James M. McCauley, ethics counsel for the Virginia State Bar, has written an article for the February issue of the Virginia Lawyer Magazine, entitled “Cloud Computing — A Silver Lining or Ethical Thunderstorm for Lawyers?”
Even if you aren’t licensed to practice in Virginia, I would recommend reading this well-balanced article on cloud computing.
McCauley summarizes the benefits of the technology for practice management, but spends the majority of the article answering the questions I’m sure he and other ethics counsel hear all the time from attorneys trying to figure out how to implement cloud computing in their practices. He starts out by stating that “there is no basis in the Virginia Rules of Professional Conduct for an unqualified prohibition of lawyers managing their office software applications and client data using cloud computing.” And then explains how Rule 1.6(a) gives attorneys an ethical duty to protect our clients’ confidential information. From there the discussion moves to concerns about security and reliability of cloud computing.
From what I could find, the Virginia Bar has not published an ethics opinion specifically discussing cloud computing or third-party storage of law office data. In September of 2008, the Bar published Ethics Opinion 1842, “Obligations of a Lawyer Who Receives Confidential Information Via Law Firm Website or Telephone Voicemail”. However, this 2008 opinion doesn’t go into the use of the technology which one would assume these days is cloud-based if it’s via a law firm website. Perhaps the Virginia State Bar decided that instead of attempting to write an ethics opinion on technology that might quickly become outdated, they would publish guidelines and provide education to their members instead. Kudos.
The article cites the ethics opinions of Alabama, Arizona, Massachusetts and Nevada regarding security of third-party hosting of law office data. He notes that Alabama’s Ethics Opinion is similar to Virginia’s Rule 1.6(b)(6) which permits attorneys to share confidential information with a third-party if “necessary for statistical, bookkeeping, accounting, data processing, printing, or other similar office management purposes, provided the lawyer exercises due care in the selection of the agency, advises the agency that the information must be kept confidential and reasonably believes that the information will be kept confidential” and does not require client consent for such a disclosure.
The article concludes with best practices for cloud computing vendors and questions that attorneys should get answers to from those vendors before subscribing. From the list of questions, only one of them is new to me: “Does the customer have the right to approve in advance any transfer of data to another state or country?” Presumably this would occur if the vendor switches servers or adds another level of redundancy and wants to transfer the law office data to that new server in a different data center. I would think that if the attorney receives assurance in the SLA about where the data will be housed, especially that it won’t be located in an overseas server subject to international laws, that would suffice. But with the way that cloud vendors need to occasionally reallocate resources for their users, the potential for the data to be moved after the attorney is already set up as a user is a real one.
Overall, it’s a solid breakdown of the basic ethics issues in adopting cloud computing in law practice. I’m pleased to see that this is the way Virginia handled the issue and hope that other state bars’ ethics counsels act similarly in providing educational materials.