• United States



Lawyers in the Cloud (And Their Data)

Jul 26, 20112 mins
Data and Information Security

Even state bar associations, the entities that regulate lawyers, are struggling with the cloud. Specifically, the “big” question is “if a lawyer stores attorney-client privileged information in the cloud, will that result in a waiver of that privilege.” Remarkably, only a very few bar associations have directly addressed this issue.

Arizona, New Jersey, and New York bar associations have all issued guidances for lawyers regarding cloud storage of sensitive attorney-client information. In general, they find the practice is permissible if reasonable care is used to vet and monitor the cloud provider’s security measures. For example, the New York bar stated, “[A] lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.” New York State Ethics Op. 842.

The question, of course, is “what constitutes reasonable care?” For example, if a cloud provider has a good record of security and has a great SAS 70 Type II audit report, but specifically disclaims any liability for security breaches and offers only minimal confidentiality protection, is this good enough to satisfy the “reasonable care” requirement? No one knows. What is clear is that, just like all other businesses, lawyers must be cautious in this area and thoroughly vet their cloud providers.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author