When I was quite young, my family traveled to my grandparent’s house about six hours away. Midway through the trip my brother asked, “Are we there yet?” We weren’t. Instead of playing another game of I spy, I closed my eyes in hopes of falling asleep. When I awoke, I learned that my grandparents had moved. Their new house did not have a front porch or a swing for me to sit and listen to my grandfather’s stories. I liked their new house, but it wasn’t what I expected.
Recently, I was in a conference room listening to a vendor extol the virtues of cloud computing. Cloud computing generally involves storing client data on a third-party vendor’s servers, rather than on the law firm’s servers. Typically, the data is accessed by the lawyer or her staff online.
During the meeting, I thought about the jurisdictions that have issued ethics opinions on cloud computing. I caught myself asking, “Are we there yet?” My research reflects that each of the ethics committees agree that cloud computing can be available to lawyers. These opinions have focused on determining what the lawyer must do in order to satisfy the ethics rules. Nevertheless, at the present, the professional ethics committee for the state of Texas has not directly spoken on cloud computing. However, there are some opinions in Texas that might signal what the committee may say.
Opinion 572, written in the context of using an independent copy service, advises that a lawyer should consider the independent contractor’s reputation, the lawyer’s prior experiences, and whether a written confidentiality agreement is signed. Under Opinion 572, the lawyer should reasonably believe the vendor will not disclose or misuse the materials and retention of the service is in furtherance of the client’s representation. Interestingly, Opinion 572 does not require the client to consent to the lawyer’s retention of the copy service.
In contrast, Ethics Opinion 552, which speaks to sending attorney fee statements to a third-party auditor for an insurance company, specifically required consent by the client to the disclosure, and a discussion with the client of how the arrangement could affect the client’s legal position and the possible loss of the information’s protected status.
Among the 16 states that have addressed cloud computing, there are a wide variety of requirements. On one end of the spectrum, Nevada found that cloud computing was no different from storage of paper documents in a warehouse. Nevada advised its lawyers that a client’s consent to storage of confidential information in a cloud was preferable, but not required. In Nevada, an attorney only needs to take reasonable safeguards to ensure that the information will be kept confidential. New Hampshire, on the other hand, has stated that client consent may be necessary when information is highly sensitive before it can be uploaded to the cloud. Other states, such as Massachusetts, require a lawyer to obtain a client’s express consent.
According to Alabama, an attorney must: (1) know how the provider will handle storage and security of the information; (2) reasonably ensure the provider abides by a confidentiality agreement in handing the data; and (3) stay abreast of safeguards that should be used by the attorney and third-party vendor.
California has created a list of factors for an attorney to undertake before using a particular form of technology, including: (1) consideration of the attorney’s own level of technological competence; (2) the necessity to consult with or hire an expert; (3) the client’s instructions; and (4) the legal ramifications if any electronic information is intercepted or interfered with by a third party.
Florida recently took the position that an attorney is required to be up to date on technological developments, but the opinion did not discuss whether the lawyer can delegate the technological savvy to a paralegal or outside expert. Both Iowa and North Carolina have cautioned attorneys to ensure they would have unfettered access to any client information stored online, even if the vendor goes out of business.
Of course, for law firms whose practices reach outside Texas, there is an open question of whether law firms must comply with compliance requirements for each of the states in which they practice. The most likely result will be the law firm will have to follow the most stringent requirements of each of the states in which it practices.
Conclusion Are we there yet on cloud computing in Texas? Perhaps, but maybe not. The likely question will be what requirements will apply to Texas lawyers who choose to engage in cloud computing. Will the professional ethics committee of Texas follow some or all of the requirements identified by other ethics committees around the country? Will the committee adopt its own unique set of requirements? The requirements could look like what other states adopted, but then again, they might not. Bruce A. Campbell