Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing

Here is the latest legal-ethics forecast for cloud computing in the legal profession: Clear skies ahead.

Two new ethics opinions in recent weeks on lawyers’ use of the cloud add further weight to what has so far been the consensus of state ethics panels–that it is ethical for lawyers to store client documents in the cloud and use cloud-based applications, provided the lawyers take reasonable safeguards to ensure the safety and security of the data.

The first of the two latest opinions is yet another in a series of proposed opinions from the North Carolina State Bar. As I wrote in an earlier post here, the North Carolina Ethics Committee deserves credit for the careful and thoughtful consideration it is giving this issue. On Oct. 20, it issued Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. [Hat tip to Jack Newton at Slaw.]

This is the committee’s third version of this proposed opinion. The first version, issued in April 2010, said that a lawyer may ethically use SaaS, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

Although commentators generally praised that opinion, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion. While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also set out mandatory minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing arguing that the requirements were so onerous as to effectively block the use of many cloud applications.

Clearly, the North Carolina Ethics Committee heard and was swayed by those arguments. In this latest opinion, it once again endorsed a lawyer’s use of SaaS, provided the lawyer takes care to protect confidential information:

[A] law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.

This time, however, the opinion omits any list of specific requirements a lawyer must follow in selecting a SaaS provider. Instead, it cautions lawyers to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer,” taking into consideration “the experience, stability, and reputation of the vendor.” It then goes on to list five “recommended” security measures to consider:

  • Agreement with the vendor on how it will handle confidential client information.
  • Ability to retrieve the data if the lawyer terminates the vendor or the vendor goes out of business.
  • Careful review of the terms of the lawyer’s agreement with the vendor, including its security policy.
  • Evaluation of the vendor’s measures for safeguarding the security and confidentiality of data.
  • Evaluation of the vendor’s back-up procedures.

The opinion suggests that lawyers, in considering these issues, may want to consult with “professionals competent in the area of online security.”

Pennsylvania Says ‘Yes’ to the Cloud

The second new opinion comes from the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility (with a hat tip to Dan Pinnington at Slaw for posting it). In Formal Opinion 2011-200, the Pennsylvania committee address the ethical obligations of attorneys using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client property.

The short answer it gives (within a lengthy and thoughtful opinion) is this:

Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

In addressing the reasonable safeguards a lawyer should follow, the committee follows the lead of other states in declining to list mandatory standards. “This Committee acknowledges that the advances in technology make it difficult, if not impossible to provide specific standards that will apply to every attorney,” it explains. Even so, it provides a fairly detailed list of the steps that a standard of reasonable care “may include.” Some of these steps address internal law firm measures–such as backing up data, installing firewalls, and using encryption–and others address measures a law firm should ask of a vendor. In the latter category, the opinion recommends that a lawyer ensure that the provider:

  • Explicitly agrees that it has no ownership or security interest in the data.
  • Has an enforceable obligation to preserve security.
  • Will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information.
  • Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.
  • Includes in its terms of service or service level agreement an agreement about how confidential client information will be handled.
  • Provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed.
  • Hosts the data only within a specified geographic area.
  • Provides a method for the lawyer to retrieve the data.
  • Provides the ability to get data off the vendor’s servers for the lawyer’s own use or in-house backup offline.

The Pennsylvania opinion also includes a discussion of lawyers’ use of Web-based email services such as Gmail and Hotmail. While cautioning that such services carry risks “that attorneys should be aware of and mitigate,” the opinion nonetheless indicates that lawyers are free to use such services. In most cases, these services may be used without encryption, although certain matters may require heightened security, including encryption, the committee says.

The Pennsylvania committee cites with approval a 1998 ethics opinion in which the District of Columbia Bar concluded: “In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”

What this Means for Cloud Computing

On this blog, we have been following and writing about the ethics of cloud computing for a year now. To date, not a single ethics panel has found any ethical concern with lawyers’ use of cloud computing, provided the lawyer exercises reasonable care in selecting and vetting a vendor. The Pennsylvania opinion includes a state-by-state review of relevant ethics opinions and sums them up this way:

Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In service to that essential duty, and in order to meet the standard of reasonable care, other Committees have determined that attorneys must (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them.

The measures these various ethics panels suggest are reasonable and sensible. For the most part, lawyers should select cloud vendors that have proven themselves to be reputable, stable and competent. Lawyers should expect agreements with these vendors that clearly address issues of confidentiality and security.

That said, these latest opinions underscore what we said at the outset: The forecast for cloud computing in the legal profession is clear skies ahead.

