision-Making Pointers”

  1. Jim Brashear
    18 October 2012 at 9:53 am #

    These bar opinions distinguish Cloud file storage and transfer services from Cloud email services in ways that are not defensible. The state bars impose restrictions on lawyers’ use of Cloud file storage and transfer services, but they do not apply similar restrictions to Cloud email services. The state bar opinions from the 1990s say lawyers are simply entitled to rely on an expectation of privacy in email.

    There is no logical basis for this ethics rules distinction. Email is a Cloud service that is used to transmit and store content. It makes no sense to differentiate the transmission and storage of documents using Cloud email services versus the transmission and storage of documents using other types of Cloud services. The key functions of Cloud document transmission and storage solutions are essentially the same as transmitting and storing documents via Cloud email. From an ethics perspective, it should not matter whether the server on which a confidential document is stored belongs to a document storage provider (such as Dropbox) or a webmail provider (such as Yahoo!).

    Pundits often claim that we should rely on an expectation of privacy in email because of laws that criminalize intercepting email or accessing email without authorization. The South Carolina Supreme Court recently ruled (Jennings v. Jennings, et al.) that accessing online e-mail without permission does not violate the 1986-era Stored Communications Act (SCA). The Court reasoned that an opened email on a webmail provider’s servers is not stored for “backup” and is therefore not protected by the SCA. Thus, at least in South Carolina, it is unreasonable to point to the SCA as creating any expectation of privacy in stored webmail.

    More fundamentally, the assertion that email should be deemed confidential because the law criminalizes its interception or unauthorized access is like saying that because burglaries are illegal we should pretend they never occur so there’s no need to lock client files or law offices. Lawyers should take the same reasonable, proactive steps to protect the content of email that they take to protect other content that is stored or transmitted via the Cloud.

    See my post here:

  2. Carol Gerber
    18 October 2012 at 11:38 am #

    You raise an interesting point. I was practicing when attorneys first started using email and there was more consideration then than there is now about what should be sent in an email and what should not.

    I think your last paragraph sums it up nicely.

    — Carol