North Carolina Revisits Cloud Computing Ethics Opinion

The North Carolina State Bar has revisited its proposed Formal Ethics Opinion (FEO) on cloud computing and addressed many of the concerns the legal cloud computing community had previously expressed.

The main point of concern with the previous opinion was a list of minimum mandatory requirements that an attorney had to ensure were met by their cloud computing provider. In an open letter to the NC State Bar, the Legal Cloud Computing Association outlined its concerns with the proposed FEO; prominent bloggers such as Carolyn Elefant, Stephanie Kimbro, Erik Mazzone and Niki Black also outlined their concerns about the potential implications of the FEO as written.

The NC State Bar had published the proposed FEO for comments, and to their credit they listened carefully to the feedback they received and have re-issued an updated Proposed 2011 FEO 6 that addresses many of the concerns the LCCA and others had expressed relating to the previous draft.

The NC State Bar has eliminated the mandatory minimum requirement “checklist” from the opinion, rightly pointing out that such checklists are fraught with issues:

This opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and frequent and regular education are required.

Instead, the proposed FEO opts for a more flexible set of due diligence requirements:

Although a lawyer may use nonlawyers outside of the firm to assist in rendering legal services to clients, Rule 5.3(a) requires the lawyer to make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer. The extent of this obligation when using a SaaS vendor to store and manipulate confidential client information will depend upon the experience, stability, and reputation of the vendor. Given the rapidity with which computer technology changes, law firms are encouraged to consult periodically with professionals competent in the area of online security. Some recommended security measures are listed below.

• Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.

• If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.

• Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.

• Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.

• Evaluation of the extent to which the SaaS vendor backs up hosted data.

The NC Bar’s proposed FEO, like the ABA 20/20 Ethics Commission Proposals, makes the “reasonable care” standard the baseline to be adhered to, and affirms that a lawyer’s duty to protect the confidentiality of client data “does not compel any particular mode of handling confidential information nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information.”

The new proposed FEO strikes the right balance of providing guidance to the Bar’s members without overly restricting technological freedom. The opinion, as written, can serve as a model for other Bars looking to provide increased clarity on the ethics of cloud computing to their membership.