ETHICS FOR LAWYERS IN THE CLOUD

What the Model Rules are saying about practices in Cyberspace

Donna SeyleLawyer/Writer/Founder

LawPracticeStrategy.com

IntroductionLawyers’ use of cloud computing is growing as the technology becomes safer, the cost-effectiveness becomes more evident, internal productivity increases, and the need to provide a variety of legal services delivery becomes a market imperative. The questions have arisen: the use of technology raises ethical questions related to how lawyers go about choosing cloud vendors, and how they are using cloud products chose.In 2009, the ABA formed a new commission, Ethics 20/20, to investigate just that. As a result, although very few changes have been made to the Model Rules, draft opinions, issue papers seeking comments and their replies have emerged from both the ABA and various state bar associations that address how the rules apply to cloud computing as they are currently written.The Model Rules that have come under scrutiny and will be discussed are:

Confidentiality: Rules 1.6(a) and 1.15 Competence and Diligence: Rules 1.1 and 1.3 Duties to Prospective Clients: Rules 1.18 and 1.2 Unauthorized Practice of Law: Rule 5.5 Duty to Supervise: Rule 5.3

Duty of ConfidentialityM.R. 1.6(a) and 1.15

Confidentiality and Safeguarding Property When client information is transferred and/or stored in a cloud

system Use of 3rd-party cloud applications in communicating Relinquish control of data Rule 1.6 standard: lawyers must take “reasonable precautions”

to safeguard client information and prevent it from going to unintended recipients during the transmission.

Requires due diligence in vetting your choice of vendor Includes hiring a technology advisor if lawyer doesn’t feel

capable of making effective choices States have not attempted to define “reasonable care”;

technology changes too quickly Be sure to stay current on any changes in regulation in your

state

Competency and DiligenceM.R. 1.1 & 1.3

Requires that the lawyer is thoroughly prepared to provide representation to the client

When applied to cloud computing, requires lawyers to understand the technology and security issues when selecting a cloud service provider and devices

To do so, lawyers must do their due diligence in vetting their chosen vendor

Lawyers must also diligently follow best practices in the use of the technology to insure confidentiality

Lawyers’ best practices include using cloud computing to conduct factual research in representing their client

Must also inform client of their use of cloud software in the act of representation

Checklist: Vetting the Vendor

It is reasonable to expect the lawyer to vet the vendor to determine its security protocols. Here is a list of questions lawyers can use:

What kind of facility will host the data and how are they secured? Who else has access to the facility, servers and data and how is authorization for

access determined? How do they screen employees? Does the contract address confidentiality? If not, is the vendor willing to sign a

confidentiality agreement? How frequently are back-ups performed? Is data backed up to more than one server? Are they georedundant? Are all servers located in the United States? What types of encryption are used, and how are passwords stored? Is data encrypted

both in transit and at rest? Has the vendor been certified by a 3rd party service? Are audits available for review? Are there redundant power supplies for the servers? Is there guaranteed uptime? What remedies are provided for in the event of breach? What are the data breach notification procedures? What are your rights upon termination? Does the vendor carry cyberinsurance? Be sure to review Service Level Agreement (SLA) and Terms of Service (TOS)

Unauthorized Practice of LawM.R. 5.5

Issue arises in multijurisdictional virtual practice and when providing clients with self-help software solutions

5.5 (a) and (b) restrict a lawyer from practicing in a jurisdiction where she is unlicensed, or establish “systematic and continuous presence” in this jurisdiction

Lawyer’s online presence must make clear where she is authorized to practice

Should have a jurisdiction check built into the cloud system to ensure client’s residency

A virtual lawyer practicing in the state where he is licensed, but resides elsewhere, may establish “systematic and continuous presence”

However, some states have residency requirements and “bona fide office” rules (e.g., New Jersey)

Lawyers offering self-help software: in Texas, they rewrote their rule that self-help using computer software does not substitute for legal services

Duty to SuperviseM.R. 5.3

Managing lawyers must make reasonable efforts to ensure a non-lawyers conduct is compatible with professional obligations of the lawyer

This includes non-lawyer employees, independent contractors such as paralegals, virtual assistants, and any legal process outsourcing company retained by the firm

Use a permissions-based technology system Conduct an extensive conflicts check or have confidentiality

agreements signed Be certain outsourced contractors are given a copy of the firm’s

policy for use of cloud software and social media

Resources

International Legal Technology Standards Virtual Law Practice – by Stephanie Kimbro Cloud Computing for Lawyers – Nicole Black Law Practice Management Section – American

Bar Association