The Mississippi Bar has adopted a new ethics opinion regarding the use of online cloud-based storage companies, such as Dropbox, Google Cloud, Box, OneDrive, etc. The opinion provides that lawyers may use a cloud-based electronic data storage system to store client confidential information, but lawyers must undertake reasonable precautions in using cloud-based systems.
The opinion outlines several “reasonable precautions,” but does not provide an exhaustive list:
- acquiring a general understanding of how cloud technology works;
- reviewing the “terms of service” to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers;
- learning what protections already exist within the technology for data security;
- determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system;
- remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of the stored information; and
- training for lawyers and staff regarding appropriate protections and considerations.
The opinion also cites to Ethics Opinions from several other jurisdictions that can be helpful as well.
In Opinion No. 259 (November 29, 2012), the Mississippi Bar concluded that MRPC 1.6 includes a duty of technological competence with respect to protecting client confidentiality and also imposes upon lawyers an affirmative duty to take reasonable precautions to ensure that confidential client data stored in the cloud is not revealed except in the circumstances permitted by Rule 1.6.
You can read the full Ethics Opinion here.