NC Proposed Ethics Opinion on Cloud Computing

We’ve just received some great news: the North Carolina Bar Association, the first in North America to study the ethics of using cloud computing or Software-as-a-Service (SaaS) in a law firm, has finished drafting a proposed Formal Ethics Opinion that explicitly allows for the use of cloud computing in a law office.

The question put specifically to the NC Bar centered on a firm’s proposed use of Clio to manage its practice online:

Is it within the RPC for an attorney/law firm to use online (“cloud computing”) practice management programs (e.g., the Clio program) as part of the practice of law?  These are instances where the software program is accessed online with a password and is not software installed on a computer within the firm’s office.

In its proposed Formal Ethics Opinion, the response is as follows:

Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.

Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has long held that this duty does not compel any particular mode of handling confidential information nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information.  See RPC 133 (no requirement that firm’s waste paper be shredded if lawyer ascertains that persons or entities responsible for the disposal employ procedures that effectively minimize the risk that confidential information may be disclosed).  Moreover, the committee has held that, while the duty of confidentiality extends to the use of technology to communicate, “this obligation does not require that a lawyer use only infallibly secure methods of communication.”  RPC 215.  Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential communications and the lawyer must advise effected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality.

The proposed Formal Ethics Opinion is also pragmatic in its assessment of cloud computing security:

In light of the above, the Ethics Committee concludes that a law firm may use SaaS if reasonable care is taken effectively to minimize the risks to the confidentiality and to the security of client information and client files.  However, the law firm is not required to guarantee that the system will be invulnerable to unauthorized access.

While a properly secured cloud computing provider can be one of the safest ways to store client data, the Ethics Committee has the practical insight that no system is immune to compromise: just as any physical office can be broken into, with enough time, money and resources any electronic system can be compromised. It is not reasonable to ask attorneys using a cloud computing provider to prove that a system is invulnerable to unauthorized access, as it’s an impossible goal. As Carolyn Elefant points out in her response to the committee, the use of technology within a law firm - cloud computing or otherwise – should be viewed in a risk minimization framework.

We’re thrilled to see such a balanced and insightful Proposed Ethics Opinion from the NC Bar. It will be published for comment in the next issue of the North Carolina Bar Journal, and published as a final opinion once comments have been received and addressed. We’ve also included the full opinion below and on JD Supra.

We also hope the NC Ethics Opinion serves as a useful precedent for other Bar Associations examining the ethics of cloud computing, and hope that the American Bar Association will address the ever-increasing call for guidance on cloud computing by providing its own Ethics Opinion as a model opinion for state bars to adopt.