With the increased use of cloud services such as Google Docs, Box, Dropbox, Carbonite, iCloud, and Basecamp, attorneys should be aware of possible ethical implications of using these services to store sensitive client or case information. What are your considerations in selecting a cloud service? Our Internet Law experts, Jessica Ballard-Barnett and Tony Rose, are here to assist you in answering that question properly.
First, a reminder about which Rules of Professional Conduct apply:
Rule 1.1 – “A lawyer shall provide competent representations to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Rule 1.1. – “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”
Rule 1.6(a) – “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 reads, in part: “Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.”
Rule 5.3 – Responsibilities Regarding Non-Lawyer Assistance. Comment 3 – “A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and suing an Internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. When retaining or directing a nonlawyer outside the firm, a lawyer should communication directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”
Not all cloud service providers are created equal. Some things to consider:
– Is the provider reputable, experienced, and well-established? Does the provider have experience in protecting confidential and sensitive information? Is the provider likely to remain in business for the foreseeable future?
– What security measures and protocols does the provider have in place? Does the provider have firewalls, encryption, robust passwords, intrusion detection system, employee background checks, and other similar protocols? Does the provider conduct periodic audits to monitor the effectiveness of its protocols? Does the provider regularly update these protocols to be consistent with current best practices, as they evolve to make the ingenuity of hackers?
– Is the provider relying on any third parties to maintain or support its servers? If so, who are those third parties, and what is their competence and experience in handling confidential or sensitive information?
– Where are the provider’s servers located? What laws govern this location, especially those regarding privacy?
– Is the provider obligated to notify you promptly in the event of a confidentiality breach, and how does the service agreement define “promptly”? Make sure this time frame matches up with any obligations you have under state and federal law in the event of a security breach.
– What does the cloud service agreement provide with regard to ownership and licensing of data stored with your provider? Remember Rule 1.15 requires client property be identified as property of the client. Also consider what your rights are to access client information should there be a payment dispute.
– What are the provider’s obligations in responding to subpoenas or other government or civil process? Is the provider obligation to notify you if it is served with process requiring production of your client’s information, and if so, is that notice required to be provided in sufficient time to permit you to intervene and object to the subpoena? Is the provider empowered to resist production if appropriate and permissible?
– What happens to your stored data when the relationship with the provider ends? What are the provider’s obligations if it is bought, sold, goes into bankruptcy, or shuts down for any other reason?
– Does the cloud service agreement allow your provider to unilaterally modify its privacy and acceptable use policies without notice to you?
– What is your recourse if something goes wrong? Does the provider’s service agreement contain a disclaimer or limitation of liability provision?
I appreciate Tony and Jessica highlighting these important considerations for the use of cloud services to store client information. As you give some thought to the issues above, they suggest these online materials for more guidance:
About our Law Tips faculty participants:
Jessica L. Ballard-Barnett, Judicial Law Clerk, Hon Melissa S. May, Judge, Indiana Court of Appeals, Indianapolis, IN. Ms. Ballard-Barnett earned her JD in 2010 from McKinney School of Law – Indianapolis. In addition to her position with the Court of Appeals, she is an adjunct instructor at Harrison College, Columbus Campus and Online. She is also a deputy on the operations team for GenCon and a columnist for HistoricIndianapolis.com.
Anthony J. Rose, Meitus Gelbert Rose LLP, Indianapolis, IN. Tony Rose has over twenty five years experience practicing law in both the private and public sectors. He joined Geitus Gelbert Rose in 2005, where he advises clients on copyright, trademark, technology, entertainment, and Internet issues. He has taught Internet Law at IU School of Law since 2006. Tony served as Vice President and General Counsel to an Indianapolis-based technology services firm, helping to grow the company from 60 to over 400 employees and to nearly $100 million in annual revenue.
About our Law Tips blogger:
Nancy Hurley has long-standing connections with Indiana lawyers. She was formerly a member of the ISBA and IBF staffs for over 30 years. Nancy’s latest lifestyle venture is with ICLEF. We are utilizing her exceptional writing and interviewing skills while exploring how her Indiana-lawyer background fits with ICLEF’s needs. When she isn’t ferreting out new topics for Law Tips, her work can be found in our Speaker Spotlight blogs, postings on the ICLEF Facebook and Twitter pages, and other places her legal experience lends itself.
Thank you for reading Law Tips. You may subscribe to this weekly blog through the RSS link at the top of this page. Also, you are encouraged to comment below or email Nancy. She welcomes your input as she continues to sift through the treasure trove of knowledge of our CLE faculty to share with you.