NY bar on ethics of cloud computing again

New York state has long been on the cutting edge of addressing the ethics of using different technologies in the practice of law. So it was no surprise when the New York State Bar was one of the first to confront the ethics of cloud computing when the Committee on Professional Ethics handed down Op. 842 in 2010, which addressed the ethics of storing confidential client data online.

In that opinion, the committee held that “(a) lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6.”

In two different opinions handed down in the latter half of this year, the committee further clarified its position on the use of cloud computing by lawyers. In both opinions, the committee reaffirmed the applicability of the longstanding duty of due diligence when assessing the security of third party service providers, explaining that a lawyer must assess whether the technology offers reasonable protections against disclosure and must also take reasonable precautions when using technology. At issue in Op. 1019, issued in August, was whether a law firm may “provide its lawyers with remote access to its electronic files.” The committee concluded that it was permissible to do so in the absence of client consent, so long as the attorney concluded that the security precautions exercised by the third party provider were reasonable.

In doing so, the committee recognized the need for a flexible standard: “Because of the fact-specific and evolving nature of both technology and cyber risks, this committee cannot recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients. If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is ‘informed’…”

In Op. 1020, which was handed down in September, the issue addressed was whether “a lawyer representing a party to a transaction (may) use a cloud-based technology so as to post documents and share them with others involved in the transaction.” The committee reached the same conclusion as it did in Op. 1019: “Whether a lawyer for a party in a transaction may post and share documents using a ‘cloud’ data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”

Importantly, in reaching its decision, the committee noted that lawyers have a duty to stay abreast of changes in technology explaining that the “use of electronically stored information may not only require reasonable care to protect that information under Rule 1.6, but may also, under Rule 1.1, require the competence to determine and follow a set of steps that will constitute such reasonable care.”

By way of example, the committee explained in a footnote that “the duty of competence may require litigators, depending on circumstances, to possess a basic or even a more refined understanding of electronically stored information.”

So, once again, New York leads the way when it comes to the ethics of the use of technology by lawyers. In this case, the Committee on Professional Ethics offered two well-reasoned opinions centered around elastic standards that will undoubtedly withstand the tests of time.

For Reference See Also: Formal Opinion 2014-2: USE OF A VIRTUAL LAW OFFICE BY NEW YORK ATTORNEYS

Editor’s Note – republished with permission of the author – Nicole Black, Director | MyCase, a cloud-based law practice management system. Lawyer | Author | GigaOM Pro Analyst.

Posted in: Legal Ethics