Hello everyone and welcome to this JACPA Ethics Alert blog which will discuss the recent (and lengthy) Pennsylvania Bar Association Ethics Opinion which opines that storing confidential client information and documents electronically in the ‘cloud’ is permissible if the lawyer implements appropriate safeguards. The Ethics Opinion is attached.
The Pennsylvania Ethics Opinion states that “(a)n attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.” The opinion also concludes that “the Pennsylvania Rules of Professional Conduct require attorneys to make reasonable efforts to meet their obligations to ensure client confidentiality, and confirm that any third-party service provider is likewise obligated.”
The ethics opinion sets forth guidance and recommendations for lawyers to insure that client confidential information is protected, including backing up the data, installing firewalls, and using encryption. The opinion also addresses questions and issues related to the provider of the cloud storage and recommends that, in addition to fully investigating the provider, the lawyer should insure that:
- the provider explicitly agrees that it has no ownership or security interest in the data,
- the provider agrees there is an enforceable obligation to preserve security,
- the provider is required to notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information,
- the provider’s system has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing,
- the terms of service or service level agreement includes an agreement regarding how confidential client information will be handled (and kept confidential),
- the terms of service or service level agreement provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed,
- the provider keeps the data only within a specified geographic area,
- there is a specific method for the lawyer to retrieve the data, when and if necessary,
- the lawyer has the ability to obtain data off the vendor’s servers for the lawyer’s own use or in-house backup offline.
The ethics opinion also discusses lawyers’ use of Web-based e-mail services such as Gmail and Hotmail is permitted; however, lawyers “should be aware of and mitigate” any potential confidentiality issues. The opinion states that these services may typically be used without encryption, although certain circumstances may require heightened security, including encryption.
Bottom line: As a reminder, Bar Ethics Opinions (particularly out of state opinions) are not binding; however, they can be very useful for guidance and mitigation, if necessary. The Pennsylvania Bar Ethics Opinion sets forth detailed recommendations and guidance for lawyers who will be (or are) storing client data in the “cloud”. There is no Florida Bar Ethics Opinion which specifically addresses the issue of storing client data in the “clouds”; however, Florida Bar Ethics Opinion 10-2 addresses the storage of confidential information on digital devices, such as smart phones and digital printers.
…be careful out there!
As always, if you have any questions about this Ethics Alert or need assistance, analysis, and guidance regarding these or any other ethics, risk management, or other issues, please do not hesitate to contact me.
THE LAW OFFICE OF JOSEPH A. CORSMEIER, P.A.
PROVIDES ETHICS ADVICE AND EXPERT OPINIONS TO LAWYERS AND LAW FIRMS
DEFENDS LAWYERS IN BAR ADMISSION AND DISCIPLINE CASES
(AND MUCH MORE!)
My law firm focuses on review, analysis, and interpretation of the Rules Regulating The Florida Bar, advice and representation of lawyers in Bar disciplinary matters, defense of applicants for admission to The Florida Bar before the Board of Bar Examiners, defense of all Florida licensed professionals in discipline and admission matters before all state agencies and boards, expert ethics opinions, and practice management for lawyers and law firms. If there is a lawyer or other Florida professional license involved, I can defend the complaint or help you get your license.
If you have any questions or comments, please call me at (727) 799-1688 or e-mail me at email@example.com. You can find my law firm on the web at www.jac-law.com. In addition to handling individual cases, matters, problems and issues for my clients, I also am on retainer to provide ethics advice to numerous lawyers and law firms throughout the state of Florida. I also provide legal assistance and advice to numerous individuals and non-legal entities to help insure compliance with the law and rules related to UPL and other issues.