Search practiceblawg posts:

Did you know there is more to practicelaw than just forms?  practicelaw is designed to be a repository of resources intended to help your practice.  Similarly, the MSBA’s practiceblawg is a blog for the Association to share with you how the MSBA can help you improve your efficiency and grow your practice.  The MSBA offers members a number of products and services and is always looking for ways to better serve its members and provide greater value.

Got questions, complaints, suggestions, or any thoughts in general?  Let us know:

Cloud computing and the 'reasonable care' standard

by Joe Kaczrowski | Jul 20, 2015

"To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject." That's the relevant comment to Rule 1.1, but what does that mean with regard to cloud computing? 

Cloud computing is a hot topic these days, and one lawyers probably have a duty to keep abreast of. Many cloud-based legal services are available to attorneys today offering greater efficiency and ease-of-use for a number of different facets of the practice of law.

A lawyer has a number of other ethical obligations besides just maintaining the requisite knowledge and skill. For example, do these cloud-based systems allow the lawyer to satisfy the confidentiality requirement under Rule 1.6? As noted last week, Minnesota hasn't weighed in yet on cloud computing, but we can perhaps look to our friends across the borders for some insight.

With the Cloud, as Obi-Wan said about Mos Eisley, we must be cautious. Most states that have weighed in have adopted a reasonable care standard regarding the use of cloud computing. But what is reasonable? Wisconsin says that to determine reasonableness, an attorney should understand computer security concepts such as firewalls, virus and spyware programs, operating system updates, strong passwords and multifactor identification, encryption for stored information, dangers of using public wi-fi, risks of file-sharing sites, options for using a virtual private network (VPN), and the importance of regularly backing up data. Not up to speed on all of that? Wisconsin also says that a lawyer should consult an expert if his or her technical expertise is lacking.

Similarly, our neighbors to the south also suggest reasonable care includes determining the degree of protection afforded by the cloud services. Iowa also notes that a lawyer must ensure unfettered access to the data and be able to control data retention (i.e. the ability to remove data completely from the service).

Many states, like California, suggest the lawyer must not only evaluate the security measures employed by the service but also weigh the sensitivity of the data and the potential impact of disclosure.

The Wisconsin opinion states that “the lawyer’s efforts must be commensurate with the risks presented.” In the cloud or even with hard copies, it is impossible to completely eliminate all risk. Rather the advice is that an attorney must make "reasonable efforts." Tison Rhine, practice management advisor for the State Bar’s Law Office Management Assistance Program, offers some factors for consideration, including:

  • The information’s sensitivity.
  • The client’s instructions and circumstances.
  • The possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party.
  • The attorney’s ability to assess the technology’s level of security.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
  • The need for increased accessibility and the urgency of the situation.
  • The experience and reputation of the service provider.
  • The terms of the agreement with the service provider.
  • The legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.