Recently, the Illinois State Bar Association (ISBA) issued a Professional Conduct Advisory Opinion stating that lawyers may use cloud-based services to store client information.
However, the ISBA warned that the use of cloud-based services raises ethical implications of “…competence, confidentiality and the proper supervision of non-lawyers.”
The ISBA quoted Nevada Formal Opinion 33 (2006), which analogized the duty to protect client information on a cloud-based service to the duty to protect client information on a physical server. The Nevada Opinion concluded, “[t]he question in either case is whether the attorney acted reasonabl[y] and competently to protect the confidential information.”
To help lawyers select a cloud-based service provider, the ISBA outlined 7 non-exhaustive practices lawyers could engage in (summarized):
- Reviewing industry standards and appropriate safeguards;
- Investigating whether the provider has implemented reasonable security precautions;
- Investigating the provider’s reputation and history;
- Inquiring as to whether the provider has experienced any breaches of security;
- Requiring an agreement;
- Requiring that all data is appropriately backed up;
- Requiring provisions for the reasonable retrieval of information.
Further, the ISBA warned that the duties implicated by using cloud-based services do not end with choosing a reputable provider. This is in part due to the fact that the Illinois Supreme Court recently amend Comment 8 to Rule 1.1 of the Illinois Rules of Professional Conduct. The Comment now reflects Comment 8 to Rule 1.1 of the Model Rules of Professional Conduct and says “…lawyers must keep abreast of changes in law and its practice, including the benefits and risks associated with relevant technology…” (Emphasis added).
This led the ISBA to echo Arizona Ethics Op. 09-04 (2009) and Washington State Bar Association Advisory Op. 2215 (2012) (among others) and conclude that lawyers using cloud-based services must, “…conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected.”
Read the full opinion here.