Criminal and privacy implications of drones
Another NYS Bar Decision On Virtual Offices

NY bar on ethics of cloud computing – again

Stacked3This week's Daily Record column is entitled "NY bar on ethics of cloud computing – again."  My past Daily Record articles can be accessed here.


 NY bar on ethics of cloud computing – again 

New York state has long been on the cutting edge of addressing the ethics of using different technologies in the practice of law. So it was no surprise when the New York State Bar was one of the first to confront the ethics of cloud computing when the Committee on Professional Ethics handed down Op. 842 in 2010, which addressed the ethics of storing confidential client data online.

In that opinion, the committee held that “(a) lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6.”

In two different opinions handed down in the latter half of this year, the committee further clarified its position on the use of cloud computing by lawyers. In both opinions, the committee reaffirmed the applicability of the longstanding duty of due diligence when assessing the security of third party service providers, explaining that a lawyer must assess whether the technology offers reasonable protections against disclosure and must also take reasonable precautions when using technology.
At issue in Op. 1019, issued in August, was whether a law firm may “provide its lawyers with remote access to its electronic files.” The committee concluded that it was permissible to do so in the absence of client consent, so long as the attorney concluded that the security precautions exercised by the third party provider were reasonable.

In doing so, the committee recognized the need for a flexible standard: “Because of the fact-specific and evolving nature of both technology and cyber risks, this committee cannot recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients. If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is ‘informed’…”

In Op. 1020, which was handed down in September, the issue addressed was whether “a lawyer representing a party to a transaction (may) use a cloud-based technology so as to post documents and share them with others involved in the transaction.” The committee reached the same conclusion as it did in Op. 1019: “Whether a lawyer for a party in a transaction may post and share documents using a ‘cloud’ data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”

Importantly, in reaching its decision, the committee noted that lawyers have a duty to stay abreast of changes in technology explaining that the “use of electronically stored information may not only require reasonable care to protect that information under Rule 1.6, but may also, under Rule 1.1, require the competence to determine and follow a set of steps that will constitute such reasonable care.”

By way of example, the committee explained in a footnote that “the duty of competence may require litigators, depending on circumstances, to possess a basic or even a more refined understanding of electronically stored information.”

So, once again, New York leads the way when it comes to the ethics of the use of technology by lawyers. In this case, the Committee on Professional Ethics offered two well-reasoned opinions centered around elastic standards that will undoubtedly withstand the tests of time.

Nicole Black is a Rochester, New York attorney and Director of Business Development and Community Relations at MyCase, intuitive web-based law practice management software for the modern law firm. She is also a GigaOM Pro Analyst and is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can bereached at [email protected].