Ethical Shades of Gray

While this form of outsourcing is touted as fostering firm efficiency and cost-saving, the elusiveness of this new type of data storage has raised eyebrows in the legal community as to its ethical propriety. In particular, potential concerns regarding confidentiality, security, and control surround cloud computing.

About 10 years ago, it was the emergence of e-mail that prompted concerns within the legal community about the ability to relay client confidences securely and confidentially. The ABA issued a Formal Opinion concluding that lawyers may transmit information relating to client representation by unencrypted e-mail sent over the Internet, without violating Rule 1.6 of the Model Rules, because this mode of transmission "affords a reasonable expectation of privacy from a technological and legal standpoint.").

The difficulty with the reasonableness standard is that when it comes to innovation, what is reasonable is constantly changing. For now, lawyers should strongly consider conducting due diligence previously making any decision to dispatch their customers' data to the clouds. For instance, lawyers should ensure the online computer data storage provider they use has an enforceable obligation to preserve confidentiality and security, and that the provider will promptly respond to the lawyer or firm if they are required to produce client documents, files or records relating to a transaction or proceeding. To boot, lawyers should investigate the online data storage provider's own security measures, policies, recoverability methods, and related practices and protocols, including its ability to purge copies of data or transfer data to a different host. This information should be provided in the storage provider's terms of service.

Finally, lawyers should employ available innovation to guard against reasonably foreseeable attempts to infiltrate properly stored data. This process clearly is ongoing. As the research continues to develop, lawyers must stay current with legal developments and potential risks. Taking everything into account, the duty of reasonable care now invokes a duty to keep up.

The ABA Commission on Ethics pointed out in its Issues Paper that cloud computing is a form of outsourcing, and has queried whether the procedures it before outlined on lawyer outsourcing should extend to cloud computing. In 2008, the ABA issued a Formal Opinion addressing a lawyer's obligations when outsourcing nonlegal support services.). The opinion emphasized that pursuant to this agreement Model Rule 5.3, a lawyer who employs, retains or associates with a nonlawyer must make reasonable efforts to ensure that the person's conduct is "compatible with the professional obligations of the lawyer."

Model Rule 5.3 presents many challenges for lawyers who outsource non-legal work. For instance, lawyers must ensure that tasks are delegated to individuals who are competent to perform them and must oversee the execution of the outsourced project satisfactorily and appropriately. These requirements may place a considerable burden on lawyers utilizing cloud computing. To illustrate, if a lawyer wishes to send confidential client information to a data storage vendor, the lawyer should consider investigating the security of the vendor's network, its backup systems, type of data encryption, and policies regarding retrieval of data upon the termination of services.

In December 2010, recognized leaders in legal cloud computing announced the establishment of the Legal Cloud Computing Association, which is tasked with facilitating adoption of cloud computing research within the legal profession under applicable ethics rules. The LCCA has suggested steps that lawyers and law firms can take to protect confidential client information during outsourcing data to the cloud:

• Confidentiality. Lawyers and firms should seek information from their data storage providers regarding the identity of persons who have access to the system and data, and whether and pursuant to this agreement what circumstances the provider's personnel or any third-party business partners are subject to confidentiality obligations.

Cloud computing may have much to offer lawyers and law firms, nevertheless it is not without risks. Ethics authorities seem to agree that cloud computing places a heavy load on a lawyer's shoulders to understand and monitor a vendor's practices and to continue to stay on top of technological changes and advancements.

The benefits

In weighing the benefits and burdens of outsourcing to the cloud, lawyers may want to think about the opportunity that certain customers may be better candidates for cloud computing than others. For instance, large institutional client data relating to multi-billion dollar transactions may be more susceptible to hacking than data belonging to a small business or individual client, where the stakes are presumably much lower. To boot, financial services institutions, which are heavily regulated, need to be able to retrieve and produce large quantities of data on demand from regulators.

On the other hand, larger customers may as well be more inclined to seek the benefits of cloud computing, since their data storage needs are likely to be greater. In this sense, cloud computing creates an interesting tension between volume and security. Ultimately, it is the lawyer's responsibility to carefully evaluate the risks and rewards of cloud computing, without ever losing perspective…through the clouds.