⚖️ ShieldDrop Legal Suite
← BlogTry Free →
Ethics & ComplianceMay 2026 · 9 min read

Attorney-Client Privilege and Cloud Software: What Every Attorney Must Know

⚖️ Key Authorities
  • ABA Model Rule 1.6(c) — Duty to prevent inadvertent disclosure
  • ABA Formal Opinion 477R (2017) — Cloud computing and confidentiality
  • ABA Formal Opinion 498 (2021) — Virtual practice and security obligations
  • ABA Formal Opinion 512 (2023) — Generative AI and confidentiality

When you drag a client document into Dropbox, upload a deposition to Otter.ai, or paste case facts into ChatGPT, you are transmitting potentially privileged information to a third-party server. The question every attorney should be asking — and most aren't — is whether privilege survives that transmission, and what obligations attach when it does.

The Core Duty: ABA Model Rule 1.6(c)

Rule 1.6(c) requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The Comment to Rule 1.6 explicitly includes electronic means: "[w]hen transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients."

This duty did not go away when attorneys started using cloud tools. It transferred. The question isn't whether you can use cloud software — you clearly can. The question is whether you've taken "reasonable precautions" for the specific tool and the sensitivity of the information involved.

ABA Opinion 477R: The Cloud Framework

ABA Formal Opinion 477R (2017) is the most comprehensive guidance on cloud software selection. It establishes a five-factor framework for evaluating any cloud service:

1. Nature of the threat
What kind of data is being transmitted? Is it highly sensitive (trial strategy, settlement figures, medical records) or routine?
2. Likelihood of realization
How likely is unauthorized access? A tool that stores your documents indefinitely has a different risk profile than one that processes and discards.
3. Potential injury
What happens if the data is disclosed? Could it affect the outcome of litigation, harm the client's interests, or create bar liability?
4. Availability of safeguards
What security measures does the vendor offer? Encryption at rest, in transit, SOC 2 compliance?
5. Costs of safeguards
Are the safeguards reasonable given the nature of the matter and the client's ability to pay for higher-security alternatives?

ABA Opinion 512: Generative AI Changes Everything

ABA Formal Opinion 512 (2023) addressed generative AI directly. It makes clear that using AI tools for client matters requires the same confidentiality analysis as any other cloud service. Critically, it warns that many AI providers train their models on user inputs — meaning your case facts, your client's identity, and your litigation strategy could become training data for a commercial AI model.

Opinion 512 does not prohibit AI use — but it requires attorneys to understand how each tool handles data before using it for client matters. "The lawyer must act competently to safeguard information relating to the representation."

Evaluating tools: the ShieldDrop standard

❌ Red flags in any tool
  • Uses your data to train AI
  • Logs document content on servers
  • No clear data deletion policy
  • Subprocessors include major cloud platforms
  • Free tier with no DPA available
✅ Green flags
  • Zero-retention or in-browser processing
  • Verifiable privacy claims
  • DPA available on request
  • No AI training on your data
  • Clear incident notification policy
ShieldDrop's approach to Rule 1.6(c)

ShieldDrop Legal Suite was built on a single architectural premise: the safest cloud tool is one that never receives your data. By processing all documents in the browser via WebAssembly, ShieldDrop eliminates the disclosure risk entirely. There is no server transmission, no storage, and no subprocessor with access to client files. This satisfies the most stringent reading of Rule 1.6(c) for file processing tasks. Read the technical white paper →

Get the Attorney Privacy Digest
Monthly: metadata case law updates, state bar rulings, and new tool announcements. No spam.