TN Ethics Opinion Approves Lawyers’ Cloud Storage of Client Data

Burr & Forman

Tennessee has joined other states in formally approving lawyers’ cloud storage of client-confidential data. The Board of Professional Responsibility (“BOPR”) held that lawyers ethically may use cloud storage for client-confidential information, provided they take reasonable and competent care to ensure its confidentiality and protection from loss, data breach or other risks.

The Opinion applies long-standing attorney ethical obligations to cloud storage just as they would to any other storage medium. Lawyers’ responsibilities are not delegable: Although a lawyer may out-source a service or task, she may not avoid responsibility. That standard requires lawyers to use due diligence in their selection of cloud-storage services and to impose reasonable downstream restrictions upon vendors.

The Board called out some guidelines from other states’ ethics opinions, including:

  • Learn providers’ storage and security methods;
  • Impose downstream confidentiality obligations;
  • Stay abreast of appropriate data-security safeguards;
  • Ensure your Business Continuity Plan encompasses your cloud storage provider, your continued access to data and reasonable continuity, fail-over and data-transfer provisions;
  • Carefully review all data-service agreements;
  • Incorporate data-breach notice, mitigation and recovery provisions into agreements;
  • Ensure agreements provide for appropriate procedures and response to governmental or judicial orders requiring production of client data; and,
  • Ensure that these obligations, responsibilities and practices are reflected in the law firm’s procedures.

The ABA has summarized various States’ ethics opinions on cloud computing, here.

The Opinion comes even as the US government and private corporations are heightening their focus on cyber-security. Indeed, lawyers and firms would do well to focus on the same issues that the SEC has highlighted for the financial institutions it regulates:

  • Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
  • Access Rights & Controls, across, within and without the enterprise and including credentialing, access tracking, BYOD (bring your own device) issues.
  • Data Loss Prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally-identifiable information.
  • Vendor Management, implementing due-diligence of, and downstream compliance controls over, third-party providers.
  • Training of employees and vendors.
  • Incident Response Plans and data protection priorities.

See OCIE to Conduct More Cybersecurity Exams, here.

The TN BOPR’s Formal Ethics Opinion 2015-F-159 (Sept. 11, 2015) is here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising
