This week's Daily Record column is entitled "NC Bar Council issues final opinion on the cloud."
NC Bar Council issues final opinion on the cloud
The use of cloud computing products by lawyers in their law practices is an emerging trend — and one that presents unique ethical issues for lawyers who intend to store confidential client data on servers owned and operated by third parties.
A number of ethics committees across the country have offered their take on the issues presented, but none have wrestled with this issue for quite as long as the North Carolina State Bar Council. The council has been drafting (and re-drafting) its opinion addressing this issue for nearly 1 1/2 years now, having released a number of proposed drafts for public comment.
Finally, at long last, the council issued its final opinion, 2011 Formal Ethics Opinion 6 (online: http://tinyurl.com/ncsaas), on Jan. 27. The opinion answered 2 questions: 1) May a law firm use SaaS (Software as a Service — a form of cloud computing)? and 2) Are there measures that a lawyer or law firm should consider when assessing a SaaS vendor or seeking to minimize the security risks of SaaS?
Long story short, the council gave the use of law practice management platforms based in the cloud its stamp of approval.
Specifically, the council concluded that reasonable care must be taken to protect confidential client information: “(A) law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.”
The council emphasized the lawyers who take advantage of utilizing emerging technologies such as cloud computing law practice management systems in their practices have an obligation to stay abreast of changes in technology. In other words, adopting new technologies into your law practice is not a one-time endeavor, but rather, is a continuous learning process — and an important one at that.
As for the second issue — what steps lawyers must take when utilizing cloud computing services — the council declined to establish specific standards since “mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and frequent and regular education are required.”
Although the council did not require that lawyers comply with specific requirements, the opinion set forth a number of suggested security measures, including: 1) that, in the event of a cessation of service, the contracts with the provider include information regarding how the cloud computing vendor will handle confidential client data; 2) that the contracts provide for a method of retrieval of data from the cloud computing provider in a readable, non-proprietary format; 3) that the lawyer carefully review the contracts with the provider and understand the security issues presented; 4) that the lawyer carefully evaluate the security measures used by any company involved in the hosting of the lawyer’s confidential client data, including “firewalls, encryption techniques, socket security features, and intrusion-detection systems;” and 5) that the lawyer thoroughly evaluate the provider’s data back up procedures.
Finally, of particular import was that the council recognized that absolute security is an impossibility and thus is simply not required. Oftentimes, the battle cry of lawyers opposed to using cloud computing platforms to store confidential client data is that such platforms are not, by their very nature, secure since third parties have access to the data.
However, as acknowledged by the council: (W)hile the duty of confidentiality applies to lawyers who choose to use technology to communicate, ‘this obligation does not require that a lawyer use only infallibly secure methods of communication.’ Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential client information.”
Although it took the North Carolina State Bar Council almost two years to reach this decision, the good news is that the end result is a fair and thoughtful opinion that allows North Carolina lawyers to take advantage of emerging technologies like cloud computing in their law practices.
This opinion is an improvement over prior drafts and it is evident that the council listened to and incorporated recommendations from commenters. So, kudos to North Carolina for its hard work and its balanced take on this issue.
Nicole Black is a Rochester, New York attorney and GigaOM Pro Analyst. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.