Search

Ethics Opinions

Opinion 12-03

March 2012

Summary: A lawyer generally may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution, such as "Google docs," so long as the lawyer undertakes reasonable efforts to ensure that the provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). A lawyer remains bound, however, to follow an express instruction from his or her client that the client's confidential information not be stored or transmitted by means of the Internet, and all lawyers should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first obtaining the client's express consent to do so.

Facts: A lawyer ("Lawyer") wishes to store and synchronize the electronic work files that he creates in the course of his law practice across multiple computers and devices (e.g., smartphones, iPads, etc.) so that he can access them remotely. Some of the work files contain privileged or other confidential client information. Lawyer is considering several potential solutions to address his needs, including storing and synchronizing his electronic files remotely using a third-party service that is accessible through the Internet, such as "Google docs." As described by Google, Google docs is a private service that permits users to store their documents and other data on Google's servers and access that information remotely over the Internet using multiple devices and platforms. Numerous other "cloud" based storage options, such as Microsoft's "Windows Azure," Apple's "iCloud," and Amazon.com's "S3" service, exist. The issue presented is whether it would violate Lawyer's obligations under the Massachusetts Rules of Professional Conduct to store confidential client information using Google docs or some other Internet based storage solution, and to synchronize his computers and other devices that contain or access such information over the Internet.

Discussion: Rule 1.6 of the Massachusetts Rules of Professional Conduct governs the confidentiality of client information. Subsection (a) of Rule 1.6 provides, in relevant part, that "[a] lawyer shall not reveal confidential information relating to the representation of a client unless the client consents after consultation...." The duty of confidentiality dictated by Rule 1.6 (as well as other rules) imposes upon Lawyer the obligation to avoid using means of communication with the client that pose an unreasonable risk of inadvertent disclosure to third persons.

In this context, the question posed is whether Lawyer's use of Google docs or another Internet based data storage service provider, which carries with it a small, but genuine risk of unauthorized access or interception, presents an unreasonable risk of inadvertent disclosure and, therefore, violates Rule 1.6(a).

The Committee on Professional Ethics previously has addressed issues of client confidentiality posed by a lawyer's use of the Internet and remote access capabilities. For example, in Opinion 00-01, the Committee concluded that a lawyer's use of unencrypted Internet e-mail to engage in confidential communications with his or her client does not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances. We said, in relevant part,

[i]t is the Committee's opinion that the use of unencrypted Internet e-mail for the purpose of transmitting confidential or privileged client communications does not, in most instances, constitute a violation of any applicable ethical rule, including Rule 1.6. The Committee reaches this conclusion primarily because it believes that both the lawyer and the client typically have a reasonable expectation that such communications will remain legally and effectively private. See, e.g., 18 U.S.C.A. 2510, et seq. (the "Electronic Communications Privacy Act"). The technological possibility that a privileged or confidential e-mail communication could be intercepted in disregard of federal law does not diminish that expectation. Other standard forms of communication, including the telephone and the United States mail, also carry with them some risk of interception. Legal prohibitions on the interception of private telephone calls and letters, however, generally provide protection against unauthorized disclosure sufficient to make those means of communication reasonably secure for purposes of Rule 1.6(a). The Committee believes that, in light of statutes such as the Electronic Communications Privacy Act, the same reasoning now applies to unencrypted Internet e-mail.

Similarly, in Opinion 05-04, the Committee concluded that a law firm may provide a third-party software vendor with remote access to confidential client information stored on the firm's computers for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm so long as the law firm undertakes "reasonable efforts" to ensure that the conduct of the software vendor "is compatible with the professional obligations of the lawyer[s]," including the obligation to protect confidential client information reflected in Rule 1.6(a). The Committee stated that "reasonable efforts" in the circumstances would include, among other things,

(a) notifying the vendor of the confidential nature of the information stored on the firm's servers and in its document database; (b) examining the vendor's existing policies and procedures with respect to the handling of confidential information; (c) obtaining written assurance from the vendor that confidential client information on the firm's computer system will only [be] utilized solely for technical support purposes and will be accessed only on an "as needed" basis; (d) obtaining written assurance from the vendor that the confidentiality of all client information will be respected and preserved by the vendor and its employees; and (e) drafting and agreeing upon additional procedures for protecting any particularly sensitive client information that may reside on the firm's computer system, to the extent necessary.

