Should a SaaS Vendor’s Data Center be an Agent of the Virtual Law Firm?

Below is a short and to-the-point article that I drafted for the NC Bar Association’s Technical Advisory Committee after our last meeting discussing the proposed NC Ethics Opinion on SaaS.  I wasn’t critical of the opinion at first, until I spoke with a few SaaS vendors and others who explained their positions in greater detail to me.

If you are licensed in NC and operate a virtual law office, you might want to read the below and consider providing your comments and feedback.  More than one legal SaaS vendor has already indicated that if the ethics opinion is published in its current version, that they will simply pull out of serving the NC legal marketplace.

Harsh consequences for attorneys practicing here, but also potentially harmful for the public who receive assistance delivered online or from attorneys who use the cost benefits of cloud-computing to make their prices for legal services more affordable.


The North Carolina State Bar published the revised version of its proposed ethics opinion on the use of SaaS in law practice management on April 21st, entitled, “Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”.

Your firm will be in violation of this ethics opinion if it is published as written and your firm uses any of the following products:

Google (any of their applications or services)

Yahoo/Hotmail or any other email service attached to a internet service provider, such as Earthlink, Bellsouth, Roadrunner, etc

Verizon, AT&T, Sprint, T-Mobile

Lexis or Westlaw for online research and almost all of their other services




Total Attorneys

Rocket Lawyer


Any other practice management system with a cloud-based component

Or if your firm engages in the following tasks:


Voicemail (Per Erik Mazzone, Director for the Center for Practice Management at the NCBA, “Voicemail on a mobile phone is data hosted on servers owned or contracted by the mobile carrier. The software that enables us to call a number and listen to voicemail is SaaS.”)

Digital phone’s voicemail services as well as original phone services many of which use voicemail accessible via SaaS.

Text messaging or SMS

Online backup or storage

Online communication with other professionals or clients

There are two requirements in proposed opinion which may result in the restriction of use by law firms of a majority of the technology software and services that they currently rely on. These provisions are:

1) “An agreement on how confidential client information will be handled in keeping with the lawyer’s professional responsibilities must be included in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property.” [Emphasis added] ; and

2) “The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.” [Emphasis added]

Most software vendors will not sign an agreement assuming this level of liability and agency for client property. Most software vendors will also not restrict their server locations, many of which are georedundant to begin with, to hosting data centers located only in locations with laws as strict as the US and the state of North Carolina. The Legal Cloud Computing Association (LCCA), a group of vendors who provide services to lawyers, and the International Legal Technology Standards Organization (ILTSO) are in the process of writing comments to the NC Bar regarding the negative impact that this opinion will have on legal technology innovation as well as the negative impact that it will have on their customers who practice law in the state.

There are more practical and realistic ways to address the confidentiality concerns raised in the use of software as a services. It is not practical to expect hundreds of NC practitioners to stop using cloud computing. It is not realistic to expect a technology provider or vendor to assume liability for client property. Minimum requirements should not be imposed on legal practitioners. Instead, this opinion should contain suggestions and guidance for performing due diligence in researching and implementing cloud-based solutions to comply with the rules of professional responsibility.

There are hundreds of attorneys and law firms in North Carolina that rely on software as a service on a daily basis. If you are one of these firms, please consider writing to the NC Ethics Committee.


  1. Stephanie – I missed the boat on this decision but since I commented initially I wanted to do so again (via MyShingle since I don’t practice in NC) – is there still time?

  2. slkimbro

    Yes, Carolyn. There is still time. This newest revision of the proposed opinion was just published and they are accepting comment and feedback at this time. Your thoughts on this new revision would be greatly valued!


Leave a comment:


Required field