Illinois Bar permits lawyers to use cloud computing
When I first started writing about cloud computing use by lawyers in 2008, most lawyers had no idea what cloud computing was. These days, the concept of cloud computing - where your law firm’s data is stored offsite on servers owned and maintained by a third party - is much more familiar and accepted. It’s no longer the mystery that it once was, in large part because its use is so prevalent in the business world and because more than 20 jurisdictions have already addressed the issue of whether it’s ethical for lawyers to use cloud computing software to store their confidential client information and have concluded that it is permissible.
The latest jurisdiction to weigh in is Illinois. Last fall, in Opinion No. 16-06 (online: https://www.isba.org/sites/default/files/ethicsopinions/16-06.pdf), the Illinois State Bar Association considered this issue and concluded that the use of cloud computing by lawyers is permissible as long as reasonable care is taken to ensure that “client confidentiality is protected and client data is secure.”
In reaching this decision, the Committee acknowledged that mandating lawyers to take specific steps when vetting a cloud computing provider would be unwise due to the rapid pace of change in today’s world: “Because technology changes so rapidly, we decline to provide specific requirements for lawyers when choosing and utilizing an outside provider for cloud-based services. Lawyers must insure (sic.) that the provider reasonably safeguards client information and, at the same time, allows the attorney access to the data.”
However, the Committee did offer the following suggested areas of focus for lawyers to consider when questioning a potential cloud computing vendor: “Reasonable inquiries and practices could include: 1. Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed; 2. Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption; 3. Investigating the provider’s reputation and history; 4. Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches; 5. Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information; 6. Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data; 7. Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.”
Importantly, the Committee clarified that lawyers have a continuing duty to ensure that each vendor they use to store confidential client data in the cloud remains in compliance: “We do not believe that the lawyer’s obligations end when the lawyer selects a reputable provider. Pursuant to Rules 1.6 and 5.3, a lawyer has ongoing obligations to protect the confidentiality of client information and data and to supervise non-lawyers. Future advances in technology may make a lawyer’s current reasonable protective measures obsolete. Accordingly, a lawyer must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected.”
This Committee isn’t the first to require lawyers to revisit a cloud computing provider’s security measures on a regular basis. New York, is one of the many other jurisdictions that requires this as well. Because of this continuing duty, many lawyers choose to limit the number of integrations that connect to their primary cloud-computing platform. That way, the number of third parties that have access to your law firm's data is reduced and you have fewer companies to vet on a regular basis, making it easier to maintain your ethical obligations.
So, Illinois now joins the ranks of other jurisdictions that have considered this issue and green lighted lawyers’s use of cloud computing. It’s clear that cloud computing is here to stay. It offers law firms incredible benefits, including affordability, mobility, flexibility, convenience, data backup, and secure online storage. If you haven’t already considered using cloud computing software, such as legal practice management software, in your law firm, perhaps the time is now.
Nicole Black is a Rochester, New York attorney and the Legal Technology Evangelist at MyCase, intuitive web-based law practice management software for the modern law firm. She is also the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org