My friend, co-author and cloud guru Nicole Black recently reported on Connecticut’s new opinion on cloud computing. To its credit, Connecticut did not mandate obtaining client consent for use of the cloud. Rather, it suggested that lawyers consider seeking consent commensurate with the level of security required. Thus, if you’re representing Edward Snowden, you’d probably want his express consent before posting your litigation playbook in the cloud for his review. By contrast, for most cases (which don’t involve NSA surveillance), this level of caution isn’t necessary – and client consent shouldn’t be either.
Still, many lawyers are apt to “over read” the Connecticut decision as mandating client consent for cloud use in all cases or may, as a prophylactic measure, obtain advance client consent. That’s a problem – because requiring client consent for cloud computing has numerous unintended consequences.
First, many lawyers who use the cloud offer unbundled or virtual services. These lawyers have a hard enough time convincing consumers why they should pay a few hundred dollars to retain a virtual law firm and have a lawyer incorporate an LLC or draft a will online instead of doing it through a non-lawyer service like LegalZoom that may charge under one hundred bucks. But if clients not only have to pay a virtual firm more but also jump through all kinds of hoops to consent to the cloud, they’ll run screaming for LegalZoom. I certainly would.
Second, even doctors aren’t required to obtain client consent to store or exchange data in the cloud under HIPAA. Clients, accustomed to doctors using the cloud without their consent, may suspect that they need to consent to lawyer use of the cloud because the lawyer’s platform is sub-standard. That’s not a great message to send.
Third, requiring client consent removes the responsibility for security from the entity with which it should lie: the vendor. If clients consent to lawyers using the cloud, then if something goes wrong, clients can’t sue the lawyer for damages (absent a showing of gross negligence or lawyer conduct that violated ethics rules or standards of care). If clients can’t sue for harm, lawyers don’t have much of a cause of action against the vendor either – and if the vendor isn’t on the hook for damages, it has less incentive to improve the level of security provided. In fact, it’s no surprise that most cloud vendors don’t vehemently object to the client consent requirement – and some actively promote obtaining client consent as a best practice.
My 21st Century Retainer program (sign up here for the August 1 event) includes sample language for a client consent clause – not because I endorse it but because I know some bars do require it (and in some instances, consent may be justified). But I don’t believe that it’s a good idea in most cases – and because of the unintended consequences, neither should you.