Proposed NC bar opinion limits cloud computing
Last May I discussed the North Carolina State Bar’s Proposed 2010 Formal Ethics Opinion 7, which was issued in response to a lawyer’s inquiry as to whether it was permissible for a firm to use Software as a Service (SaaS) products in its law practice.
After reading the opinion, I concluded that it provided a broadly framed, elastic standard that permitted individual attorneys to make careful choices about the technologies that best fit their individual practices. The opinion also included a very useful list of suggested questions that lawyers were advised to ask cloud computing vendors prior to using their products.
A few weeks ago, the Bar issued a revised opinion, Proposed 2011 Formal Ethics Opinion 6 (available online at http://www.ncbar.gov/ethics/propeth.asp), which replaced the Bar’s prior proposed opinion on this issue.
I am disappointed with the new opinion. It’s overly broad and far too rigid, serving to severely limit North Carolina lawyers’ ability to use cloud computing products in their practices.
The new proposed opinion answers this very broad question: “May a law firm use SaaS”? Note that is inquiry does not address the type of information that a lawyer seeks to store in the cloud, but rather, lumps confidential and non-confidential data together.
The Ethics Committee’s answer to this broadly framed question was “yes.” The Committee explained that “(A) law firm may use SaaS if reasonable care is taken to effectively minimize the risks to the disclosure of confidential information and to the security of client information and client files.”
However, the Committee then stated that in order to sufficiently exercise reasonable care when using any type of SaaS product, lawyers must take a number of steps.
First, lawyers must ensure that an agreement is in place with the vendor that ensures that the confidentiality of client data will be protected. Second, the vendor agreement must limit the geographical region in which the data will be stored. Third, lawyers must be able to retrieve their data in a readable format, on demand. Fourth, the lawyer’s employees must receive training on certain security issues such as strong password creation.
While I agree that all of these measures are important to take into consideration when choosing a cloud computing service, I object that the Committee made these steps mandatory. The Committee fails to recognize that the cloud computing needs of every law firm will differ greatly, as will each firm’s implementation considerations.
One problem with the Committee’s mandate is that it makes a number of potentially false assumptions in regard to lawyers’ use of cloud computing products. These assumptions include, but are not limited to, the following: that lawyers will store only confidential data in the cloud, that all lawyers’ employees will necessarily have access to data stored in the cloud, and that lawyers will not maintain local back ups of their data on their own servers or elsewhere.
For example, some attorneys may choose to utilize the cloud for the storage of non-confidential data, including legal forms, administrative forms, redacted memos of law for future reference, and excerpts from legal research. Others may choose to choose to test the cloud computing waters by using cloud computing services for tasks that don’t require the input of confidential information, such as billing or time tracking.
For these lawyers, many of the mandatory requirements would be unnecessary and requiring them to implement these procedures is pointless and unnecessarily impedes their cloud computing choices.
Likewise, if lawyers maintain local back ups of their data, the ability to extract readable data on demand may be an unnecessary requirement. Similarly, law firms with local back ups may not be concerned with the very remote possibility that their data will be “held hostage” due to the operation of the European Union’s Data Protections laws.
The bottom line is that I disagree with the imposition of any mandatory requirements upon lawyers choosing to use cloud computing products. Instead, requiring lawyers to exercise reasonable care in choosing a provider and providing a list of security and privacy issues to take into consideration makes more sense. Doing so allows lawyers to choose a provider based upon their law firm’s needs and their unique situation.
Here, the Committee’s most recent proposed opinion on cloud computing use in law firms establishes unnecessarily rigid standards that impede the ability of individual lawyers to determine the technologies that best fit their practice. Hopefully, the Committee will reconsider its position and will soon issue a revised opinion that offers more elastic standard for North Carolina lawyers.
Nicole Black is of counsel to Fiandach & Fiandach in Rochester. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA in early 2011. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.