Maintaining Confidentiality in the Cloud | Practical Law

Maintaining Confidentiality in the Cloud | Practical Law

As lawyers' use of the internet continues to grow, so do the risks of exposing their clients' confidential information. This Update discusses protecting a client's confidential information on the cloud and ensuring that the client is aware of the risks of using the cloud to transmit or store its confidential data.

Maintaining Confidentiality in the Cloud

Practical Law Legal Update 9-572-4050 (Approx. 4 pages)

Maintaining Confidentiality in the Cloud

by Practical Law Litigation
Law stated as of 24 Jun 2014USA (National/Federal)
As lawyers' use of the internet continues to grow, so do the risks of exposing their clients' confidential information. This Update discusses protecting a client's confidential information on the cloud and ensuring that the client is aware of the risks of using the cloud to transmit or store its confidential data.
The use of the internet for data storage and sharing continues to grow. While cloud computing, which involves the transmittal or storage of data on the internet, provides litigators with an efficient way to share documents, draft litigation papers and communicate with their clients, its use could expose a client's confidential information to disclosure. In fact, it may be a breach of a lawyer's obligation to protect the client's confidences.
The use of the internet is now so commonplace that most people do not hesitate to provide their credit card information to make purchases or disclose personal information on social media sites and in employment applications submitted online. Similarly, when using a file transfer protocol (FTP) site, logging into the law firm's network or accessing a network through software like Citrix or a Virtual Private Network (VPN), lawyers frequently communicate their client's information over the internet without thinking about confidentiality, other than who might be glancing over their shoulder as they type.
Attorneys must be mindful of protecting their client's information from more than a wandering eye, especially when transmitting or storing data in the cloud. Generally, using the cloud to transmit or store information involves an outside service provider that provides lawyers with access to the data over the internet by using a web browser (like Google Chrome, Firefox or Internet Explorer) or smartphone application (app). Using this technology to transmit or store client information may make that information more susceptible to unauthorized access by third parties. The unintentional disclosure of a client's confidential information may result in a waiver of the attorney-client privilege. For more on the unintentional waiver of the attorney-client privilege, see Practice Note, Attorney-Client Privilege: Waiver (Federal): Unintentional (Inadvertent) Express Waiver.
Some states have issued opinions on whether an attorney violates her duty of confidentiality when using the cloud for the transmission or storage of her client's confidential information. For example:
  • The State Bar of California's Standing Committee on Professional Responsibility and Conduct has stated that a lawyer must take appropriate steps to ensure that her use of technology does not subject a client's confidential information to an "undue risk of unauthorized disclosure" (Ca. State Bar Formal Op. 2010-179).
  • The Professional Ethics Committee of the Florida Bar permits lawyers to use the cloud if the lawyers:
    • take reasonable precautions to maintain the confidentiality of the client's information;
    • take reasonable precautions to ensure that the service provider maintains adequate security, including researching the provider; and
    • have adequate access to the information stored remotely.
    (Fla. Ethics Op. 12-3.)
  • The New York State Bar Association's Committee on Professional Ethics determined that the use of online data storage to preserve client data is ethically permissible if the lawyer exercises reasonable care to ensure that the system is secure and that client confidentiality is maintained (N.Y. State 842).
To avoid conflict about the use of the cloud for the dissemination or storage of a client's privileged information, lawyers and their clients should address the issue at the start of their relationship when drafting the engagement letter. The engagement letter should specify the scope of the use of the internet during the engagement, such as:
  • Whether the cloud can be used for the dissemination of the client's privileged information (for example, the use of Microsoft Outlook Express to send e-mails).
  • Whether the cloud can be used to store the client's confidential information (for example, to store a client's documents on an FTP site so that the case team can access the information from any location).
  • The agreed-to methods for communicating over the internet.
For more information on drafting an engagement letter, see Standard Documents: