Ezel / Ethics Opinions / TX
TX 2018-09-01

Can a Texas lawyer store confidential client information in the cloud or use cloud-based software to prepare client documents?

Short answer: Per the Committee, yes; a lawyer may use cloud-based storage and document-preparation systems for confidential client information, but must take reasonable precautions and stay alert to data-breach and unauthorized-access risks, because the duty of confidentiality under Rule 1.05 and the competence requirement of Rule 1.01(a) extend to protecting that information.
Currency note: this opinion is from 2018
Subsequent statutory amendments, court decisions, or later opinions or rule amendments may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: Advisory only. Not binding precedent.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official ethics opinion. The original opinion (linked at the bottom of this page, or PDF in the sidebar) is the authoritative source for any reliance.
View original ethics opinion (PDF)

Texas Ethics Opinion 680: Using Cloud-Based Storage and Software for Client Information

Short answer: Per the Committee, a lawyer may use cloud-based storage and document-preparation systems for confidential client information, provided the lawyer takes reasonable precautions and stays alert to the risk of data breaches and unauthorized access.

Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the Texas Disciplinary Rules of Professional Conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.

About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. The opinion text is reproduced at the bottom; the official source (linked) controls.

View original opinion

Plain-English summary

The opinion considers a lawyer who wants to subscribe to cloud-based storage and software systems that hold confidential client information or use it to fill in form documents, and who is concerned about servers located abroad, access by the vendor's employees, hacking, and the risk of a vendor going out of business. The Committee analyzes the question under Rule 1.05, which broadly defines "confidential information" to include both privileged and unprivileged client information, and which bars a lawyer from knowingly revealing confidential information except as permitted by the rule. The Terminology section defines "knowingly" as actual knowledge, which may be inferred from circumstances.

The Committee draws on Opinion 648 (email may generally be used for confidential information) and Opinion 572 (a lawyer may give privileged materials to an independent contractor such as a copy service if the lawyer reasonably expects the confidential character will be respected). It reasons that while wide public usage is not itself justification, alternative methods of storage and document preparation also carry inherent disclosure risk; mail can be intercepted and an office file can be accessed without the lawyer "knowingly" revealing anything. Considering the state of technology and the cost and time savings for clients, a lawyer may use cloud-based systems, while remaining alert to vendor vulnerability and deciding, in some circumstances, that particular information is too sensitive to store without adequate encryption or additional safeguards. In some matters it may be appropriate to confer with the client about these risks and obtain input or consent, and specific client instructions must be followed except as Rule 1.05 otherwise requires or permits.

The Committee lists reasonable precautions: a general understanding of how the cloud technology works; reviewing the provider's terms of service; learning what data-security protections already exist; deciding whether additional steps such as encryption are needed; staying alert to whether a provider is known to be deficient or unusually vulnerable; and training lawyers and staff. These do not require the lawyer to become a technology expert but do require ongoing vigilance. Citing Opinion 665 (metadata), the Committee ties this to Rule 1.01(a)'s competence requirement, which reaches a lawyer's technological competence in preserving confidential information.

In practice

Under this opinion, and under the Texas rules as they stood at the time, a lawyer may use cloud-based electronic storage or software document-preparation systems to hold confidential client information or prepare client documents. The opinion holds that the lawyer must take reasonable precautions, which it enumerates (understanding the technology, reviewing terms of service, learning existing protections, considering encryption, staying alert to vendor vulnerabilities, and training staff), and must remain alert to data breaches and unauthorized access. It treats the competence requirement of Rule 1.01(a) as extending to technological competence in safeguarding confidential information, and notes that specific client instructions about protecting the information must be followed except as Rule 1.05 otherwise requires or permits.

Common questions

Q: Can I keep client files in a cloud service like a document-storage or document-assembly platform?

A: Per Opinion 680, yes. The Committee concludes a lawyer may use cloud-based storage and software systems for confidential client information, provided the lawyer takes reasonable precautions and stays alert to breach and unauthorized-access risks.

Q: What precautions does the opinion say I should take?

A: The opinion lists understanding how the cloud technology works, reviewing the provider's terms of service, learning what data-security protections exist, deciding whether to encrypt or add safeguards, staying alert to whether a provider is known to be deficient or unusually vulnerable, and training lawyers and staff.

Q: Do I have to become a technology expert?

A: No. The Committee states the precautions do not require lawyers to become technology experts, but do require them to become and remain vigilant about data-security issues from the outset of using a particular technology.

Q: Do I need the client's consent to use cloud storage?

A: The opinion does not impose a categorical consent requirement; it says in some circumstances it may be appropriate to confer with the client about the risks and obtain input or consent, and that specific client instructions must be followed except as Rule 1.05 otherwise requires or permits.

Background and rules framework

The opinion interprets Texas Disciplinary Rule 1.05 (confidentiality of information, including its broad definition of "confidential information" and the bar on knowingly revealing it; ABA Model Rule 1.6) and Rule 1.01(a) (competence; ABA Model Rule 1.1), reading competence to include technological competence in preserving confidential information. It applies the reasoning of Opinions 648, 572, and 665.

Citations and references

Rules of Professional Conduct:

  • MR 1.6 (confidentiality of information)
  • MR 1.1 (competence)
  • Texas Disciplinary Rules 1.05, 1.01(a)

Other opinions cited:

  • Texas Professional Ethics Committee Opinion 648 (April 2015): a lawyer may generally communicate confidential information by email
  • Texas Professional Ethics Committee Opinion 572 (June 2006): a lawyer may deliver privileged materials to an independent contractor such as a copy service if confidentiality is reasonably expected to be respected
  • Texas Professional Ethics Committee Opinion 665 (December 2016): the competence requirement reaches technological competence in preserving confidential information

See also

Source

Original opinion text

Reproduced from the official source for research purposes. The linked source is authoritative.

QUESTION PRESENTED

Under the Texas Disciplinary Rules of Professional Conduct may a lawyer use cloud-based client data storage systems or use cloud-based software systems for the creation of client-specific documents where confidential client information is stored or submitted to a cloud-based system?

STATEMENT OF FACTS

A lawyer is considering subscribing to various cloud-based electronic storage and software systems that allow users to store confidential client information or prepare form legal documents by uploading confidential client information for insertion into those form documents. The lawyer is concerned because these cloud-based electronic storage and software systems are owned by private companies, the various computer servers on which this client confidential information would reside are or may be located in other countries, the client information could be accessed by employees of these private companies, and there is the possibility of these servers and the confidential information residing on them being "hacked" by third parties or being rendered inaccessible as a result of a cloud storage vendor going out of business. The lawyer questions whether it is ethical to use cloud-based electronic storage or software systems given these conditions and the potential disclosure risks to confidential client information.

DISCUSSION

Rule 1.05(a) of the Texas Disciplinary Rules of Professional Conduct broadly defines client "confidential information" as including both "privileged information" and "unprivileged client information." The latter means "all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client." Rule 1.05(a).

Rule 1.05(b) provides in part that, "[e]xcept as permitted by paragraphs (c) and (d), or as required by paragraphs (e) and (f), a lawyer shall not knowingly:

(1) Reveal confidential information of a client or former client to:
(i) a person that the client has instructed is not to receive the information; or
(ii) anyone else, other than the client, the client's representatives, or the members, associates, or employees of the lawyer's law firm."

A lawyer violates Rule 1.05 if the lawyer knowingly reveals confidential information to any person other than those persons who are permitted or required to receive the information under paragraphs (b), (c), (d), (e), or (f) of the Rule. The Terminology section of the Rules states that "ʻ[k]nowinglyʼ . . . denotes actual knowledge of the fact in question" and that a "person's knowledge may be inferred from circumstances."

