Don’t Let Your Ethical Duties Get Lost in the Cloud

The following is a guest blog post by Perry L. Segal, an attorney and management consultant at Charon Law, Redwood City. Mr. Segal has over 25 years of combined experience in law and technology. He is co-chair of the California Council of State Bar Sections, special advisor and past-chair of the Law Practice Management and Technology Section Executive Committee, and a member of the bar’s Social Media Task Force.

Few technologies create more puzzlement and worry for attorneys than “the cloud.” Attorneys, quite reasonably, want to know how they can stay on the right side of their ethical obligations when it comes to using it. As always, attorneys need to practice in accordance with the standard of reasonable care and effort. But there’s a caveat: Attorneys will be charged with the standard of an attorney who is competent in the understanding and use of technology. What does this actually mean? And as a practical matter, what can an attorney do?

The cloud isn’t an entirely new world when it comes to ethical duties. Existing rules addressing an attorney’s duty of confidentiality apply to the cloud in the same way that they apply to a physical office.

But the duty to act competently does have a new wrinkle when it comes to protecting client data in the cloud: You have to carefully choose a service provider and review the service agreement. At a minimum, you should:

  • Read the vendor’s terms of use and privacy policies;
  • Ensure that these policies prohibit unauthorized access to your client data;
  • Ensure that these policies grant you reasonable access to, and control of, the data; and
  • Vet the vendor to ensure it has a reliable reputation.

These guidelines may be easy to state, but for the attorney who isn’t competent in technology, the question is obvious: “Great. But, how do I vet the vendor when I don’t understand how any of this stuff works?” Here’s the good news: You don’t have to do so personally—but whomever you hire to manage the process does have to do so.

Whoever reviews the agreement should watch for a trap door: some vendors insert a clause claiming, in general terms, that once a user places data on the vendor’s systems, the vendor owns it. And even when a contract appears to be favorable on its face, that doesn’t ensure that the provider itself or its hardware or software will protect the user.

And, in addition to reviewing the vendor’s terms of use and privacy policies, you’ll need to conduct due diligence on the vendor’s cybersecurity measures and other practices to ensure that your legal and ethical obligations will be met. These security measures must ensure that the confidentiality of client data will be maintained. The vendor must identify the various security protocols that it follows for a customer’s content, either in transmission or at rest.

Get more detail on this information and a checklist of questions to ask about the cloud before entrusting client data to a vendor in Mr. Segal’s article Working in the Cloud in the Summer 2017 issue of CEB’s Business Law Practitioner. For more on cloud computing generally, turn to CEB’s Internet Law and Practice in California, chap 6.

© The Regents of the University of California, 2017. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.
