Below is the text from my letter to the NC Bar Ethics Committee regarding their proposed ethics opinion on the use of Software as a Service (SaaS) in law practice management. The Committee has received only two comments so far. This is an important issue that will have a big impact on attorneys in NC and potentially elsewhere if other state bars follow this example.
If you are an attorney or IT consultant in NC or even outside the state who uses cloud-based applications, please consider providing the committee with your comments and feedback on the way this opinion should be worded.
June 11, 2011
North Carolina State Bar
c/o Alice Neece Mine
Re: Comments on Proposed FEO 6
To Whom it May Concern:
I would like to respectfully offer comments on the North Carolina State Bar proposed ethics opinion FEO 6 regarding the use of SaaS in law practice management, entitled, “Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property”. I am an attorney whose practice relies on software as a service on a daily basis, but there are hundreds of lawyers and law firms in the State of North Carolina that also rely on cloud computing on a daily basis to operate. The proposed opinion as written would negatively impact a broad scope of attorneys from those who do nothing more than use a web-based email client or conduct online legal research to those that do full scale online delivery of legal services.
To fully explain the scope of who this opinion would affect, I have compiled a list of products and services that are SaaS and used regularly by lawyers in our State: Google (many of their applications or services);Yahoo/Hotmail or any other email service attached to a internet service provider, such as Earthlink, Bellsouth, Roadrunner, etc.; Verizon, AT&T, Sprint, T-Mobile; Lexis or Westlaw for online research and almost all of their other services; Mozy; DropBox; Clio; Total Attorneys; Rocket Lawyer; DirectLaw and any other practice management system with a cloud-based component. Any firm that engages in the following tasks is also using SaaS and would be impacted: email; voicemail; digital phone’s voicemail services as well as original phone services many of which use voicemail accessible via SaaS; text messaging or SMS; online backup or storage; other forms of online communication with other professionals or clients.
Specifically, there are two provisions in the proposed opinion that raise concerns for attorneys using software as a service. These provisions are:
1) “An agreement on how confidential client information will be handled in keeping with the lawyer’s professional responsibilities must be included in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property.” ; and
2) “The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.”
First, most software vendors will not sign an agreement assuming this level of liability and agency for client property. Larger companies, such as Google or Microsoft, are not going to negotiate with North Carolina lawyers on this point. Small companies will pull out of the North Carolina market altogether. What impact would this lack of practice management tools and options have on firms in our state? What impact would it have on multijurisdictional firms that would be able to use SaaS practice management tools in other states where their attorneys provide services but not in North Carolina?
Instead of this minimum requirement being written into the opinion, an option might be for the attorney to verify that the technology vendor maintains adequate business insurance covering losses from data breaches. In addition to this, attorneys may mitigate risks by making sure that their software has export features or an offline version that they are then able to back-up on an encrypted hard drive in-house to have in the event of data loss by the provider. This is all part of the attorney conducting his or her own due diligence in researching and selecting a technology provider whose services meet the needs of their firm.
Of second concern, most software vendors will not restrict their server locations, many of which are georedundant to begin with, to
hosting data centers located only in locations with laws as strict as the US and the state of North Carolina. Many of these vendors have long-standing relationships with trusted hosting companies. How would this restriction impact larger law firms with branches in the State as well as branches overseas where it may make more sense to have one of their servers located closer to the overseas location than further away in the US?
To minimize this risk, attorneys should look for georedundancy of servers and ensure that those servers are in Tier4 data centers. They should make sure that there is a provision in the SLA stating that the vendor will notify the attorney in the event that it needs to reallocate resources and migrate the attorney’s data from one server location to another. Again, the benefit of having data backed up
in the cloud may outweigh the risks. For example, any attorneys with firms that have encountered flooding, fire or other natural disasters where their entire practices were in paper files would have been able to safe guard their client’s files if those files had been on server located outside of their physical law office.
Overall, there is a misplaced double standard for SaaS in this opinion that does not make sense. Data in the cloud should be housed on servers in a Tier4 data center which is a multi-million dollar facility with multiple layers of security and access restrictions. This is far greater security for law office data than a filing cabinet in a law office or a physical storage facility. The level of confidentiality provided by this method may in many ways be greater than the protection of confidential information in a traditional law office. If data is encrypted when it leaves the lawyer’s hands and travels to a third-party for hosting, isn’t that safer than data residing unencrypted on the firm’s computer?
More clients are requesting that firms use cloud computing because the cost-savings significantly lower their legal fees and the use of this technology provides them with conveniences. No technology is 100% safe whether it is SaaS or traditional install software on your own in-house server. There are vulnerabilities in every system. Rather than throwing the baby out with the bathwater, the key is to find ways to minimize the risk and to stay aware of the changing security issues as they arise so that the risk can be reevaluated and addressed as necessary.
There is concern that many attorneys may not take this responsibility seriously or know where to start to keep updated. But that shouldn’t result in an overall restriction of use by the entire bar membership. Some attorneys choose not to stay updated in the laws of their practice areas. It comes down to the judgment of the individual attorney and the risk of ethics violations and malpractice claims that he or she accepts with that decision. Attorneys who are afraid of cloud-based technologies, who cannot stay up to date or retain an IT consultant to assist them in staying updated, should simply make the decision not to chose this alternative.
There are more practical and realistic ways to address the confidentiality concerns raised in the use of SaaS. It is not practical to expect hundreds of NC practitioners to stop using cloud computing. It is not realistic to expect a technology provider or vendor to assume liability for client property. These minimum requirements should not be imposed on legal practitioners because they will not be able to meet them. This could result in hundreds of attorneys and firms being in violation of this ethics opinion. Those that would want to comply would have to find a way to migrate all of their cloud-based data into another system that was in compliance which could take time and resources and again, would not then provide them with 100% security of their client’s confidential information.
Instead, I would like to suggest that the Ethics Committee in the opinion make due diligence a requirement in choosing a technology. Then, outside of a formal opinion, provide Bar members with updated guidance about how to use reasonable care in selecting
a provider and how to perform due diligence in researching and implementing cloud-based solutions to comply with the existing rules of professional responsibility. Because ethics opinions are not updated on a regular basis, this form of guidance should be in another resource that could be updated on a regular basis. We have some wonderful resources in our state, such as Erik Mazzone and the Center for Practice Management at the North Carolina State Bar Association, who work hard at educating newly licensed attorneys about the risks and benefits of using SaaS in practice management. Because quickly developing technology and innovation are not restricted by geography, attorneys should also be referred to resources that are updated regularly, such as the newly formed non-profit, ILTSO, which was created in part to serve this purpose.
We need updated guidelines for performing due diligence in choosing the technology and provider as well as best practices for attorneys’ daily use of that technology. But it would not be practical to put this into an ethics opinion. All of these forms of education would go to minimizing the risk of the use of SaaS in practice management, but still allow attorneys in our state to serve their clients and operate their practices using this technology.
Thank you for your consideration and for the opportunity to provide feedback on this proposed opinion.
Stephanie Kimbro, Esq.
This would be very disruptive and expensive for my firm and other small firms like mine. We plan to comment formally to the bar. In many cases, the security and up-time provided by SaaS providers far exceed what we could accomplish on our own (servers need maintenance, can crash and may not have the same security level). The SaaS I use has multiple redundant backups and 99.99% uptime. That’s better for business and better for clients. Large firms rely on virtual offices as well, and this could impact how they do business.