A Cloud on the Horizon? Attorneys’ Obligations when Using a Third-Party’s Cloud-Based Services
When we think of clouds, we likely picture cumulus, stratus, and cirrus ones, not the type of “cloud” that holds data and software. The latter type of cloud is generally controlled by a third-party service provider and is used to store and transmit information in a shared environment. The use of clouds is ever-increasing, including by attorneys. This widespread use has prompted the Illinois State Bar Association’s recent Professional Conduct Advisory Opinion Number 16-06 (the “Opinion”), which details attorneys’ obligations when using a cloud; such use is allowed in Illinois.
First, the Opinion imposes the duty on attorneys using clouds to understand cloud technology and to evaluate risks to confidentiality.
Second, attorneys are required to exercise due diligence when selecting a third-party cloud service provider. Because technology is constantly changing, the Opinion does not specify exactly what is required, but it provides some examples of what such a reasonable investigation “could” involve:
Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption;
Investigating the provider’s reputation and history;
Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;
Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data; and
Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.
Third, attorneys using a cloud are required to “supervise” and “oversee” the third-party service provider, in addition to making ongoing evaluations of the effectiveness of client security, taking into account advancements in technology. Id.
In issuing the Opinion, Illinois joins a growing list of states that have regulated attorneys’ use of clouds and have come to similar conclusions: Alabama (Ethics Opinion 2010-2 (2010)), Arizona (Ethics Opinion 09-04 (2009)), Iowa (Ethics Opinion 11-01 (2011)), Nevada (Formal Opinion No. 33 (2006)), Tennessee (Formal Ethics Opinion 2015-F-159 (2015)), and Washington (State Bar Association Advisory Opinion 2215 (2012)).
Thus, when considering the use of a cloud, attorneys must be aware of their obligations to exercise diligence, which exist before, during, and after the selection of a third-party service provider.