The Ethics of Cloud Computing Require Attorneys to Learn or Hire, or Both
Any practitioner with a client or employee who is considered a “millennial” has likely encountered cloud computing. In fact, lawyers and clients across generational lines have turned to the cloud for a variety of services, from ordinary email and document storage to more sophisticated cloud-based services like customer-relationship management software and social media platforms. As a result, practitioners need to be aware of the ethical standards arising from the use of cloud-based technology that is constantly changing.
The California State Bar Committee on Professional Responsibility has issued three opinions since 2010 that address the prevalence of electronic communications, e-discovery, and the “virtual” law practice. Collectively, these opinions make clear that cloud computing triggers due diligence obligations in fulfilling an attorney’s duty of confidentiality, the duty of competence, and the duty to supervise. Ultimately, an attorney is required to take “appropriate steps to ensure [the] use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure.”
Formal Opinion Number 2010-179 considered whether an attorney violates the duty of confidentiality or competency by electronically transmitting or storing confidential client information if the technology is susceptible to hacking. The opinion identified several factors to consider when using technology. The first was “the ability of the attorney to assess the level of security afforded by the technology,” including (i) how particular technology differs from other media use; (ii) whether reasonable precautions can be made to increase security; and (iii) limitations on who may use or access the technology. The second factor was the ramifications to third parties who intercepted, or accessed the electronic information illegally or without authorization. Both federal and state law have protections against unauthorized use of computer data, which supports an expectation of privacy with respect to electronic communications. However, the opinion identified several other factors, including the sensitivity of the information, possible impact on client of inadvertent disclosure, the urgency of the situation, and client instructions and circumstances.
Collectively, an attorney must consider all these factors to determine an appropriate use of technology. The committee determined, for example, that the use of a public wireless connection that lacked security features risks violating the duty of confidentiality and competence, unless the attorney “takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall.”
Two years later, Formal Opinion Number 2012-184 discussed ethical obligations of an attorney establishing a “Virtual Law Office.” This opinion concluded that an attorney wanting to use a vendor for cloud-based communication and storage must “exercise reasonable due diligence both in the selection, and then in the continued use” of a vendor. At a minimum, an attorney must read and be familiar with the terms of service for a particular vendor, which will set forth how data may be used or accessed. He or she should also consider the credentials of any vendor, data security standards, cross-jurisdictional issues, and the attorney’s ability to supervise a vendor. If an attorney is unsure about a vendor’s particular practices, an attorney can request the vendor confirm in writing about how the information may be used or accessed.
In 2015, an opinion on “e-discovery” analyzed the duty of competence in the context of discovery and “electronically stored information.” E-discovery involves the discovery of electronic matter, and is specifically governed by federal and state law. The opinion provides specific examples how the failure to understand “electronically stored information,” such as “metadata,” can result in in the disclosure of confidential information and waiver of attorney-client privileged communications. The opinion concluded that, if an attorney lacks technological knowledge to handle e-discovery, he or she may be “ethically incompetent” and is required to consult an e-discovery expert to continue representing the client.
A 2017 opinion by the American Bar Association affirmed that attorneys have a duty to exercise due diligence to understand a particular type of technology and how it may be used, or misused, and thereby avoid risks of improper disclosure of client confidences and communications. In support of this opinion, the ABA noted that “cyber-threats and the proliferation of electronic communications have changed the landscape and it is not always reasonable to rely on the use of unencrypted email.”
The duty of competence also requires the attorney to consider aspects of technology that might impair the provision of legal services. For instance, an attorney who never meets a client in person must ensure that the client is who he or she says she is, and take appropriate steps to ensure that electronic communication is received and understood. An attorney might also consider whether client disclosures or consents are required before using technology to transmit or store a client’s information.
The use of cloud computing also implicates the duty to supervise and train subordinate attorneys or non-attorney staff. The attorney must make reasonable efforts to ensure that subordinates make proper use of cloud technology, through the use of secure usernames and passwords, providing training, and taking other appropriate measures, such as adopting policies and procedures, to mitigate risks associated with cloud-based data.
Lastly, attorneys should be aware that law firms are increasingly a target for cybersecurity attacks. With cybersecurity attacks creating a threat of tort or statutory liability, law firms now have the option of looking into “cybersecurity insurance.” In addition, there is increased regulation of data privacy, most notably with the European Union’s General Data Protection Regulation, which went into effect in 2018, and the California Consumer Privacy Act, which is scheduled to take effect in 2020. As the use of cloud-based technology continues to garner the attention of business, regulators, and bad actors, attorneys will need to continue to learn about and understand the potential applications, limitations, and risks of using the cloud in conjunction with representing clients.
MCLE Self Study
Earn one hour of general MCLE credit by answering the questions on the Self Study MCLE test. Download the test here. Send your answers along with a check ($30 per credit hour for CCCBA members/ $45 per credit hour for non-members), to the address on the test form. Certificates are processed within 2 weeks of receipt. If you prefer to receive the test form via email, contact Anne K. Wolf at awolf@cccba.org or (925) 370-2540. Send your answers along with payment ($30 for CCCBA members) to the address on the test form.