Ethics Question of the Month October 2020

I've Looked at Clouds from Both Sides Now

Can law firms store firm files on the cloud?

The Situation

Attorney Ginger is looking at options for backing up files on her law firm’s server. She considers backing them up to an external storage device each night before leaving the office and taking it home with her.  She’s concerned, however, that this method is cumbersome and that she lacks the discipline to stick with it.    

Ginger likes the idea of a system that will automatically back up her files to backup servers via the internet, more commonly known as backing up to the cloud.  She is considering using a cloud-based service recommended by one of her clients who uses the cloud to back up the files for his online business.  Ginger knows that she has an ethical obligation to secure and keep confidential all client information, and she is concerned that using the cloud may violate that obligation.  After all, cloud servers are owned by private entities over which she has no control and may be located in foreign countries.  She is also worried about employees of these entities or third-party hackers obtaining her client information. 

The Question

As Ginger considers her options, which of these statements is most accurate?

The Correct Answer is C Of 47 Responses, 36% are correct.

  1. A 6
  2. B 4
  3. C 17
  4. D 6
  5. E 7
  6. F 7

The Explanation

Rule 1.05 of the Texas Disciplinary Rules of Professional Conduct states:

(a) Confidential information includes both privileged information and unprivileged client information. Privileged information refers to the information of a client protected by the lawyer-client privilege of Rule 5.03 of the Texas Rules of Evidence or of Rule 5.03 of the Texas Rules of Criminal Evidence or by the principles of attorney-client privilege governed by Rule 5.01 of the Federal Rules of Evidence for United States Courts and Magistrates. Unprivileged client information means all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.

(b) Except as permitted by paragraphs (c) and (d), or as required by paragraphs (e), and (f), a lawyer shall not knowingly:

(1) Reveal confidential information of a client or a former client to:

(i) a person that the client has instructed is not to receive the information; or

(ii) anyone else, other than the client, the clients representatives, or the members, associates, or employees of the lawyers law firm.

Confidentiality requirements in Texas are quite broad, meaning that attorneys must protect virtually any client-related information stored on the cloud. While storing client information in this manner was obviously not contemplated by the drafters of the Rule, the basic principle still applies. In  2018 the Professional Ethics Committee of the State Bar of Texas addressed this issue in Ethics Opinion 680. The Committee found that attorneys may ethically use the cloud for file back-up so long as they take “reasonable precautions in the adoption and use of cloud-based technology,” including:

  • acquiring a general understanding of how the cloud technology works;
  • reviewing the “terms of service” to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers;
  • learning what protections already exist within the technology for data security;
  • determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system;
  • remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of stored information; and
  • training for lawyers and staff regarding appropriate protections and considerations.  

The committee noted that while lawyers need not be experts in technology, they are required to  “become and remain vigilant about data security issues from the outset of using a particular technology in connection with client confidential information.” Attorneys who wish to use the cloud should develop the technological competence to evaluate and remain alert to the risks of cloud-based storage systems. The Committee declined to require client consent, though it did note that attorneys should consult with clients regarding cloud security where appropriate or when raised by the client. The best answer is C.

Bluebook Citation

I've Looked at Clouds from Both Sides Now: Ethics Question of the Month - October 2020, Texas Center for Legal Ethics (2020), from (last visited Jun 16, 2024)