By Lance J. Rogers
Iowa lawyers may store client information and other data on a third-party vendor's servers rather than their own computers, so long as the lawyer has unfettered access to the data and can reasonably verify that sound methods are being used to protect the information, the Iowa bar's ethics committee advised Sept. 9 (Iowa State Bar Ass'n Comm. on Ethics and Practice Guidelines, Op. 11-01, 9/9/11).
There are no hard and fast rules on this issue, the committee said. Instead, lawyers who wish to take advantage of “cloud computing” have an obligation “to perform due diligence to assess the degree of protection that will be needed and to act accordingly,” the opinion states.
The committee was asked whether and how lawyers may use “software as a service” or “SaaS” to store data on an off-site server owned by a third-party vendor. The issue is whether attorneys may take advantage of SaaS technology without running afoul of Comment  to Iowa Rule of Professional Conduct 32:1.6, which instructs lawyers to take reasonable precautions so that client information doesn't fall into the hands (or other receptacles) of unintended recipients.
Lawyers need not take extraordinary security measures “if the method of communication affords a reasonable expectation of privacy,” according to the comment. On the other hand, it adds, special precautions may be called for depending upon “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”
The rule establishes a flexible approach to cope with “ever-changing technology,” the committee said, and puts on the lawyer a duty “to perform the due diligence to assess the degree of protection that will be needed and to act accordingly.”
What does this mean in the context of SaaS/cloud computing?
The committee said it couldn't provide a sophisticated analysis of data protection technology. But it did present a general outline covering the three areas of concern that lawyers must address before entering the clouds: access, data protection, and due diligence.
On the issue of access, it recommended that lawyers ask SaaS providers the following questions before sending off their information:
On the question of security, the committee recommended asking these questions:
Due diligence regarding information technology can be complex, the committee noted, and calls for not only specialized technological expertise but also an understanding of the professional conduct rules.
There may be employees within the law office who have these qualifications, the committee said, but a lawyer also may discharge the due diligence duties created by Comment  by hiring an independent company or relying on bar associations or other similar organizations to perform the task.
Questions the lawyer will want to consider in this review, the committee said, include:
Are they a solid company with a good operating record and is their service recommended by others in the field? What country and state are they located and do business in? Does their end user's licensing agreement (EULA) contain legal restrictions regarding their responsibility or liability, choice of law or forum, or limitation on damages? Likewise does their EULA grant them proprietary or user rights over my data?
Full text of the opinion is available on the Iowa bar's website at http://www.iabar.net/ethics.nsf/e61beed77a215f6686256497004ce492/02566cb52c2192e28625791f00834cdb?OpenDocument.
The ABA/BNA Lawyers’ Manual on Professional Conduct is a joint publication of the American Bar Association Center for Professional Responsibility and BNA.
Copyright 2011, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.