By Lance J. Rogers
Iowa lawyers may store client information and other data on a third-party vendor's servers rather than their own computers, so long as the lawyer has unfettered access to the data and can reasonably verify that sound methods are being used to protect the information, the Iowa bar's ethics committee advised Sept. 9 (Iowa State Bar Ass'n Comm. on Ethics and Practice Guidelines, Op. 11-01, 9/9/11).
There are no hard and fast rules on this issue, the committee said. Instead, lawyers who wish to take advantage of “cloud computing” have an obligation “to perform due diligence to assess the degree of protection that will be needed and to act accordingly,” the opinion states.
The committee was asked whether and how lawyers may use “software as a service” or “SaaS” to store data on an off-site server owned by a third-party vendor. The issue is whether attorneys may take advantage of SaaS technology without running afoul of Comment  to Iowa Rule of Professional Conduct 32:1.6, which instructs lawyers to take reasonable precautions so that client information doesn't fall into the hands (or other receptacles) of unintended recipients.
Lawyers need not take extraordinary security measures “if the method of communication affords a reasonable expectation of privacy,” according to the comment. On the other hand, it adds, special precautions may be called for depending upon “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”
The rule establishes a flexible approach to cope with “ever-changing technology,” the committee said, and puts on the lawyer a duty “to perform the due diligence to assess the degree of protection that will be needed and to act accordingly.”
What does this mean in the context of SaaS/cloud computing?
The committee said it couldn't provide a sophisticated analysis of data protection technology. But it did present a general outline covering the three areas of concern that lawyers must address before entering the clouds: access, data protection, and due diligence.
On the issue of access, it recommended that lawyers ask SaaS providers the following questions before sending off their information:
On the question of security, the committee recommended asking these questions:
Due diligence regarding information technology can be complex, the committee noted, and calls for not only specialized technological expertise but also an understanding of the professional conduct rules.
There may be employees within the law office who have these qualifications, the committee said, but a lawyer also may discharge the due diligence duties created by Comment  by hiring an independent company or relying on bar associations or other similar organizations to perform the task.
Questions the lawyer will want to consider in this review, the committee said, include:
Are they a solid company with a good operating record and is their service recommended by others in the field? What country and state are they located and do business in? Does their end user's licensing agreement (EULA) contain legal restrictions regarding their responsibility or liability, choice of law or forum, or limitation on damages? Likewise does their EULA grant them proprietary or user rights over my data?
Full text of the opinion is available on the Iowa bar's website at http://www.iabar.net/ethics.nsf/e61beed77a215f6686256497004ce492/02566cb52c2192e28625791f00834cdb?OpenDocument.
Copyright 2011, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.