Caching Client Information in ‘Clouds' Is Permissible With Proper Precautions

By Lance J. Rogers  

Iowa lawyers may store client information and other data on a third-party vendor's servers rather than their own computers, so long as the lawyer has unfettered access to the data and can reasonably verify that sound methods are being used to protect the information, the Iowa bar's ethics committee advised Sept. 9 (Iowa State Bar Ass'n Comm. on Ethics and Practice Guidelines, Op. 11-01, 9/9/11).

There are no hard and fast rules on this issue, the committee said. Instead, lawyers who wish to take advantage of “cloud computing” have an obligation “to perform due diligence to assess the degree of protection that will be needed and to act accordingly,” the opinion states.

Reasonable Precautions

The committee was asked whether and how lawyers may use “software as a service” or “SaaS” to store data on an off-site server owned by a third-party vendor. The issue is whether attorneys may take advantage of SaaS technology without running afoul of Comment [17] to Iowa Rule of Professional Conduct 32:1.6, which instructs lawyers to take reasonable precautions so that client information doesn't fall into the hands (or other receptacles) of unintended recipients.

Lawyers need not take extraordinary security measures “if the method of communication affords a reasonable expectation of privacy,” according to the comment. On the other hand, it adds, special precautions may be called for depending upon “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

The rule establishes a flexible approach to cope with “ever-changing technology,” the committee said, and puts on the lawyer a duty “to perform the due diligence to assess the degree of protection that will be needed and to act accordingly.”

Questions to Ask

What does this mean in the context of SaaS/cloud computing?

The committee said it couldn't provide a sophisticated analysis of data protection technology. But it did present a general outline covering the three areas of concern that lawyers must address before entering the clouds: access, data protection, and due diligence.

On the issue of access, it recommended that lawyers ask SaaS providers the following questions before sending off their information:

  • Will I have unrestricted access to the data?
  • What is the procedure if access is denied?
  • What are the fees for the service?
  • If I miss payments or default, will the stored information be destroyed or will it become property of the company?
  • What is the procedure for terminating the relationship and retrieving the data?

On the question of security, the committee recommended asking these questions:

  • Are passwords required to access any program that contains my data?
  • Can I secure some data with higher level encryption tools than those provided by the SaaS?
  • Who will have access to the passwords?
  • Will the public have access to my data?
  • If I allow nonclients access to a limited portion of the information, will they also gain access to other data that I want protected?
Due Diligence

Due diligence regarding information technology can be complex, the committee noted, and calls for not only specialized technological expertise but also an understanding of the professional conduct rules.

There may be employees within the law office who have these qualifications, the committee said, but a lawyer also may discharge the due diligence duties created by Comment [17] by hiring an independent company or relying on bar associations or other similar organizations to perform the task.

Questions the lawyer will want to consider in this review, the committee said, include:

Are they a solid company with a good operating record and is their service recommended by others in the field? What country and state are they located and do business in? Does their end user's licensing agreement (EULA) contain legal restrictions regarding their responsibility or liability, choice of law or forum, or limitation on damages? Likewise does their EULA grant them proprietary or user rights over my data?

Full text of the opinion is available on the Iowa bar's website at


The ABA/BNA Lawyers’ Manual on Professional Conduct is a joint publication of the American Bar Association Center for Professional Responsibility and BNA.

Copyright 2011, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.