Sarah Jane Hughes has published an important new article on cloud computing and legal ethics, written from the perspective of the ABA Model Rules of Professional Conduct. Because California’s ethics rules have not yet had the benefit of an update to take changes in technology into consideration, the ABA Model Rules, including comments to those rules which provide additional guidance, are highly instructive. In her article, Hughes updates her prior work regarding the risks posed by storing clients’ data in the cloud, including data breach and government surveillance, with discussions of several recent high profile examples to illustrate the risks posed, including malware threats posed by hackers. Key risks come from data breaches (internal and external) as well as secret back doors in electronic devices including tablets and phones and the encryption breaking software of the National Security Administration. The article questions whether lawyers can rely on safe harbors based on data encryption given NSA capabilities. At the same time, she suggests that disclosure of client data should not constitute a waiver of the attorney client privilege, because it is not intentional or voluntary.
The article also details a scheme for classifying data in terms of three levels of security and provides a well organized range of strategies aimed at minimizing the risks of disclosure and protecting client data. These include understanding the contracts of cloud service vendors, managing issues with clients through disclosure and informed consent, and implementation of training and audit procedures. For sensitive matters she advocates considering reversion to low tech processes including the use of typewriters. She also details lawyers’ obligations regarding notification of clients in data breach scenarios. An excellent read for those tasked with implementation of data management in a legal environment. The topic of legal ethics and cloud computing deserves further attention as lawyers have navigated their practices to the cloud.
Legal ethics issues arise in a number of cloud computing applications. A primary consideration is the ethical duty of confidentiality. What is appropriate depends on many factors including the type of legal matter and sensitivity of the information. An additional ethical consideration is the duty of competence. With the risk of data breach increasing, lawyers should think carefully concerning how they use the cloud. My new article in the Los Angeles County Bar Association’s Update surveys the subject. Read it here.