This fall, the Illinois State Bar Association Committee on Professional Ethics reached two conclusions regarding use of cloud-based services. In Opin. 16-06, the Committee opined that:
(1) a lawyer may use cloud-based services to store confidential client information, so long as the attorney uses reasonable care to make sure that client confidentiality and client information is protected; and
(2) a lawyer is responsible for complying with her duties of competence in selecting a cloud-based services provider, assessing cloud-based services practices, and monitoring compliance with the lawyer’s professional obligations.
This opinion expands Illinois’s prior opinion where a lawyer may work with a private vendor to monitor the law firm’s computer server, so long as the lawyer takes reasonable steps to ensure the vendor protects client’s confidential information. See, ISBA Op. 10-01 (2009).
Rule 1.1 Competence provides that lawyers must provide competent representation to their clients. Illinois recently amended this rule to include that lawyers who use cloud-based services must have a sufficient understanding of the technology to properly consider the risks of disclosure of confidential information. See Illinois Rule 1.1 Comment 8. Lawyers must also make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential information. See Rule 1.6(e) Confidentiality. Because lawyers hire third-party providers for cloud-based services, lawyers will be subject to the professional rules regarding employing and supervising subordinates. See Rule 5.3 Comment 3.
Due to technology constantly changing, Illinois does not provide any specific requirements for lawyers when choosing a provider. However, Illinois does provide some tips for lawyers when inquiring about a cloud-based services provider, which are:
- Review cloud computing industry standards and what protections should be put in place when using a cloud-based service;
- Investigate whether the provider has employed reasonable security measures to protect client data from unintentional disclosures;
- Investigate the provider’s reputation and history;
- Look into whether the provider has experiences any security breaches in the past;
- Demand an agreement to reasonably safeguard that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches of information;
- Require that all data is backed up and under the lawyer’s control; and
- To require reasonable recovery of information if the agreement with the provider is terminated, or if the provider goes out of business.
Several other states have allowed lawyers to use cloud-based services to help with storing client information. See e.g., Alabama Ethics Op. 2010-2; Iowa Ethics Op. 11-01; Tennessee Formal Ethics Op. 2015-F-159; see generally “Cloud Ethics Opinions Around the U.S.”, American Bar Association, Legal Technology Resource Center.
To read the full opinion, click here.
