Cloud and proud

Seven tips for moving your practice to the cloud

Counsel's Corner

Dennis C. Garcia

Dennis C. Garcia is an assistant general counsel for Microsoft based in Chicago. He leads the legal support function to Microsoft's U.S. Central Region Enterprise & Partner Group team that is based in an 18-state region and across six Microsoft districts.

April 2017

Whether we realize it or not, cloud computing aka the “cloud,” is becoming a ubiquitous part of our lives as the cloud is the engine that powers many of the routine technology-related activities that all of us perform every day like engaging in social media, sending personal e-mails or using our smartphones.

Lawyers are increasingly using cloud-based services — which allows them to access software and store data in a remote location like a data center that is controlled by a third-party cloud provider — to achieve more and to become more cybersecure, assuming those services are provided by a highly trustworthy cloud provider. However, some lawyers and law firms have remained hesitant to move to the cloud and store client information with a cloud provider due to potential legal ethical concerns.

Fortunately, last October the Illinois State Bar Association issued a four-page Professional Conduct Advisory Opinion (Opinion No. 16-06) that provides clarity regarding the ethics of using cloud computing by lawyers. This advisory opinion concluded the following: “A lawyer may use cloud-based services to store confidential client information provided the attorney uses reasonable care to ensure that client confidentiality is protected and client data is secure. A lawyer must comply with his or her duties of competence in selecting a provider, assessing the risks, reviewing existing practices and monitoring compliance with the lawyer’s professional obligations.”

Professional Conduct Advisory Opinions are provided by the ISBA as an educational service to the legal profession and are not binding on the courts or disciplinary agencies. However, they are often considered when assessing lawyer conduct and they can be highly instructive — especially regarding matters such as cloud computing where there is little to no relevant case law in the state of Illinois.

The advisory opinion is built off an earlier advisory opinion from 2009 (Opinion No. 10-01) that “previously determined that a lawyer may retain or work with a private vendor to monitor the firm’s computer server and network, provided that the lawyer takes reasonable steps to ensure that the vendor protects the confidentiality of client information.”

This advisory opinion highlighted the recently amended Comment 8 to Rule 1.1 of the Illinois Rules of Professional Conduct that, as part of a lawyer’s duty of competence, lawyers must understand the “benefits and risks associated with relevant technology” and stated that “lawyers who use cloud-based services must obtain and maintain a sufficient understanding of the technology they are using to properly assess the risks of unauthorized access and/or disclosures of confidential information.”

Since technology changes so quickly the advisory opinion avoided providing specific requirements for lawyers when selecting and using a provider of cloud-based services. However, the advisory opinion stated that “lawyers must conduct a due diligence investigation when selecting a provider” and also identified these seven “reasonable inquires and practices” that a lawyer may want to consider as they move to the cloud:

  1. “Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
  2. Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections and encryption;
  3. Investigating the provider’s reputation and history;
  4. Inquiring as to whether the provider has experienced any breaches of security and, if so, investigating those breaches;
  5. Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
  6. Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data;
  7. Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.”

This advisory opinion is consistent with the opinions provided by more than other state bar associations — including our neighbor to the north Wisconsin, which issued a cloud ethics opinion in March 2015.

If you or your organization are thinking about moving to the cloud in order to take advantage of its many benefits, please be sure to read this advisory opinion.