Last September the New York State Bar Association issued Opinion 842 (link to official site) which addressed the question of ‘cloud storage’ or online storage of client information. In today’s world, where cloud storage is cheap and easy to use, lawyers are increasingly embracing online storage services such as SugarSync and DropBox. The NY Bar opinion is a good starting point for any discussion about the ethical implications of online storage, even if you are located in a state other than New York.
The key questions presented in Ethics Opinion 842 were these:
May a lawyer use an online system to store a client’s confidential information without violating the duty of confidentiality or any other duty? If so, what steps should the lawyer take to ensure that the information is sufficiently secure?
The New York opinion concludes that lawyers may use online storage provided that certain steps are taken to ensure that the information is adequately protected. First of all, the opinion repeatedly cautions that lawyers who adopt online storage methods must “periodically review security measures as technology advances over time….” In other words, you can’t just adopt an online storage system that is reasonable to use today and then stop paying attention to how technology is changing.
Paying attention to technological advances is certainly of critical importance, regardless of purely ethical considerations. But now we see, perhaps for the first time, a prominent legal group urging that the need to pay attention to technological changes is an ethical obligation. Granted, it’s an obligation that only kicks in if you use online storage (at least if you’re in New York and being guided by this opinion). But one can easily see this reasonable admonition being applied in other contexts where lawyers use technology.
So to repeat the point for emphasis: you can’t just adopt a new technology, set it up, and then stop paying attention to how advances in technology affect your ability to protect clients’ information.
The New York opinion offers four specific considerations that should guide lawyers who use online storage services. The opinion says that lawyers should consider the following steps:
(1) Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
(2) Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
(3) Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
(4) Investigating the storage provider’s ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.
Let me address each of these in turn, explaining in ordinary terms what they seem to mean for using services such as SugarSync or DropBox.
First, services such as SugarSync and DropBox have as much interest as anyone in keeping your data private. As a practical matter, if their services were easily hacked into and the information stored there was easily compromised, their ability to attract business customers (and regular customers too) would immediately be impaired. Of course, you should carefully review the terms of service of such sites to make sure that you (1) understand what rights and liabilities you might have, and (2) are aware of potential perils.
You can be sure that the terms of service will be written to the benefit of the online provider for the most part. They will not accept liability for compromised security that results from you (1) having an inherently insecure password system, (2) giving your password to someone you shouldn’t, or (3) accessing your account from an insecure location such as a WiFi hotspot at a coffee shop, where there is limited security. These three issues are the most likely ways that your client’s data would be compromised, and all three of these scenarios are things that you should be responsible for.
You also want to make sure that you can get your data down from the online provider if they go out of business or if you change hosts. Both SugarSync and DropBox are easy to download your data from, so make sure you use a similar provider. With SugarSync and DropBox you can also use their services to synchronize across multiple computers. Then you essentially have your data in two or more places at all times, and so you aren’t completely dependent on them to get copies of your data if you should lose it on one computer. Those services will, of course, purge your data once you leave because they have no interest in clogging their servers with the data of former clients who aren’t paying them anymore.
A key obligation is the obligation to be informed about the terms governing your relationship with the online provider. Lawyers are not going to get off the hook by arguing that they didn’t understand what their obligations were, and what limitations were placed upon their service by the online provider. Some lawyers will shudder at the thought that their online provider might get a subpoena and turn over confidential client information. For me this is not a likely scenario. But, according to the NY Ethics opinion, it’s my obligation to make sure I know what SugarSync or DropBox would do if they got such a request. An online storage provider such as SugarSync or DropBox should, at a minimum, notify me that such a request has been issued and not simply turn over the information without giving me an opportunity to legally challenge the request.
The New York opinion could easily be interpreted to apply to client communications such as those that are hosted by web-based email providers such as Google. After all, web-based email is stored online.
So what’s a nervous lawyer to do? Avoid online storage altogether? I imagine that many lawyers will, until one day it becomes such an impediment to their practice that they find it too difficult to avoid. Federal appellate judge Alex Kozinski addressed this concern in the context of a criminal case where the government had obtained too much electronic information and then improperly used that information.
The advent of fast, cheap networking has made it possible to store information at remote third-party locations, where it is intermingled with that of other users. For example, many people no longer keep their email primarily on their personal computer, and instead use a web-based email provider, which stores their messages along with billions of messages from and to millions of other people. Similar services exist for photographs, slide shows, computer code, and many other types of data. As a result, people now have personal data that are stored with that of innumerable strangers. Seizure of, for example, Google’s email servers to look for a few incriminating messages could jeopardize the privacy of millions.
It’s no answer to suggest…that people can avoid these hazards by not storing their data electronically. To begin with, the choice about how information is stored is often made by someone other than the individuals whose privacy would be invaded by the search. Most people have no idea whether their doctor, lawyer or accountant maintains records in paper or electronic format, whether they are stored on the premises or on a server farm in Rancho Cucamonga, whether they are commingled with those of many other professionals or kept entirely separate.
US v. Comprehensive Drug Testing, 579 F.3d 959, 1005 (9th Cir. 2009). (emphasis added)
Judge Kozinski’s observations should be a guidepost for lawyers who deal with electronically stored information, and for bar associations that create ethical rules regarding online storage. The reality is that online storage is beneficial to everyone in many ways. Yes, there are perils, and lawyers should be mindful of them and minimize the risks in sensible ways. But avoiding online storage altogether is not likely to be a practical or sensible option in many cases.