In a recent post at Catalyst Secure, my friend Bob Ambrogi not only summarizes Massachusetts’ recent ethics ruling on lawyer use of cloud platforms, but provides a valuable public service with a roundup of ethics decisions from 11 other jurisdictions. Like most states, Massachusetts permits lawyers to use cloud-based products so long as they (1) make reasonable efforts to ensure that the vendor selected operates in a manner consistent with a lawyer’s professional obligations and (2) obtain clients’ express consent to use cloud products.
Since it seems that the state bars are never going to come to their senses and adopt my oft-repeated recommendation that the 50 states pool their resources to develop sound, technology-based guidance for lawyers who wish to use the cloud, we’re now stuck with a dozen copycat rulings that basically say “It’s OK for you lawyers to use the cloud if you’re reasonable in selecting a secure provider – but just to be on the safe side, you’d better make sure that your clients expressly consent.” Not only does this kind of requirement throw up a red flag that can heighten clients’ concern, but it makes us lawyers look as if we’re trying to pass the buck on security.
I’ve said this before but I’ll say it again and again and again until someone listens. First, why do the bars discriminate against the cloud when it comes to client disclosure? I’m not required to tell clients which bank I use to house my trust account, or seek special approval for use of online banking services. I’m not required to obtain client approval to conduct research on LEXIS or Westlaw even though it’s conceivable that someone could hack into my account and discover certain search strings that give away my strategy. I’m not required to seek my clients’ consent to store unencrypted information on my computer or use a certain type of lock on my office door or to leave the cleaning service in my office unattended. All of these practices that I’ve listed can potentially compromise the confidentiality or security of client documents or property (in the case of bank accounts). So why is only the cloud singled out?
Second, why must we burden clients with an obligation that should be our responsibility alone? When clients come to us for representation, they’ve got enough on their plate – maybe they’re facing a 20-year jail sentence or they’re about to lose their home or they’re trying to leave an abusive relationship. The last thing they need is to read through a 40-page retainer letter with millions of caveats and “initial here, please.”
Moreover, clients aren’t stupid. Many of them use online banking or patronize doctors’ offices that store files in the cloud. Yet, even though banks and doctors are subject to far more stringent statutory requirements (like HIPAA or consumer credit laws), users aren’t required to sign a special consent form authorizing those entities to store data in the cloud. So when their lawyer requires consent, clients will either wonder (1) whether the cloud products that we lawyers use are inferior to those of banks and doctors (because otherwise, why would a special consent be required), or (2) how they’re expected to know whether the cloud is safe enough for their data to provide informed consent when their lawyer apparently can’t figure it out. Neither scenario makes us look very good.
Oh and by the way, have you ever tried to draft consent language for a retainer agreement? I’ve been going through that exercise as part of preparation of materials on my 21st Century Retainer Agreement and am hard pressed to come up with a clause that doesn’t make it seem like I’m trying to slough off liability for careless security practices to clients. At the very least, if the bars are going to come up with this nonsense, why not provide some stock language to include in our retainer agreements?
Though I’m coming out swinging at the bars, I’m not unsympathetic. Most disciplinary committees are overworked and underpaid, and drafting an ethics ruling, even one that essentially lifts the reasoning from another jurisdiction’s opinion, is a time-consuming task, involving research, analysis and endless rounds of review. Moreover, many committee members simply don’t use this technology and they’re intimidated by the unknown. So rather than do what real scientists do in the face of uncertainty (gather data, learn more and adapt course to new developments), the bars do what lawyers do (after all, regulators are lawyers!) which is to figure out a way to CYA.
The cloud is here, and it’s here to stay. If the bars are serious about protecting client data, instead of wasting already scarce resources to draft stupid opinions that scare lawyers and clients away from the cloud, each bar should fork up $20,000 for a total of $1 million and then use the money to interview doctors, banks, government officials and technology companies (heck, Google itself uses Google Docs) on best practices in their industries and to hire bona fide security consultants to test various cloud products and identify those suitable for use by lawyers. Taking this approach will help lawyers and our clients gain additional clarity on using the cloud.
A final note – isn’t this just completely and utterly obvious? Isn’t there anyone else out there who agrees that the approach that the bars are taking is utterly ridiculous? Ethics experts? Technology gurus? Anyone?