Oregon Ethics Board on lawyers, cloud computing

By Nicole Black The Daily Record Newswire As cloud computing picks up speed and becomes more commonplace, lawyers are beginning to sit up and take notice. And, understandably, many who are considering using cloud computing services in their law practice wonder about the ethics of using these services, since doing so means that confidential client information is stored on servers owned and maintained by third parties. As a result, over the last year or two, ethics committees from across the country have issued opinions which address that very issue, including: Professional Ethics Committee of the Florida Bar Op. 10-2 (2011), New York State Bar Association's Committee on Professional Ethics Op. 842 (2010), Pennsylvania Bar Association Ethics Opinion No. 2010-060 (2010), North Carolina Bar Proposed 2011 Formal Ethics Opinion 6 (2011), and Iowa Committee on Practice Ethics and Guidelines Ethics Opinion 11-01 (2011). The Oregon State Bar recently joined the pack in December of 2011 when it issued Formal Opinion No. 2011-188 (http://tinyurl.com/iowa-cloud-op) concluded that Oregon attorneys may store client materials on a third-party servers as long as there is compliance with the Oregon Rules of Professional Responsibility's duties of competence and confidentiality which require lawyers to take reasonable steps to ensure the security of confidential client information. According to the opinion, the reasonable steps that must be taken to ensure the security and confidentiality of client information include: "(E)nsuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify Lawyer of any nonauthorized third-party access to the materials. Lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer's duties." Of course, technology changes rapidly these days and cloud computing services are no exception. The method of delivery of the cloud computing services, the location of the servers, and the security measures used to protect the data stored on the third party servers may change at any time. Accordingly, it is imperative that lawyers stay abreast of the changing nature of the cloud computing services provided to their law firms. This fact was acknowledged in the opinion and of import was the emphasis placed on the continuing obligation of attorneys to reevaluate the security measures used by a cloud computing vendor: "Although the third-party vendor may have reasonable protective measures in place to safeguard the client materials, the reasonableness of the steps taken will be measured against the technology 'available at the time to secure data against unintentional disclosure.' As technology advances, the third-party vendor's protective measures may become less secure or obsolete over time. Accordingly, Lawyer may be required to reevaluate the protective measures used by the third party vendor to safeguard the client materials." Compared to some of the opinions issued by other ethics committees, the Oregon opinion provided less detailed guidance for attorneys considering a move to the cloud. But, that's not necessarily a bad thing because, as acknowledged in the opinion, technology changes rapidly. Committees that choose to impose upon attorneys very specific requirements relating to current technology limit the longevity and applicability of the opinion, quickly rendering it obsolete. The wiser course is to follow the Oregon Bar's example and draft an opinion that offers elastic, broadly framed guidelines that will apply to future technological advances and thus withstand the test of time. ---------- Nicole Black is of counsel to Fiandach & Fiandach in Rochester, New York. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at nblack@nicoleblackesq.com. Published: Wed, Jan 18, 2012