State bar associations are starting to address the issue of law firms storing confidential client information in the cloud and are rolling out ethics opinions to guide law firm conduct. You can find a list of these opinions here on the American Bar Association web site. The basic standard that is emerging is that the attorney must use "reasonable care" under the circumstances. This makes sense. It leaves to the attorney the responsibility of making a management judgment about the risks in choosing one cloud solution over another. This assumes that the law firm has sufficient technical knowledge to evaluate these new risks created by the development of new information technologies. [This is the subject of a future blog post!].
The Massachusetts Bar Opinion Ethics Opinion on this subject is troubling because it explicitly requires:
"Consistent with its prior opinions, the Committee further believes that the Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet, and that he should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent to do so"
The requirement that in every case the client's express consent to store confidential information in the cloud is not realistic and not consistent with the way web technology is evolving. There are clearly situations where it would would be reasonable under the circumstances to secure a client's consent for storing confidential information in the cloud, but the way this Opinion is framed law firms will interpret to this mean that in every case the client's express consent needs to be explicitly secured. This adds unnecessary "friction" to creating the lawyer/client relationship.
This requirement actually puts Massachusetts lawyers, particularly solos and small law firms at a competitive disadvantage. Solos and small law firms now have to compete against software powered non-lawyer sites such as LegalZoom, LegacyWriter, MyLawyer.com, and RocketLawyer, to name only a few. None of these non-lawyer web sites require that their customers provide express consent to store their confidential data in the cloud, and if they do, the consent is buried so deep in the fine print that the average user is completely unaware of what they are consenting to.
The Opinion cites Google Docs as its leading example, which is a good example of how out of touch the Bar is with emerging technological trends. It won't be long before a person will be able to create a Will using a mobile app on their cell phones.
Must the user then be required to give their express consent before storing their data? What does that "express consent" mean in a mobile application context? The necessity of preserving the integrity of the lawyer/client relationship through the appropriate application of ethical rules is clearly appropriate. But adding unnecessary "friction" to accessing legal services for the average consumer is just going to result them turning to alternative non-lawyer providers who operate with less restrictions. Restrictions like this impede innovation in the delivery of legal services by the legal profession. No wonder the legal profession is lagging behind every other service industry in adapting to the mobile social web.
For a similar viewpoint see: Carolyn Elefant's Blog Post: The Bar Associations Have Their Head in the clouds When it Comes to Cloud Computing.
For a thoughtful analysis of bar association ethical opinions on the use of cloud computing by lawyers see also: Bob Ambrogi's blog posts at Catalyst.