Alaska opinion on lawyers using cloud computing
Last week I wrote about a recent opinion from Tennessee wherein the Ethics Committee joined many others across the country in permitting lawyers to store confidential client data in the cloud. While reading that opinion I discovered that an ethics opinion on cloud computing had been handed down in Alaska last year that I somehow missed. So, today I’m going to rectify that.
In Alaska Bar Association’s Ethics Opinion No. 2014-3, the Alaska Bar Association Ethics Committee considered the issue of whether lawyers may ethically store client files in a cloud-based system. In the end, the committee joined the other jurisdictions that have considered this issue and concluded that lawyers may store client data in the cloud as long as reasonable steps to protect that data are taken.
This opinion was very perfunctory, and although it may not have been the intention of the authors, placed what I believe to be an undue burden on Alaska lawyers who use cloud computing. Essentially, the committee concluded that lawyers have an obligation to stay abreast of changes in technology, including “(t)echnological changes, the regulatory framework, and privacy laws.”
While that conclusion comports with the standard applied in other jurisdictions, the committee explained the lawyer’s duty as follows:
“While a lawyer need not become an expert in data storage, a lawyer must remain aware of how and where data are stored and what the service agreement says. Duties of confidentiality and competence are ongoing and not delegable. A lawyer must therefore take reasonable steps to protect client information when storing data in the cloud. The requirement of competence means that even when storing data in the cloud, a lawyer must take reasonable steps to protect client information and cannot allow the storage and retrieval of data to become nebulous.”
Contrary to the conclusion reached in most other jurisdictions, nowhere in the opinion does the committee state that lawyers have the option of hiring a technology consultant to assist in making the decision to use cloud computing and instead the committee seems to require that the burden of assessing the security of data stored in the cloud be placed entirely on the lawyer’s shoulders.
The committee explains that a lawyer must ensure that the provider takes “(a)ppropriate security measures (which) could include password protections or other verification procedures limiting access to the data, safeguards such as data backup and restoration, a firewall or encryption, periodic audits by third parties of the provider’s security, and notification procedures in case of a breach.”
The committee also seems to place the onus of maintaining the cloud computing systems on the attorney — something that typically falls within the jurisdiction of the cloud computing provider — when it states:
“Reasonable steps must be taken to safeguard data stored in and transmitted through the cloud … During the course of representation, a lawyer must take reasonable steps to ensure that the electronic data stored in the cloud are secure and available while maintaining that information on the client’s behalf … The lawyer must know at all times where sensitive client information is stored, be it in the cloud or elsewhere.”
The committee’s decision to require lawyers to understand both the intricacies of cloud computing platforms without the assistance of a consultant and the ins and outs of maintaining data in the cloud, is troubling and seems designed to discourage lawyers in Alaska from using cloud computing tools.
It’s unclear to me if this was the intention of the committee or if the results were instead an unintended result of the rather truncated nature of the opinion. There’s no doubt about it — the committee didn’t mince words — something that may end up working to the detriment of Alaskan attorneys seeking to use 21st century technology tools in their law practices.
Nicole Black is a Rochester, New York attorney and the Legal Technology Evangelist at MyCase, intuitive web-based law practice management software for the modern law firm. She is also the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.