A List of All the Ethics Opinions on Cloud Computing for Lawyers

Can law firms use the cloud? With widespread adoption by both consumers and business, and increasing cloud adoption amongst law firms, there is still a section of lawyers that remain skeptical about legal cloud computing, and whether they can use the cloud in their legal practices. 

Bar Associations and Law Societies within the US and around the world have issued ethics opinions on cloud computing for lawyers. The vast majority highlight that lawyers can use cloud computing, provided they do appropriate due diligence and find a provider that complies with a lawyer’s ethical duties. For example, a provider must be able to ensure a reasonable expectation of security so that a law firm is able to keep it’s clients’ information confidential in the cloud.

Below are charts linking each ethic opinion on cloud computing for lawyers. We’ve also included some high-level guidance to help a law firm with research into their jurisdiction’s requirements, based on relevant language from the opinions.

In total, 30 US States have issued formal or informal ethics opinions on cloud use for lawyers, and the American Bar Association has also issued an opinion. Outside of the US, X different jurisdictions have issued ethics opinions on cloud computing for lawyers as well.

US State Bar Ethics Opinions on Cloud Computing for Lawyers

Jurisdiction Issuer Key Language
ALABAMA

Opinion 2010-02

Alabama State Bar Office of General Counsel
  • Know how provider handles storage/security of data.
  • Reasonably ensure confidentiality agreement is followed.
  • Stay abreast of best practices regarding data safeguards.
ALASKA

Opinion 2014-3

Alaska Bar Association
  • Take reasonable steps to ensure that sensitive client information remains confidential and safeguarded
  • Determine whether the provider of the services is a reputable organization.
ARIZONA

Opinion 09-04 (Note ethics opinions are now governed by the Arizona Supreme Court’s Attorney Ethics Advisory Committee (AEAC), that was created pursuant to Rule 42.1, Ariz. R. Sup. Ct., and Administrative Order No. 2018-110. No past opinions are formally adopted by this committee at this time.) 

State Bar of Arizona
  • “Reasonable security precautions,” including password protection, encryption, etc.
  • Develop or consult someone with competence in online computer security.
  • Periodically review security measures.
CALIFORNIA

Opinion 2010-179

The State Bar of California standing Committee on Professional Responsibility and Conduct
  • Evaluate the nature of the technology, available security precautions, and limitations on third-party access.
  • Consult an expert if lawyer’s technology expertise is lacking.
  • Weigh the sensitivity of the data, the impact of disclosure on the client, the urgency of the situation, and the client’s instructions.
CONNECTICUT

Informal Opinion 2013-07

Connecticut Bar Association Professional Ethics Committee
  • Lawyers ownership and access to the data must not be hindered.
  • Security policies and processes should segregate the lawyer’s data to prevent unauthorized access to the data, including by the cloud service provider.
FLORIDA

Opinion 12-3

Florida Bar Professional Ethics Committee
  • Ensure provider has enforceable obligation to preserve confidentiality and security, and will provide notice if served with process.
  • Investigate provider’s security measures
  • Guard against reasonably foreseeable attempts to infiltrate data.
ILLINOIS

Opinion 16-06

Illinois State Bar Association
  • Takes reasonable measures to ensure that the client information remains confidential
  • Lawyer’s obligation to protect does not end once the lawyer has selected a reputable provider
IOWA

Opinion 11-01

Iowa State Bar Association  Ethics and Practice Guidelines Committee
  • Ensure unfettered access to your data when it is needed, including removing it upon termination of the service.
  • Determine the degree of protection afforded to the data residing within the cloud service.
KENTUCKY

Opinion KBA E-437

Kentucky Bar Association
  • Investigate the qualifications, competence, and diligence of the provider
  • Determine whether the provider is capable of conduct compatible with the lawyer’s ethical responsibilities
  • Consult with the client about the use of the cloud if the matter is sufficiently sensitive
LOUISIANA

Opinion 19-RPCC-021(focusing on technological competency but covering cloud usage)

Louisiana State Bar Association
  • Conduct due diligence research on prospective service providers
  • Take reasonable steps to ensure that ethical standards and responsibilities of the lawyer are also met by the conduct of the service provider
  • Create an enforceable obligation on the vendor’s part to safeguard the confidentiality of data
MAINE

Opinion 207

Maine Professional Ethics Commission
  • Ensure firm technology in general meets professional responsibility constraints.
  • Review provider’s terms of service and/or service level agreements.
  • Review provider’s technology, specifically focusing on security and backup.
MASSACHUSETTS

