Nearly two years after publishing its first proposal on the topic, the North Carolina State Bar has adopted its Formal Ethics Opinion on cloud computing (thanks to Steph Kimbro for the heads up). The opinion, titled 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property, concludes that:
a law firm may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information
Like the Law Society of British Columbia's Report on Cloud Computing, the final NC ethics opinion makes it clear that, while cloud computing can be an acceptable computing platform for the storage and transmission of confidential client data, the selection of a particular cloud computing provider should be preceded by a reasonable level of due diligence. Some of the recommended security measures from the bar's ethics opinion include:
- Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
- If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
- Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
- Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
- Evaluation of the extent to which the SaaS vendor backs up hosted data.
The final NC ethics opinion joins a growing body of both ethics opinions and reports with a simple take-away: cloud computing is an acceptable technology to use in a law firm, but do your homework, as the protective provisions granted to your data will vary substantially across cloud computing vendors.