Professional Ethics Opinion 648 (April 2015) addressed the question of whether a lawyer could ethically transmit client confidential information by email. The Committee concluded that, "considering the present state of technology and email usage, a lawyer may generally communicate confidential information by email. Some circumstances, may, however, cause a lawyer to have a duty to advise a client regarding risks incident to the sending or receiving of emails arising from those circumstances and to consider whether it is prudent to use encrypted email or another form of communication." Similarly, Opinion 572 (June 2006) determined that, "[u]nder the Texas Disciplinary Rules of Professional Conduct, unless the client has instructed otherwise, a lawyer may deliver materials containing privileged information to an independent contractor, such as a copy service, hired by the lawyer in the furtherance of the lawyer's representation of the client if the lawyer reasonably expects that the confidential character of the information will be respected by the independent contractor."

Cloud-based electronic storage and software systems are in wide use among the general public and lawyers. While wide usage of an information storage method or software document creation system is not, in itself, justification for its use by lawyers, alternative methods of information storage and document preparation also have an inherent risk of disclosure or misuse, just as a privileged letter to a client through the U.S. Postal Service (versus transmission through email) can be intercepted or accessed by third parties and a client's file in a lawyer's office may be susceptible to access or disclosure by unauthorized parties without the lawyer "knowingly" revealing that information.

Considering the present state of technology, its common usage to store confidential information, and the potential cost and time savings for clients, a lawyer may use cloud-based electronic data systems and document preparation software for client confidential information; however, lawyers should remain continually alert to the vulnerability of cloud-based vendors and systems to data breaches and whether a particular vendor or system appears to be unusually vulnerable, based on systemic failures by that vendor or system of which the lawyer should be aware. In certain circumstances, a lawyer may decide that some client confidential information is too vulnerable to unauthorized access or disclosure to risk its storage or use in a cloud-based electronic system or too vulnerable to such risk without that data being adequately encrypted or without additional technological safeguards in place. Data "hacking" by third parties is becoming increasingly well-known and can even occur with respect to client confidential information stored on a server within a law firm. Therefore, a lawyer should remain reasonably aware of changes in technology and the associated risks, without unnecessarily retreating from the use of new technology that may save significant time and money for clients. In some circumstances it may be appropriate to confer with a client regarding these risks as applicable to a particular matter and obtain a client's input regarding or consent to using cloud-based electronic data systems and document preparation software. Of course, if a client has given specific instructions regarding the use and protection of its client confidential information in a matter those instructions must be followed except when otherwise required or permitted by the provisions of Rule 1.05.

Still, a lawyer must take reasonable precautions in the adoption and use of cloud-based technology for client document and data storage or the creation of client-specific documents that require client confidential information. These reasonable precautions include: (1) acquiring a general understanding of how the cloud technology works; (2) reviewing the "terms of service" to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers; (3) learning what protections already exist within the technology for data security; (4) determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system; (5) remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to "hacking" of stored information; and (6) training for lawyers and staff regarding appropriate protections and considerations. These precautions do not require lawyers to become experts in technology; however, they do require lawyers to become and remain vigilant about data security issues from the outset of using a particular technology in connection with client confidential information. The Committee refrains from setting out specific requirements for assessing reasonableness since some precautions become obsolete over time with changing technologies and the risks may change as well.

Rule 1.01(a) requires that lawyers exhibit "competence" in representing clients. In Opinion 665 (December 2016), the Committee applied Rule 1.01 to a question involving a lawyer's inadvertent transmission to third parties of electronic metadata within client documents and concluded that the Rule's "competency" requirement was applicable to a lawyer's technological competence in preserving client confidential information. The Committee reiterates here the necessity of competence by lawyers and their staff regarding data protection considerations of cloud-based systems.

CONCLUSION

Under the Texas Disciplinary Rules of Professional Conduct, a lawyer may use a cloud-based electronic data storage system or cloud-based software document preparation system to store client confidential information or prepare legal documents. However, lawyers must remain alert to the possibility of data breaches, unauthorized access, or disclosure of client confidential information and undertake reasonable precautions in using those cloud-based systems.

Tex. Comm. On Professional Ethics, Op. 680 (2018)