Cloud Computing Ethics for Law Firms
Most law firms now use cloud services for email, document storage, practice management, and legal research. Cloud computing is standard.
But cloud computing raises ethics questions for lawyers. Rules of Professional Conduct apply to technology decisions.
Here's what law firms need to know about cloud computing ethics.
Ethics Rules That Apply
Duty of Confidentiality
Lawyers must protect client confidential information. This extends to how data is stored and transmitted.
Rule 1.6 in most jurisdictions requires reasonable efforts to prevent unauthorized access to client information.
Duty of Competence
Lawyers must maintain reasonable competence, including understanding the benefits and risks of technology.
Comment 8 to Rule 1.1 explicitly mentions technology competence.
Communication with Clients
Rule 1.4 requires keeping clients informed. This includes how their information is stored and protected.
Is Cloud Computing Ethical?
Short answer: Yes, when done properly.
ABA Formal Opinion 477R (2017) concluded that lawyers may use cloud computing if reasonable care is taken to ensure confidentiality and security.
Most state bars have issued similar opinions.
Key word: "reasonable care." Cloud computing itself isn't unethical, but failure to implement reasonable safeguards is.
What Is "Reasonable Care"?
Vendor Due Diligence
Research cloud vendor security practices before use:
- What security measures do they implement?
- Where is data stored geographically?
- Do they have security certifications (SOC 2, ISO 27001)?
- What is their track record on security incidents?
- How do they respond to data breaches?
Service Agreements
Review terms of service and privacy policies:
- Who owns the data?
- Can the vendor access or use client data?
- What happens to data if the relationship ends?
- Are there data retention and deletion obligations?
- What are breach notification requirements?
Data Protection Measures
Implement appropriate security measures:
- Strong passwords and multi-factor authentication
- Encryption for data in transit and at rest
- Access controls limiting who can see what
- Regular security updates
- Monitoring for suspicious activity
Common Cloud Services
Email (Office 365, Google Workspace)
Email contains confidential client communications. Cloud email is widely accepted as ethical when:
- Strong passwords and MFA are enabled
- Email encryption is available for sensitive communications
- Reasonable vendor (Microsoft, Google) with strong security
Document Storage (OneDrive, Dropbox, Box)
Client documents in cloud storage require:
- Encryption of sensitive documents
- Access controls
- Vendor with appropriate security measures
- Understanding of where data is stored
Practice Management Software
Cloud-based practice management is widely used ethically:
- Choose reputable vendors serving legal industry
- Verify security measures and certifications
- Enable MFA and strong access controls
- Understand backup and disaster recovery
Legal Research Platforms
Westlaw, Lexis, Bloomberg Law. Cloud-based legal research is standard.
These vendors understand legal confidentiality requirements.
Client Consent
Do you need client consent to use cloud services?
Generally Not Required
Most ethics opinions conclude that explicit client consent is not required for using reasonable cloud services.
Lawyers make technology decisions as part of representing clients.
When Consent May Be Needed
- Highly sensitive matters requiring extraordinary precautions
- Client specifically requests information about data storage
- Unusual cloud services with higher risk
- International data storage for clients concerned about jurisdiction
Client Communication
Even if consent is not legally required, informing clients about general technology practices builds trust.
International Considerations
Data Location
Where is data physically stored? Some cloud providers store data in multiple countries.
This can create issues with:
- Foreign government access to data
- Different privacy laws in different jurisdictions
- Client concerns about data location
CLOUD Act
The CLOUD Act is a US law that gives the government potential access to data stored abroad by US companies.
Law firms with international clients should understand its implications.
GDPR and International Privacy Laws
European and other international privacy laws affect how client data can be stored and transferred.
Firms with international clients need compliance strategies.
Specific Cloud Services Issues
Consumer vs. Business Services
Consumer versions of cloud services (free Gmail, Dropbox Basic) have different terms than business versions.
Business versions typically have better security, clearer data ownership, and appropriate terms of service.
Use business-grade services for client data.
Free Services
Free cloud services may monetize by analyzing data or advertising.
Read terms carefully. Free services may not be appropriate for confidential client data.
Third-Party Apps
Apps that integrate with cloud services may request broad access.
Evaluate third-party apps carefully before granting access to client data.
Mobile Devices
Smartphones and tablets accessing cloud services create additional considerations:
Device Security
- Strong passwords or biometric locks
- Encryption enabled
- Remote wipe capability if the device is lost
- Automatic updates enabled
App Security
Use official apps from trusted sources. Avoid third-party apps with unnecessary permissions.
Lost or Stolen Devices
Have procedures for immediately revoking access if a device is lost or stolen.
Training and Competence
Technology Competence
Ethics rules require understanding technology you use.
This doesn't mean deep technical expertise, but reasonable understanding of:
- What cloud services you're using
- How they protect data
- What risks exist
- How to use services securely
Staff Training
Everyone with access to cloud services needs security training:
- Password security
- Phishing recognition
- Proper use of cloud services
- Mobile device security
- Reporting suspicious activity
Vendor Changes
Terms of Service Changes
Cloud vendors change terms of service. Review changes when notified.
Significant changes may require reassessing whether the vendor remains appropriate.
Acquisitions
Cloud vendors get acquired. New ownership may change privacy practices or data handling.
Service Discontinuation
Vendors discontinue services. Have data portability plans for migrating if needed.
Incident Response
If Vendor Has Data Breach
- Determine what client data was affected
- Assess whether notification is required
- Consider ethics obligation to inform affected clients
- Document response
- Evaluate whether to continue using vendor
If Your Firm Has Security Incident
- Contain incident
- Assess scope of compromise
- Notify affected clients
- Report to authorities if required
- Review and improve security practices
Documentation
Written Technology Policies
Document firm policies about:
- Approved cloud services
- Security requirements
- Data handling procedures
- Incident response
Vendor Assessments
Document due diligence on cloud vendors. This shows that reasonable care was taken.
Practical Recommendations
For law firms using cloud services:
- Use reputable business-grade cloud services
- Enable multi-factor authentication everywhere
- Implement strong access controls
- Encrypt sensitive documents
- Train staff on security
- Review vendor security practices
- Have written technology policies
- Monitor for security issues
- Plan for incident response
- Stay informed about evolving security and ethics guidance
State Bar Guidance
Many state bars have issued ethics opinions on cloud computing:
- Most approve cloud computing with reasonable safeguards
- Some provide specific guidance on due diligence
- Check your jurisdiction for specific guidance
Our Perspective
At Robell Technologies, we help law firms implement cloud services ethically:
- Vendor assessment and selection
- Security configuration and hardening
- MFA implementation
- Staff training on secure cloud use
- Policy development
- Ongoing security monitoring
- Incident response planning
Twelve years serving Arizona law firms means understanding both technology and legal ethics requirements.
Cloud computing is ethical when implemented properly. The key is taking reasonable care to protect client confidentiality.
If your firm needs help evaluating cloud services, implementing appropriate security measures, or developing technology policies that meet ethics obligations, we can help.
Technology changes. Ethics principles remain constant. Use reasonable care to protect client information, whatever technology you choose.