Is a cloud backlash on the horizon?
In the mid-1990s, email was a fairly new phenomenon and a number of state bar associations wanted nothing to do with it. For example, ethics committees in both South Carolina (Opinion 94-27 1995)) and Iowa (Iowa Ethics Opinion 96-1 1996) concluded that the use of email by lawyers to communicate with clients breached confidentiality unless precautions were taken to prevent interception or client consent acknowledging the risks of using of email was obtained.
A few years later, in 1999, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility helped to reverse the email backlash trend when it issued ABA Formal Opinion No. 99-413. In this opinion, the Committee determined that client consent regarding the use of email was unnecessary.
Thus, the ABA gave its blessing to the use of email for communications with clients. By doing so, the Committee implicitly condoned attorneys’ use of unencrypted electronic communications with their clients. The green light was given for sending confidential communications through an untold number of servers owned by third parties located in any number of geographic regions, and, in many cases, if either the attorney or the client used a web-based email service, the emails and any confidential information contained therein or attached thereto were stored on servers owned by third parties.
For those of you familiar with cloud computing, the above description of the storage of email on third party servers should sound familiar, since web-based email is simply a form of cloud computing--the only difference being that with most cloud computing platforms, the data is sent via a secure connection, and, in many cases, is either encrypted en route or is encrypted while stored on third party servers.
Fast forward to August 2011, when the Committee issued its decision on the use of email in employment cases by clients via employer-owned technologies. In Formal Opinion No. 11-459, the Committee, after reaching the narrow conclusion that in employment cases lawyers have an obligation to warn clients of the risk of discussing the case using employer-owned devices or accounts, then offered the following very broadly-worded proposition, applicable to all type of cases, not just employment matters: “A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary.”
As I explained in an earlier column (September 5, 2011), this language troubles me since it appears to be a step backwards to the mindset of the mid-1990s email backlash. This apparent shift of focus from the type of information being discussed to the method of communication implies that any type of electronic communication poses a risk simply by virtue of the method of dissemination of information.
So, I was all the more concerned when I read the most recent version of the report accompanying the ABA Commission on Ethics 20/20‘s suggested revisions to the ABA Model Rules of Professional Conduct.
By way of background, the ABA Commission on Ethics 20/20 was established in 2009 (online at www.abanet.org/ethics2020) and the stated purpose of the Commission is to “perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.” Over the past year, the Commission has released multiple versions of proposed changes to the Rules and has sought input from the legal community prior to issuing its final recommendations.
On pages 6 and 8 of the most recent September report accompanying the latest version of suggested revisions to the Model Rules, when discussing the proposed changes to Model Rule 5.3, which applies to the use on nonlawyer assistance outside of a firm, the Commission states: “As an initial matter, nonlawyer services are provided not only by individuals...but also by entities, such as...“cloud computing” providers...The proposed Comments do not describe the lawyer’s obligation to obtain consent when disclosing confidential information to nonlawyer service providers outside the firm. The Commission concluded that there are many circumstances where such consent is unnecessary. For example, lawyers regularly send documents to outside vendors for scanning or copying, but there is ordinarily no need to obtain the client’s consent to have those services performed. There are, however, other situations where client consent might be advisable or required. The Commission concluded that lawyers would benefit from further clarification of this issue in the form of an opinion from the Standing Committee on Ethics and Professional Responsibility and has requested that the Committee undertake consideration of this issue." (Emphasis added).
In light of my prior suspicions regarding the possibility of a cloud backlash, this new development seems ominous to me. My hope is that I’m wrong, and that if the ABA Committee on Ethics and Responsibility does address the issue of consent when using any form of electronic communication, it concludes that the standard applicable to unencrypted email communications should likewise apply to the use of cloud computing platforms, which are inherently more secure than unencrypted email.
In other words, as was stated in ABA Formal Opinion No. 99-413, understanding gained regarding new technologies like cloud computing should always trump fear: “Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers' greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.”
Nicole Black is a Rochester, New York attorney and GigaOM Pro Analyst. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA in late 2011. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at email@example.com.