Committee on Ethics and Practice Guidelines – Opinion 11-01
Topics: “Use of Software as a Service – Cloud Computing”
“Whether a lawyer or law firm may utilize what is known as ‘software as a service’ commonly referred to as ‘SaaS’”
From the opinion:
“We believe… [Rule 32:1.6 [Comment 17]] establishes a reasonable and flexible approach to guide a lawyer’s use of ever-changing technology… [I]t places on the lawyer the obligation to perform due diligence to assess the degree of protection that will be needed and to act accordingly.
Access to stored data and data protection should be taken into consideration when performing due diligence…
…
We suggest that lawyers intending to use SaaS, or other information technology services that store the lawyer’s work product and client information on servers that are not owned by the lawyer, should ask the following questions:
Accessibility
1. Access:
Will I have unrestricted access to the stored data? …
2. Legal Issues:
Have I performed ‘due diligence’ regarding the company that will be storing my data? …
3. Financial Obligation:
What is the cost of the service, how is it paid and what happens in the event of non-payment? …
4. Termination:
How do I terminate the relationship with the SaaS company? … How do I retrieve my data and does the SaaS company retain copies?
Data Protection
…
1. Password Protection and Public Access:
Are passwords required to access the program that contains my data? Who has access to the passwords? Will the public have access to my data?…
2. Data Encryption:
… [W]ill I have the ability to encrypt certain data using higher level encryption tools of my choosing?
Lawyer’s Use of Information Technology Due Diligence Services
…This due diligence must be performed by individuals who possess both the requisite technology expertise and an understanding of the Iowa Rules of Professional Conduct. The Committee believes that a lawyer may discharge the duties created by Comment 17 by relying on the due diligence services of independent companies, bar associations or other similar organizations or through its own qualified employees.”
Iowa Rules of Professional Conduct: 32:1.6 [Comment 17]
The full text is available at http://iowabar.org…