Given the risk of data breaches and the duty to maintain client confidences, is it ethical for lawyers to use cloud computing? Among the state bar associations that have considered the issue, the consensus is yes—with a catch.

The New Hampshire Bar Association is the latest to address cloud computing in the practice of law. Its Advisory Opinion #2012-13/4 allows lawyers to use cloud computing consistent with their ethical obligations, so long as they take “reasonable steps to ensure that sensitive client information remains confidential.”

To comply, lawyers don’t have to become IT experts; instead, following the latest revisions to the ABA Model Rules of Professional Conduct, which require an awareness of technology’s risks and benefits, they must “have a basic understanding of the technologies they use.”

According to the New Hampshire Bar Association, lawyers must also consider the following questions when choosing a cloud provider (note that the italics below summarize clarifications made by the Bar):

1.    Is the provider of cloud computing services a reputable organization?

2.    Does the provider offer robust security measures?

The minimum required security measures are “password protections or other verification procedures limiting access to the data; safeguards such as data backup and restoration, a firewall, or encryption; periodic audits by third parties of the provider’s security; and notification procedures in case of a breach.”

3.    Is the data stored in a format that renders it retrievable as well as secure?

4.    Does the provider commingle data belonging to different clients and/or different practitioners such that retrieval may result in inadvertent disclosure?

5.    Do the terms of service state that the provider merely holds a license to the store data?

The cloud provider cannot “own” data stored in the cloud: data must be identified as the client’s property.

6.    Does the provider have an enforceable obligation to keep the data confidential?

7.    Where are the provider’s servers located and what are the privacy laws in effect at that location regarding unauthorized access, retrieval, and destruction of compromised data?

8.    Will the provider retain the data—and if so, for how long—when the representation ends or the agreement between the lawyer and provider is terminated for another reason?

9.    Do the terms of service obligate the provider to warn the lawyer if information is subject to a third-party subpoena?

10.    What is the provider’s disaster recovery plan with respect [to] stored data?

So before sending data to the cloud, scrutinize the cloud provider’s terms of service. Then stay up-to-date on technology and data privacy laws to ensure that sensitive client information remains confidential.

Paul Matthews is chief technology officer at Conduent. He can be reached at

Conduent Legal and Compliance Solutions (“Conduent”) is not authorized to practice law, and neither offers legal advice nor provides legal services in any jurisdiction. The services offered by Conduent are limited to the non-legal, administrative aspects of document review and discovery projects. Conduent provides such services solely at the direction and under the supervision of its clients’ authorized legal counsel. See more at
Note: This blog was founded upon the completion of the separation of Conduent from Xerox Corporation. Certain articles here were originally published when Conduent's business portfolio was part of Xerox. Web links, telephone numbers and titles were correct at the time of publication, but may have changed. We appreciate your diligent readership. Should you come across any information that appears out of date, please e-mail