With January’s arrival, we are no longer December’s Children. Which, for a reason I doubt many will understand, reminds me of how often I’m asked “is it ethical to store client files in the cloud?”
When people ask the question, they don’t want me to address the ethical issues of cloud computing. They want me to answer “yes” or “no.” Well folks, you can’t always get what you want.
It’s like asking me whether it’s ethical to use a file cabinet to store manila folders that are full of clients’ papers. I don’t know…is it a file cabinet that you keep in a secure office? Or, do you leave it unattended in the parking lot? Are you aware that some manufacturers make file cabinets with drawers that lock? Some have cheap locks that can be picked with paper clips, while others come with locks that are virtually pick-proof. Is it your file cabinet? Or do you share it with some girls who rent the other half of your office space? What happens to your client files if the girls move and take the cabinet with them?
The issue is a bit more complex than “is it ethical to store client info in the cloud?”
Fortunately, in 2010, the Vermont Bar Association issued an advisory ethics opinion in which its Professional Responsibility Committee tried to shine a light on the issue. The opinion is well thought out. It can be summarized as follows: when storing client information in the cloud, an attorney must take reasonable precautions to ensure that the information remains confidential and retrievable should the attorney or client want to access it.
The opinion is entirely consistent with an attorney’s duties under Rules 1.1, 1.6, and 1.16.*
So, what are “reasonable precautions” when choosing whether to store client information in the cloud? While my tongue was firmly in cheek when I asked questions about file cabinets a few paragraphs ago, those questions aren’t terribly different than those you should be asking. Can anyone else access the client information that you store in the cloud? With or without a password? With or without the vendor notifying you? What happens to the client information if you don’t pay your bill? What happens if the vendor goes out of business?
The VBA opinion lists several relevant questions on page 6. If you missed it above, it’s HERE. Also, the ABA’s Legal Technology Resource Center has a handy primer on questions to ask when considering storing client information in the cloud HERE.
I think this is the end….of today’s post. I’ll post Part 2 next week, a follow-up inspired by Attorney Drew Palcsik.
Drew practices at Schneider & Palcsik. Last year, he was instrumental in helping me prepare a CLE on tech ethics for the Vermont Association of Justice. A few weeks ago, Drew suggested we move beyond the “yes” or “no” question and try to provide practitioners with some practical tips. For instance, what are reasonable precautions? Or, as Drew wrote, “practical suggestions as to how to evaluate terms of service and privacy policies . . . [or] the subtle differences between” different vendors and providers.
These are great topics, but topics beyond the scope of this introductory post. Plus, if I go on any longer, people will be leaving dead flowers on my grave.
And, as always, it’s only rock ’n’ roll, but I like it.
*Refresher: Rule 1.6 imposes a duty not to disclose information related to a representation, with Comments 16 and 17 indicating that the duty includes acting competently to safeguard client information that is transmitted and stored electronically. Meanwhile, upon the termination of a representation, Rule 1.16 imposes a duty to surrender papers and property to which the client is entitled. In other words, if you store client information in the cloud, you better know how to retrieve and provide it to the client in a format the client can use. Finally, Rule 1.1’s duty of competence includes a duty to understand and explain to the client the benefits and risks of current technology, a duty that I covered HERE.