Editor’s Note: The author of this post is an assistant general counsel for Microsoft based in Chicago.
By Dennis Garcia, Assistant General Counsel, Microsoft Corporation
All law firms continue to face a highly competitive marketplace for legal services. Embracing leading technology like cloud computing provides law firms with opportunities to differentiate their firms and better serve their clients as the cloud can help law firms save money, be more collaborative, increase productivity, and enhance the security of client information – assuming a law firm is working with a trusted cloud provider.
However, since cloud solutions can involve entrusting sensitive client data with a third-party cloud provider, concerns may arise regarding the legal ethics associated with a lawyer’s use of the cloud. Fortunately, a growing number of US state legal ethics organizations – more than twenty in total and the latest being Tennessee from last September – have rendered opinions generally clarifying that lawyers can ethically use cloud solutions (or similar technology) so long as they exercise “reasonable care” in protecting their client’s information. While these opinions are not technically legally binding, they offer important guidance in an area that has little or no case law. Since only a handful of these opinions (e.g., Pennsylvania, Wisconsin) provide some clarity as to what constitutes “reasonable care,” employing these best practices will help enable lawyers to use cloud solutions in a legally ethical manner:
Skill Up on the Cloud
Rule 1.1 of the ABA Model Rules of Professional Conduct requires lawyers to competently represent their clients and includes an important comment that to maintain such competence, “… a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” So while lawyers are not expected to be cloud experts, they still need to understand the pros and cons of cloud solutions. Employ a “growth mindset” to being cloud savvy by enlisting the active support of technology specialists, attending cloud-related CLEs and using resources from leading cloud-centric organizations like the Cloud Security Alliance.
Conduct Due Diligence & Select a Trusted Cloud Provider
Nowadays organizations should only use technology they can confidently trust. Engage in a thorough and well-documented review of potential cloud providers – perhaps via a Request for Proposal or detailed questionnaire process – to identify a reliable and trusted cloud provider. My earlier article provides additional guidance in this area.
Sign a Smart Cloud Contract
Make sure that your contract with a cloud provider is both comprehensive and clear. Here are some “must-have” provisions for any cloud contract: detailed data protection terms; meaningful service level obligations; prompt security incident notification; clarity on third party (e.g., law enforcement) access to data; no use of data by a cloud provider for advertising or similar commercial purposes; customer ownership of data; data location specificity; independent verification of key commitments; and cloud provider responsibility for third party subcontractors.
Actively Manage Your Cloud Contract
After signing a cloud contract, don’t just file it away and forget about it. Be sure that your cloud provider is honoring its commitments. Also, since the data privacy regulatory environment continues to evolve, consider whether your cloud contract may need to be updated to address new applicable laws and regulations.
Client Notification & Consent
Before providing client data to a cloud provider, be sure to provide prior written notice to your client and/or obtain express written consent to do so from your client’s authorized representative – perhaps as part of your retainer agreement.
Develop a WISP & Educate Employees
Every law firm should have a meaningful internal written information security policy (WISP). Proactively educate your employees to embrace a “data privacy first” and “data security first” mindset. Your training should also focus on effective password hygiene, utilizing multi-factor authentication practices and identifying social engineering and phishing schemes.
Consider a Hybrid Approach
You don’t need to go “all in” in the cloud. There may be certain types of highly sensitive information regarding your firm or clients that you want to retain on-premises and not entrust to a cloud provider. Consider working with those cloud providers that offer customers true choice with both on-premises and cloud-based options.
Don’t be afraid of the cloud. Using cloud technology in a thoughtful manner can transform lawyers and law firms into disrupters and prevent them from being the disrupted.