The ethical issues at stake
Lawyers have a duty to
Lawyers have a duty to
property, including client
files, from loss.
Lawyers have a duty to be
competent in technology.
Every ethics panel agrees on two points ...
1. Lawyers may use the
2. Must take reasonable
steps to minimize risk to
and client files.
Alabama State Bar
Arizona State Bar
Formal Opinion 09-
Opinion No. 2010-
Florida Bar Opinion
Iowa State Bar
Ethics Opinion 11-
New Hampshire Bar
Ethics Opinion 701
Nevada State Bar
Formal Opinion No.
New York State Bar
842 of 2010
North Carolina 2011
Opinion No. 2011-
Virginia Legal Ethics
North Carolina 2011
“A law firm may use SaaS if reasonable care is
taken to minimize the risks of inadvertent
disclosure of confidential information and to
protect the security of client information and client
“A lawyer must fulfill the duties to protect
confidential client information and to safeguard
client files by applying the same diligence and
competency to manage the risks of SaaS that the
lawyer is required to apply when representing
“The degree of protection to be afforded client
information varies with the client, matter and
information involved. But it places on the lawyer the
obligation to perform due diligence to assess the
degree of protection that will be needed and to act
“Whatever form of SaaS is used, the lawyer must
ensure that there is unfettered access to the data
when it is needed. Likewise the lawyer must be able
to determine the nature and degree of protection that
will be afforded the data while residing elsewhere.”
Iowa State Bar Ethics Opinion 11-01
“A competent lawyer using cloud computing must
understand and guard against the risks inherent in it.”
“There is no hard and fast rule as to what a lawyer must do
with respect to each client when using cloud computing.
The facts and circumstances of each case, including the
type and sensitivity of client information, will dictate what
reasonable protective measures a lawyer must take when
using cloud computing.”
“Competent lawyers must have a basic understanding of
the technologies they use. Furthermore, as technology, the
regulatory framework, and privacy laws keep
changing, lawyers should keep abreast of these changes.”
New Hampshire 2012-13/4
Florida Bar Opinion 12-3
Lawyers have an obligation to remain current not
only in developments in the law, but also
developments in technology that affect the
practice of law.
Lawyers who use cloud computing … have an
ethical obligation to understand the technology
they are using and how it potentially impacts
confidentiality of information relating to client
matters, so that the lawyers may take appropriate
steps to comply with their ethical obligations.
Massachusetts Bar Ethics Opinion 12-03
“Lawyer remains bound to follow an
express instruction from his client that the
client's confidential information not be
stored or transmitted by means of the
“He should refrain from storing or
transmitting particularly sensitive client
information by means of the Internet without
first seeking and obtaining the client's
1. Company Due Diligence
Is this a solid company with a good operating record?
Do others recommend the company?
2. Unrestricted access to data
Can I get my data whenever I want?
Is the data stored elsewhere in the event I'm denied
“Optionally, upon request by the Subscriber, all Content
associated with the subscription will be replicated at a
regular interval, to an offsite storage server accessible
only to a reputable data escrow agent (“Escrow Agent”).
The replicated Content (“Escrowed Data”) will be held
under the terms of a separate agreement among
Themis, the Subscriber, and the Escrow Agent (“Escrow
3. Termination of relationship
If I terminate the service, can I retrieve my
If the service is terminated due to my non-
payment, what happens to my data?
If the company shuts down, can I get my data?
Will the data be available in a non-proprietary
“At LexisNexis we believe strongly that the data you
place in LexisNexis Firm Manager belongs to you! To
provide you with the comfort that you retain control of
your critical client-privileged information and work
• “Your administrator can export your data at any time.
• “If you cancel your subscription, we maintain your data
online for 6 months. … At any time you can decide to
purge your data, removing it from LexisNexis systems.
• “If you purge your data, your client privileged work
product is removed from our systems … [and] from
our backup tapes as well.”
4. Password Protection
Is two-step verification available?
Account monitoring for suspicious activity?
5. Protection of confidentiality
Lawyer must ensure “that the online
data storage provider has an
enforceable obligation to preserve
confidentiality and security, and that
the provider will notify the lawyer if
served with process requiring the
production of client information.”
-NYSBA Ethics Opinion 842
Building access and security
of entrances and
At least two
keep climate at
Fire detection and
monitoring of all
9. Physical security of data centers
• Auditing standards verifying that controls are in place to protect financial
• Can apply to:
• Data centers and colocation facilities.
• SaaS providers.
• Payroll processing companies.
• Loan servicing companies.
• Medical claims processors.
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II).
• Reporting option specifically designed for data centers, SaaS vendors, and
• System security.
• System availability.
• System processing integrity.
• Confidentiality of information.
• Privacy of personal information.
Data Center Seals of Approval
10. Get Extra Security
• Client-side encryption for Mac, Windows, iOS and
• Works with Dropbox, Box, Google Drive and SkyDrive.
• Can share with others, but they must also install Viivo.
• Free, geeky disk encryption software for Windows, Mac
• Can be used to encrypt files before sending to Dropbox.
• Client-side encryption for Dropbox and other systems.
• Easy email encryption, works with webmail services
such as Gmail as well as with Outlook.