New Hampshire has become the latest state to weigh in on the ethics of using cloud computing in the practice of law. The Ethics Committee of the New Hampshire Bar Association recently published Advisory Opinion #2012-13/4, in which it adopted the consensus opinion among states that a lawyer may use cloud computing consistent with his or her ethical obligations, as long as the lawyer takes reasonable steps to ensure that sensitive client information remains confidential.
While the opinion mirrored much of what other states have said on the ethics of cloud computing, it took a slightly different tack from some of the other opinions in its discussion of lawyer competence as it relates to cloud computing.
Last August, I wrote here about the American Bar Association’s vote to amend the Model Rules of Professional Conduct to make clear that a lawyer’s duty of competence extends to technology. In a revised comment to Model Rule 1.1 governing competence, the ABA said that a lawyer has a duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Referring to this change, the NHBA’s Ethics Committee said that the duty of competence requires a lawyer who uses the cloud to “understand and guard against the risks inherent in it.”
There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing. ….
Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.
In other respects, the opinion tracked those issued by other states. It addressed a lawyer’s duty to maintain the confidentiality of client information stored in the cloud and to ensure that the cloud provider will take steps to safeguard client data. It also analogized a cloud provider to a nonlawyer assistant under the ethics rules, cautioning that “the lawyer must make reasonable efforts to ensure that the provider understands and is capable of complying with its obligation to act in a manner consistent with the lawyer’s own professional responsibilities.”
Similar to what some other states’ opinions have done, the NHBA opinion set out 10 points a lawyer should consider before using a cloud computing service:
- Is the provider of cloud computing services a reputable organization?
- Does the provider offer robust security measures?
- Is the data stored in a format that renders it retrievable as well as secure?
- Does the provider commingle data in a way that could result in inadvertent disclosure?
- Do the terms of service state that the provider merely holds a license to the stored data?
- Does the provider have an enforceable obligation to keep the data confidential?
- Where are the provider’s servers located and what are the privacy laws in effect at that location?
- Will the provider retain the data when the representation ends or the agreement between the lawyer and provider is terminated?
- Do the terms of service obligate the provider to warn the lawyer if information is subpoenaed by a third party?
- What is the provider’s disaster recovery plan with respect to stored data?
In summing up its opinion, the NHBA Ethics Committee once again emphasizes a lawyer’s duty of competence with respect to technology:
The New Hampshire Ethics Committee concurs with the consensus among states that a lawyer may use cloud computing in a manner consistent with his or her ethical duties by taking reasonable steps to protect client data. Granted, a lawyer may not find a provider of cloud computing services whose terms of service address all of the issues addressed above, but it bears repeating, that while a lawyer need not become an expert in data storage, a lawyer must remain aware of how and where data is stored and what the service agreement says. Although the New Hampshire Rules of Professional Conduct do not impose a strict liability standard, the duties of confidentiality and competence are ongoing and not delegable. The requirement of competence means that even when storing data in the cloud, a lawyer must take reasonable steps to protect client information and cannot allow the storage and retrieval of data to become nebulous.
For other posts on this blog about legal ethics and cloud computing, view the posts collected in the ethics category.