The NC Bar has published the revised version of it proposed ethics opinion entitled “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”, 2011 FEO 6 on the website. It will also be published in the next issue of the NC State Bar Journal.
You can read some of the history of this opinion in this post. After a year or more of subcommittee review and revision, this latest version will hopefully be the final one that the Ethics Committee recommends for adoption by the Council at their January meeting.
The subcommittee removed the list of minimum requirements for the selection of a technology vendor. Many of the items on the list had raised concern as detailed here by myself and others. The new version of the opinion sticks with the “reasonable care” standard requiring the attorney to do his or her due diligence in researching the technology and any third-party provider. The proposed opinion states:
…a law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.
The opinion then goes on to state that because technology and security risks change so rapidly, the opinion will not include minimum requirements that might quickly become outdated and create a false sense of security for practitioners. Instead, they suggest that in order to conduct due diligence the attorney can 1) look for confidentiality provisions in the vendor’s user agreement or SLA, 2) review the SLA and any security policies, 3) evaluate how the vendor has stored secures the data and 4) review how the vendor backs up the data.
Another positive change in the new version is the clarification in the first inquiry of just how broad a reach SaaS has in the legal profession:
Instances of SaaS software extend beyond the practice management sphere addressed above, and can include technologies as far-ranging as web-based email programs, online legal research software, online backup and storage, text messaging/SMS (short message service), voicemail on mobile or VoIP phones, online communication over social media, and beyond.
One thing I have encountered in speaking at different CLEs for lawyers is that many of them use the technology, but don’t know the terminology and are not even aware that they are already using a form of cloud computing. This clarification will help lawyers who depend on SaaS on a daily basis to understand that this opinion relates to them and that they have a responsibility to understand what they are using and to keep up to date.
This version of the proposed opinion makes the most sense to me based on the wide variety of use of SaaS in law practice management. I am hoping that there will not be any criticism of the new version so that this will become an adopted opinion. In the meantime, lawyers who need assistance understanding how to conduct due diligence in meeting a reasonable care standard for using SaaS should either hire an IT consultant to help them evaluate their use or find one of the many resources and blogs related to cloud computing and security to stay updated or find some of the ABA LTRC or other state bar guidelines or suggested best practice sites.