New Hampshire Bar Association Opinion #2012-13/4

New Hampshire Bar Association’s Ethics Committee 

(submitted for publication by the NHBA Board of Governors at its February 21, 2013 meeting)

Topic: The Use of Cloud Computing in the Practice of Law

Summary of the Committee:

The internet has changed the practice of law in many ways, including how data is stored and accessed. ‘Cloud computing’ can be an economical and efficient way to store and use data. However, a lawyer who uses cloud computing must be aware of its effect on the lawyer’s professional responsibilities. The NHBA Ethics Committee adopts the consensus among states that a lawyer may use cloud computing consistent with his or her ethical obligations, as long as the lawyer takes reasonable steps to ensure that sensitive client information remains confidential.

From the Opinion:

As per Rule 1.1 (competence)

a competent lawyer using cloud computing must understand and guard against the risks inherent in it…The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing…Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”

As per Rule 1.6 (confidentiality)

cloud computing comes into wider use, storing and transmitting information in the cloud may be deemed an impliedly authorized disclosure to the provider, so long as the lawyer takes reasonable steps to ensure that the provider of cloud computing services has adequate safeguards…Not all information is alike. For example, where highly sensitive data is involved, it may become necessary to inform the client of the lawyer’s use of cloud computing and to obtain the client’s informed consent [rule 1.0(e)]

As per Rules 1.15(a) and 1.16(d)

In the context of cloud computing, the lawyer must take steps to safeguard data stored in and transmitted through the cloud. What safeguards are appropriate depends on the nature and sensitivity of the data. More particularly, a lawyer must take reasonable steps to ensure that electronic data stored in the cloud is secure and available while representing a client. The data must be returned to the client and deleted from the cloud after representation is concluded or when the lawyer decides to no longer to preserve the file

As per Rule 5.3(a) (Responsibilities Regarding Nonlawyer Assistants)

Cloud computing is a form of outsourcing the storage and transmission of data…[W]hen, instead of directly engaging a cloud computing provider, a lawyer hires an intermediary, such as an information technology professional or other support staff, to find and engage a provider…When engaging a cloud computing provider or an intermediary who engages such a provider, the responsibility rests with the lawyer to ensure that the work is performed in a manner consistent with the lawyer’s professional duties. Rule 5.3 (a). Additionally, under Rule 2.1, a lawyer must exercise independent professional judgment in representing a client and cannot hide behind a hired intermediary and ignore how client information is stored in or transmitted through the cloud…It bears repeating that a lawyer’s duty is to take reasonable steps to protect confidential client information, not to become an expert in information technology. When it comes to the use of cloud computing, the Rules of Professional Conduct do not impose a strict liability standard

The opinion gives a very useful checklist for New Hampshire lawyers to retain a cloud computing service.

 

Rules: New Hampshire Rules of Professional Conduct 1.0(e), 1.1, 1.6, 1.15, 2.1, 5.3

Subjects: Informed Consent, Competence, Confidentiality of Information, Safekeeping Property, Responsibilities Regarding Nonlawyer Assistants

 

The full text is available at http://www.nhbar.org…