Chapter § 9.05 Client Data in the Cloud

Jurisdiction: United States
Publication year: 2020

Cloud computing, or “the cloud” for short, refers to the availability of computing resources (e.g., servers, storage, and software) over the Internet. Although moving to cloud computing often involves an uneasy transfer of control over a company’s data to a cloud provider, the cloud’s benefits—namely, the cost savings versus “on-premise” models—are frequently too tempting to let pass. For instance, users typically only pay for the costs of the cloud services they use, helping them save considerable capital and operating costs through reduced spending on hardware, software, infrastructure, IT staff, and energy consumption.

Nowadays, almost everyone uses some cloud technology in their daily lives. In fact, many law firms have email and document management servers hosted on the cloud. Also, lawyers routinely use cloud-based technology like Dropbox, Microsoft OneDrive, and Google Drive for file storage and to share files with clients that are too large to send by email. Because the use of the cloud is now so common in our profession, it’s critical for lawyers to understand their ethical obligation to protect client data when using the cloud. We discuss that duty below.

[1] Ethical Obligation

Over 20 state bar associations have issued ethics opinions concluding that lawyers may “use cloud-based electronic data systems and document preparation software for client confidential information,” provided that they use reasonable care in adopting and using the technology.80 The standard of reasonable care for cloud computing should include, among other things, ensuring that the cloud provider:

• explicitly agrees that the provider has no ownership or security interest in the data;
• has an enforceable obligation to preserve data security and privacy;
• will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information;
• has technology built to withstand a reasonably foreseeable attempt to access data (e.g., penetration testing);
• includes in its “Terms of Service” or “Service Level Agreement” (“SLA”) 81 an agreement about how the provider will handle confidential client data;
• provides the law firm with the right to audit the provider’s security procedures and to obtain copies of any security audits the provider performs;
• will host the firm’s data only within a specified geographic area; if, by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States;
• provides a method of retrieving data if the lawyer terminates use of the cloud product, the provider goes out of business, or the service otherwise has a break in continuity; and
• provides the ability for the law firm to retrieve data from the provider’s or third-party data hosting company’s servers for the firm’s
...
