Approved by Board of Governors, November 2011
Topics: Information Relating to the Representation of a Client: Third-Party Electronic Storage of Client Materials
“Law Firm contracts with third-party vendor to store client files and documents online on remote server so that Lawyer and/or Client could access the documents over the Internet from any remote location.
Question: May Lawyer do so?
Conclusion: Yes, qualified.”
From the Opinion:
“Lawyer may store client materials on a third-party server so long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation. To do so, the lawyer must take reasonable steps to ensure that the storage company will reliably secure client data and keep information confidential. Under certain circumstances, this may be satisfied though a third-party vendor’s compliance with industry standards relating to confidentiality and security, provided that those industry standards meet the minimum requirements imposed on the Lawyer by the Oregon RPCs. This may include, among other things, ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials. It may also require that vendor notify Lawyer of any nonauthorized third-party access to the materials. Lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the Lawyer’s duties…[T]he reasonableness of the steps taken will be measured against the technology ‘available at the time to secure data against unintentional disclosure.'”
The full text is available at http://www.osbar.org…