Do I need my client’s permission to store their files in the cloud?

There is only one state, Massachusetts, that recommends that attorneys obtain client consent prior to uploading confidential information into the cloud.^[1] A majority of states impose a duty on attorneys to be competent in technology matters and to maintain client confidentiality.^[2] These two duties impact an attorney’s ability to store client data in the cloud, but it is the duty of confidentiality which formed the basis for Massachusetts’ decision to recommend obtaining client consent prior to uploading confidential information to the cloud.^[1]

Attorneys argue that the risk to confidential files stored online is no more, and in some ways is even less than the risk of someone breaking into a locked file room or a locked file cabinet located in the attorney’s office.^[3] Since attorneys aren’t required to obtain client consent before storing paper files, they shouldn’t be required to obtain client consent before storing electronic files on the web. The majority of states have followed this logic and permit law firms to store client data on the cloud without obtaining client consent first (although if the client states that they don’t want you to store their data in the cloud, your law firm is obligated to respect those wishes).^[4]

References

1. The Massachusettes Bar Association, Ethics Opinion 12-03
2. 36 States Have Adopted the Duty of Technology Competence
3. Keep Your Clients Safe in the Cloud
4. Louisiana Legal Ethics, CLOUD COMPUTING ETHICS