This week's Daily Record column is entitled "NC Bar to Issue Cloud Computing Opinion."
NC Bar to Issue Cloud Computing Opinion
The North Carolina State Bar has been asked by a member of its bar to determine whether her intent to use Clio, a Web-based practice management system, in her law practice violates that state’s ethics rules.
The exact question being posed is: “Is it within the RPC for an attorney/law firm to use online (“cloud computing”) practice management programs (e.g., the Clio program) as part of the practice of law? These are instances where the software program is accessed online with a password and is not software installed on a computer within the firm’s office.”
The concept of third-party electronic storage of client data is not a new one to the North Carolina Bar. Similar issues were addressed on at least two prior occasions.
First, in 1996 RPC 234 addressed the electronic storage of client files. The bar concluded inactive client files may be stored in electronic format, provided original documents with legal significance — such as wills, contracts, stock certificates, etc. — are culled from the paper file and stored in a safe place or returned to the client. The documents also must be stored in an electronic format can be reproduced in a paper format. Rule 2.8(a)(1) and RPC 209.
In 2008, a formal ethics opinion addressed the issue of third- party storage of digital client data. In that ruling, the bar said a lawyer must take steps to minimize the risk confidential client information will be disclosed to other clients or to third parties. See RPC 133 and RPC 215. “If the law firm will be contracting with a third party to maintain the Web-based management system, the law firm must ensure that the third party also employs measures which effec- tively minimize the risk that confidential information might be lost or disclosed,” RPC 133. (2008 Formal Ethics Opinion 5) states.
At least two other states have issued ethics opinions regarding the storage of client data on third-party servers, New Jersey (N.J. Supreme Court Advisory Comm. on Prof’l Ethics, Op. 701 ) and Nevada (Nev. State Bar Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 33 ).
Both opinions concluded attorneys must exercise reasonable care when choosing a third-party storage provider. In order to meet the obligation, attorneys must be knowledgeable about how the third-party provider will handle data entrusted to it, and also ensure all agreements with a provider include terms requiring the preservation of the confidentiality and security of the data.
In other words, common sense prevails, and dictates that the same confidentiality standards applied to physical client files should be applied to computer-generated and stored data. That is because parties always have had access to confidential client information, including building cleaning crews, summer interns, document processing companies, external copy centers and legal document delivery services.
Lawyers who use such traditional services or third-party digital storage services have the same ethical obligations, and must ensure that employees who manage and have access to client information preserve its confidentiality and security. Software as a Service (SaaS) platforms, like Clio,which store both law practice management software and client data are no different from other third-party service providers, including those that simply store digital versions of confidential client data on third- party servers.
Regardless of the service provided by the third party, a lawyer’s ethical obligation is the same: Ensure the third-party provider employs security measures that effectively minimize the risk confidential information will be lost or disclosed.
For the future of the profession as a whole, the legal field must adapt to and embrace technology. Absolute security, while ideal in a Utopian world, is a real-world impossibility. To require absolute security, or issue a decision that effectively micromanages law offices’ technology choices, would prohibit lawyers from using emerging technologies in their law practices altogether — an unrealistic alternative in the 21st century.
A more reasonable course of action — and one that will allow the business of law to adapt to fast-paced, ever-changing technologies — would be to create a broadly framed, elastic standard that allows individual attorneys to make careful choices about the technologies that best fit their individual practices. I sincerely hope the North Carolina Bar follows that path when issuing its decision in this matter.