A List of All the Ethics Opinions on Cloud Computing for Lawyers

Opinion 2010-02

• Know how provider handles storage/security of data.
• Reasonably ensure confidentiality agreement is followed.
• Stay abreast of best practices regarding data safeguards.

Opinion 2014-3

• Take reasonable steps to ensure that sensitive client information remains confidential and safeguarded
• Determine whether the provider of the services is a reputable organization.

Opinion 09-04 (Note ethics opinions are now governed by the Arizona Supreme Court’s Attorney Ethics Advisory Committee (AEAC), that was created pursuant to Rule 42.1, Ariz. R. Sup. Ct., and Administrative Order No. 2018-110. No past opinions are formally adopted by this committee at this time.) 

• “Reasonable security precautions,” including password protection, encryption, etc.
• Develop or consult someone with competence in online computer security.
• Periodically review security measures.

Opinion 2010-179

• Evaluate the nature of the technology, available security precautions, and limitations on third-party access.
• Consult an expert if lawyer’s technology expertise is lacking.
• Weigh the sensitivity of the data, the impact of disclosure on the client, the urgency of the situation, and the client’s instructions.

Informal Opinion 2013-07

• Lawyers ownership and access to the data must not be hindered.
• Security policies and processes should segregate the lawyer’s data to prevent unauthorized access to the data, including by the cloud service provider.

Opinion 12-3

• Ensure provider has enforceable obligation to preserve confidentiality and security, and will provide notice if served with process.
• Investigate provider’s security measures
• Guard against reasonably foreseeable attempts to infiltrate data.

Opinion 16-06

• Takes reasonable measures to ensure that the client information remains confidential
• Lawyer’s obligation to protect does not end once the lawyer has selected a reputable provider

Opinion 11-01

• Ensure unfettered access to your data when it is needed, including removing it upon termination of the service.
• Determine the degree of protection afforded to the data residing within the cloud service.

Opinion KBA E-437

• Investigate the qualifications, competence, and diligence of the provider
• Determine whether the provider is capable of conduct compatible with the lawyer’s ethical responsibilities
• Consult with the client about the use of the cloud if the matter is sufficiently sensitive

Opinion 19-RPCC-021(focusing on technological competency but covering cloud usage)

• Conduct due diligence research on prospective service providers
• Take reasonable steps to ensure that ethical standards and responsibilities of the lawyer are also met by the conduct of the service provider
• Create an enforceable obligation on the vendor’s part to safeguard the confidentiality of data

Opinion 207

• Ensure firm technology in general meets professional responsibility constraints.
• Review provider’s terms of service and/or service level agreements.
• Review provider’s technology, specifically focusing on security and backup.

Opinion 12-03 

• Review (and periodically revisit) terms of service, restrictions on access to data, data portability, and vendor’s security practices.
• Follow clients’ express instructions regarding use of cloud technology to store or transmit data.
• For particularly sensitive client information, obtain client approval before storing/transmitting via the internet.

Opinion RI-355 (declares cloud use permissible in dicta)

Opinion RI-381 (focusing on technological competency but covering cloud usage)

• Ensure that she retains ownership and has ability to access the file materials upon termination of the vendor relationship
• Exercise reasonable care to ensure that the third-party vendor itself uses reasonable security measures

Informal Opinion 2018-09 

• Maintain competence in the use of relevant technology
• Make reasonable efforts to safeguard confidential information from inadvertent or unauthorized disclosure or access

Opinion 19-01

• Undertake  reasonable  efforts  to: (1)  prevent inadvertent or unauthorized access to that information
• (2) maintain the confidentiality of the information;
• and (3) establish reasonable safeguards to ensure the information is protected from loss, breaches, business interruptions, and other risks

• Chose a vendor that can be reasonably relied upon to keep client information confidential.
• Instruct and require the vendor to keep client information confidential.

Opinion #2012-13/4

• Have a basic understanding of technology and stay abreast of changes, including privacy laws and regulations.
• Consider obtaining client’s informed consent when storing highly confidential information.
• Delete data from the cloud and return it to the client at the conclusion of representation or when the file must no longer be preserved.
• Make a reasonable effort to ensure cloud providers understand and act in a manner compatible with a lawyer’s professional responsibilities.

Opinion 701

• Vendor must have an enforceable obligation to preserve confidentiality and security.
• Use available technology to guard against foreseeable attempts to infiltrate data.

