North Carolina Publishes Final Cloud Computing Ethics Opinion
After nearly two years since publishing its first proposal on the topic, the North Carolina State Bar has adopted its Formal Ethics Opinion on cloud computing (thanks to Steph Kimbro for the heads up). The opinion, titled 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property, concludes that:
a law firm may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information
Like the Law Society of British Columbia’s Report on Cloud Computing, the final NC Ethics opinion makes it clear that, while cloud computing can be an acceptable computing platform for the storage and transmission of confidential client data, the selection of a particular cloud computing provider should be prefaced with a reasonable level of due diligence. Some of the recommended security measures from the bar’s ethics opinion include:
- Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
- If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
- Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
- Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
- Evaluation of the extent to which the SaaS vendor backs up hosted data.
The final NC ethics opinion joins a growing body of both ethics opinions and reports with a simple take-away: cloud computing is an acceptable technology to use in a law firm, but do your homework, as the protective provisions granted to your data will vary substantially across cloud computing vendors.
The NC Bar opinion cites the truism that a lawyer need not “use only infallibly secure methods of communication” – but it is equally true that lawyers tend to ignore the conditionality in ethics opinions that permit use of technology. In the late 1990s, ABA Formal Opinion 99-413 and state bar opinions allowed lawyers to use unencrypted email “generally” or “in most instances.” Today, however, lawyers commonly use unencrypted email without exception, even though there are greater risks to cloud-based email today than in the ’90s.
Similarly, lawyers are likely to misinterpret NC 2011 Formal Ethics Opinion 6 and similar guidance as giving blanket permission to use cloud services, albeit perhaps after some initial diligence. That simple take-away is a misimpression. Although cloud storage of most client documents indeed may be ethically permissible, the use of a SaaS storage provider requires an ongoing assessment of the risk environment. It also requires the lawyer to consider the circumstances related to the particular document or communication, and to discuss the use of the technology with the client when the risk may be unreasonable.
A technology that is acceptable for use with one client may be unreasonable to use for another client, based on factors such as those described in CA State Bar Opinion 2010-179. Lawyers should consider . There are some instances, for example, where attorneys would be prudent to pre-encrypt the documents before transmitting them or storing them with a third-party SaaS provider. Simple add-on software, such as and will semi-automatically encrypt and decrypt Dropbox documents.