Summary: A lawyer generally may store
and synchronize electronic work files containing confidential
client information across different platforms and devices using an
Internet based storage solution, such as "Google docs," so long
as the lawyer undertakes reasonable efforts to ensure that the
provider's terms of use and data privacy policies, practices and
procedures are compatible with the lawyer's professional
obligations, including the obligation to protect confidential
client information reflected in Rule 1.6(a). A lawyer remains
bound, however, to follow an express instruction from his or her
client that the client's confidential information not be stored or
transmitted by means of the Internet, and all lawyers should
refrain from storing or transmitting particularly sensitive client
information by means of the Internet without first obtaining the
client's express consent to do so.

Facts: A lawyer ("Lawyer") wishes to
store and synchronize the electronic work files that he creates in
the course of his law practice across multiple computers and
devices (e.g., smartphones, iPads, etc.) so that
he can access them remotely. Some of the work files contain
privileged or other confidential client information. Lawyer is
considering several potential solutions to address his needs,
including storing and synchronizing his electronic files remotely
using a third-party service that is accessible through the
Internet, such as "Google docs." As described by Google, Google
docs is a private service that permits users to store their
documents and other data on Google's servers and access that
information remotely over the Internet using multiple devices and
platforms. Numerous other "cloud" based storage options, such as
Microsoft's "Windows Azure," Apple's "iCloud," and Amazon.com's
"S3" service, exist. The issue presented is whether it would
violate Lawyer's obligations under the Massachusetts Rules of
Professional Conduct to store confidential client information using
Google docs or some other Internet based storage solution, and to
synchronize his computers and other devices that contain or access
such information over the Internet.

Discussion: Rule 1.6 of the
Massachusetts Rules of Professional Conduct governs the
confidentiality of client information. Subsection (a) of Rule 1.6
provides, in relevant part, that "[a] lawyer shall not reveal
confidential information relating to the representation of a client
unless the client consents after consultation...." The duty of
confidentiality dictated by Rule 1.6 (as well as other rules)
imposes upon Lawyer the obligation to avoid using means of
communication with the client that pose an unreasonable risk of
inadvertent disclosure to third persons.
In this context, the question posed is whether Lawyer's use of
Google docs or another Internet based data storage service
provider, which carries with it a small, but genuine risk of
unauthorized access or interception, presents an unreasonable risk
of inadvertent disclosure and, therefore, violates Rule 1.6(a).
The Committee on Professional Ethics previously has addressed
issues of client confidentiality posed by a lawyer's use of the
Internet and remote access capabilities. For example, in Opinion
00-01, the Committee concluded that a lawyer's use of unencrypted
Internet e-mail to engage in confidential communications with his
or her client does not violate Massachusetts Rule of Professional
Conduct 1.6(a) in ordinary circumstances. We said, in relevant
part,

[i]t is the Committee's opinion that the use of unencrypted
Internet e-mail for the purpose of transmitting confidential or
privileged client communications does not, in most instances,
constitute a violation of any applicable ethical rule, including
Rule 1.6. The Committee reaches this conclusion primarily because
it believes that both the lawyer and the client typically have a
reasonable expectation that such communications will remain legally
and effectively private. See, e.g., 18 U.S.C.A. 2510,
et seq. (the "Electronic Communications Privacy Act"). The
technological possibility that a privileged or confidential e-mail
communication could be intercepted in disregard of federal law does
not diminish that expectation. Other standard forms of
communication, including the telephone and the United States mail,
also carry with them some risk of interception. Legal prohibitions
on the interception of private telephone calls and letters,
however, generally provide protection against unauthorized
disclosure sufficient to make those means of communication
reasonably secure for purposes of Rule 1.6(a). The Committee
believes that, in light of statutes such as the Electronic
Communications Privacy Act, the same reasoning now applies to
unencrypted Internet e-mail.

Similarly, in Opinion 05-04, the Committee concluded that a law
firm may provide a third-party software vendor with remote access
to confidential client information stored on the firm's computers
for the purpose of allowing the vendor to support and maintain a
computer software application utilized by the law firm so long
as the law firm undertakes "reasonable efforts" to ensure that
the conduct of the software vendor "is compatible with the
professional obligations of the lawyer[s]," including the
obligation to protect confidential client information reflected in
Rule 1.6(a). The Committee stated that "reasonable efforts" in the
circumstances would include, among other things,

(a) notifying the vendor of the confidential nature of the
information stored on the firm's servers and in its document
database; (b) examining the vendor's existing policies and
procedures with respect to the handling of confidential
information; (c) obtaining written assurance from the vendor that
confidential client information on the firm's computer system will
only [be] utilized solely for technical support purposes and will
be accessed only on an "as needed" basis; (d) obtaining written
assurance from the vendor that the confidentiality of all client
information will be respected and preserved by the vendor and its
employees; and (e) drafting and agreeing upon additional
procedures for protecting any particularly sensitive client
information that may reside on the firm's computer system, to the
extent necessary.

