I've Looked at Clouds from Both Sides Now

Rule 1.05 of the Texas Disciplinary Rules of Professional Conduct states:

(a) Confidential information includes both privileged information and unprivileged client information. Privileged information refers to the information of a client protected by the lawyer-client privilege of Rule 5.03 of the Texas Rules of Evidence or of Rule 5.03 of the Texas Rules of Criminal Evidence or by the principles of attorney-client privilege governed by Rule 5.01 of the Federal Rules of Evidence for United States Courts and Magistrates. Unprivileged client information means all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.

(b) Except as permitted by paragraphs (c) and (d), or as required by paragraphs (e), and (f), a lawyer shall not knowingly:

(1) Reveal confidential information of a client or a former client to:

(i) a person that the client has instructed is not to receive the information; or

(ii) anyone else, other than the client, the clients representatives, or the members, associates, or employees of the lawyers law firm.

Confidentiality requirements in Texas are quite broad, meaning that attorneys must protect virtually any client-related information stored on the cloud. While storing client information in this manner was obviously not contemplated by the drafters of the Rule, the basic principle still applies. In  2018 the Professional Ethics Committee of the State Bar of Texas addressed this issue in Ethics Opinion 680. The Committee found that attorneys may ethically use the cloud for file back-up so long as they take “reasonable precautions in the adoption and use of cloud-based technology,” including:

• acquiring a general understanding of how the cloud technology works;
• reviewing the “terms of service” to which the lawyer submits when using a specific cloud-based provider just as the lawyer should do when choosing and supervising other types of service providers;
• learning what protections already exist within the technology for data security;
• determining whether additional steps, including but not limited to the encryption of client confidential information, should be taken before submitting that client information to a cloud-based system;
• remaining alert as to whether a particular cloud-based provider is known to be deficient in its data security measures or is or has been unusually vulnerable to “hacking” of stored information; and
• training for lawyers and staff regarding appropriate protections and considerations.  

The committee noted that while lawyers need not be experts in technology, they are required to  “become and remain vigilant about data security issues from the outset of using a particular technology in connection with client confidential information.” Attorneys who wish to use the cloud should develop the technological competence to evaluate and remain alert to the risks of cloud-based storage systems. The Committee declined to require client consent, though it did note that attorneys should consult with clients regarding cloud security where appropriate or when raised by the client. The best answer is C.