May a lawyer contract with a third-party vendor to store client files and documents online, allowing for remote access by the lawyer or her clients?
Here are the details from the opinion:
A lawyer may store client materials on a third-party server so long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.
Keeping client information secure means taking reasonable steps to ensure that the storage company will reliably secure client data and keep information confidential. Under certain circumstances, this may be satisfied though a third-party vendor’s compliance with industry standards relating to confidentiality and security, provided that those industry standards meet the minimum requirements imposed on the Lawyer by the Oregon RPCs. This may include, among other things:
Ensuring the service agreement requires the vendor to preserve the confidentiality and security of the materials.
It may also require that vendor notify Lawyer of any nonauthorized third-party access to the materials.
The lawyer should also investigate how the vendor backs up and stores its data and metadata to ensure compliance with the lawyer’s duties.
Although the third-party vendor may have reasonable protective measures in place to safeguard the client materials, the reasonableness of the steps taken will be measured against the technology “available at the time to secure data against unintentional disclosure.” As technology advances, the third-party vendor’s protective measures may become less secure or obsolete over time. Accordingly, Lawyer may be required to reevaluate the protective measures used by the third party vendor to safeguard the client materials.