If you practice in Texas and use a cloud-based data storage system, do you have a general understanding of how cloud technology works?
And have you trained your staff on best practices for security and confidentiality?
If you can’t answer “yes” to both of those questions, you might be in violation of state ethics rules.
In Texas Ethics Opinion 680, the State Bar addressed a range of professional issues regarding cloud-based storage and software systems.
The bottom line: it’s okay to venture into the cloud, so long as you are aware of the risks and take certain precautions.
“A lawyer may use cloud-based electronic data systems and document preparation software for client confidential information,” the opinion says. “However, lawyers should remain continually alert to the vulnerability of cloud-based vendors and systems to data breaches and whether a particular vendor or system appears to be unusually vulnerable.”
Read or download a PDF version of the full opinion here.
Want more pointers to protect yourself in the cloud? Attend a free CLE webinar on August 14: “Top 10 Things to Prevent a Data Breach?” You can register here. Just another benefit of membership in Alta Pro Lawyers RPG.
Texas Ethics Opinion 680
Here’s the factual scenario addressed in the opinion:
“A lawyer is considering subscribing to various cloud-based electronic storage and software systems that allow users to store confidential client information or prepare form legal documents by uploading confidential client information for insertion into those form documents. The lawyer is concerned because these cloud-based electronic storage and software systems are owned by private companies, the various computer servers on which this client confidential information would reside are or may be located in other countries, the client information could be accessed by employees of these private companies, and there is the possibility of these servers and the confidential information residing on them being hacked by third parties or being rendered inaccessible as a result of a cloud storage vendor going out of business. The lawyer questions whether it is ethical to use cloud-based electronic storage or software systems given these conditions and the potential disclosure risks to confidential client information.”
Cloud computing is ethical, the State Bar concluded, so long as lawyers take “reasonable precautions,” including:
- Acquiring a general understanding of how the cloud technology works;
- Reviewing the “terms of service” to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers;
- Learning what protections already exist within the technology for data security;
- Determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system;
- Remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of stored information; and
- Training lawyers and staff on appropriate protections and considerations.
Four Key Takeaways
- Keep client data private. Texas Rule 1.05 prohibits unauthorized disclosure of confidential information. This applies to everything from cloud computing to sending email (Ethics Opinion 648) or using an outside copy service (Opinion 572).
- You don’t have to become a cloud expert. But you must “become and remain vigilant about data security issues from the outset of using a particular technology in connection with client confidential information.”
- Some client info may be too sensitive for the cloud. “A lawyer should remain reasonably aware of changes in technology and the associated risks—without unnecessarily retreating from the use of new technology that may save significant time and money for clients.”
- Talk to your client. “In some circumstances it may be appropriate to confer with a client regarding these risks as applicable to a particular matter and obtain a client’s input regarding or consent to using cloud-based electronic data systems and document preparation software. If a client has given specific instructions regarding the use and protection of its client confidential information in a matter those instructions must be followed except when otherwise required or permitted.”
Protect your practice with cybersecurity insurance. Alta Pro can help you get the right coverage for your needs. Get a free quote or more information here.