Ethical Considerations for Lawyers Using the Cloud
Maine State Bar Association Summer Meeting
June 22, 2012
Presentation by Peter J. Guffin, Esq. Pierce Atwood LLP
(207) 791-1199
Maine Rules of Professional Conduct
Rule 1.1 Competence
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Maine Rules of Professional Conduct
Rule 1.1 Competence (cont’d.)
Maintaining Competence
Comment [6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Maine Rules of Professional Conduct
Rule 1.6 Confidentiality of Information
(a) A lawyer shall not reveal a confidence or secret of a client unless, (i) the client gives informed consent; (ii) the lawyer reasonably believes that disclosure is authorized in order to carry out the representation; or (iii) the disclosure is permitted by paragraph (b).
Maine Rules of Professional Conduct
Rule 1.6 Confidentiality of Information (cont’d.)
Acting Competently to Preserve Confidentiality
Comment [16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.
Maine State Bar Professional Ethics
Opinion #194 (06/30/2008)
Client Confidences: Confidential firm data held electronically and handled by technicians for third-party vendors
Conclusion: “With appropriate safeguards, an attorney may utilize transcription and computer server backup services remote from both the lawyer’s physical office and lawyer’s direct control or supervision without violating the attorney’s ethical obligation to maintain client confidentiality.” (Emphasis added.)
Maine State Bar Professional Ethics
Opinion #194 (06/30/2008) (cont’d.)
“The precise parameters of what constitutes ‘appropriate standards’ are not defined in the rules or opinions, but are based on reasonable efforts to prevent the disclosure of confidential information.”
“At a minimum, the lawyer should take steps to ensure that the company providing transcription or confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved.”
Maine State Bar Professional Ethics
Opinion #194 (06/30/2008) (cont’d.)
In addition, “[i]n some circumstances . . . the lawyer would be well advised to include a contract provision requiring the contractor to inform the lawyer in the event the contractor becomes aware of any inappropriate use or disclosure of the confidential information.”
Iowa State Bar Association Committee on
Ethics and Practice Guidelines
Ethics Opinion 11-01 Use of Software as a Service – Cloud Computing (09/09/2011)
“[The Rule] recognizes that the degree of protection to be afforded client information varies with the client, matter and information involved.”
“Whatever form of SaaS is used, the lawyer must ensure that there is unfettered access to the data when it is needed. Likewise the lawyer must be able to determine the nature and degree of protection that will be afforded the data while residing elsewhere.”
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010)
Using an outside online storage provider to store client confidential information
“[A] lawyer may use an online “cloud” computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained. ‘Reasonable care’ . . . may include consideration of the following steps:
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010) (cont’d.)
• Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
• Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010) (cont’d.)
• Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored;”
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010) (cont’d.)
“[T]he lawyer should periodically reconfirm that the provider’s security measures remain effective in light of advances in technology.”
“If the lawyer learns information suggesting that the security measures used by the online data storage provider are insufficient to adequately protect the confidentiality of client information, or if the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.”
“Not only technology itself but also the law relating to technology and the protection of confidential
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010) (cont’d.)
developments, especially regarding instances when using technology may waive an otherwise applicable privilege.”
New York State Bar Association Committee
on Professional Ethics: Opinion #842
(09/10/2010) (cont’d.)
“[E]xercising ‘reasonable care’ under Rule 1.6 does not mean that the lawyer guarantees that the information is secure from any unauthorized access.”
ABA Proposed Amendment to Comment 6 of
Model Rule 1.1
Maintaining Competence
Comment [6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology, engage in continuing study and education and comply with all continuing legal
ABA Proposed Amendment to
Model Rule 1.6
Rule 1.6 Confidentiality of Information
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
ABA Proposed Amendment to
Comment 16 of Model Rule 1.6
Acting Competently to Preserve Confidentiality
Comment [16] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons or entities who are participating in the representation of the client or who are subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.
Iowa State Bar Ass’n, Comm. on Ethics and Practice Guidelines, Op. 11-01 (2011), available at http://www.iabar.net/ethics.nsf/e61beed77a215f6686256497004ce492/02566cb52c2192e28625791f00834cdb?OpenDocument
Me. Bar Ass’n, Prof’l Ethics Comm., Op. 194 (2008), available at http://www.maine.gov/tools/whatsnew/index.php?topic=mebar_overseers_ethics_opinions&id=86894&v=article
N.Y. Comm. On Prof’l Ethics, Op. 842 (2010), available at http://www.nysba.org/AM/TemplateRedirect.cfm?template=/CM/ContentDisplay.cfm&Section=Ethics_Opinions&ContentID=55952
THANK YOU!
Peter J. Guffin
Pierce Atwood LLP
Merrill’s Wharf
254 Commercial Street
Portland, ME 04101
Tel: (207) 791-1199

ETHICAL CONSIDERATIONS FOR LAWYERS USING THE CLOUD
Maine State Bar Association Summer Meeting
June 22, 2012
Evaluating SaaS Vendors
Listed below are common questions used to evaluate cloud-based service providers to determine if they will work for you. While no list is complete, it can serve as an evaluative baseline through which to consider a potential vendor.
A. DATA PROTECTION
1. What type of encryption is used to protect my data?
2. What are their third party certifications and/or other industry certifications?
3. How secure is their physical environment?
4. How – and how often – do they test their systems?
5. Do they monitor for intrusions in real time?
6. Are their data centers U.S. based?
B. DATA OWNERSHIP
1. What are their contract terms and conditions?
2. What systems are in place to restore my data in case of disaster?
3. What happens if I terminate my service?
4. Who “owns” the data?
5. Who has access to my data, besides me and my authorized staff?
6. Does the vendor outsource any of their services to third-party providers, and if so, what are their credentials?
8. In what ways, if any, do they make use of my data (i.e. anonymously to track usage, etc.)?
C. DATA AVAILABILITY
1. What are their uptime guarantees?
2. What financial penalties do they impose for late payments?
3. Do they have backups of their own data?
4. Do they offer a trial period?
5. How many data centers do they have in total?
6. If the vendor goes out of business, will I have access to the data and the software or source code?
7. Do they have a data recovery plan of their own in place?
8. Do they have a business continuity plan of their own in place?
9. Is there 24/7 customer service? Can you get someone on the phone?
Peter J. Guffin, Esq. Pierce Atwood LLP