Opinion 12-03 

Massachusetts Bar Association
  • Review (and periodically revisit) terms of service, restrictions on access to data, data portability, and vendor’s security practices.
  • Follow clients’ express instructions regarding use of cloud technology to store or transmit data.
  • For particularly sensitive client information, obtain client approval before storing/transmitting via the internet.
MICHIGAN

Opinion RI-355 (declares cloud use permissible in dicta)

Opinion RI-381 (focusing on technological competency but covering cloud usage)

State Bar of Michigan
  • Ensure that she retains ownership and has ability to access the file materials upon termination of the vendor relationship
  • Exercise reasonable care to ensure that the third-party vendor itself uses reasonable security measures
MISSOURI

Informal Opinion 2018-09 

Missouri Bar Legal Ethics Counsel
  • Maintain competence in the use of relevant technology
  • Make reasonable efforts to safeguard confidential information from inadvertent or unauthorized disclosure or access
NEBRASKA

Opinion 19-01

Nebraska State Bar Association Ethics Advisory Committee
  • Undertake  reasonable  efforts  to: (1)  prevent inadvertent or unauthorized access to that information
  • (2) maintain the confidentiality of the information;
  • and (3) establish reasonable safeguards to ensure the information is protected from loss, breaches, business interruptions, and other risks
NEVADA State Bar of Nevada Standing Committee on Ethics and Professional Responsibility
  • Chose a vendor that can be reasonably relied upon to keep client information confidential.
  • Instruct and require the vendor to keep client information confidential.
NEW HAMPSHIRE

Opinion #2012-13/4

New Hampshire Bar Association Ethics Committee
  • Have a basic understanding of technology and stay abreast of changes, including privacy laws and regulations.
  • Consider obtaining client’s informed consent when storing highly confidential information.
  • Delete data from the cloud and return it to the client at the conclusion of representation or when the file must no longer be preserved.
  • Make a reasonable effort to ensure cloud providers understand and act in a manner compatible with a lawyer’s professional responsibilities.
NEW JERSEY

Opinion 701

New Jersey Advisory Committee on Professional Ethics
  • Vendor must have an enforceable obligation to preserve confidentiality and security.
  • Use available technology to guard against foreseeable attempts to infiltrate data.
NEW YORK

Opinion 842

New York State Bar Association Committee on Professional Ethics
  • Vendor must have an enforceable obligation to preserve confidentiality and security, and should notify lawyer if served with process for client data.
  • Use available technology to guard against foreseeable attempts to infiltrate data.
  • Investigate vendor security practices and periodically review to be sure they remain up-to-date.
  • Investigate any potential security breaches or lapses by vendor to ensure client data was not compromised.
NORTH CAROLINA

2011 Formal Ethics Opinion 6

North Carolina State Bar Ethics Committee
  • Review terms and policies, and if necessary re-negotiate, to ensure they’re consistent with ethical obligations.
  • Evaluate vendor’s security measures and backup strategy.
  • Ensure data can be retrieved if vendor shuts down or lawyer wishes to cancel service.
OHIO

Informal Advisory Opinion 2017-05

Ohio Board of Professional Conduct
  • Diligently investigate the measures undertaken by the vendor to ensure its operations are compatible with the lawyer’s professional obligations.
  • Require that the vendor give the lawyer notice of subpoenas for client

data, nonauthorized access to the stored data, or other breach of Security.

Reliable means of retrieving the data if the agreement is

terminated or the vendor goes out of business.

NORTH DAKOTA

Opinion 99-03 (examining cloud backups)

State Bar Association of North Dakota Ethics Committee
  • Ensure the security of the data transmission
  • Ensure the security of the data storage is adequate for the sensitivity of the records to be transmitted and stored
OREGON

Opinion 2011-188

Oregon State Bar
  • Ensure service agreement requires vendor to preserve confidentiality and security.
  • Require notice in the event that lawyer’s data is accessed by a non-authorized party.
  • Ensure adequate backup.
  • Re-evaluate precautionary steps periodically in light of advances in technology.
PENNSYLVANIA

Opinion 2011-200

Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility
  • Exercise reasonable care to ensure materials stored in the cloud remain confidential.
  • Employ reasonable safeguards to protect data from breach, data loss, and other risk.
  • See full opinion for 15 point list of possible safeguards.
TENNESSEE

Opinion 2015-F-159

Board of Professional Responsibility of Tennessee Supreme Court
  • Lawyer takes reasonable care to assure that: (1) all such information or materials remain confidential, and
  • (2) Reasonable safeguards are employed to ensure that the information is protected from breaches, loss, and other risks.
TEXAS