Opinion 842

• Vendor must have an enforceable obligation to preserve confidentiality and security, and should notify lawyer if served with process for client data.
• Use available technology to guard against foreseeable attempts to infiltrate data.
• Investigate vendor security practices and periodically review to be sure they remain up-to-date.
• Investigate any potential security breaches or lapses by vendor to ensure client data was not compromised.

2011 Formal Ethics Opinion 6

• Review terms and policies, and if necessary re-negotiate, to ensure they’re consistent with ethical obligations.
• Evaluate vendor’s security measures and backup strategy.
• Ensure data can be retrieved if vendor shuts down or lawyer wishes to cancel service.

Informal Advisory Opinion 2017-05

• Diligently investigate the measures undertaken by the vendor to ensure its operations are compatible with the lawyer’s professional obligations.
• Require that the vendor give the lawyer notice of subpoenas for client

data, nonauthorized access to the stored data, or other breach of Security.

Reliable means of retrieving the data if the agreement is

terminated or the vendor goes out of business.

Opinion 99-03 (examining cloud backups)

• Ensure the security of the data transmission
• Ensure the security of the data storage is adequate for the sensitivity of the records to be transmitted and stored

Opinion 2011-188

• Ensure service agreement requires vendor to preserve confidentiality and security.
• Require notice in the event that lawyer’s data is accessed by a non-authorized party.
• Ensure adequate backup.
• Re-evaluate precautionary steps periodically in light of advances in technology.

Opinion 2011-200

• Exercise reasonable care to ensure materials stored in the cloud remain confidential.
• Employ reasonable safeguards to protect data from breach, data loss, and other risk.
• See full opinion for 15 point list of possible safeguards.

Opinion 2015-F-159

• Lawyer takes reasonable care to assure that: (1) all such information or materials remain confidential, and
• (2) Reasonable safeguards are employed to ensure that the information is protected from breaches, loss, and other risks.

Opinion 680

• Lawyers should remain continually alert to the vulnerability of cloud-based vendors and systems to data breaches and whether a particular vendor or system appears to be unusually vulnerable
• Lawyer must take reasonable precautions in the adoption and use of cloud-based technology for client document and data storage 

Opinion 2010-6

• Take reasonable precautions to ensure client data is secure and accessible.
• Consider whether certain types of data (e.g. wills) must be retained in original paper format.
• Discuss appropriateness of cloud storage with client if data is especially sensitive (e.g. trade secrets).

Legal Ethics Opinion 1872

• Exercise care in selection of the vendor.
• Have a reasonable expectation the vendor will keep data confidential and inaccessible.
• Instruct the vendor to preserve the confidentiality of information.

Advisory Opinion 2215

• Conduct a due diligence investigation of any potential provider.
• Stay abreast of changes in technology.
• Review providers security procedures periodically.

Opinion EF-15-01

• Consider the sensitivity of the data, the impact of the disclosure, the client’s circumstances and instructions
• Consult an expert if lawyer’s technology expertise is lacking.
• Understand/know the experience and reputation of the service provider and the terms of their agreement. 

Formal Opinion 95-398: Access of Nonlawyers to a Lawyer’s Data Base

• …ensure that the service provider has in place, or will establish, reasonable procedures to protect the confidentiality of information to which it gains access, and moreover, that it fully understands its obligations in this regard.
• [A] lawyer might be well-advised to secure from the service provider in writing, along with or apart from any written contract for services that might exist, a written statement of the service provider’s assurance of confidentiality.

Cloud computing due diligence guidelines

• Lawyers must ensure that the service provider and technology they use support the lawyer’s professional obligations …
• Lawyers must take steps to ensure the confidentiality and privilege of their clients’ information is protected.  Clear contractual language should be used to accomplish this objective. 

CCBE Guidelines on the Use Of Cloud Computing Services By Lawyers

Navigating to the Cloud:
A Framework for Trust

• Ensure contractual terms state that your provider will not access your data for any secondary purpose (i.e. any purpose other than for providing the service to you –such as advertising)
• Select a service provider with appropriate security measures in place(e.g.accreditation, encryption technology that meets or exceeds international standards)

• Your cloud provider should give assurance that your information will be treated as confidential and not used or disclosed to third parties.
• [Y]ou should retain full ownership of the data stored on your provider’s system and have an explicit right to get your data back on demand.