The Ethics of Communicating With Your Clients Online
I’ve been writing about cloud computing — where your data and software are stored on servers owned and maintained by a third party — since 2008. And for years now I’ve asserted that Web-based computing is the future and that lawyers can ethically use it for the purposes of storing confidential client information as long as they exercise reasonable care in choosing their legal software providers.
This is a position supported by all applicable ethics decisions handed down throughout the United States in recent years, including the most recent one from the New York State Bar Association, Op. 1020. In this decision, the Committee for Professional Ethics concluded: “Whether a lawyer for a party in a transaction may post and share documents using a ‘cloud’ data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”
However, even though cloud computing has repeatedly received the green light by ethics committees across the country, some lawyers continue to express reticence about cloud computing, citing security concerns. This reluctance is misguided in light of recent revelations about security issues affecting more traditional means of client communication and information storage provide.
For example, as proof that traditional methods of storing information are not foolproof, there’s the report of a recent breach notification issued by a California criminal defense law firm after a hard drive containing backup files from one of the firm’s server’s was stolen from the trunk of a car. The breach notification letter that was sent out to their clients in August can be found here: http://tinyurl.com/breachletter. So, even though the firm used onsite servers to store their client data, confidential client information was nevertheless obtained by outsiders.
In another recent case, the security of encrypted email was called into question. Lawyers have long used traditional unencrypted email to communicate with clients, ever since bar associations began to approve this practice in the late 1990s.
However, more recently the American Bar Association cast some doubt on the use of email for all client communications when it acknowledged the lack of security offered by unencrypted email and issued ABA Formal Opinion 11-459 and concluded: “Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”
Due to fears about the security of unencrypted email, some lawyers have turned to encrypted email in an effort to address this perceived security risk. Unfortunately, the Electronic Frontier Foundation recently reported that many ISPs have been intercepting customer data and stripping emails of their encryption layer (http://tinyurl.com/effemail). So even encrypted email is susceptible to tampering.
In another case, we learn that even communications relayed using “snail mail” are now at increased risk of interception. The ABA Journal reported last month that “(t)he U.S. Postal Service approved nearly 50,000 requests last year to monitor the mail of Americans in its ‘mail covers’ program, raising concerns about lack of oversight.” (http://tinyurl.com/abamail). The monitoring requests were made by “both by law enforcement and the Postal Service’s own inspections unit” and attorney-client communications were sometimes targeted, with no requirement in place to notify lawyers when this type of information is accessed.
In other words, no matter how your law firm stores information or communicates with clients, there are risks. Whether your firm uses paper, server-based software, or cloud-based software, outside access to confidential client information is a possibility.
There is no such thing as absolute security and the ethics committees have long recognized this fact. Instead, regardless of how the information is stored or transmitted, your duty is not to ensure absolute security but to instead take reasonable steps to protect that information. Vet any third-party provider who will have access to confidential client data and carefully consider the sensitivity of the data that will be discussing, regardless of the format of your communication.
The use of cloud computing tools to store confidential client data and discussions is no more or less ethical than any other type of method. Instead, your ethical obligation is to ensure that whatever method you choose is reasonable under the circumstances.
Nicole Black is a Rochester, New York attorney and Director of Business Development and Community Relations at MyCase, intuitive web-based law practice management software for the modern law firm. She is also a GigaOM Pro Analyst and is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.