UPDATE: CHECK OUT THIS POST by Erik Mazzone, Director of the Center of Practice Management at the NC Bar Association, on his Law Practice Matters blog. Erik is concerned that the proposed opinion will limit the cloud-based vendors that attorneys in NC can use based on the location of their servers. While most legal SaaS vendors will probably be in compliance by housing the data on servers located in the States, other non-legal SaaS companies, such as Dropbox, Google, etc., may not be in compliance with the proposed opinion because their servers are located overseas. Will this proposed ethics opinion have a broader reach than expected? Are these other services really safe to be using with law office data in the first place? See this post by Information Law Group discussing a recent Ponemon Study about cloud providers and security.
The North Carolina State Bar published the revised version of its proposed ethics opinion on the use of SaaS in law practice management on April 21st, entitled, “Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”.
The direction that this opinion takes provides guidance to the practitioner, rather than attempting to write technology standards into an ethics opinion, which is not the safest place for them. Instead, the opinion requires that the attorney do a thorough job investigating the technology provider and any agreements with that provider to ensure confidentiality of the client data. The footnotes of the opinion also include a reference to the ILTSO standards (www.iltso.org) along with links to other resources for attorneys to accomplish this process.
From the opinion:
Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has long held that this duty does not compel any particular mode of handling confidential information, nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information. … Moreover, while the duty of confidentiality applies to lawyers who choose to use technology to communicate, “this obligation does not require that a lawyer use only infallibly secure methods of communication.” RPC 215. Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential communications, and the lawyer must advise affected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality. Id.
The revised proposed opinion breaks the issues down into three inquiries instead of the previous two and mentions multiple times that if the attorney is not comfortable making these decisions, he or she is responsible for retaining the consultation of an IT specialist who can assist. The opinion explains “…given the rapidity with which computer technology changes, what constitutes reasonable care may change over time and a law firm should employ or periodically consult with such a professional.” Or, for those of us who are comfortable with it, take responsibility and keep up to date with the technology that we choose to use in our own practices. Bravo.
Rather than a list of questions to ask of the prospective technology provider, inquiry #2 defines how an attorney can take “reasonable care” in choosing a provider and then lists five minimum requirements. Most of these requirements are items that an attorney should ensure are present in the provider’s service level agreement (SLA), such as confidentiality agreements, data return and retention policies, information about the location of servers and access to data, etc.
Inquiry #3 lists “ways to minimize risk of loss or unauthorized disclosure of client property or confidential information that a law firm should consider when contracting with a SaaS vendor.” There are eleven items listed, several of which were present on the previous version of the proposed opinion. These deal more with security issues directly than with the agreement between the provider and the law firm.
There is still one item on there that gives me pause, which is “[t]he financial history of the SaaS vendor has been investigated and indicates financial stability.” Cloud computing companies undergo a lot of movement. It seems to be the nature of the industry. Sure, we all know that companies like Microsoft and Lexis or Westlaw have been around forever, so no questions there. But what about the smaller cloud computing companies that are the ones pushing innovation in the delivery of legal services through the use of new legal tech? Does this limit entrepreneurs from entering this space because attorneys can’t use them until they have a certain number of years under their belt? Plus, what companies do you know that are not public that will freely give out their financial information to prospective customers? So I have some questions about the implementation of this, but again these are suggestions, not requirements for conducting “reasonable care” in researching a tech provider.
Below this proposed SaaS opinion is a second one that addresses online banking for trust accounts. While online banking also makes use of SaaS, the Ethics Committee felt that the nature of online banking was significantly different from the use of SaaS in general for practice management tasks and warranted its own opinion. I appreciate the simplicity of the proposed online banking opinion. I like this statement from the online banking opinion, which is also written almost identically into the SaaS opinion:
This opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and perpetual education are required. A lawyer must fulfill his fiduciary obligation to safeguard client funds by applying the same diligence and competency to manage the risks of online banking that a lawyer is required to apply when representing clients. (emphasis is mine)
Reading both opinions, which relate to SaaS in law practice, an attorney would assume that in order to comply with the online banking opinion you would have to follow the mandates in the SaaS opinion as well. For example, some virtual law offices have their online banking and trust accounting connected to the rest of their web-based practice management platform, so both opinions would apply to the same SaaS application. Maybe it won’t be so confusing as long as the online banking opinion references the SaaS opinion in final publication, which it does in the proposed version.
I was honored to be one of several individuals advising the subcommittee reviewing this ethics opinion. Throughout the process, I was impressed with the subcommittee members’ willingness to digest all of the information that was sent their way, some of it being more technical than they may have wanted to tackle and a lot of it coming from very opinionated and passionate advocates for differing positions on the issue. This revised version of the proposed SaaS opinion reflects the attention that the subcommittee gave to understanding cloud computing and the way that legal professionals are relying on SaaS to operate their law practices. I think this newer version is a significant improvement over previous drafts that were not published publicly. Some of those earlier versions would have had a major negative impact on an attorney’s ability to use cloud computing applications and put a chill on innovation.
I look forward to any feedback that comes out of the public comment period. This opinion will obviously affect anyone operating a virtual law office in North Carolina, but it will also have an impact on almost every practitioner in the state given how widespread the use of cloud computing is in general law practice. As one of the first ethics opinions to address SaaS in LPM, it may also set a precedent for other state bars considering these issues.
Thanks for the update and your work on the opinion. Reinforces the notion that one setting up a VLO might be best served using a company that works specifically with law firms to ensure that proper care is used handling client information. I also agree with your criticism of the “financial history” prong of the reasonable care inquiry for the same reasons you state – it is always newer entrants that push the envelope and explore new possibilities, and many attorneys are in no position to analyze a new public or private company’s financial stability (or even some “established” software companies). Thanks for the info.
I think the Ethics Committee still has some work here — their responses to inquiry 2 aren’t particularly well-informed from a technology and practicality point-of-view. If I encrypt all my data before it hits their server, does it matter where the server is located?
In addition, they haven’t done a great job of defining what SaaS is. If a solo creates an internet domain with, say, GoDaddy, and GoDaddy stores the solo’s email, is GoDaddy providing SaaS? Are the on-line “data rooms” used by transactional lawyers also SaaS? How about services like eFax?