The security of confidential information is an increasingly hot topic in the age of cloud-based commerce. Indeed, the all-important attorney-client privilege could be subject to waiver if confidential information is revealed to a third party. Yet, in the age of e-communications, almost all contact between attorney and client involves a third party. Consider the Dropbox program for example, which is utilized by many professionals to store client and case information in the cloud. Does the attorney-client privilege still apply given that this third-party may have access to confidential materials stored in the program? Perhaps you’ve overlooked the danger that cloud based storage constitutes a disclosure of confidential information and constitutes a waiver of any privilege.

This risk has become a reality in several instances. Last year, it was revealed that the FBI and NSA had secretly intruded into Verizon’s customer data. Other major internet presences like Google, Microsoft and Facebook send similar information, while the NASA’s PRISM system strips data directly from emails, video, photographs, and other digital data.

Leaving aside any debate about the practice of data sweeping, this practice highlights a growing concern among attorneys that sending or storing confidential client information or privileged communications via the cloud may be tantamount to a knowing exposure of those communications, and arguably, even a resultant waiver of any claim of privilege.

The practice of data sweeping means that an attorney’s cloud-based storage systems can be accessed by government agencies. With an unfettered portal to all of the major data houses, lawyers must be wary of the safety of client data, especially in light of MRPC 1.6, which stipulates that “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.”  Arguably, an attorney could run afoul of this rule if a government agency accessed client data in the cloud. On the other hand, Rule 1.6 also provides that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In light of this clause, perhaps a clandestine “tap” by a government agency constitutes an “inadvertent” disclosure of information.

With regard to whether e-mail constitutes sharing with a third party, a 2008 ethics opinion by the New York State Bar Association, stated that internet providers are “agents” of the email owner, akin to a paralegal working in a lawyer’s office. However, as e-mail providers continually change their privacy policies, it is unclear if this opinion is still valid. Beyond e-mail, things only get more complex for attorneys using the cloud, and it is important to balance privacy with convenience, with an eye toward compliance with the ethical rules. The norms are in constant flux, and it is not safe to assume they are always in line with a lawyer’s ethical duties.

If your practice does rely on the cloud, here are some reminders to ensure that your cloud usage complies with the ethical rules:

  • Enhance and encrypt. Talk with an IT professional about beefing up protections and encrypting data, if possible.
  • Vet the vendor. Ask how the vendor safeguards the privacy/confidentiality of stored data. Ensure that the vendor has an enforceable obligation to preserve confidentiality and security and will notify you if the cloud provider is requested to produce client information to a third party. See if the vendor’s Terms of Service address confidentiality and security – if not, ask the vendor to sign a confidentiality agreement in keeping with your professional responsibilities?
  • Short term storage. Consider adopting a policy of no “long term” cloud storage – only storing recent work and files in the cloud, and transitioning them to an offline source once they are no longer frequently used or accessed.
  • Keep updated. The interface between the cloud and the practice of law continues to evolve. Keep abreast of any new developments to make sure your practices are in compliance.

By Seth L. Laver and Jessica L. Wuebker