Maintaining confidentiality in the information age
A New Law Blog: Small Firm Innovation

Do lawyers have a duty to supervise cloud computing providers?

Drlogo11

This week's Daily Record column is entitled "Do lawyers have a duty to supervise cloud computing providers?."

A pdf of the article can be found here and my past Daily Record articles can be accessed here.

*****

Do lawyers have a duty to supervise cloud computing providers?

In a column that I wrote last October, I explained that American Bar Association’s Commission on Ethics 20/20 was eliciting comments on the issue of whether the Model Rules of Professional Conduct 5.3 should be revised to incorporate the concept that lawyers should be required to “supervise” cloud computing providers, just as lawyers are required to supervise other non-lawyer assistants such as paralegals.

By way of background, the Commission on Ethics Committee was established in 2009 (online at www.abanet.org/ethics2020) and the stated purpose of the Commission is to “perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.”

In the letter calling for comments on this issue, the Committee explained that it welcomed “feedback on the extent to which procedures outlined in ABA Formal Ethics Opinion 08-451 (describing a lawyer’s obligations when outsourcing work to lawyers and non-lawyers) should apply in the cloud computing context.”

In Opinion 08-451, it was suggested that “to minimize the risk of potentially wrongful disclosure, the outsourcing lawyer should verify that the outside service provider does not also do work for adversaries of their clients on the same or substantially related matters; in such an instance, the outsourcing lawyer could choose another provider.”

In my prior column on this issue, I expressed alarm at the idea that lawyers might have a duty to “supervise” cloud computing providers since there is a fundamental difference between outsourcing legal and administrative functions and outsourcing data management and storage to online legal service providers given that most lawyers simply do not have the IT qualifications to oversee tasks like computer programming, encryption, data storage, and the delivery of said services. I also submitted comments to the Commission outlining my concerns in this regard.

Last week the committee released its initial draft proposals (which are available for further comment through July 15, 2011) regarding the proposed amendment to Rule 5.3. The gist of the rule is that lawyers are required to make reasonable efforts to ensure that non-lawyers retained by the firm provide services consistent with lawyers’ professional obligations.

The Committee proposed revising the title of Rule 5.3 from “Responsibilities Regarding Nonlawyer Assistants” to “Responsibilities Regarding Nonlawyer Assistance.”

Aside from the minor change to the title, the rule stayed the same.

However, the comments to the rule were revised substantially to include the following language in proposed Comment [3], which addresses an attorney’s obligations when outsourcing tasks to a non-lawyer such as a cloud computing provider:

“[3] When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality…When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer's conduct is compatible with the professional obligations of the lawyer.”

Following the suggestions of proposed changes to the Model Rules and comments to the Rules, the Committee provided an explanatory report that outlined the basis for its proposed revisions. In that report, the Committee described the rationale behind the proposed changes to the Comment regarding Rule 5.3:

“The last sentence of Comment [3] emphasizes that lawyers have an obligation to give appropriate instructions to nonlawyers outside the firm when retaining or directing those nonlawyers. For example, a lawyer who instructs an investigative service may not be in a position to directly supervise how a particular investigator completes a particular assignment, but the lawyer’s instructions must be reasonable under the circumstances…” (Emphasis added).

Given my previously expressed concerns, I was happy to note that the Commission limited the scope of an attorney’s duty to oversee the activities of non-lawyers retained to provide services on behalf of the firm. The italicized section is particularly important since it acknowledges that lawyers may not always have the necessary expertise to supervise non-lawyers, depending on the services provided.

However, I do hope that the italicized language will be included in the Comments to the final version of Model Rule 5.3 as opposed to the comments explaining the proposed revisions. I fear that the failure to include the italicized language in the Comments will result in a rule that provides insufficient guidance for lawyers who are unsure of their obligations in regard to overseeing the services provided by cloud computing providers.

Nicole Black is of counsel to Fiandach & Fiandach in Rochester. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA in early 2011. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at [email protected].

Enhanced by Zemanta