If you are interested in reading our prior posts on this topic, see:


About Bob Ambrogi

A lawyer and veteran legal journalist, Bob advises Catalyst on strategic communications and marketing matters. He is also a practicing lawyer in Massachusetts and is the former editor-in-chief of The National Law Journal, Lawyers USA and Massachusetts Lawyers Weekly. A fellow of the College of Law Practice Management, he also writes the blog LawSites.

15 thoughts on “Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing

  1. Pingback: Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing | Law Practice Strategy

  2. Carolyn Elefant


    Thanks for your solid coverage of this issue. However, I think that these agreements (which granted, I’ve skimmed and not read with the same focus as you) pose significant barriers to adoption of the cloud.

    First, I think that it is dangerous to analogize cloud computing services to “non-legal assistance” under Model Rule 5.3, as the PA opinion does. Whereas lawyers have ample discretion in selecting and monitoring human providers (e.g., document reviewers, paralegals), the same discretion does not apply to passive services like the cloud, computerized legal research or IOLTA accounts. Most lawyers lack the bargaining power to negotiate the requirements that you list with a cloud provider. If the bars were to step up and negotiate on lawyers behalf (as has been done with banks & IOLTA or GAO and Facebook/use by government employees), then the requirements might be OK. But to expect individual lawyers to be able to secure these requirements is unreasonable.

    Second, why do we need special opinions for cloud computing that go beyond how lawyers use trust accounts, phone service and computerized legal research. With all of these passive products, lawyers must be prudent in selection – for example, putting client funds in a trust account run by Bernie Madoff wouldn’t fit the bill. Likewise, we must be prudent in monitoring use – for example, if the bank tells us that someone stole $100,000 from a client trust and the lawyer just ignored the letter, there’d be an ethics violation. But to require lawyers to audit a company’s security or or continuously oversee where the data is kept, particularly where a breach poses low risk, goes too far.

    1. mmBob Ambrogi Post author

      With regard to the analogy to Model Rule 5.3, I don’t read the Pennsylvania opinion as onerous. In explaining this, the opinion says, “any service provider who handles client information needs to be able to limit authorized access to the data to only necessary personnel, ensure that the information is backed up, reasonably available to the attorney, and reasonably safe from unauthorized intrusion.” These strike me as minimum standards you would expect from a vendor handling client data. Even Gmail’s privacy policy explicitly says that is protects against unauthorized access and limits access to essential employees who are bound by confidentiality obligations. This is not something lawyers should have to negotiate for — the majority of cloud providers will already offer this level of security.

      As for your second point, I agree it would be unreasonable to require lawyers to audit a vendor’s security procedures. The opinion does not do that. Instead, it recommends that the vendor allow the firm to do that. I doubt many firms ever would ask to audit a vendor (except maybe for major hosting contracts) and I doubt that many vendors would routinely allow such audits. Again, however, the opinion describes this as a recommendation, not a requirement.

      I do think there is difference between the kinds of “passive products” you describe (trust accounts, phone services, research services) and cloud services that store documents and emails. While the research you do and the banking you do may provide “hints” about confidential client matters, documents and emails are explicit in the confidential information they contain. Unauthorized access to even a single client email could be far more damaging than snooping through your legal research trail. None of this should happen, but they’re not quite apples and apples.

  3. Pingback: Two New Ethics Opinions on Cloud Computing · Robert Ambrogi's LawSites

  4. Pingback: Cloud computing gets green light in two states (with conditions) | Third Apple

  5. Winski

    What this means is that a SHAM, North Carolina beer-drinking club got BRIBED to render a decision, couched as a ‘legal’ opinion, on a subject that NONE of them have a clue about. ‘Lawyers’ in North Carolina rendering opinion on technology…. Are you joking?

  6. Pingback: Is it Ethical to Store Client Data in the Cloud? | WalkingOffice: Mobile Solutions for Legal Professionals

  7. Pingback: State Bar #CloudComputing Ethics Opinion Roundup | Official Clio Blog

  8. Pingback: Are We Regulating the Wrong Problem When It Comes to The Cloud? « Small Firm Innovation

  9. Pingback: Living in the Cloud(s) - Tech Law Notes Tech Law Notes

  10. Pingback: Legal Cloud Computing : More State Bar Ethics Opinions Vote Yes

  11. Pingback: Mass. Joins Other States in Ruling that Cloud Computing is Ethical for Lawyers

  12. Pingback: Law Firms and Cloud Computing: Ethics Guidelines : eLawyering Blog

  13. Pingback: Two New Legal Ethics Opinions Suggest Clear Ski...

  14. Pingback: Law Firms and Cloud Computing: Ethics Guidelines | eLawyering Blog

Leave a Reply

Your email address will not be published. Required fields are marked *