N.Y. Bar Association Provides Opinion on ‘Cloud Computing’

1/25/2011 COMMENTS (0)

In September, the New York State Bar Association’s Committee on Professional Ethics released its Opinion 842, which was issued in response to an inquiry from a lawyer seeking guidance as to whether or not lawyers may use online computing resources — often referred to as “cloud computing” resources — to backup and store confidential client information.  The committee indicated that the use of such resources is permitted so long as a lawyer takes reasonable steps to ensure that the information will be kept confidential and meets certain other requirements.   

This post summarizes the committee’s decision and provides some additional factors counsel (both inside and outside) may want to consider to ensure that the use of on line resources does not compromise their obligations to their clients.

The committee’s opinion hinged on its interpretation of Rule 1.6 of the New York Rules of Professional Conduct that establishes a lawyer’s affirmative duty to safeguard confidential client information.  Other states have similar if not identical confidentiality requirements.  The duty applies not only to the lawyer but extends to service providers, such as online providers, the lawyer retains in the course of working for a client.  Relying on a prior decision of the committee concerning the use of e-mail, and opinions from New Jersey and Arizona concerning the use of on line resources, the committee concluded that a lawyer may make use of cloud computing resources “provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”

Reasonable care requires a lawyer, at a minimum, to ensure that the service provider has an obligation to keep data confidential.  The lawyer is duty bound to investigate whether or not the provider has adequate security in place (including technology in place to thwart hackers), has the ability to erase data when needed, can shift data to a different provider if necessary.  A lawyer is further required to obtain the provider’s agreement to notify the lawyer if a subpoena is served seeking access to a data stored with the provider.   

The committee also added that a lawyer should from time to time reconfirm that the provider meets the applicable requirements in light of technological advancements.  Additionally, a lawyer needs to monitor legal developments to ensure that a given use of cloud computing resources does not compromise the client’s privilege as the law evolves.

In addition to precautions laid out by the committee, an outside lawyer would be well advised to seek the active involvement of appropriate personnel from the client in the decision to utilize on line resources.  For example, on line databases for the collection, review and coding of discovery documents are becoming increasingly popular, particularly where productions contain large amounts of electronic data and e-mail.   

The range of information that can wind up in such a system is potentially enormous.  In addition to the legal department, the client’s IT, compliance, or other personnel may want to be involved in decisions about where such information will be stored and how it will be protected.  Not only can such consultation ensure that all of the client’s concerns are addressed before there is any hand over of confidential information to an outside provider, such consultation also allows the lawyer to potentially draw on the IT expertise of the client concerning its own data and can help ensure that any company policies concerning data or confidentiality are identified and complied with.

Given the context of the committee’s opinion, it does not directly speak to the issues cloud computing raises for in house counsel.  The increasing popularity of cloud computing resources in the corporate world, however, certainly could present challenges for in house lawyers as well.  In addition to those factors specifically enumerated in Opinion 842, in house lawyers may wish to engage their own IT departments in a discussion of how the legal department’s data and documents will be managed if there is company-wide use of cloud computing resources.  At a minimum, in house lawyers will want to ensure that controls are in place that limit access to privileged information and documents and that all such information will be kept confidential.

While Opinion 842 is only advisory, and only applicable to the New York attorney rules, it highlights issues of interest to attorneys, both inside and outside counsel, wherever they may practice in the US.  It is likely only one of the first decisions we will see in this area, but an important milestone nevertheless.