
Cyber Liability - To Cloud or Not to Cloud: How Do Lawyers Decide What Cloud Based System is Right

Cloud based systems have become commonplace and are widely used by law firms. Generally, cloud computing allows data and programs to be stored and accessed over the Internet from any compatible device, instead of relying on your computer’s hard drive. Cloud based systems give us the ability to share large files and to back up and sync files, making the practice of law more efficient and streamlined. Clients entrust attorneys with their most important and critical information—settlements, financials, intellectual property, medical records, tax returns. Disclosure of any of this information could cripple any individual or business.

Should law firms use a cloud based system to store their clients’ information? What should a law firm look for in selecting a cloud based system? Law firms should consider confidentiality, ethical issues and critical protections of their clients’ data before selecting a cloud based system.

Law firms must be aware of all of the ethical and state requirements with regard to cloud based systems. A law firm’s first obligation is to ensure the confidentiality of its clients’ information. This obligation is generally found in state rules of professional conduct similar to Model Rule of Professional Conduct 1.6, which states that lawyers “shall not reveal information relating to the representation of a client unless the client gives informed consent.”1 The August 2012 revisions to the ABA Model Rules of Professional Conduct provide guidance regarding a lawyer’s use of technology and confidentiality.2 Over twenty states and local bar associations have also issued opinions on law firms’ ethical obligations regarding the use of cloud based systems. Generally, these opinions focus on the duty to preserve the confidentiality of client data and to undertake proper due diligence and “reasonable care” to ensure that the selected cloud based system takes proper precautions to secure client information.

In Connecticut and Massachusetts, client information maintained in the cloud must be subject to the lawyer’s “reasonable access and control,” and lawyers must ensure that cloud service providers take adequate steps to prevent unauthorized access to the data.3 In Alabama, by contrast, the lawyer’s duty of reasonable care requires the lawyer to: 1) understand how the vendor secures the data; 2) reasonably ensure that the cloud service provider abides by confidentiality agreements; and 3) keep current on safeguards, because “the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider.”4

Some states define the obligations and a lawyer’s duty of due diligence in the selection of the vendor. In the Pennsylvania opinion, several steps of “due diligence should be taken prior to selection of a cloud based vendor, including ensuring:

a. the existence of an obligation imposed on the vendor to preserve security;
b. a mechanism for the vendor to notify the lawyer if a third party requests access to the stored information;
c. the existence of systems that are sufficient to protect the data from unauthorized access;
d. an agreement about how confidential client information will be protected;
e. the ability to review the vendor’s security systems; and
f. tools to protect the lawyer’s ability to access and retrieve the data.”5

However, in Iowa, a lawyer may rely “on the due diligence services of independent companies, bar associations or . . . its own qualified employees.”6

Law firms should also be aware of the international data security laws of the countries to or from which they export or import data. The European Union, in particular through the EU General Data Protection Regulation (“GDPR”), has very strict rules on how its citizens’ personal information is collected and processed, and demands that “reasonable and appropriate” measures be taken to secure that data. The penalties for failing to comply with the new GDPR can reach 20 million Euros or 4% of an organization’s annual revenue, whichever is greater.

Generally, the physical security of the cloud based system should be continuous, with physical access to the computers limited to the authorized personnel in charge of the servers and enforced through security checkpoints. Cloud vendors should also have firewalls preventing any unauthorized access to the information, with third-party audits of firewall security. Law firms should also insist on an independent audit performed on a regular basis, with reports provided for review. The cloud vendor should be required to apply security patches and software updates within thirty days of their publication. Law firms should insist that all sensitive data, including client information, be transmitted only over an encrypted connection (secure sockets layer, or its current successor, TLS).

Further, law firms should be particularly critical in their review of the cloud system vendor agreement before executing it. Law firms should focus on the provisions that hold the vendor fully accountable in the event of a breach and that spell out the vendor’s security incident obligations. Law firms should secure contractual rights to audit the cloud service provider and require that it provide third-party audit reports. Law firms should ensure the right to subrogation in the event of an incident. The vendor agreement should include vendor insurance screening criteria, including an analysis of additional insured status and coverage. The agreement should secure provisions regarding warranties, indemnification, security, privacy and limitations of liability. Law firms should also insist on jurisdiction and arbitration provisions.

Law firms are also responsible for securing client files against possible degradation (natural disaster or system failure) and destruction. Prior to selecting a cloud system vendor, a law firm must inquire how the client’s data would be secured and backed up, and whether the data would be available “offline” in the event of an incident. The vendor’s service level agreement must address confidentiality and security. Vendors of cloud computing services should be treated like other third-party vendors who have access to client information. Cloud computing vendors often have AICPA SAS 70 Type II audits (since superseded by SOC 1 and SOC 2 reports under SSAE 16 and SSAE 18) available for customers to provide to their auditors in order to analyze the adequacy of security. These reports can provide detail about the security procedures in place.

Similar to traditional storage and retention of client files, a lawyer cannot guarantee that client confidentiality will never be breached, whether by an employee or some other third party. However, law firms have a duty of reasonable care in selecting a cloud based provider and entrusting it with the storage of confidential client data. The ability to access clients’ data securely and efficiently is critical to any law firm’s practice. Therefore, a law firm should be confident that the cloud based provider it selects will properly protect clients’ data in compliance with all ethical and professional rules of conduct.

This article was prepared by Carolyn Purwin Ryan, Esq. of Cipriani & Werner, P.C. We trust that the above article was useful and thought provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.

For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke USI Affinity today.

  1. ABA Model Rule of Professional Conduct 1.6(c).
  2. American Bar Association, Commission on Ethics 20/20 Report to the House of Delegates (Aug. 2012); “Ethics 20/20 Report”, available at http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf.
  3. Massachusetts Bar Association Opinion 12-03 https://www.massbar.org/publications/ethics-opinions and Connecticut Bar Association Professional Ethics Committee Informal Opinion 2013-07 http://www.ctbar.org/?page=ProfessionalEthics
  4. Alabama’s Disciplinary Commission Opinion 2010-02, https://www.alabar.org/resources/office-of-general-counsel/formal-opinions/2010-02/
  5. Pennsylvania Bar Association Formal Opinion 2011-200, https://www.pabar.org/members/catalogs/Ethics%20Opinions/formal/F2011-200.pdf
  6. Iowa Bar Association’s Ethics Committee Opinion 11-01, http://www.iowabar.org/group/Ethics
