There have been two important and encouraging developments on the ethics of cloud computing over the last month.
First, the ABA Commission on Ethics 20/20 has issued an initial set of draft proposals addressing lawyers’ confidentiality-related obligations when using technology. The Commission’s draft report proposes:
- The development of a centralized, user-friendly website that contains continuously updated and detailed information about confidentiality-related ethics issues arising from lawyer’s use of technology, including the latest data security standards.
- Amendments to several Model Rules of Professional Conduct and their Comments to offer specific guidance and expectations relating to technology.
The amendments to the Model Rules of Professional Conduct do not relate to a specific technology (e.g. cloud computing), as the Commission recognizes that “unlike the proposed website, which can be regularly updated in light of new technology and changing security concerns, the rule and comment-based proposals necessarily offer more general guidance that are not tied to the use of any particular form of technology.”
The Commission also notes that technology has become an integral part of virtually every law practice, and as such a basic working knowledge of technology’s benefits and risks should be regarded as a baseline requirement to practice law competently:
The Commission concluded that competent lawyers must have some awareness of basic features of technology. To make this point, the Commission is recommending an amendment to Comment  of Model Rule 1.1 (Competence) that would emphasize that, in order to stay abreast of changes in the law and its practice, lawyers need to have a basic understanding of technology’s benefits and risks.
The Commission also proposes amendments to make the ethical obligation to safeguard client data more explicit:
Proposed new Model Rule 1.6(c) would make clear that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access. This duty is already implicit in Model Rule 1.6 and is described in several existing comments, but the Commission concluded that, in light of the pervasive use of technology to store and transmit confidential client information, this obligation should be stated explicitly in the black letter of Model Rule 1.6.
The Commission has made a set of well-reasoned recommendations that would see a set of technology-related but implementation-neutral amendments to the Model Rules of Professional Conduct. The proposed changes are good news for cloud computing vendors and users alike, as the Commission has recognized that the Rules of Professional Conduct should not be bound to a specific type of technology, whether it’s on-premise computing, cloud computing, or mobile computing, but should rather detail the expectation for a lawyer to both understand and minimize the risks relating to his or her use of technology. The educational website the Commission recommends developing would be a valuable resource to help lawyers meet this obligation.
The second major cloud computing ethics development comes from North Carolina, where the NC State Bar has updated its Proposed Formal Ethics Opinion on the use of Software-as-a-Service in a law firm. The NC State Bar opinion is one of the first ethics opinions in North America to explicitly deal with the ethical issues relating to cloud computing. The following is the question posed of the ethics committee in Proposed 2011 Formal Ethics Opinion 6 – Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property:
SaaS for law firms may involve the storage of a law firm’s data, including client files, billing information, and work product on remote servers rather than on the law firm’s own computer and, therefore, outside the direct control of the firm’s lawyers. Lawyers have duties to safeguard confidential client information, including protecting that information from unauthorized disclosure, and to protect client property from destruction, degradation, or loss (whether from system failure, natural disaster, or dissolution of a vendor’s business). They also have a continuing need to retrieve client data in a form that is usable outside of a vendor’s product. Given these duties and needs, may a law firm use SaaS?
The proposed ethics opinion answers:
Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including the information in a client’s file, from risk of loss.
The opinion goes on outline minimum security measures to be employed by a SaaS-using law firm and references other best security practices, such as the newly-formed ILTSO standards.
The ABA Commission on Ethics 20/20 proposal and the NC State Bar proposed ethics opinion both represent important steps forward in clarifying the ethics of cloud computing, and it’s encouraging to see both organizations take forward-looking positions on the use of technology in law firms.