Opinion 680

Professional Ethics Committee for the State Bar of Texas
  • Lawyers should remain continually alert to the vulnerability of cloud-based vendors and systems to data breaches and whether a particular vendor or system appears to be unusually vulnerable
  • Lawyer must take reasonable precautions in the adoption and use of cloud-based technology for client document and data storage 
VERMONT

Opinion 2010-6

Vermont Bar Association
  • Take reasonable precautions to ensure client data is secure and accessible.
  • Consider whether certain types of data (e.g. wills) must be retained in original paper format.
  • Discuss appropriateness of cloud storage with client if data is especially sensitive (e.g. trade secrets).
VIRGINIA

Legal Ethics Opinion 1872

Virginia State Bar Standing Committee on Legal Ethics
  • Exercise care in selection of the vendor.
  • Have a reasonable expectation the vendor will keep data confidential and inaccessible.
  • Instruct the vendor to preserve the confidentiality of information.
WASHINGTON

Advisory Opinion 2215

Washington State Bar Association Committee on Professional Ethic
  • Conduct a due diligence investigation of any potential provider.
  • Stay abreast of changes in technology.
  • Review providers security procedures periodically.
WISCONSIN

Opinion EF-15-01

State Bar of Wisconsin Professional Ethics Committee
  • Consider the sensitivity of the data, the impact of the disclosure, the client’s circumstances and instructions
  • Consult an expert if lawyer’s technology expertise is lacking.
  • Understand/know the experience and reputation of the service provider and the terms of their agreement. 

Other US Bar Association Ethics Opinions on Cloud Computing for Lawyers

 

Issuer Key Language
AMERICAN BAR ASSOCIATION

Formal Opinion 95-398: Access of Nonlawyers to a Lawyer’s Data Base

  • …ensure that the service provider has in place, or will establish, reasonable procedures to protect the confidentiality of information to which it gains access, and moreover, that it fully understands its obligations in this regard.
  • [A] lawyer might be well-advised to secure from the service provider in writing, along with or apart from any written contract for services that might exist, a written statement of the service provider’s assurance of confidentiality.

Global Ethics Opinions on Cloud Computing for Lawyers

Jurisdiction Issurer Key Language
CANADA, BRITISH COLUMBIA

Cloud computing due diligence guidelines

Law Society of British Columbia
  • Lawyers must ensure that the service provider and technology they use support the lawyer’s professional obligations …
  • Lawyers must take steps to ensure the confidentiality and privilege of their clients’ information is protected.  Clear contractual language should be used to accomplish this objective. 
EUROPE

CCBE Guidelines on the Use Of Cloud Computing Services By Lawyers

Council of Bars and Law Societies of Europe [D]ata protection laws and  professional secrecy principles should be taken  into account by lawyers as a primary step when considering using cloud computing services.
SINGAPORE

Guidance Note 3.4.1

Law Society of Singapore
  • Ensure contractual terms state that your provider will not access your data for any secondary purpose (i.e. any purpose other than for providing the service to you –such as advertising)
  • Select a service provider with appropriate security measures in place(e.g.accreditation, encryption technology that meets or exceeds international standards)
SCOTLAND

Cloud Computing Guide

Law Society of Scotland
  • Your cloud provider should give assurance that your information will be treated as confidential and not used or disclosed to third parties.
  • [Y]ou should retain full ownership of the data stored on your provider’s system and have an explicit right to get your data back on demand.
ENGLAND The Law Society of England and Wales

Can your law firm use the cloud?

If the state or jurisdiction you practice in is featured within this list, make sure any cloud computing providers you use align with the recommendations within your state’s ethics opinion. No matter what, make sure your provider has strong security standards.

If you’re not sure which legal cloud computing tools your firm needs, check out this list of what technology your law firm actually needs.

If your state or jurisdiction is not on this list, that doesn’t necessarily mean your law firm is prohibited from using the cloud. Make sure you’re following data security best practices, and reach out to your bar association’s ethics committee if you have concerns.

Today, cloud technology has a wealth of benefits that outweigh any potential risks for law firms, including increased efficiency, lower overhead, and ease of use for their teams. Law firms should feel confident exploring cloud providers, allowing them to benefit from the flexibility and adaptability the cloud provides in a modern environment.

Note: The information in this article applies only to US practices. This post is provided for informational purposes only. It does not constitute legal, business, or accounting advice.