There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations. This issue is especially acute when it comes to using the cloud to store privileged documents. A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality. In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.
Attorney Ethical Rules in the Digital Age
The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The application of this rule to digital technologies has been dealt with by resolutions and commentary. Fairly recently, the ABA published Resolution 109, calling for firms to “develop, implement, and maintain an appropriate cybersecurity program.” And few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring “competent representation to a client”) to state that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” (added language italicized).
Attorney-Client Privilege in the Cloud
Is it ethical for attorneys and law firms to store privileged documents in the cloud? After all, they are storing such documents on a third party’s computer.
This question has been a widespread concern, enough so that several state bar associations have issued guidance. Their consistent conclusion is that it is ethical to store privileged documents in the cloud. For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”
The New York Bar Association Ethics Opinion 842 concludes that “a lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”
Other state bars have reached similar conclusions. The ABA maintains a page that tracks what state bars are holding on this issue. The states in blue have all issued opinions on the use of the cloud, and all state essentially the same thing: Using the cloud is ethical as long as reasonable care is taken.
In many situations, data stored in the Cloud might have stronger security protections than when stored on the attorney or firm’s own network. This is because some of the best cloud service providers have more sophisticated security practices and more robust technical and other resources to protect the data than a law office or firm. For example, the Panama Papers breach at Mossack Fonseca occurred on the firm’s network, which had numerous security vulnerabilities.
Attorneys don’t have a blank check to store anything with any third party. There still are cybersecurity obligations. According to widespread standards in other industries, there are certain essential practices when selecting and contracting with a cloud service provider. The Pennsylvania Bar Association guidance notes that “reasonable safeguards” must be used “to ensure that the data is protected from breaches, data loss and other risks.” What are such reasonable safeguards? I will discuss that in the part below.
Confidentiality and Cybersecurity Responsibilities
Attorneys and law firms have significant confidentiality and cybersecurity responsibilities. These typically involve using “reasonable care,” which is a standard grounded in common best practices and norms. These standards are mentioned in various state bar opinions and guidance, as well as in data security regulation of other industries.
For example, the FTC cases on data security are useful to study to learn about common best practices across a wide array of industries. The FTC typically enforces standards that are commonly accepted as the norm for reasonable security practices. I have written about the FTC extensively in my article, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014) (with Woodrow Hartzog), and this piece includes a listing of the data security deficiencies that the FTC has identified as problematic.
I have written an earlier post about the cybersecurity risks that law firms face and about how a number of firms and attorneys need to step up their efforts to protect data.
State bars have also provided many useful examples. Some of these include (1) eliminating metadata when documents are transmitted to adverse parties; (2) taking precautions when using public wireless connections to communicate with clients, such as using firewalls and encryption; (3) backing up data; (3) implementing audit logging to monitor who is accessing data; (4) having a data breach response plan; and (5) having a firewall on the firm or office network.
With regard to using cloud service providers, relevant responsibilities of attorneys include (1) performing due diligence in selecting a cloud service provider; (2) having an appropriate contract in place with the cloud service provider; (3) exercising good security practices on their own network and when accessing data stored in the cloud; and (4) engaging in continued monitoring of the cloud service provider to ensure that the provider is living up to its obligations.
Due Diligence When Selecting a Cloud Service Provider
Due diligence should involve examining whether a cloud service provider has:
- adequate safeguards in place to maintain accessibility of data in the event of disasters
- sufficient stability and resources
- appropriate procedures to comply with a litigation hold
- appropriate written policies and procedures to protect confidentiality and security
- appropriate back up
- appropriate security protections, including employee training, penetration testing, etc.
Contracts with cloud service providers should require, among other things:
- Ownership of the data remains with the attorney or firm, not the cloud service provider.
- Attorneys must have adequate access to the data.
- Data should be routinely backed up.
- There should be an enforcement provision if the provider fails to meet its obligations.
- The cloud service provider should provide reasonable and appropriate security protections.
- The data is hosted in countries with sufficient legal protections of privacy and security and adequate rules regulating government access.
- The data is returned in the event of termination of the contract.
Good Data Security Practices
Additionally, attorneys and support personnel have obligations for their own behavior when using cloud service providers such as being trained about data security best practices, use of strong passwords, safe practices when using public Wi-Fi, avoiding falling for phishing scams, and so on.
Ongoing Vigilance of Cloud Service Providers
Finally, attorneys or firms must continue to monitor any cloud service provider they use to ensure that the provider is complying with the agreement and to ensure that the provider is keeping up with new technological developments and protecting against emerging security threats.
The above are not exclusive lists, but are examples of some of the kinds of things that are encompassed by the duty to exercise “reasonable care.”
It is clear that attorneys and firms can use cloud services consistent with their obligations to maintain the confidentiality of client information. Reasonable care must be exercised in the process, and that involves due diligence when selecting a cloud service provider, having the appropriate contractual provisions in the agreement with the cloud service provider, and continuing to be vigilant about how well the provider is living up to its obligations.
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy awareness and security training company. He is the author of 10 books and more than 50 articles. Thanks to Microsoft for its support of this piece. All views in this piece are my own.