NYC bar issues odd report on cloud computing

 Nicole Black, The Daily Record Newswire

In November, the New York City Bar Association’s Committee on Small Law Firms issued a lengthy 28-page report entitled “The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations.”

I obtained a copy and eagerly began to read it, but when I reached this sarcastic sentence smack dab in the middle of the introduction (no embellishments added), I knew I was in for a doozy of a report: “For small firms, particularly, these (IT) costs were astronomical, if not utterly prohibitive. There had to be a better way, but where? And then this new prayer seemed to be answered; THE ‘CLOUD’ BURST FORTH!”

Things only went downhill from there. The entire report had a somewhat surreal, outdated quality about it, almost as if it had been written in 2007, when cloud computing first emerged on the scene.

The report was fraught with strange assertions like this one, found in the conclusion: “Lawyers have a wide variety of choices in Cloud services, and these will expand as Internet access gains nationwide reach and portable devices to access those services become cheaper, more durable and more secure.”

It was as if the committee had written the report years ago, when Internet access was not readily available and mobile devices were as big as a brick, and then inexplicably decided to hold off on releasing it until 2013.

So, you probably won’t be surprised to learn that the committee’s analysis and recommendations regarding lawyers’ use of cloud computing were overly cautious, at best, and antiquated, at worst.

For example, the committee advised that “the provider should not possess the encryption key unless there is a compelling reason for it to have the key.”

This suggestion presumes lawyers seek only data storage in the cloud and ignores the fact that most cloud-based products are software products (software as a service or SaaS), such as email, billing, document management or law practice management software. These platforms run software on the provider’s end that necessarily requires the ability for the programs to interpret, create connections, organize and categorize the data. If the data is encrypted from the provider (as opposed to being encrypted from unauthorized prying eyes) while on the provider’s servers, the software is inoperable and useless to the attorney hoping to use it.

Another problematic recommendation was that lawyers should “obtain (their) clients’ consent before storing their information in the cloud or relying on cloud-based software for client-critical functions.” Client consent is generally not a requirement when attorneys outsource the storage or handling of confidential client data in paper format, such as when storing old paper files in a warehouse or providing a process server with confidential documents. Electronic data should be treated no differently simply because the confidential information is stored in a different format.

Next up, the committee also recommended that lawyers ensure that they have the ability to access their data in the absence of an Internet connection: “(Find) a vendor who offers synchronization and storage of the cloud data to your device, or gives you the option of backing up your data automatically or manually to your local device.”

In other words, according to the committee, lawyers should continue to pay for and maintain costly on-site servers, thus defeating one of the primary benefits of cloud computing products: affordability and reduced IT costs.

One last example is the committee’s advisement that lawyers must supervise the cloud vendor’s provision of services: “Rule 5.3 requires an attorney to make reasonable efforts to supervise the work of nonlawyers that are ‘associated with’ the lawyer. Ethics opinions have extended this supervisory duty to the outsourcing context.”

This requirement is problematic since it holds lawyers to the same standard no matter what type of function is being outsourced. There is a big difference between outsourcing legal and administrative functions as opposed to outsourcing data management and storage to online legal service providers. Quite frankly, it’s unreasonable to expect lawyers — or even some legal IT consultants — to oversee complex tasks requiring very specific expertise such as computer programming, encryption, data storage, and the delivery of said services. Asking them to do so is unrealistic.

At the end of the day, I don’t expect the recommendations in this report will withstand the test of time. In fact, I would argue that many of them are outdated already. At least, one can only hope.


Nicole Black is a director at, a cloud-based law practice management platform. She is also of counsel to Fiandach & Fiandach in Rochester and is a GigaOM Pro analyst. She is the author of the ABA book “Cloud Computing for Lawyers,” coauthors the ABA book “Social Media for Lawyers: the Next Frontier,” and co-authors “Criminal Law in New York,” a West-Thomson treatise. She speaks regularly at conferences regarding the intersection of law and technology. She publishes three legal blogs and can be reached at