The Committee believes that the reasoning set forth in Opinion 00-01 and Opinion 05-04 generally would allow Lawyer also to use Google docs or some other Internet based data storage service provider to store confidential client information, and to synchronize data using that provider over the Internet. More specifically, the Committee believes that the use of an Internet based service provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances so long as Lawyer undertakes reasonable efforts to ensure that the provider's data privacy policies, practices and procedures are compatible with Lawyer's professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). "Reasonable efforts" by Lawyer with respect to such a provider would include, in the Committee's opinion:

(a) examining the provider's terms of use and written policies and procedures with respect to data privacy and the handling of confidential information;

(b) ensuring that the provider's terms of use and written policies and procedures prohibit unauthorized access to data stored on the provider's system, including access by the provider itself for any purpose other than conveying or displaying the data to authorized users;

(c) ensuring that the provider's terms of use and written policies and procedures, as well as its functional capabilities, give the Lawyer reasonable access to, and control over, the data stored on the provider's system in the event that the Lawyer's relationship with the provider is interrupted for any reason (e.g., if the storage provider ceases operations or shuts off the Lawyer's account, either temporarily or permanently);

(d) examining the provider's existing practices (including data encryption, password protection, and system back ups) and available service history (including reports of known security breaches or "holes") to reasonably ensure that data stored on the provider's system actually will remain confidential, and will not be intentionally or inadvertently disclosed or lost; and

(e) periodically revisiting and reexamining the provider's policies, practices and procedures to ensure that they remain compatible with Lawyer's professional obligations to protect confidential client information reflected in Rule 1.6(a).

Consistent with its prior opinions, the Committee further believes that Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet, and that he should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent to do so.[1]

Applying its conclusions to Google docs, Lawyer's proposed Internet based data storage solution, the Committee observes that Google has adopted written terms of service and a privacy policy for users of Google docs (see generally http://www.google.com/google-d-s/terms.html) that reference and incorporate various other Google policies. Among other things, Google represents that data stored on Google docs is "private" and "password protected," but can be voluntarily shared by the user with others or published to the World Wide Web. The Committee further observes that Google docs and other Internet based storage solutions, like many, if not most, remotely accessible software systems and computer networks, are not immune from attack by unauthorized persons or other forms of security breaches. See, e.g., "How Safe Are Your Google Docs", found at https://www.upwork.com/blog/2010/05/how-safe-are-your-google-docs/; and "Can You Trust Your Data To Amazon, Other Storage Cloud Providers?", found at http://www.networkworld.com/supp/2008/ndc3/051908-cloud-storage.html.

The foregoing policies, protections and resources are referenced by the Committee solely for informational purposes. Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with Lawyer's ethical obligation to protect his clients' confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.

This opinion was approved for publication by the Massachusetts Bar Association's House of Delegates on May 17, 2012.




[1] The American Bar Association and the bar associations of various states also have addressed the ethical implications of using Internet-based software and data storage services, either formally or provisionally.  See, e.g., American Bar Assoc. Commission on Ethics 20/20 "Issues Paper Concerning Client Confidentiality and Lawyers' Use of Technology," dated September 20, 2010; New York State Bar Association Committee on Professional Ethics Opinion 842, dated September 10, 2010; California State Bar Standing Committee on Professional Responsibility and Conduct Proposed Formal Opinion Interim No. 08-0002, approved for public comment in August 2010; Iowa State Bar Association Committee on Ethics and Practice Guidelines Opinion 11-01, dated September 9, 2011; and North Carolina State Bar Ethics Committee Proposed 2011 Formal Ethics Opinion 6, dated October 20, 2011.