As more lawyers struggle to cut costs and boost office efficiency, many are turning to Internet-based data storage and client services computer programs.But those who might have their heads in the clouds when it comes to client confidentiality concerns have been offered a wake-up call by the Connecticut Bar Association.
In an informal advisory opinion released in late June, the CBA's Standing Committee on Professional Ethics issued a report that answers a question many lawyers in the state have been asking: Can a lawyer use cloud computing and not run afoul of the Rules of Professional Conduct?
The answer, of course, rests in the details of how the technology is used. While the opinion does not advise Connecticut lawyers on what steps they might take to protect client data from being lost or compromised, it does remind lawyers to pay attention to what they are doing when using the latest technology.
"This opinion is a starting point for issues raised by a lawyer's use of cloud computing," said John Logan, who is chair of the Committee on Professional Ethics. "Due diligence will require lawyers to keep pace with emerging standards."
Stephen Conover, a partner with Sandak Hennessey & Greco in Stamford and a member of a steering committee that did the research, said the advisory will remind lawyers of their responsibility when deciding how to store client information. "Just like with storing paper documents," he said, "it's important that lawyers know what they are doing is secure. You have to think before you click."
One thing that's clear in all discussions of lawyer responsibility with regard to technology is the reality that technology changes quickly. The CBA committee took a look at a similar issue back in 1999, when it concluded that a lawyer's use of non-password protected email was not a violation of Rules of Professional Conduct. That opinion advised lawyers to get a client's approval when sending sensitive client information "through telephone lines, fax machines or even regular mail."
"While the technology the committee examined in 1999 is now obsolete," the opinion states, "the need for a lawyer to thoughtfully and thoroughly evaluate the risks presented by the use of current technology remains as relevant as ever."
Risks And Benefits
The latest opinion comes on the heels of a proposed change to the Connecticut Rules of Professional Conduct, which would require lawyers to keep up to date on the risks and benefits of technology. The opinion also addresses long-established client confidentiality rules which require lawyers "to make reasonable efforts" to prevent access or disclosure of client confidentiality. For the purposes of the discussion, cloud computing refers to storing, managing and processing data on remote Internet servers, rather than on personal computers or servers in a law office.
"Lawyers may use cloud services in their practice to promote mobility, flexibility, organization and efficiency," the committee summarized in its opinion. "However, lawyers must be conscientious to comply with the rules that require lawyers to make reasonable efforts to meet their obligations."
The choice of the word "reasonable" was not lost on Neyah Kane Bennett, a partner at a Middletown firm that does all of its work "in the cloud."
"I thought the key to the opinion is that you have to use reasonable measures," Bennett said. "They used the word reasonable 12 times in their opinion, and I think that is appropriate, because you don't know how technology is going to change or how it's going to be used in the future."
The main point of concern for lawyers using cloud technology, Bennett said, "is you need to have reliable access to the data, and for the sake of your client and rules of conduct, you need to make reasonable efforts that the data is not going to be inadvertently" lost or disclosed.
His firm, Aeton Law Partners in Middletown, is a five-lawyer firm that handles business law, commercial and complex litigation, and intellectual property legal matters. The office is entirely web-based. The reason, Bennett said, is it allows the firm to access client information from anywhere the lawyer might be.
The digital technology is a time-saver, as it stops lawyers from having to search through piles of paper files. There are also cost-effective reasons for going all-digital. By using a cloud-based storage and computing system, rather than a server and hard drive, a small law firm can save about $1,000 a month in data maintenance costs. "The cost savings are significant," Bennett said.
For a lawyer or firm striving for safe storage, Bennett suggests using a reputable cloud computing vendor. If a lawyer is looking for extra protection, he or she can try to have the vendor sign a contract that it will take steps to avoid confidential information from being lost or accessed by uninvited third-parties.
The trouble is, Bennett said, "a lot of the more reputable companies won't sign those contracts, because they don't want to assume any liability."
To provide extra protection, lawyers who use offsite storage for data and files would benefit greatly by using double and even triple layers of password protections on their computers and smart phones. "That's what I have on my laptop, three different levels of password protection," Bennett said.
Private v. Professional
Barry Hawkins, a Shipman & Goodwin commercial litigation attorney who last week was wrapping up his term as Connecticut Bar Association president, said there has been "constant talk back and forth" about whether information stored in cloud devices is really secure.
The possibility that any storage device can be hacked into, putting a lawyer's professional confidentiality obligations in jeopardy, is reason for all lawyers who use cloud computing to be concerned. For that reason, he said, lawyers must be acutely aware of the line between their personal and private lives when using technology.
"Clearly, in my personal life, I'm not highly concerned about whether my photos or music collection is stored in an Apple iPhone or iPad device or cloud storage, because it's easily accessible," Hawkins said. "But when it comes to keeping client data stores, that's another matter."
Ralph Monaco, a former CBA president and partner with Conway, Londregan, Sheehan & Monaco in New London, keeps up on technology issues. He said the question of how safe lawyers are in using cloud storage in their practices has been a growing topic of conversation.
"I think the issue is more pressing for firms on the administrative side or for newer practitioners who are grappling with what to do with their file storage capabilities," Monaco said. "I'm delighted the Professional Ethics committee decided to take on this issue and provide such an outstanding legal advisory opinion. It's a good framework for lawyers to consider when deciding whether cloud computing is the right thing for them."
In considering the need to protect client data, Conover pointed out that lawyers who use iPhone apps and remote data storage should not be lulled into thinking quick access ensures reliability and security. It's still up to the lawyer to take steps to protect the information, he said. "With data storage, you get what you pay for."•
The informal opinion on cloud computing can be found at the Connecticut Bar Association website, ctbar.org. Once on the website, click the tab for Sections and Committees on top of the page, and go to the Professional Ethics Committee page. A link to the opinion is at the bottom of the page.