The Committee believes that the reasoning set forth in Opinion
00-01 and Opinion 05-04 generally would allow Lawyer also to use
Google docs or some other Internet based data storage service
provider to store confidential client information, and to
synchronize data using that provider over the Internet. More
specifically, the Committee believes that the use of an Internet
based service provider to store confidential client information
would not violate Massachusetts Rule of Professional Conduct 1.6(a)
in ordinary circumstances so long as Lawyer undertakes
reasonable efforts to ensure that the provider's data privacy
policies, practices and procedures are compatible with Lawyer's
professional obligations, including the obligation to protect
confidential client information reflected in Rule 1.6(a).
"Reasonable efforts" by Lawyer with respect to such a provider
would include, in the Committee's opinion:
(a) examining the provider's terms of use and written policies
and procedures with respect to data privacy and the handling of
confidential information;
(b) ensuring that the provider's terms of use and written
policies and procedures prohibit unauthorized access to data stored
on the provider's system, including access by the provider itself
for any purpose other than conveying or displaying the data to
authorized users;
(c) ensuring that the provider's terms of use and written
policies and procedures, as well as its functional capabilities,
give the Lawyer reasonable access to, and control over, the data
stored on the provider's system in the event that the Lawyer's
relationship with the provider is interrupted for any reason
(e.g., if the storage provider ceases operations or shuts
off the Lawyer's account, either temporarily or permanently);
(d) examining the provider's existing practices (including data
encryption, password protection, and system backups) and available
service history (including reports of known security breaches or
"holes") to reasonably ensure that data stored on the provider's
system actually will remain confidential, and will not be
intentionally or inadvertently disclosed or lost; and
(e) periodically revisiting and reexamining the provider's
policies, practices and procedures to ensure that they remain
compatible with Lawyer's professional obligations to protect
confidential client information reflected in Rule 1.6(a).
Consistent with its prior opinions, the Committee further
believes that Lawyer remains bound to follow an express instruction
from his client that the client's confidential information not be
stored or transmitted by means of the Internet, and that he should
refrain from storing or transmitting particularly sensitive client
information by means of the Internet without first seeking and
obtaining the client's express consent to do so.[1]
Applying its conclusions to Google docs, Lawyer's proposed
Internet based data storage solution, the Committee observes that
Google has adopted written terms of service and a privacy policy
for users of Google docs (see generally http://www.google.com/google-d-s/terms.html)
that reference and incorporate various other Google policies. Among
other things, Google represents that data stored on Google docs is
"private" and "password protected," but can be voluntarily shared
by the user with others or published to the World Wide Web. The
Committee further observes that Google docs and other Internet
based storage solutions, like many, if not most, remotely
accessible software systems and computer networks, are not immune
from attack by unauthorized persons or other forms of security
breaches. See, e.g., "How Safe Are Your Google Docs",
found at
https://www.upwork.com/blog/2010/05/how-safe-are-your-google-docs/;
and "Can You Trust Your Data To Amazon, Other Storage
Cloud Providers?", found at
http://www.networkworld.com/supp/2008/ndc3/051908-cloud-storage.html.
The foregoing policies, protections and resources are referenced
by the Committee solely for informational purposes. Ultimately, the
question of whether the use of Google docs, or any other Internet
based data storage service provider, is compatible with Lawyer's
ethical obligation to protect his clients' confidential information
is one that Lawyer must answer for himself based on the criteria
set forth in this opinion, the information that he is reasonably
able to obtain regarding the relative security of the various
alternatives that are available, and his own sound professional
judgment.

This opinion was approved for publication by the
Massachusetts Bar Association's House of Delegates on May 17,
2012.

[1] The American
Bar Association and the bar associations of various states also
have addressed the ethical implications of using Internet-based
software and data storage services, either formally or
provisionally. See, e.g., American Bar Assoc.
Commission on Ethics 20/20 "Issues Paper Concerning Client
Confidentiality and Lawyers' Use of Technology," dated September
20, 2010; New York State Bar Association Committee on Professional
Ethics Opinion 842, dated September 10, 2010; California State Bar
Standing Committee on Professional Responsibility and Conduct
Proposed Formal Opinion Interim No. 08-0002, approved for public
comment in August 2010; Iowa State Bar Association Committee on
Ethics and Practice Guidelines Opinion 11-01, dated September 9,
2011; and North Carolina State Bar Ethics Committee Proposed 2011
Formal Ethics Opinion 6, dated October 20, 2011.