Ethics on the Cloud

Recent developments in cloud-based computing have enabled professionals to perform an increasing amount of work remotely.  Because professionals are no longer tied to the office, they are able to work more efficiently and better serve their clients.  However, the use of third-party technology companies to store confidential client data raises several ethics concerns regarding the professional-client relationship.

The Tennessee Board of Professional Responsibility issued a formal ethics opinion earlier this month that addresses the ethical concerns of cloud-based computing.  Cloud computing allows individuals to store and access software and data that is stored at a remote network, which is often controlled by a third party, rather than on the individual’s personal computer.

In addressing this ethics question, the Board recognized that an attorney owes the same duties of care and confidentiality to a client with respect to information stored on the cloud as they would otherwise owe clients pursuant to the rules of professional conduct.  Because the use of cloud computing generally places a service provider between the lawyer and her client’s confidential information, the Board cautioned that cloud computing adds additional level of risk and loss of control over the information that could compromise the attorney’s ethical obligations to her client.

Nevertheless, the Board determined that use of cloud technology was not necessarily improper as long as the lawyer takes reasonable measures to protect client information.  The Board continued that the level of reasonable protection is dependent on the particular nature of the client and sensitivity of the client’s data.  For instance, where an attorney is entrusted with proprietary client information, additional security measures may be necessary to ensure that it does not leak to competitors.  Although professionals are not expected to have expertise in data security, they must nevertheless remain cognizant of how and where data is stored.  This duty of competency also demands that the attorney choose third-party providers that are qualified to provide the particular service that they are engaged to perform.  The lawyer is therefore responsible for investigating the technology company’s ability to protect the information from unauthorized access and unintended loss.

The Board offered several guidelines for attorneys to follow to ensure that their cloud-based activity complies with ethical standards.  These include entering into an agreement with the cloud service provider that specifies how the provider will handle confidential information in accordance with the lawyer’s professional responsibilities, establishing a method for retrieving data if the service provider’s servers are compromised, and conducting due diligence on the cloud service provider to verify its measures for safeguarding the security and confidentiality of client information.  Attorneys who fail to take these precautions could risk violating the rules of professional conduct and potentially open themselves up to a malpractice suit.