Recent State Bar Opinion Offers Law Firms Guidance on Cloud Data Security


Zix Staff

With the American Bar Association (ABA) TECHSHOW coming up later this month in Chicago, it’s an opportune time to review a recent state bar opinion regarding law firms’ use of cloud-based Software-as-a-Service (SaaS). Because our ZixCorp Email Encryption Services are SaaS security solutions for Web-based email, this subject is near and dear to me.

In late January, the North Carolina State Bar published 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. The opinion cites the state’s ethics rules about protecting confidential client communications and preserving client property, including information. I discussed the ABA’s model ethics rules on those topics in my post: Are Lawyers Required to Encrypt Email.

The opinion concluded that law firms may use SaaS, including Web-based email, provided they take reasonable steps to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including the information in a client’s file, from risk of loss. The opinion does not require that lawyers use only infallibly secure communications methods. Instead, the opinion says lawyers must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential client information.

The opinion notes that lawyers have an ethical obligation to use “reasonable precautions to prevent the information from coming into the hands of unintended recipients.” The opinion does not mandate encryption, nor any particular technology, but recommends that law firms evaluate the SaaS vendor’s measures for safeguarding the security and confidentiality of data, including encryption techniques. The State Bar of California, in Formal Opinion 2010-179, said more directly that “encrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” If you’re wondering how to evaluate interception risks and the actions appropriate to secure email communications, read my post: “Reasonable” Steps to Prevent Disclosure.

The North Carolina opinion also says that lawyers must advise the client and other affected parties if there is reason to believe a chosen communications technology presents an unreasonable risk to confidentiality. In that regard, the opinion is generally consistent with the ABA’s Formal Opinion 11-459, Duty to Protect the Confidentiality of E-mail Communications with One’s Client.

The North Carolina State Bar has influenced other state bars on matters of ethics related to lawyer use of technology. It wouldn’t be a stretch for other states’ bars to follow suit and publish similar opinions on SaaS and client confidentiality, because personal privacy and data security issues continue to appear regularly in the headlines.