Iowa Ethics Committee On Lawyers Using Cloud Computing
According to a recent survey conducted by Gartner, a leading technology market research firm, cloud computing is one of the top tech trends for 2012. Of course, this conclusion isn’t exactly surprising, since Gartner and a host of other companies in the business of predicting the future of computing have been saying that for years now.
With the rise of mobile computing, the ability to access your data wherever you happen to be using whatever device is on hand obviously becomes of greater import. And cloud computing is the tool that makes immediate access possible, since it permits the user to access data stored in the cloud, as opposed to their own computer’s hard drive or company-owned servers, using just an Internet connection.
As cloud computing becomes more ubiquitous, lawyers across the country are taking notice and are increasingly asking legal ethics committees to weigh in on the ethics of lawyers using cloud computing services in their law practices.
The most recent decision, Ethics Opinion 11-01, was handed down in September by the Iowa Committee on Practice Ethics and Guidelines (online: http://t.co/dIhbw0MB). At issue was whether an Iowa lawyer or law firm could ethically use SaaS (software as a service), a form of cloud computing, in their law practice.
The Committee first explained that Comment 17 to the Iowa Rule of Professional Conduct Rule 32:1.6 controlled the analysis of the issue. Rule 32:1.6 [Comment 17] provides:
“When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.”
The Committee then offered a wonderfully adept interpretation of its obligations under the rule--one that I hope to see in future opinions issued by other ethics committees when tasked with the obligation to assess the ethical issues presented by the use of new technologies in law offices:
“We believe the Rule establishes a reasonable and flexible approach to guide a lawyer’s use of ever-changing technology...It is beyond the Committee’s ability to conduct a detailed information technology analysis regarding accessibility and data protection used by the presently available SaaS services. Even if we had that ability our analysis would soon be outdated. Instead we prefer to give basic guidance regarding the implementation of the standard described in Comment 17.” (Emphasis added).
The Committee then offered lawyers a number of suggested avenues of inquiry when deciding whether to use any new technology in their law practice, not just cloud computing technologies. The suggested questions center around determining how accessible and secure the data will be:
- Will I have unrestricted access to the stored data?
- Have I stored the data elsewhere so that if access to my data is denied I can acquire the data via another source?
- Have I performed “due diligence” regarding the company that will be storing my data?
- Are they a solid company with a good operating record and is their service recommended by others in the field?
- What country and state are they located and do business in?
- Does their end user’s licensing agreement (EULA) contain legal restrictions regarding their responsibility or liability, choice of law or forum, or limitation on damages?
- Likewise does their EULA grant them proprietary or user rights over my data?
- What is the cost of the service, how is it paid and what happens in the event of non- payment?
- In the event of a financial default will I lose access to the data, does it become the property of the SaaS company or is the data destroyed?
- How do I terminate the relationship with the SaaS company?
- What type of notice does the EULA require.
- How do I retrieve my data and does the SaaS company retain copies?
- Are passwords required to access the program that contains my data?
- Who has access to the passwords?
- Will the public have access to my data?
- If I allow non-clients access to a portion of the data will they have access to other data that I want protected?
- Recognizing that some data will require a higher degree of protection than others, will I have the ability to encrypt certain data using higher level encryption tools of my choosing?
All in all, I was very pleased with this opinion. It set forth a flexible standard and offered lawyers useful guidance while giving them wide berth to incorporate emerging technologies into their practices.
Nicole Black is a Rochester, New York attorney. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA in early 2011. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at [email protected]