Mass. Joins Other States in Ruling that Cloud Computing is Ethical for Lawyers

The Massachusetts Bar Association has issued an ethics opinion concluding that lawyers may use cloud services to store and synchronize digital files containing client information, provided the lawyer takes reasonable measures to ensure that the service’s terms of use and data-privacy policies are compatible with the lawyer’s professional obligations. However, lawyers should not use cloud services for clients who expressly request that their documents not be stored online and lawyers should not store “particularly sensitive” information in the cloud without first obtaining the client’s express consent, the opinion says.

MBA Ethics Opinion 12-03 was drafted by the MBA’s Committee on Professional Ethics and approved by the association’s House of Delegates on May 17, 2012. The MBA is not the official lawyer-discipline board in the state, so its ethics opinions are advisory only. (Note that I am a member of the MBA and have served on various MBA committees over the years.)

Even so, the MBA’s opinion adds to the growing and unanimous list of lawyer-ethics panels that have concluded that lawyers may ethically use cloud applications and services, provided they take reasonable precautions to protect the confidentiality and security of the data. (See our earlier post: Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing.)

This brings to 11 the number of states that have ruled on the ethics of cloud computing. In addition to Mass., the other opinions are:

Notably, all of these states agree that the use of cloud computing is ethical.

Storing Client Files in the Cloud

This latest opinion out of Massachusetts was issued in response to a lawyer who wanted to use Google Docs or some similar service to store and synchronize his work files. The issue was whether the lawyer’s use of such a service would violate his professional obligations under the Massachusetts Rules of Professional Conduct.

In considering this issue, the committee noted that it had twice before issued opinions dealing with lawyers’ use of the Internet and remote access. In its Opinion 00-01, the committee concluded that a lawyer’s use of unencrypted email to communicate with clients does not violate the professional conduct rules. Later, in Opinion 05-04, the committee ruled that a law firm may provide a third-party software vendor with remote access to confidential client information stored on the firm’s computers, provided the law firm undertakes “reasonable efforts” to ensure that the vendor operates in a manner that is consistent with the lawyers’ professional obligations.

The reasoning of these earlier opinions extends to the use of cloud storage, the committee concluded, and “generally would allow Lawyer also to use Google docs or some other Internet based data storage service provider to store confidential information, and to synchronize data using that provider over the Internet.

As other ethics panels have done, the Mass. committee went on to emphasize that a lawyer must take reasonable efforts to ensure the security of client information.

[T]he Committee believes that the use of an Internet based service provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances so long as Lawyer undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a).

Those “reasonable efforts,” the committee said, would include:

  • Examining the provider’s terms of use and written policies and procedures with respect to data privacy and the handling of confidential information.
  • Ensuring that the provider’s terms of use and written policies and procedures prohibit unauthorized access to data stored on the provider’s system.
  • Ensuring that the provider’s terms of use and written policies and procedures, as well as its functional capabilities, give the lawyer reasonable access to, and control over, the data, in the event that the lawyer’s relationship with the provider is interrupted for any reason.
  • Examining the provider’s practices with regard to data encryption, password protection, and system back-ups, and also its available service history, including reports of known security breaches.
  • Periodically revisiting the provider’s policies, practices and procedures to ensure that they remain compatible with the lawyer’s professional obligations.

The committee also advised that the lawyer is bound to follow any express instructions from his clients against the use of cloud services to store their data. “[H]e should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so,” the committee cautioned.

The committee concludes its opinion with a few observations about Google Docs. It references the service’s terms of service and privacy policy, but then notes that it, “like many, if not most, remotely accessible software systems and computer networks, are not immune from attack by unauthorized persons or other forms of security breaches.” It ends with this advice:

Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with Lawyer’s ethical obligation to protect his clients’ confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.

[A hat tip to the Boston College Legal Eagle blog for bringing this opinion to my attention.]


About Bob Ambrogi

A lawyer and veteran legal journalist, Bob advises Catalyst on strategic communications and marketing matters. He is also a practicing lawyer in Massachusetts and is the former editor-in-chief of The National Law Journal, Lawyers USA and Massachusetts Lawyers Weekly. A fellow of the College of Law Practice Management, he also writes the blog LawSites.

11 thoughts on “Mass. Joins Other States in Ruling that Cloud Computing is Ethical for Lawyers

  1. Pingback: Mass. Joins Other States in Ruling that Cloud Computing is Ethical for Lawyers | Law Practice Strategy

  2. Pingback: Mass. Ethics Panel Rules on Ethics of Cloud Computing · Robert Ambrogi's LawSites

  3. Lee R. Nemchek

    Add these states to the list of those that have issued ethics opinions on cloud computing:
    Iowa Op. 11-01
    Oregon Formal Op. 2011-188
    Vermont Advisory Ethics Op. 2010-6

  4. Pingback: Rodney Brown

  5. Pingback: Massachusetts Bar Association says #CloudComputing is Ethical for Lawyers | Official Clio Blog

  6. Pingback: Legal Cloud Computing Ethics Opinions: Comparison Charts and Resources

  7. Pingback: Ethics and Cloud Computing | Legal Updates Blog

  8. Pingback: Legal Cloud Computing Ethics Opinions: Comparison Charts and Resources - Legal Productivity

Leave a Reply

Your email address will not be published. Required fields are marked *