As all Kentucky attorneys are aware, the Kentucky Supreme Court Rules of Professional Conduct (SCR 3.130) impose many professional obligations on attorneys in their handling and safekeeping of client information and property. When client files, communications, documents, or other client data are stored in digital form, they become subject to the risks of a cyber attack. Attorneys must be aware of these risks and ensure compliance with their ethical obligations when managing them.
One technological advancement that holds appeal for many attorneys, and also implicates many ethical considerations, is ‘cloud-computing.’ Cloud-computing is processing power, storage space, software, or other computing services, often accessed via a web browser.2 As one state bar association pointed out, the term cloud-computing includes the use of smartphones; iPhones; web-based email such as Gmail, Yahoo, Hotmail, or AOL Mail; and products such as Google Docs, Microsoft Office 365, or Dropbox, along with many others.3
Some of these services are email services. Others provide solely for the storage of documents in the cloud on servers owned by third party server-providers. These servers can be located in a distant warehouse, out of state, or out of country. They are accessible only on the Internet. Some are complete cloud-based programs in which the software is not installed on the user's computer, but is accessed on the Internet. Younger attorneys learned to rely heavily on cloud-computing in law school. They realize the value of cloud-computing and use some form of it every day. As useful as cloud-computing is, it introduces significant new ethical considerations for attorneys because client data is no longer in the sole possession of the attorney.
This article addresses the cyber security risks and professional responsibility duties this technology raises and offers risk management considerations for avoiding malpractice claims and bar complaints for failing to competently use technology in your practice.
The KBA in Ethics Opinion KBA E-437 (3/21/14) approved the use of the cloud by Kentucky lawyers as follows:
A lawyer may use cloud-based services with regard to confidential client information. In using cloud-based services, a lawyer must use reasonable care to assure that client confidentiality is protected and client property is safeguarded. See SCR 3.130(1.6(a)) & (1.15(a)). A lawyer must act consistent with his or her duty of competence in selecting and monitoring the providers of cloud-based services. See SCR 3.130(1.1). A lawyer must use "reasonable efforts" to ensure that the conduct of providers of cloud-based services assisting him or her is compatible with ethical obligations of the lawyer, and, if the lawyer is a partner or otherwise has managerial authority in a law firm, the lawyer must use "reasonable efforts" to make sure that the firm has measures in place to assure that providers of cloud-based services engage in conduct compatible with ethical obligations of the lawyer. See 3.130(5.3(a) & (b)). Finally, a lawyer must consult with the client about the use of the cloud if the matter is sufficiently sensitive such that the duty to "reasonably consult with the client about the means by which the client's objectives are to be accomplished" is implicated. See SCR 3.130(1.4(b)).
The opinion offered this guidance in meeting professional responsibility requirements:
Just as a lawyer should review the terms of storage for a warehouse for storage of client files, so too should a lawyer review the terms of the arrangement regarding online storage or treatment of confidential client information or other cloud-based service. Some questions that a lawyer should consider in this regard include the following:
A. First, an attorney must act competently and reasonably in handling and storing client data. SCR 3.130 (1.1) of the Kentucky Rules of Professional Conduct requires attorneys to provide competent representation, and to utilize the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. Kentucky has not adopted the ABA's changes to Model Rule 1.1 that, in comment (8), advise that for an attorney to maintain the requisite knowledge and skill, the attorney must keep abreast of the changing benefits and risks of relevant technology. The ABA made it clear that this change was not a new requirement. Rather, it makes explicit what was heretofore implicit. KBA E-437 removes any doubt that Kentucky lawyers must be competent in the use of technology in their practice.
B. SCR 3.130 (5.3) governs the responsibilities of attorneys for the conduct of nonlawyers employed by the attorney. The rule makes it clear that an attorney can be held responsible if a server-provider improperly handles client data. Attorneys cannot simply put client data into the cloud and blindly trust that the server-provider will protect the data. Attorneys need to investigate the server-provider to ensure the provider is reputable.
C. SCR 3.130(1.6) requires attorneys to protect the confidentiality of client data. An attorney cannot simply put client data into the cloud, and assume it will remain confidential. The storage of data in the cloud is like storing client files in an offsite warehouse. In such a case, the attorney will review the contract with the warehouse to ensure there are enforceable requirements that the warehouse keep files secure, prevent third parties from accessing the files, and that the employees of the warehouse protect the confidentiality of the files.
The same obligations and considerations apply to online storage. Attorneys must:
D. SCR 3.130 (1.15) governs the safekeeping of client property that includes client data. To comply with this rule attorneys should:
A. Continued Access: In addition to keeping client property safe, attorneys must ensure continued access to client data. To accomplish this attorneys should:
B. What Files Should Go on the Cloud? While retention and access are concerns whether the files stored in the cloud are backups or the primary client files, special concern should be given to any client data that does not have a backup outside of the cloud. It is noteworthy that when many state bar associations issued specific opinions on storing client files in the cloud, they framed the question as whether it was proper to use the cloud as a backup.8
Whether it is reasonable to maintain the only complete copy of client files in the cloud is a very different question. Prudence would caution any attorney to be wary of relying on the cloud as the only access to client data. The Alabama State Bar noted that while certain client documents could be destroyed after scanning and converted to digital format, the best practice is to follow the procedure used for ordinary paper documents.9 The Alabama State Bar also noted that unlike traditional paper files, a lawyer must back up all electronically stored files, and approved the use of cloud storage for this purpose.10 The easiest and best practice for Kentucky lawyers is to back up all digital client data.
C. Firing Your Server-Provider: If the attorney becomes dissatisfied with the server-provider or otherwise decides to use a different service to store the data, the attorney must be able to move the data from the server-provider to another server, whether private or in the cloud. Attorneys should investigate whether, after such a move is made, the server-provider can, and will, wipe the client data from its servers so that no data will be left with the old server. Attorneys should not merely stop using the server and leave client data on that server.
D. Special Risks of Smartphones and Tablets: Smartphones and tablets, due to their cloud-connectivity, pose an added risk to client data. Attorneys must be aware of whether client data stored in the cloud is easily accessed from their smartphone or tablet if it is lost or stolen.
Attorneys should ask the question: "If my smartphone or tablet is lost or stolen, how easy would it be for someone to access my client data, and how much client data would be available to them?" Documents stored in servers such as Google Drive, iCloud, and many others, can often be accessed from a smartphone without having to re-enter a password if the user remains logged in. One way to manage this risk is to always log out of cloud-based programs. Then, if your phone is compromised, the data in the cloud is still password-protected.
Attorneys should also be aware of some of the more traditional cyber defense tools to protect their smartphones, such as passwords and encryption. When a strong password is coupled with encryption, some think that the device is rendered essentially secure.11
Technology is constantly changing, with the result that attorneys will use the Internet and cloud-computing in new and different ways in the future. For this reason, there is no one solution for complying with an attorney's ethical duties associated with cloud computing and cyber security risks. Attorneys must understand the technology they choose to use in their practice and recognize they have a professional duty of obtaining and maintaining competence in the technology that now pervades the practice of law.