Occasionally lawyers still call in asking if it’s ethically permissible to place data in the cloud and often wanting to talk about the associated risks.  I get it.  For those who haven’t intentionally moved to the cloud already, trying to understand the risks and learning how to responsibly manage them can be a bit intimidating.  Thankfully, a number of ethics opinions have been issued on this topic over the years so the answer to their questions is usually a rather straight forward one.  Basically, it’s yes as long as you do your due diligence on the vendor and couple that with taking appropriate steps to see that your data is properly secured in transit as well as when at rest.

In addition to issuing ethics opinions that address data security in the cloud, a number of states have also revised their Rules of Professional Conduct to clarify that the rule on competency now includes an obligation to keep up with changes in relevant technology. (See Comment [8] to ABA MRPC 1.1 Competency.) Many have also added a provision to their confidentiality rule making it clear that lawyers are to take steps to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.  (See ABA MRPC 1.6.)

With the above in mind, here’s where it gets interesting.  During a presentation at the ABA’s 44^th National Conference of Professional Responsibility, a CLE panelist threw out the following for all of us attendees to chew on.  Given that a lawyer has an ethical duty to verify that any vendor a firm works with has in place appropriate safeguards to keep the lawyer’s data secure, why wouldn’t the same duty arise when a lawyer shares data with another lawyer outside of the firm?  For example, do lawyers have a duty to make sure any lawyer they co-counsel with has appropriate data security safeguards in place?  How about all the lawyers who are adverse to your firm’s clients?  After all, data is being regularly exchanged during discovery and contract negotiations just for starters.

I will admit this comment caught me off guard; but I quickly came to realize a legitimate concern had been raised.  Think about it.  There are no exceptions in the RPCs or the comments that say something along the lines of don’t worry about data security issues when exchanging digital data with lawyers outside of your own firm.  Couple that with the reality that there are still a significant percentage of lawyers in active practice who have no idea how to encrypt a file or a mobile device, have no idea what a VPN is, and/or have no intention of using more than one easy to remember password for everything they do and hopefully the issue becomes clear.

It’s all about data security and, ethical duties aside, your clients expect you to take whatever steps are necessary to make sure their confidences remain confidential.   To your clients, it will matter not if it was you or your co-counsel who failed to take reasonable steps to prevent the unauthorized access to or inadvertent disclosure of their confidences.  The same can be said for sharing data with any lawyer on the other side.  Taking this to its logical conclusion, even failing to scan data coming from lawyers outside the firm for possible malware infections could be problematic.

Again, I get it; and yes, trust is a good thing.  I’m not suggesting that every time you want to form a co-counsel relationship or negotiate a contract you should have the lawyer complete a 3-page data security questionnaire.  That said, what would be wrong with establishing basic guidelines as to the reasonable data security steps both lawyers will take.  For example, you might agree to commit to encrypting the data stream for any and all communications that include confidential client information and then decide how to best accomplish that.

Here’ the bottom-line as I see it.  Data security is the name of the game and it’s your reputation that’s on the line.  Should the unexpected ever happen, your clients are going to want answers.  When the truth is the misstep was a failure to consider and responsibly address the risks associated with exchanging digital data with other lawyers, well let’s just be honest and admit this is never going to pass muster; but, of course, you already know that.