This week's Daily Record column is entitled "Connecticut latest state to address cloud computing."
A pdf of the article can be found here and my past Daily Record articles can be accessed here.
Connecticut latest state to address cloud computing
If you’ve been reading my column for any amount of time, you know that I believe that cloud computing is the future of computing — for law firms and for any other type of business. In fact, I’ve been saying this since 2008.
Back then, very few state bar associations had addressed the ethics of lawyers using cloud computing in their law practices. My, how times have changed!
Since that time, a number of states have handed down opinions which green light the use of cloud computing by lawyers, including Alabama (Formal Opinion No. 2012-184), Arizona (Opinion 09-04), California (Opinion 2010-179), Florida (Proposed Advisory Opinion 12-3), Iowa (Opinion 11-01), Maine (Opinion 194), Massachusetts (Opinion 12-03), New Hampshire (Opinion 2012-13/4), New Jersey (Opinion 701), New York (Opinion 842 and Opinion 940), Nevada (Opinion 33), North Carolina (2011 Formal Ethics Opinion 6), Oregon (Opinion 2011-188), Pennsylvania (Opinion 2011-200), Vermont (Opinion 2010-6), and Virginia (Legal Ethics Opinion 1872).
Now, Connecticut has added its voice to the mix with its issuance of Informal Opinion 2013-07 just last month. In this opinion, the Committee on Professional Ethics considered whether it was ethically permissible for Connecticut lawyers to use cloud computing in their law practices.
At the outset, the committee explained that lawyers have always outsourced the handling of confidential client data to third parties: “Lawyers’ remote storage of data is not a new phenomenon; lawyers have been using off-site storage providers for many years, and the issues remain the same whether tangible records are stored in a “brick-and-mortar” warehouse or intangible data is stored on third-party servers.”
Next, in keeping with the conclusions reached in many other cloud computing ethics decisions, the committee acknowledged that absolute security is an impossibility and thus lawyers are not held to that standard: “The duty of confidentiality described in Rule 1.6 is rigid but tempered by the recognition that even when a lawyer acts competently to preserve the confidentiality of the data, reasonable safeguards sometimes fail …”
The committee then enunciated the standard that Connecticut lawyers seeking to use cloud computing in their practices must follow: “The Rules permit a lawyer to use the Internet to transmit, store and process data using shared computer facilities from the reasonably reliable cloud service provider as long as the lawyer undertakes reasonable efforts to prevent unauthorized access to or disclosure of such data.” This is essentially the same language used by the other ethics committees that have addressed this issue, so Connecticut’s adoption of this standard wasn’t surprising.
What came next was surprising, however, and and somewhat worrisome. The committee concluded that as part of a lawyer’s duty to stay abreast of changes in technology as required by Rule 1.1 and the duty to exercise due diligence when researching a cloud computing provider, lawyers must adequately supervise cloud computing providers.
The committee cited Rule 5.3, which addresses the lawyer’s responsibilities to supervise nonlawyer assistants, stating: “Cloud computing online outsourcing is subject to Rule 5.1 and Rule 5.3 governing the supervision of those who are hired by and associated with the lawyer. This means that the lawyer outsourcing cloud computing tasks (of transmitting, storing and processing data) must exercise reasonable efforts to select a cloud service provider whose conduct is compatible with the professional obligations of the lawyer and is able to limit authorized access to the data, ensure that the data is preserved (“backed up”), reasonably available to the lawyer, and reasonably safe from unauthorized intrusion.”
This requirement is troublesome since it implies that lawyers may have a duty to supervise cloud computing providers in the performance of their duties, even though most lawyers have no IT expertise. As I’ve explained in past articles, there is a fundamental difference between outsourcing legal and administrative functions and the outsourcing of data management and storage to online legal service providers. The bottom line is that most lawyers simply do not have the IT qualifications to oversee tasks like computer programming, encryption, data storage and the delivery of said services.
As it stands, I believe that the standard established by the committee is overly broad and fails to acknowledges that lawyers may not always have the necessary expertise to supervise non-lawyers, depending on the services provided. A better option would be to require that a lawyer’s supervision be reasonable under the circumstances, thus limiting the scope of an attorney’s supervision to areas which fall within their areas of expertise.
Nicole Black is a Rochester, New York attorney and Director of Business Development and Community Relations at MyCase, an intuitive cloud-based law practice management platform for the modern law firm. She is also a GigaOM Pro Analyst and is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at [email protected]