Law firms have been using premise-based legal software for many years now. Then, about a decade ago, along came the much more convenient, affordable, and flexible cloud-based legal software tools. In the early years, lawyers weren’t sure whether it was ethically permissible for them to use cloud computing tools, but over time, it’s become quite clear that cloud-based legal software is a viable, secure option for law firms of all sizes.
Some of the first jurisdictions weighed in on the ethics of cloud computing use by lawyers nearly 10 years ago. Since then, more than 20 other states have concluded that cloud-based legal software, such as legal practice management software, is permissible for lawyers to use in their practices. The most recent state to weigh in on this issue was Texas.
In September 2018, in Opinion 680, the Professional Ethics Committee for the State Bar of Texas considered whether Texas lawyers may “use cloud-based client data storage systems or use cloud-based software systems for the creation of client-specific documents where confidential client information is stored or submitted to a cloud-based system.”
At the start of the opinion, the Committee provided an overview of cloud computing use by lawyers, and concluded that over the years, its use has become commonplace: “Cloud-based electronic storage and software systems are in wide use among the general public and lawyers.”
Next, the Committee explained that online communication and data storage systems are no different than any other type of offline systems used for communication or document storage. That’s why the Committee aptly concluded that no matter what tools law firms use—there’s no such thing as absolute security, regardless of where your law firm’s information is stored. Instead, the reasonable security standard applies:
“While wide usage of an information storage method or software document creation system is not, in itself, justification for its use by lawyers, alternative methods of information storage and document preparation also have an inherent risk of disclosure or misuse—just as a privileged letter to a client through the U.S. Postal Service (versus transmission through email) can be intercepted or accessed by third parties and a client’s file in a lawyer’s office may be susceptible to access or disclosure by unauthorized parties without the lawyer ‘knowingly’ revealing that information.”
The Committee addressed the reasonable security standard, explaining that whenever a third party handles your law firm’s confidential client data—whether it’s an offline provider like a process server or an online provider such as a cloud-based legal software platform—lawyers have an ethical obligation to thoroughly vet the third-party vendor. Certainly, the questions asked will vary depending on the services that the third party provider offers, but the general thrust of the questions remains the same. Ultimately, lawyers have an obligation to understand who has access to your firm’s data, how it will be handled, and what steps will be taken to prevent its access by unauthorized third parties.
When it comes to digital law firm data, the Committee highlighted some of the “reasonable precautions” that lawyers must take when vetting a cloud computing provider. Issues to cover include:
- Acquiring a general understanding of how cloud technology works
- Reviewing the “terms of service” to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers
- Learning what protections already exist within the technology for data security
- Determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system
- Remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of the stored information
- Training for lawyers and staff regarding appropriate protections and considerations
The Committee acknowledged that the benefits of cloud computing were many and that as long as lawyers sufficiently vet third party cloud-based software providers, the use of cloud-based legal software by lawyers does not violate ethical regulations: “Considering the present state of technology, its common usage to store confidential information, and the potential cost and time savings for clients, a lawyer may use cloud-based electronic data systems and document preparation software for client confidential information.”
With this opinion, Texas joins the ranks of many other jurisdictions and green lights the use of cloud-based legal software by Texas lawyers.