Can Lawyers Use The Cloud? Should Lawyers Use The Cloud?

Cloud computing is one of the biggest technology revolutions in recent history -- so you use it and do so responsibly, according to tech columnist Jeff Bennion.

cloud computing computersI think that cloud computing is one of the biggest technology revolutions in recent history. It gives us the ability to share large files, backup and sync files across multiple computers, and undelete things. As a solo, it’s not just a convenience, but it also has huge implications for me – I can grow my practice or shrink my practice without having to buy storage servers and enter into IT maintenance contracts. I can also access my cloud-stored files remotely from my phone or from home and spend less days in the office.

As we all know, the way lawyers store our confidential files is highly regulated. Cloud storage means that your files are stored on someone else’s server in some other location and you remotely access those files. So, can you or should you do that? Is it ethical to store your highly confidential files in someone else’s office? The answer is mostly yes. The ABA has put together a chart of the ethics opinions of the bar organizations that have looked into whether its lawyers can store client files in the cloud.

ABA cloud

Blue states mean there is an ethics opinion that attorneys can use the cloud. Grey states have not issued an opinion yet. Source: www.Americanbar.org

So far, no state has said no, and about half of the states have said yes, with a caveat. Each opinion that says yes has stated that attorneys have to use “reasonable care.” I know what reasonable care is for drivers of automobiles and for doctors and common carriers, but what does “reasonable care” mean in using the cloud?

Let’s look at Ohio’s opinion. Ohio gives its lawyers four factors to evaluate on whether the cloud is appropriate:

1. Competently select a vendor. It goes on to say that you should look into the vendor’s reputation and review the terms of service. The opinion highlights several key items to look for in a terms of service agreement, but offers no further guidance as to what is and is not appropriate. That would be like if I went into buy an air conditioner and the salesman says, “You’re going to want to look at BTUs, wattage, and brand name, but I don’t really know exactly what to look for, just that those things are important.”

2. Preserve confidentiality. Here they state that attorneys should ensure that the vendor has systems in place to protect client data from destruction, loss, or unavailability. So, what does it mean to ensure that a vendor has these systems in place? Dropbox told me they had those systems in place, but then deleted thousands of my files. Did I not ensure that properly? Should I call to check how operations are going over there with the Jeff Bennion folder? How often? The next point in this heading is that lawyers should avoid terms of service that suggest that the service provider owns the data. So, does that mean Google Drive is out? If it does, that would contradict this article from the ABA, or this ethics opinion from New York.

Sponsored

3. Supervise cloud vendors. It says use your professional judgment to ascertain whether the vendor will be capable of conduct consistent with the lawyer’s obligations. So, is it okay to never call or check in with the people at Box.com, or do I have to send a yearly e-mail to their “contact us” page to do my due diligence to make sure they are still doing a good job with my files?

4. Communication with client. It says that you don’t need to tell the client that you are storing documents in the cloud, unless there are circumstances that make it appropriate.

In sum, I need to choose a good vendor and make sure that I’m agreeing to certain terms, make sure somehow that the vendor is doing its job, but I don’t need to check in on them if I don’t feel it necessary, and I don’t need to tell my client about it unless I feel it necessary. I don’t mean to pick on Ohio. Everyone else is equally vague. California says that you can store client data on the cloud without taking additional precautions if it is urgent, as in “I need 2 gbs of cloud storage. Stat.”

So, is it below the standard of care to use Dropbox? Is it below the standard of care if I do not have enterprise-level controls over user accounts that let me disable access from other users? Is it below the standard of care if my shared links don’t expire, or aren’t password-protected? Is it below the standard of care if I can’t see a log of file access attempts? Is it below the standard of care if I install the Dropbox app on my phone, but then don’t password-protect the app or my phone? By the way, some of those features are on the Dropbox paid accounts, but not the free ones.

I do a lot of work in e-discovery. In the e-discovery world, we have lots of vague guidelines. We also have a private organization, the Sedona Conference, that gives us further suggestions on how we should handle electronic discovery. The Sedona Principles are cited throughout the federal judiciary’s e-discovery pocket book for judges. So, they are not mandatory authority, but they are influential at the highest levels.

Sponsored

Similar to what the the Sedona Conference does for e-discovery, the Legal Cloud Computing Association (LCCA) has recently published a set of standards for additional guidance for how lawyers should handle cloud computing issues. Mind you, there is no state bar opinion that specifically addresses the set of questions I raised a few paragraphs above, but those are all things you should look into. When it comes to safeguarding your client files, the goal is not minimum competency to avoid state bar discipline. The goal is maximum competency to avoid losing your clients’ files, and in turn, losing those clients and your reputation. If you go the minimum competency route, potential state bar discipline will be just one of the many problems you will face. So, even though the LCCA’s guidelines are not mandatory, they are definitely something that each lawyer who wants to use the cloud should look into to avoid disaster and to continue enjoying the convenience of cloud computing that we all love.

LCCA Publishes First ‘Cloud Security Doctrine’ for Law Firms [Legal Cloud Computing Association]
LCCA Security Standards [Legal Cloud Computing Association]


Jeff Bennion is Of Counsel at Estey & Bomberger LLP, a plaintiffs’ law firm specializing in mass torts and catastrophic injuries. He serves as a member of the Board of Directors of San Diego’s plaintiffs’ trial lawyers association, Consumer Attorneys of San Diego. He is also the Education Chair and Executive Committee member of the State Bar of California’s Law Practice Management and Technology section. He is a member of the Advisory Council and instructor at UCSD’s Litigation Technology Management program. His opinions are his own. Follow him on Twitterhere or on Facebook here, or contact him by email at jeff@trial.technology.

CRM Banner