LACBA Update Back Issues - December 2014
Legal Ethics and Cloud Computing
By Carole J. Buckner, member, LACBA Professional Responsibility and and Ethics Committee; Dean, St. Francis School of Law; and President, Buckner Law Corp. The opinions expressed are her own.
Many ethics opinions have deemed cloud computing permissible when “reasonable,” but numerous data breaches and hacking incidents put confidential client information in the cloud at risk.1 Data breaches in California grew by 600% in 2013.2 Exchanges between the ABA and the U.S. National Security Agency (NSA) concerning the attorney-client privilege highlight the risk of government intrusion via technology.3 National Security Letters (NSLs) issued by the Federal Bureau of Investigation (FBI) allow the government to obtain records from Internet, banking, and telephone companies, while barring the companies' disclosure.4 Device manufacturers improve encryption,5 which the government reportedly circumvents.6 Fourteen percent of law firms responding to an ABA survey experienced a data breach or theft.7 In this environment, what are a lawyer’s ethical obligations concerning cloud computing?
Without getting overly technical, “the ‘cloud’ is ‘merely a fancy way of saying stuff’s not on your [own] computer.’”8 Your clients’ information is stored in the “cloud” if you use software as a service (SaaS), a third-party vendor to provide data storage or backup for your computer systems, or many popular forms of e-mail. 9
Attorneys have a duty to preserve the secrets of their clients10 and arguably a duty of “compu-tence.”11 While cloud computing generally is permissible when reasonable,12 where an attorney using any technology is “aware that others have access to the client’s electronic devices or accounts and may intercept or be exposed to confidential client information, then such technology should not be used in the course of the representation.”13
In California, ethics analysis focuses on the duties of confidentiality14 and competence,15 and a laundry list of due diligence factors.16 California lawyers have a duty “to keep clients reasonably informed of significant developments in matters with regard to which the attorney has agreed to provide legal services,”17 including significant developments relating to the representation.18
ABA rules require that lawyers consult with clients about the means by which the client’s objectives will be accomplished,19 explaining matters to the extent reasonably necessary to facilitate informed decision-making by clients.20 Ethics opinions from other jurisdictions (not binding in California) reference a lawyer’s duty to safeguard client property and a lawyer’s duty of supervision.21 Many ethics opinions recognize that security measures become obsolete over time, requiring periodic review.22
Given data instability and a deficit of effective regulation,23 how should lawyers address cloud computing with their clients? First, lawyers should carefully evaluate cloud services.24 A lawyer should make “appropriate disclosures” and obtain client consent to the technology.25 Lawyers should follow any express instructions from clients directing that confidential information not be stored or transmitted via the Internet.26 In addition, “the greater the sensitivity of the information, the less risk an attorney should take with technology.”27 Lawyers should advise clients regarding the security measures they are using and obtain informed consent, especially for highly sensitive information.28 In ESI-intensive litigated matters, economics may favor use of cloud technology but not without risks.29 To obtain informed consent, lawyers should advise clients of the risks and the alternatives.30 Clients should also be told how an unauthorized disclosure of confidential information will be handled.31 For example, the loss of a computer must be reported under data breach disclosure laws.32
Because data breaches can occur from hacking and malware, physical loss or theft of unencrypted devices, unintentional errors, and intentional misuse by insiders,33 law firms should implement suitable policies as well as vendor security programs to protect against loss of data to contractors.34
Consider the client: Some may have specialized concerns based on political or geographic considerations, or the nature of their particular business.35 Lawyers may need to advise such clients in greater detail regarding cloud services and provide clients with the opportunity to modify or enhance data security.36 Some clients may decide not to use cloud computing; others may employ additional security measures.37
Avoiding the cloud altogether may be best for some. Sensitive trade secrets may not be appropriate for cloud storage.38 In-person meetings with foreign clients may be preferable to digital communication.39 Use of prepaid phones for attorney-client communications should be considered.40For sensitive matters, a stand-alone computer not connected to the Internet may be preferable.41 Cloud storage may not be suitable where client documents are subject to permanent preservation obligations.42
Lawyers should consider how the cloud vendor holding client data responds to government or judicial attempts to require disclosure.43 Cloud computing may diminish a client’s ability to protect client information from government surveillance, since a cloud provider has less incentive than a law firm would to protect against government intrusion.44
Taking these matters into careful consideration, lawyers can fulfill their ethical obligations to their clients in connection with data in the ominous cloud.
1 Report, ABA Resolution 118, Adopted by House of Delegates August 12-13, 2013, at 10 (ABA Report) available at http://www.abajournal.com/files/2013_hod_annual_meeting_118.authcheckdam_.pdf
2 Kibkabe Araya, More Than 18 Million Californians Affected by Data Breaches, Los Angeles Daily Journal, October 29, 2014, at 3.
3 David L. Hudson Jr., NSA Surveillance Policies Raise Questions about the Viability of the Attorney Client Privilege, ABA JOURNAL, 9/1/2014,available at http://www.abajournal.com/magazine/article/nsa_surveillance_policies_raise_questions_about_the_viability_of_the_attorn
4 18 U.S.C. §2709; Jim Carlton and Zusha Elinson, Government Asks Court to Overturn NSL Ruling, The Wall Street Journal, October 9, 2014, at A6.
