As online practice management solutions and cloud technology become increasingly prevalent, lawyers face the challenge of assuaging client concerns around the security and confidentiality of hosted online data. They also face the task of gaining informed consent from clients when using such tools for engagement and information management.
How can lawyers implement and use secure communication tools, online client portals, and online practice management solutions while protecting themselves from the confidentiality rules that govern such technologies?
Register now for this webinar with legal technology expert Chad Burton, who will go over salient facts that lawyers need to know when engaging with clients in the cloud, including:
• State ethics opinions on using cloud computing vendors
• Obtaining informed client consent
• Common client concerns related to cloud computing
6. Lawyers’Duties
• Communication
• Respond to or acknowledge client communications
• Diligence
6
• On behalf of your client
• Competence
• Awareness of changes in the law & practice
• Benefits and of relevant technology
• Continuity
• Records retention
• Confidentiality
6
7. R. 1.6 - Confidentiality
• Lawyers must make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a
client.
• Exemptions exist
• Disclosure is impliedly authorized in order to carry out
representation of the client’s interests
• Duty extends to the use of nonlawyers assisting the lawyer
• R. 5.3
8. Rules specifically allow lawyers to
disclose confidential client
information with informed consent.
9. Informed Consent
• “The agreement by a person to a proposed course of conduct
after the lawyer has communicated adequate information and
explanation about the material risks of and reasonably
available alternatives to the proposed course of conduct.”
• Affirmative Response is Required
• Written Affirmation NOT Required on Disclosing Confidential
Information
10. Informed Consent
• Requirements
• Lawyer must make reasonable efforts to inform
• Client possesses information reasonably adequate to make an
informed decision
• Reasonable Standard
• Reasonably prudent and competent lawyer
• R. 1.0(H)
11. Reasonable and Cloud Computing
• Basic understanding of electronic protections afforded by
technology
• Consultation with experts
• Use providers that have
• Reasonable security procedures
• Understanding of lawyers’ professional obligations
12. Security Procedures
• explicitly agrees that it has no ownership or security interest in the data;
• has an enforceable obligation to preserve security;
• will notify the lawyer if requested to produce data to a third party, and provide the lawyer
with the ability to respond to the request before the provider produces the requested
information;
• has technology built to withstand a reasonably foreseeable attempt to infiltrate data,
including penetration testing;
• includes in its “Terms of Service” or “Service Level Agreement” an agreement about how
confidential client information will be handled;
• provides the firm with right to audit the provider’s security procedures and to obtain copies
of any security audits performed;
• will host the firm’s data only within a specified geographic area. If by agreement, the data
are hosted outside of the United States, the law firm must determine that the hosting
jurisdiction has privacy laws, data security laws, and protections against unlawful search
and seizure that are as rigorous as those of the United States and Pennsylvania;
• provides a method of retrieving data if the lawyer terminates use of the SaaS product, the
SaaS vendor goes out of business, or the service otherwise has a break in continuity; and,
• provides the ability for the law firm to get data “off” of the vendor’s or third party data
hosting company’s servers for the firm’s own use or in-house backup offline.
14. TRUSTe – Privacy Policy
• How is sensitive information being handled?
“ TRUSTe ’ s program requirements are based
upon the Fair Information Principles and OCED
Guidelines around notice, choice, access,
security, and redress - the core foundations of
privacy and building trust.
Sealholders are
required to undergo a rigorous review process
to assess the accuracy of privacy disclosures and
compliance with TRUSTe’s requirements in order
to obtain certification.”
16. Conclusion
• Lawyers’ duty of confidentiality can be a
mine field
• Reasonable efforts on the part of the
lawyer are required to use any tool that
may risk disclosure – including cloud
computing
• Informed consent protect lawyers from
misconduct claims
Notas do Editor
First drafted in 1983 and adopted by 52 jurisdictions, the MRPC has guided the responsibilities and actions of lawyers for decades. These rules are designed to promote competence and diligence by lawyers in representing the interests of clients. Several duties are imposed on lawyers as part of these rules, including those of confidentiality.
In the official comments associated with the rules creating the duty of confidentiality, the MRPC discusses some factors that can govern the reasonable efforts a lawyer must take to maintain confidentiality. These factors can include:the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
In order to consider a client informed, a lawyer must make reasonable efforts to ensure that the client or other person possesses information reasonably adequate to make an informed decision. Clients should be made aware of the material advantages and disadvantages of the proposed course of conduct and a discussion of the client's or other person's options and alternatives as part of informing the client. Lawyers must also promptly inform the client of any decision or circumstance with respect to which the client's informed consent.Model Rules of Prof'l Conduct R. 1.0 cmt. 6.Id.Model Rules of Prof'l Conduct R. 1.4(a)(1).Competency includes keeping abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. In determining whether the information and explanation provided are reasonably adequate, relevant factors include whether the client or other person is experienced in legal matters generally and in making decisions of the type involved, and whether the client or other person is independently represented by other counsel in giving the consent.Model Rules of Prof'l Conduct R. 1.1 cmt. 8.Model Rules of Prof'l Conduct R. 1.0 cmt. 6.
Pennsylvania Bar Association Committee On Legal Ethics And Professional Responsibility, “Ethical Obligations For Attorneys Using Cloud Computing/ Software As A Service While Fulfilling The Duties Of Confidentiality And Preservation Of Client Property.” (Formal Opinion 2011-200).