Lawyers have an ethical duty to protect client confidential information and safeguard client files. Most ethics panels agree that lawyers may use cloud computing services if they take reasonable steps to minimize risks, such as understanding the technology, ensuring access to and protection of data, and verifying security measures of cloud providers. Competent use of cloud computing requires diligence in areas like company reviews, access to data, encryption, backup procedures, and network and physical security.
10. The ethical issues at stake
Lawyers have a duty to safeguard confidential client information.
Lawyers have a duty to protect client property, including client files, from loss.
Lawyers have a duty to be competent in technology.
11. Every ethics panel agrees on two points ...
1. Lawyers may use the cloud.
2. Must take reasonable steps to minimize risk to confidential information and client files.
12. Alabama State Bar Ethics Opinion 2010-02
Arizona State Bar Formal Opinion 09-04
California Formal Opinion No. 2010-179
Connecticut Bar Association Informal Opinion 2013-07
Florida Bar Opinion 12-3
Iowa State Bar Ethics Opinion 11-01
Maine Professional Ethics Commission Opinion 194
Massachusetts Bar Association Opinion 12-03
New Hampshire Bar Association Opinion 2012-13/4
New Jersey Advisory Committee on Professional Ethics Opinion 701
Nevada State Bar Formal Opinion No. 33
New York State Bar Association Opinion 842 of 2010
North Carolina 2011 Formal Ethics Opinion 6
Oregon Formal Opinion No. 2011-188
Pennsylvania Formal Opinion 2011-200
Vermont Bar Association Opinion 2010-6
Virginia Legal Ethics Opinion 1872
14. North Carolina 2011
“A law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files.”
“A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.”
15. “The degree of protection to be afforded client information varies with the client, matter and information involved. But it places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly.”
“Whatever form of SaaS is used, the lawyer must ensure that there is unfettered access to the data when it is needed. Likewise the lawyer must be able to determine the nature and degree of protection that will be afforded the data while residing elsewhere.”
Iowa State Bar Ethics Opinion 11-01
16. “A competent lawyer using cloud computing must understand and guard against the risks inherent in it.”
“There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing.”
“Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”
New Hampshire 2012-13/4
17. Florida Bar Opinion 12-3
Lawyers have an obligation to remain current not only in developments in the law, but also developments in technology that affect the practice of law.
Lawyers who use cloud computing … have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations.
18. Massachusetts Bar Ethics Opinion 12-03
“Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet.”
“He should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent.”
20. 1. Company Due Diligence
Is this a solid company with a good operating record?
Do others recommend the company?
What is in the TOS and privacy policy?
21. 2. Unrestricted access to data
Can I get my data whenever I want?
Is the data stored elsewhere in the event I'm denied access?
“Optionally, upon request by the Subscriber, all Content associated with the subscription will be replicated at a regular interval, to an offsite storage server accessible only to a reputable data escrow agent (“Escrow Agent”). The replicated Content (“Escrowed Data”) will be held under the terms of a separate agreement among Themis, the Subscriber, and the Escrow Agent (“Escrow Agreement”).”
22. 3. Termination of relationship
If I terminate the service, can I retrieve my data?
If the service is terminated due to my non-payment, what happens to my data?
If the company shuts down, can I get my data?
Will the data be available in a non-proprietary format?
23. “At LexisNexis we believe strongly that the data you place in LexisNexis Firm Manager belongs to you! To provide you with the comfort that you retain control of your critical client-privileged information and work product:
• “Your administrator can export your data at any time.
• “If you cancel your subscription, we maintain your data online for 6 months. … At any time you can decide to purge your data, removing it from LexisNexis systems.
• “If you purge your data, your client privileged work product is removed from our systems … [and] from our backup tapes as well.”
24. 4. Password Protection
Passwords required?
Is two-step verification available?
Automatic log-out?
Account monitoring for suspicious activity?
25. 5. Protection of confidentiality
Lawyer must ensure “that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.”
-NYSBA Ethics Opinion 842
31. 9. Physical security of data centers
Building access and security: 24x7 on-site security; multi-level access verification; video monitoring of entrances and interior areas.
Uninterruptible, redundant power: at least two power grid connections; battery banks; N+1 on-site generators.
Cooling system: HVAC systems with N+1 redundancy to keep climate at the optimum temperature and humidity levels.
Fire detection and suppression: automatic, multi-zoned detection and suppression; off-site alarm monitoring and dispatch.
System monitoring: real-time monitoring of all systems.
32. Data Center Seals of Approval
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II).
• Auditing standards verifying that controls are in place to protect financial information.
• Can apply to:
  • Data centers and colocation facilities.
  • SaaS providers.
  • Payroll processing companies.
  • Loan servicing companies.
  • Medical claims processors.
SOC 2
• Reporting option specifically designed for data centers, SaaS vendors, and cloud-based businesses.
• Evaluates:
  • System security.
  • System availability.
  • System processing integrity.
  • Confidentiality of information.
  • Privacy of personal information.
35. 10. Get Extra Security
Viivo, www.viivo.com
• Client-side encryption for Mac, Windows, iOS and Android.
• Works with Dropbox, Box, Google Drive and Skydrive.
• Can share with others, but they must also install Viivo.
TrueCrypt, www.truecrypt.org
• Free, geeky disk encryption software for Windows, Mac and Linux.
• Can be used to encrypt files before sending to Dropbox.
Safebox, www.safeboxapp.com
• Client-side encryption for Dropbox and other systems.
Enlocked, www.enlocked.com
• Easy email encryption, works with webmail services such as Gmail as well as with Outlook.