Disaster Planning Series #5: Ethical Considerations and The Cloud[1]

Lawyers Mutual of Kentucky understands the idea of tackling a disaster plan can often feel overwhelming. In this series, we will explore small yet impactful steps attorneys can take each month to begin preparing for the inevitable. Click here for our other installments and more disaster preparedness resources.

In our first installment, we noted that one option for backing-up client files and other client information is to utilize a cloud server. Pennsylvania Ethics Opinion 2011-200 stated cloud computing is “merely a fancy way of saying stuff’s not on your computer.” (internal citations omitted). In the legal software market, lawyers have a variety of cloud-based solutions available from practice management software to full document management. There are also a variety of combinations of cloud-only data storage to hybrid systems with physical servers on location and supported by a cloud back-up.

Cloud storage can offer lawyers several advantages2, including:

  • Reduced infrastructure and management;
  • Cost identification and effectiveness;
  • Improved work production;
  • Quick, efficient communication;
  • Reduction in routine tasks, enabling staff to elevate work level;
  • Constant service;
  • Ease of use;
  • Mobility;
  • Immediate access to updates; and
  • Possible enhanced security

In the wake of a localized disaster, cloud storage can assist a lawyer to continue practicing with little or minimal interruption. Remote access to cloud-based client information not only allows for quicker contact with clients to provide any required notice of possible file destruction, but for seamless handling of client matters in a timely fashion.

However, there are risks associated with the use of cloud computing providers, including:

  • Storage in countries with less legal protection for data;
  • Unclear policies regarding data ownership;
  • Insufficient encryption;
  • Unclear data destruction policies;
  • Hackers;
  • Server crashes;
  • Viruses;
  • Business interruption (e.g., weather, accident, terrorism); and,
  • Absolute loss

Lawyers must scrutinize the security of any cloud-storage provider they are considering utilizing in their practice. Although these risks seem ominous, none of these risks are quite as risky as having little or no back-up system in place for practice interruptions. A little research can go a long way in mitigating some of these risks and maximizing the potential so the lawyer can quickly and ethically face the unexpected.

A Lawyer’s Ethical Obligations in the Use of Cloud Computing

The Kentucky Bar Association Formal Ethics Opinion E-437 opined lawyers can use cloud computing. The opinion explains that, although cloud computing is new, the lawyers ethical obligations have remained the same. “[L]awyers must follow the Rules of Professional Conduct with regard to safeguarding client confidential information, acting competently in using cloud computing, properly supervising the provider of the cloud service, and communicating with the client about cloud computing when such communication is necessary due to the nature of the representation.”

  • Safeguarding client confidential information
  • “[A] lawyer has a duty to take reasonable measures to protect confidential client information in any setting: bricks-and-mortar law office, offsite warehouse, or online storage or service site in the cloud.”
  • See SCR 3.130(1.6), (1.9), (1.15), (1.18)
  • Acting competently in using cloud computing
  • “[T]he lawyer [is required] to investigate the qualifications, competence, and diligence of the provider. A lawyer who does not investigate whether a warehouse he or she is considering for the storage of files has adequate security to safeguard client files fails in his or her confidentiality and competence obligations to the client. Likewise, an attorney selecting an online provider of storage or other service must investigate the provider to be sure that client information is reasonably sure to remain confidential and secure.”
  • See SCR 3.130(1.1), (1.6, comment 14)
  • Properly supervising the provider of the cloud service
  • The “rules require supervision of a provider of online storage just as they require supervision of an offsite provider of services such as a storage warehouse operator and just as they require supervision of a paralegal working within a bricks-and-mortar law firm.”
  • See SCR 3.130(5.3).
  • Communicating with the client about cloud computing when such communication is necessary due to the nature of the representation.
  • “While cloud computing does not always require client consultation, there may be situations in which consulting with the client may be proper. A lawyer must exercise judgment to determine if a particular client matter involves highly sensitive information such that the lawyer should consult with the client about the use of the cloud.”
  • See SCR 3.130(1.4).

In light of these duties, the opinion provides a list of questions for lawyers to consider when reviewing potential cloud-based service providers:

  • What protections does the provider have to prevent disclosure of confidential client information?
  • Is the provider contractually obligated to protect the security and confidentiality of information stored with it?
  • Does the service agreement state that the provider “owns” the data stored by the
  • provider?
  • What procedures, including notice procedures to the lawyer, does the provider use when responding to governmental or judicial attempts to obtain confidential client information?
  • At the conclusion of the relationship between the lawyer or law firm and the provider, will the provider return all information to the lawyer or law firm?
  • Does the provider keep copies of the confidential client information after the relationship is concluded or the lawyer or law firm has removed particular client information from the provider?
  • What are the provider’s policies and procedures regarding emergency situations such as natural disasters and power interruption?
  • Where, geographically, is the server used by the provider for long-term or short-term storage or other service located?

While this list is not exhaustive, it is comprehensive and provides a great starting point in researching. Narrow in on two or three cloud storage providers that offer the services you desire and then ask these questions. Make notes, compare, and determine which cloud service provides you with what you need to manage your practice and meet your duties to your clients.

Stay tuned for more, small yet impactful steps you can take to prepare for the inevitable.

1 Compiled from Lawyers Mutual of Kentucky Risk Manager Articles appearing in Summer 2012 (Vol. 23, Issue 3; Del O’Roark) and Winter 2016 (Vol. 28, Issue 1; author Jake A. Thompson, Crawford and Baxter, P.S.C.)
2 Committee on Legal Ethics and Professional Responsibility Formal Opinion 2011-200.