At its meeting on January 27, the NC State Bar Council adopted and published the last version of 2011 Formal Ethics 6 “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”. The last version of this opinion was sent to subcommittee in July 2011, but the discussion over the structure of the opinion has been almost a year and a half-long process. At one point, a draft of the opinion contained a list of minimum requirements for the use of SaaS which raised some concern with NC lawyers as well as others nationwide who are interested in the development of legal technology.
The final conclusion of the published Opinion:
a law firm may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information.
The ethics subcommittee that reviewed this issue should be commended for the amount of research and thought that they put into this process. They pulled in experts on both sides on the fence on the issue of using SaaS in law practice and really made an effort to understand the broad impact that the opinion would make on NC practitioners in a variety of practices. At one point, experts in online banking, which also relies on strict security standards for the use of SaaS, were called in to provide their perspective.
Here are some key items to notice in this opinion:
1. The first part provides the lawyer with an explanation of Saas so that he or she understands how it may apply to their practice. Most lawyers are already dependent upon some form of SaaS whether it’s voice mail or email or Lexis and Westlaw research trails. This gives them context.
2. The opinion makes it clear that with technology, “reasonable care” requires that you reevaluate the choices made for your firm and your daily practices on a regular basis. The opinion states “[t]he lawyer must also engage in periodic education about ever-changing security risks presented by the internet.” You can’t chose a technology, add it to your practice management tool kit, and then sit back for a year or two. It’s an ongoing process.
3. What is “reasonable” depends on the circumstances – of the case, of the client, of the lawyer’s comfort with tech, with the practice area, etc. The opinion states “the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential client information and the lawyer must advise effected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality.” (emphasis added)
4. The opinion does not provide specific minimum security requirements for the use of SaaS. Instead, it provides recommended security measures and cautions that “[t]he extent of this obligation [under Rule 5.3(a) to ensure the vendor’s services are compatible with our prof. rules] when using a SaaS vendor to store and manipulate confidential client information will depend upon the experience, stability, and reputation of the vendor. Given the rapidity with which computer technology changes, law firms are encouraged to consult periodically with professionals competent in the area of online security.” So if you don’t understand the technology and/or are not willing to keep updated as it develops, you will need to retain someone who will handle that for your firm.
This is an Opinion that will provide anxious NC lawyers with reassurance regarding a technology most of them are already using. Hopefully, it will also make them aware that staying updated on security risks and best practices for the use of the technology in their firms is a necessary part of compliance with the rules of professional conduct.
There are a couple more interesting NC ethics opinions in the works that may impact virtual practitioners, including:
– Proposed 2010 Formal Ethics Opinion 14 “Use of Search Engine Company’s Keyword Advertisements”
– Proposed 2011 Formal Ethics Opinion 14 “Outsourcing Clerical or Administrative Tasks” and
– One that may be related to the use of PO Box addresses as contact information for a home-based practitioner or virtual lawyer