Ethical Considerations for Attorneys Using Cloud-Based Servers to Store Client Information

The Illinois State Bar Association recently addressed the issue of whether Lawyers could store client information on cloud-based servers. See ISBA Professional Conduct Advisory Opinion No. 16-06. Given the increasing popularity of cloud-based services like Dropbox, Microsoft OneDrive, and Google Drive as means for easy file storage and sharing, the Illinois State Bar’s Ethics Opinion provides some much-needed guidance for attorneys.

Lawyers using cloud-based services usually contract with third-party internet service providers to store client information in a remote location not controlled by the lawyer. Id. According to the Illinois State Bar Association, the lawyer’s lack of direct control over the servers on which client data is stored raises ethical concerns of competence, confidentiality, and proper supervision of non-lawyers. Id. Although the Illinois State Bar declined to provide specific requirements for lawyers when choosing and utilizing outside providers for cloud-based services, it did provide some useful guiding principles and considerations. See id. A lawyer’s duty to provide competent representation requires that he keep abreast of changes in the law and its practice, “including the benefits and risks associated with relevant technology.” Id. As such, the Illinois State Bar believes lawyers who use cloud-based services must obtain and maintain a sufficient understanding of the technology they are using to properly assess the risks of unauthorized access and/or disclosures of confidential information.” Id. Lawyers are thus required to make a due diligence investigation when selecting a cloud provider. Id. The Illinois State Bar’s Ethics Opinion offers a non-exclusive list of reasonable inquiries and practices for lawyers contemplating cloud-based services. See id. These include:

  1. Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
  2. Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption;
  3. Investigating the provider’s reputation and history;
  4. Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;
  5. Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
  6. Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data;
  7. Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.

Id. A few of the above inquiries and practices underscore the importance of properly supervising the third-party cloud service providers to ensure that their actions do not result in a breach of the lawyer’s duty of confidentiality. The Illinois State Bar Ethics Opinion makes it clear that a lawyer’s due diligence at the time he enters into an agreement with a cloud service provider will be inadequate to avoid an ethical violation should a breach of confidentiality later occur due to a failure of the provider or due to the actions of hackers. Id. This is because a lawyer has ongoing obligations to protect confidential client information and to supervise non-lawyers under Rules 1.6 and 5.3. Id. Lastly, as future advances in technology can render a lawyer’s current reasonable protective measures obsolete, the Illinois State Bar believes that “a lawyer must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected.” Id.

The Illinois State Bar’s careful consideration of the ethical challenges posed by ever-increasing use of cloud-based services in the legal profession is commendable. It provides helpful guidance to attorneys who are already using cloud-based services as well as those who are contemplating cloud-based services but are unsure how to implement them in an ethically responsible way. In today’s technological world, advisory ethics opinions like Illinois’ are vital as they help maintain the integrity of the legal profession.