In March, Wisconsin joined the ranks of many other jurisdictions and addressed the ethics of lawyers using Web-based computing in their practices. At issue in Wisconsin Formal Ethics Opinion EF-15-01 was how lawyers could ethically use cloud computing services to store confidential client information.
At the outset, the committee acknowledged that the issue was not whether lawyers could use cloud computing, but instead, how to go about ethically using cloud computing services: “As cloud computing becomes more ubiquitous and as clients demand more efficiency, the question for counsel is no longer whether to use cloud computing, but how to use cloud computing safely and ethically.”
The committee agreed with the other jurisdictions that have addressed the issue and concluded that lawyers may ethically use cloud computing in their practices: “(C)loud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it … (L)awyers must make reasonable efforts to protect client information and confidentiality as well as to protect the lawyer’s ability to reliably access and provide information relevant to a client’s matter when needed. To be reasonable, those efforts must be commensurate with the risks presented. Lawyers must exercise their professional judgment when adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers.”
The committee explained that client consent is not required but may be advisable in certain cases, and it also addressed a lawyer’s obligations in the event of a breach: “While a lawyer is not required in all representations to inform clients that the lawyer uses the cloud to process, transmit or store information, a lawyer may choose, based on the needs and expectations of the clients, to inform the clients. A provision in the engagement agreement or letter is a convenient way to provide clients with this information … If there has been a breach of the provider’s security that affects the confidentiality or security of the client’s information, SCR 20:1.4(a)(3) and SCR 20:1.4(b) require the lawyer to inform the client of the breach.”
Importantly, the committee confirmed that absolute security is not required and is an impossibility, since “(l)awyers are not required to guarantee that a breach of confidentiality cannot occur when using a cloud service provider, and … are not required to use only infallibly secure methods of communication.”
The committee then explained that lawyers do have a duty to make reasonable efforts to secure client data and identified factors to consider when assessing the risks. According to the committee, “(t)hese factors, which are not exclusive,” include:
• the information’s sensitivity;
• the client’s instructions and circumstances;
• the possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party;
• the attorney’s ability to assess the technology’s level of security;
• the likelihood of disclosure if additional safeguards are not employed;
• the cost of employing additional safeguards;
• the difficulty of implementing the additional safeguards;
• the extent to which the additional safeguards adversely affect the lawyer’s ability to represent clients;
• the need for increased accessibility and the urgency of the situation;
• the experience and reputation of the service provider;
• the terms of the agreement with the service provider; and
• the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
Finally, the committee wisely noted that an elastic standard of reasonableness was required and the factors listed were simply recommendations since “lawyers’ ethical duties are continually evolving as technology changes.” Specific requirements would soon become obsolete.
“Moreover, the risks vary with the technology involved, the type of practice and the individual needs of a particular client. Lawyers must exercise their professional judgment in adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers, and specific requirements would do little to assist the exercise of professional judgment.”
Also of note was Appendix A to the opinion, which included a useful and in-depth summary of the various cloud computing ethics opinions issued thus far from other U.S. jurisdictions. The Appendix alone is a useful source of information, while the opinion as a whole provides valuable insight into the issues presented when lawyers use cloud computing tools in their practices and provides a measured and thoughtful framework for lawyers seeking to implement any type of new technology into their practices.
Nicole Black is a director at MyCase.com, a cloud-based law practice management platform. She is also of counsel to Fiandach & Fiandach in Rochester and is a GigaOM Pro analyst. She is the author of the ABA book “Cloud Computing for Lawyers,” co-authors the ABA book “Social Media for Lawyers: the Next Frontier,” and co-authors “Criminal Law in New York,” a West-Thomson treatise. She speaks regularly at conferences regarding the intersection of law and technology. She publishes three legal blogs.