5 Danny Yadron, Tech Leader Fires Back on Encryption—Google’s Schmidt Says Plans to Scramble Phone Data Won’t Undermine Law Enforcement, The Wall Street Journal, October 9, 2014, at A4; Michael S. Schmidt and Nicole Periroth, FBI Director Calls ‘Dark’ Devices a Hindrance to Crime Solving, Los Angeles Daily Journal, October 17, 2014, at 8.
6 Sharon Nelson and John Simek, What NSA Surveillance Means to Law Firms: What Lawyers Today Need to Know about Cyber Security, 74 Or. St. Bar Bull. 19 (February/March 2014).
7 Jennifer Smith and Emily Glazer, Firms Raise Hacking Defense: Big Banks Demand That Lawyer Do More to Shut Down Cybersecurity Risks, The Wall Street Journal, October 27, 2014, at B5.
8 Ohio State Bar Informal Adv. Op. No. 2013-3 (2013).
9 Cloud Ethics Opinions around the U.S., American Bar Association, available at http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/saas.html (last visited October 31, 2014).
10 Cal. Bus. & Prof. Code §6068(e)(1); Cal. Rules of Prof’l Conduct R. 3-100.
11 ABA Model Rules of Prof’l Conduct R. 1.1, cmt 8; Andrew M. Vogel, Should California Lawyers Have a Duty of “Compu-tence”?, L.A. County Bar Ass'n, County Bar Update October 2013.
12 Cloud Ethics Opinions, supra note 9.
13 Cal. State Bar Formal Op. No. 2010-179, at 6 (2010).
14 Cal. Bus. & Prof. Code §6068(e)(1); Cal. Rules of Prof’l Conduct R. 3-100.
15 Cal. Rules of Prof’l Conduct R. 3-110.
17 Cal. Bus. & Prof. Code §6068(m).
18 Cal. Rules of Prof’l Conduct R. 3-500.
19 ABA Model Rules of Prof’l. Conduct R. 1.4(a)(2).
20 ABA Model Rules of Prof’l. Conduct R. 1.4(b).
21 Ohio State Bar Informal Adv. Op. No. 2013-3 (2013).
22 Ariz. State Bar Ethics Op. No. 09-04 (2009); Ohio State Bar Informal Adv. Op. No. 2013-3 (2013).
23 Peter Toren, Congress Drags Feet as Hackers Run Amuck, Los Angeles Daily Journal, October 22, 2014, at 1.
24 Cal. State Bar Formal Op. No. 2012-184 (2012).
25 See Cal. State Bar Formal Op. No. 2012-184 (2012) at 4.
26 Mass. Bar Ass’n Ethics Op. No. 12-03 (regarding Google Docs).
28 Cal. State Bar Formal Op. No. 2010-179 at 6 (2010).
29 See Philip J. Favro, Inviting Scrutiny: How Cloud Technologies Are Eroding the Attorney-Client Privilege, 20 Rich. J.L. & Tech. 2 (2013).
30 New Hampshire Bar Ass’n Ethics Comm. Adv. Op. No. 2012-13/4.
31 ABA Report, supra note 3, at 14.
32 Data Security Breach Reporting, State of Cal., Dept. of Justice, Office of Atty Gen’l, available at http://oag.ca.gov/ecrime/databreach/reporting (last visited on November 5, 2014).
33 Kamala D. Harris, California Data Breach Report, October 2014, at iv.
34 Smith and Glazer, supra note 7.
35 Roland L. Trope and Sarah Jane Hughes, Contemporary Issues in Cyberlaw: Red Skies in the Morning—Professional Ethics at the Dawn of Cloud Computing, 38 Wm. Mitchell L. Rev. 111, 226, 234 (2011) (hereinafter “Cyberlaw”).
36 Id. at 227.
37 Fla. State Bar Op. No. 12-3 (2013); Ohio State Bar Informal Adv. Op. No. 2013-3 (2013).
38 Vermont Bar Ass’n Advisory Ethics Op. No. 2010-6 (trade secrets).
39 Hudson, supra note 3.
41 Smith and Glazer, supra note 7.
42 Vermont Bar Ass’n Advisory Ethics Op. No. 2010-6 (use of SaaS) (wills, trusts, deeds, contracts and corporate bylaws or minutes).
43 Ohio State Bar Informal Adv. Op. No. 2013-3 (2013).
44 Cyberlaw, supra note 35 at 227, 234; Joris V.J. van Hoboken and Ira S. Rubenstein, Privacy and Security in the Cloud: Some Realism about Technical Solutions to Transnational Surveillance in the Post-Snowden Era, 66 Me. L. Rev. 487 (2014) (discussing front-door and backdoor access, packet sniffing, and industry responses to government surveillance).
LACBA's Professional Responsibility and Ethics Committee welcomes new inquiries from LACBA members regarding ethical issues or concerns about professional responsibilities. The identity of the inquirer is kept confidential within the committee. The committee, however, does not publish formal opinions that are the subject of any pending litigation involving the inquirer. If you have an ethical question that you would like the committee to consider, you can mail your written inquiry to Los Angeles County Bar Association, Professional Responsibility and Ethics Committee, P.O. Box 55020, Los Angeles, CA 90055-2020, or e-mail your inquiry marked “Confidential” to Member Services at firstname.lastname@example.org.