Given the risk of data breaches and the duty to maintain client confidences, is it ethical for lawyers to use cloud computing? Among the state bar associations that have considered the issue, the consensus is yes—with a catch.

The New Hampshire Bar Association is the latest to address cloud computing in the practice of law. Its Advisory Opinion #2012-13/4 allows lawyers to use cloud computing consistent with their ethical obligations, so long as they take “reasonable steps to ensure that sensitive client information remains confidential.”

To comply, lawyers don’t have to become IT experts; instead, following the latest revisions to the ABA Model Rules of Professional Conduct, which require an awareness of technology’s risks and benefits, they must “have a basic understanding of the technologies they use.”

According to the New Hampshire Bar Association, lawyers must also consider the following questions when choosing a cloud provider (note that the italics below summarize clarifications made by the Bar):

1.    Is the provider of cloud computing services a reputable organization?

2.    Does the provider offer robust security measures?

The minimum required security measures are “password protections or other verification procedures limiting access to the data; safeguards such as data backup and restoration, a firewall, or encryption; periodic audits by third parties of the provider’s security; and notification procedures in case of a breach.”

3.    Is the data stored in a format that renders it retrievable as well as secure?

4.    Does the provider commingle data belonging to different clients and/or different practitioners such that retrieval may result in inadvertent disclosure?

5.    Do the terms of service state that the provider merely holds a license to the stored data?

The cloud provider cannot “own” data stored in the cloud: data must be identified as the client’s property.

6.    Does the provider have an enforceable obligation to keep the data confidential?

7.    Where are the provider’s servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data?

8.    Will the provider retain the data—and if so, for how long—when the representation ends or the agreement between the lawyer and provider is terminated for another reason?

9.    Do the terms of service obligate the provider to warn the lawyer if information is subject to a third-party subpoena?

10.    What is the provider’s disaster recovery plan with respect [to] stored data?

So before sending data to the cloud, scrutinize the cloud provider’s terms of service. Then stay up-to-date on technology and data privacy laws to ensure that sensitive client information remains confidential.

Paul Matthews is chief technology officer at Xerox Litigation Services. He can be reached at info@xls.xerox.com.

Xerox Legal Business Services (“Xerox”) is not authorized to practice law, and neither offers legal advice nor provides legal services in any jurisdiction. The services offered by Xerox are limited to the non-legal, administrative aspects of document review and discovery projects. Xerox provides such services solely at the direction and under the supervision of its clients’ authorized legal counsel.