Professor Andrew Perlman in his article “The Twenty First Century Lawyer’s Evolving Ethical Duty of Competence” (The Professional Lawyer, Vol. 22, No. 4) observed:
"Technological competence is not just a disciplinary or malpractice concern. It is becoming essential in a marketplace where clients handle more of their own legal work and use non-traditional legal service providers (i.e., providers other than law firms). To compete, lawyers need to learn how to leverage “New Law” – technology and other innovations that facilitate the delivery of legal services in entirely new ways."
Professor Perlman provides these examples of New Law Technology:
- Automated document assembly,
- Expert systems (e.g., automated processes that generate legal conclusions after users answer a series of branching questions),
- Knowledge management (e.g., tools that enable lawyers to find information efficiently within a lawyer’s own firm, such as by locating a pre-existing document addressing a legal issue or identifying a lawyer who is already expert in the subject),
- Legal analytics (e.g., using “big data” to help forecast the outcome of cases and determine their settlement value),
- Virtual legal services, and
- Cloud-based law practice management.
A recent Wisconsin Bar Association ethics opinion (EF 15-01, 3/23/2015) concerning the ethical use of cloud computing opined that:
"(C)loud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it … (L)awyers must make reasonable efforts to protect client information and confidentiality as well as to protect the lawyer’s ability to reliably access and provide information relevant to a client’s matter when needed. To be reasonable, those efforts must be commensurate with the risks presented. Lawyers must exercise their professional judgment when adopting specific cloud-based services, just as they do when choosing and supervising other types of service providers."
The opinion includes the following considerations in determining what are reasonable efforts:
- Information’s sensitivity;
- Client’s instructions and circumstances;
- Possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party;
- Attorney’s ability to assess the technology’s level of security;
- Likelihood of disclosure if additional safeguards are not employed;
- Cost of employing additional safeguards;
- Difficulty of implementing the additional safeguards;
- Extent to which the additional safeguards adversely affect the lawyer’s ability to represent clients;
- Need for increased accessibility and the urgency of the situation;
- Experience and reputation of the service provider;
- Terms of the agreement with the service provider; and
- Legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. The Wisconsin opinion notes that it is not possible to give specific requirements for reasonable efforts because of constant technology change. “Lawyers must exercise their professional judgment in adopting cloud based services, just as they do when choosing and supervising other types of service providers.” The opinion, however, includes the following general guidance:
- Lawyers should have “at least a base level comprehension of the technology and the implications of its use.” While attorneys are not required to understand precisely how the technology works, competence requires at least a cursory understanding of the technology used. Such a cursory understanding is necessary to explain to the client the advantages and risks of using the technology in the representation.
- Lawyers should understand the importance of computer security, such as the use of firewalls, virus and spyware programs, operating system updates, strong passwords and multifactor authentication, and encryption for information stored both in the cloud and on the ground. Lawyers should also understand the security dangers of using public Wi-Fi and file sharing sites.
- Lawyers who outsource cloud-computing services should understand the importance of selecting a provider that uses appropriate security protocols. “While complete security is never achievable, a prudent attorney will employ reasonable precautions and thoroughly research a cloud storage vendor’s security measures and track records prior to utilizing the service. Knowing the qualifications, reputation, and longevity of the cloud-service provider is necessary, just like knowing the qualifications, reputation, and longevity of any other service provider.”
- Lawyers should also understand the importance of regularly backing up data and storing data in more than one place.
- Lawyers who do not have the necessary understanding should consult with someone who has the necessary skill and expertise, such as technology consultant, to help determine what efforts are reasonable.
- Lawyers should also consider including a provision in their engagement agreements or letters that, at least, informs and explains the use of cloud-based services to process, transmit, store and access information. Including such provisions not only gives the client an opportunity to object, but also provides an opportunity for the lawyer and client to discuss the advantages and the risks. (footnotes omitted)