My job includes educating lawyers as to the duties imposed by the Rules of Professional Conduct. With respect to client information, the duty is to take reasonable precautions to protect against inadvertent disclosure or unauthorized access.
Lawyers often push back. I’m asked:
- if I encrypt email and data, I’m good, right?
- if I use ABC Cloud Storage company, I’m good, right?
- XYZ Cloud Storage company is risky, right?
I will not answer “yes” or “no.”
For instance, what encryption tool do you use? Does your cloud storage vendor encrypt data in transmission, at rest, or both?
Further, I will not bless, endorse, or disapprove of companies, vendors, or products. Maybe when I leave this job and go work for one of the legal tech companies. For now, however, that is not my role.
I understand your frustration. But, I explained myself in this post when I wrote:
So, people often ask “what are reasonable precautions?”
Nobody likes that answer. But it’s correct.
For instance, do you mean “what are reasonable precautions when it comes to cloud storage?” Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now: you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.
No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaluating a lawyer’s duty with every new technology. Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.
A lawyer’s duty to take reasonable precautions to protect client information does not change with technology. Today’s duty is the same that would exist if we lived in Westeros and communicated with clients by raven. As I blogged here:
No, the question should not be “is this new way of storing information ethical?” Nor should it be “is it okay to use smoke signals to communicate with my client?” Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure.”
It’s not just me. As the ABA indicated in Formal Opinion 477:
“What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”
The ABA went on:
“Therefore, in an environment of increasing cyber threats, the Committee concludes that, adopting the language in the ABA Cybersecurity Handbook, the reasonable efforts . . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
Again, when transmitting, communicating, and storing client information and data, a lawyer has a duty to take reasonable precautions against inadvertent disclosure or unauthorized access.
Which gets us back to the beginning of this post.
I’ve not avoided the question “what are reasonable precautions?” Indeed, 2.5 years ago, I posted: The Cloud: What are Reasonable Precautions? Last November, I re-posted it. I’m going to paste it in again at the end of this post.
For now, I’ll leave you with this: a lawyer’s duty is to take reasonable precautions to protect against the inadvertent disclosure of and unauthorized access to client information.
- Competence, Confidences, and PDFs
- ABA Addresses an Attorney’s Obligations in Response to a Data Breach
- Court Adopts Duty of Tech Competence
- Encryption & The Evolving Duty to Safeguard Client Information
- Ransomware & Cybersecurity Insurance
- Cybersecurity for Lawyers: lessons from other professions
- Tech Competence: Don’t Let the Web Bugs Bite
- Thaw Bound? Protect Client Data at the Border
- Protecting Client Data
- The Cloud: What are Reasonable Precautions?
- To Encrypt or not to Encrypt? THAT is the question
- Competence Includes Tech Competence
And, the full text of the post The Cloud: What are Reasonable Precautions?
Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud. I started by saying that I hoped it was my final seminar on the topic. I was serious.
Let’s walk through this.
In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent. See, Rule 1.6. A lawyer also has a duty to keep client property safe. See, Rule 1.15.
I view the cloud as the latest in a long line of different places to store information. In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.
No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment . When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. Rule 1.6, Comment .
So, think about cloud storage like this: client information is electronically transmitted to a place where it will be kept. Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.
In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06. Here’s the digest of the opinion:
- “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”
(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)
The question I hear most often is this: “what are reasonable precautions?” In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:
- who do you let into this facility?
- do you require a passcode or badge for the gate?
- are there locks on the individual units?
- who besides me has a key or knows the combination?
- can I get into my unit whenever I want to?
- what happens to my files if I don’t pay or if you go out of business?
Indeed, take a look at page 6 of the VBA Opinion. The Committee suggested some of those exact questions when considering a cloud vendor.
Or, take a look at this post from Robert Ambrogi. He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:
- Is it a solid company with a good reputation and record?
- Can you get access to your data whenever you want, without restrictions?
- If your service is terminated – by you or by the company – can you retrieve your data?
- Does it allow use of advanced password protocols and two-step verification?
- What are its internal policies regarding employee and third-party access to your data?
- Is your data encrypted both while in transit and while at rest on the company’s servers?
- How is your data backed up?
- What security protections are in place at the data centers the company uses?”
Finally, remember that asking the questions isn’t enough. You need to understand the answers or find someone who does. For example, imagine this:
- You: Will my data be encrypted in transmission and at rest?
- Vendor: Yes. In transmission, we use a BTTF Flux Capacitor. At rest, we use the latest cloaking technology from Romii.
- You: Sounds awesome. Sign me up.
Umm, no. You just signed up to star in the next entry in Was That Wrong.
In conclusion, you may store client information in the cloud so long as you take reasonable precautions. This entry includes links that will help you determine what “reasonable precautions” are. Don’t fear the cloud but know what you don’t know.