Cloud-computing applications, or software as a service, are widely touted as being flexible, efficient and cost-cutting tools for managing a legal practice.
But does a lawyer's use of these web-based applications run the risk of compromising the privacy and security of client files in violation of the Rules of Professional Conduct?
That was the gist of an inquiry that Greenville attorney Amy Edwards sent to the State Bar's ethics committee, leading to a proposed formal ethics opinion that is believed to be the first in the country to address the use of software as a service, or SaaS.
The ethics committee voted at its quarterly meeting in April to publish the two-part opinion, proposed 2010 FEO 7, in the upcoming State Bar Journal.
The first part permits a lawyer to use SaaS so long as steps are taken to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.
The opinion's second part presents a list of 23 questions a lawyer should answer about the SaaS product in order to decide whether risks have been sufficiently minimized.
"Overall, I think it's still a new concept for a lot of attorneys," said Edwards, who said her firm first learned about SaaS when searching for a new conflicts-checking system and a way to advance its goal of becoming a paperless office.
Edwards' firm discovered Clio, a web-based system that provided not only conflicts-checking but also applications for billing, time tracking and document management, she said.
"The opinion was really helpful," Edwards said. "What it addresses are a lot of the issues that we had thought about."
However, some attorneys think the ethics opinion should provide more guidance. Others question whether the State Bar should delve into the matter at all.
"In most jurisdictions, a lawyer would not really think to ask for that kind of guidance," Carolyn Elefant, a Washington, D.C.-based lawyer, told North Carolina Lawyers Weekly.
Elefant is the author of the popular blog for solo and small-firm lawyers, MyShingle.com.
"Traditionally, bar associations don't micromanage our practice-management tools," she said.
Heading for the cloud
Instead of having the software installed on a computer or server, which requires the purchase of a license, SaaS is accessed over the Internet for a subscription fee.
Many praise SaaS for the fact that it cuts down on overhead costs and allows remote access to client files, which can result in more affordable and efficient client service.
SaaS has become especially popular among what Jim Calloway, the director of the Oklahoma Bar Association's management-assistance program, called "a new type of law practice … of essentially a lawyer, a smart phone, a lawyer's website and a laptop as the basic infrastructure."
"But I think now you're seeing more traditional firms realizing the benefits and exploring the options of using technology for law-practice management," said Wilmington attorney Stephanie Kimbro, who launched the state's first virtual law practice and won the ABA's 2009 Keane Award for excellence in e-lawyering.
"I think that's why we're seeing this come up as a topic in an ethics opinion," she said.
Indeed, Edwards said the lawyers in her firm are "not cyberlawyers; we're brick-and-mortar lawyers," but were nonetheless drawn to the advantages they saw in switching to a SaaS law-practice-management model.
Minimize the risk
Before making that switch, Edwards said her firm wanted to consult with the State Bar on the ethical ramifications.
According to Alice Mine, the State Bar's ethics counsel, the closest that the ethics committee has come to addressing cloud-computing in a formal opinion was 2008 FEO 5, which allowed the use of a web-based document-management system.
In a recent ethics opinion, the Arizona State Bar agreed with 2008 FEO 5, holding that a firm could use an online file-storage and retrieval system that would allow clients to access their files over the Internet so long as reasonable precautions were taken to protect the security and confidentiality of client documents and information.
Along those same lines, the potential ethical problem posed by the use of SaaS is the storage of the law firm's data — client files, billing information and work product — on remote servers maintained by the SaaS vendor, and the possibility of that information being disclosed to others by accident or without permission.
In reaching its proposed opinion, the ethics committee compared the situation to the storage of physical documents.
According to the proposed opinion, although a lawyer has a duty under RPC 1.6 and 1.15 to protect and preserve a client's confidential information and property, this obligation does not require that a lawyer use only infallibly secure methods of communication.
Instead, a lawyer is simply required to take reasonable care to protect the client's information and property. Thus, the lawyer would not be required to guarantee that the [SaaS] system will be invulnerable to unauthorized access.
Best practices
The second part of the proposed opinion attempts to flesh out what reasonable care would look like in choosing and working with a SaaS vendor.
The 23 questions that a lawyer should answer to determine whether the risk of disclosure or loss of confidential client information has been minimized cover several areas, including learning about the vendor's financial stability, encryption techniques and backup procedures.
In particular, the questions focus on the terms and conditions of the user agreement. For instance: Would the vendor be willing to include a provision stating that the employees at the vendor's data center are agents of the law firm?
"There's a big range," said Raleigh solo attorney Christopher Fulmer, who wrote to the State Bar about the opinion. "Some of the vendors, when you read through their terms of service, they don't say anything about keeping your information private."
Kimbro said she appreciated the ethics committee's approach of providing guidance but thought the list of questions could be narrowed down.
"In particular, one question would ask about the financial details of the company, and I'm not sure that it is realistic for any company to provide that to a prospective customer," she said.
Edwards said that she submitted to Clio a draft confidentiality agreement that covered her firm's specific concerns, and that the company had no objections to it.
However, Fulmer said it would be unlikely that vendors would take that same approach in every case, especially when dealing with solo and small-firm lawyers.
He said a revised list of questions or conditions would be helpful to the vendors as much as the attorneys.
"If the Bar can give some guidance, maybe a lot of these providers would address those issues right off the top in the terms of their user agreements," he said. "The State Bar could say, 'This is what we're expecting.'"
In a letter to the State Bar, Kimbro noted that, in reality, many vendors provide regular data backups and store information at data centers with highly regulated environments that include fire suppression, backup power, security and around-the-clock monitoring.
She also pointed out that many SaaS vendors use a 128-bit or greater Advanced Encryption Standard, which is the same level of security that many banks and governmental entities use.
National standards
North Carolina's approach to the issue has received national attention. Some believe the state's ethics opinion could influence how other jurisdictions address the use of SaaS.
However, Elefant said she would prefer to see a broader national approach to cloud computing.
"I really don't want to see these issues resolved on a state-by-state basis," she said.
She compared the situation to the patchwork of opinions that have emerged in recent years on whether lawyers should be permitted to look at metadata embedded in documents. Some jurisdictions have prohibited it, some have allowed it, and others have allowed it but only under certain limited circumstances.
"The decisions are all over the map. It makes it virtually impossible for a lawyer who practices in different jurisdictions to comply," Elefant said.
"So, with something like practice-management tools: If you're licensed in one state that says you can use it, and one that says you can't, then you're going to have to set up two practice-management tools. It's going to be very onerous."
After receiving comments, the State Bar ethics committee will meet in July to decide what revisions, if any, will be made to the proposed opinion.