Law Firms and Cloud Computing: Ethics Guidelines

State bar associations are starting to address the issue of law firms storing confidential client information in the cloud and are rolling out ethics opinions to guide law firm conduct. You can find a list of these opinions here on the American Bar Association web site. The basic standard that is emerging is that the attorney must use "reasonable care" under the circumstances. This makes sense. It leaves to the attorney the responsibility of making a management judgment about the risks in choosing one cloud solution over another. This assumes that the law firm has sufficient technical knowledge to evaluate the new risks created by the development of new information technologies. [This is the subject of a future blog post!]

The Massachusetts Bar Ethics Opinion on this subject is troubling because it explicitly requires:

"Consistent with its prior opinions, the Committee further believes that the Lawyer remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet, and that he should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent to do so"

The requirement that the client's express consent be obtained in every case to store confidential information in the cloud is not realistic and not consistent with the way web technology is evolving. There are clearly situations where it would be reasonable under the circumstances to secure a client's consent for storing confidential information in the cloud, but the way this Opinion is framed, law firms will interpret this to mean that in every case the client's express consent needs to be explicitly secured. This adds unnecessary "friction" to creating the lawyer/client relationship.

This requirement actually puts Massachusetts lawyers, particularly solos and small law firms, at a competitive disadvantage. Solos and small law firms now have to compete against software-powered non-lawyer sites such as LegalZoom, LegacyWriter, MyLawyer.com, and RocketLawyer, to name only a few. None of these non-lawyer web sites require that their customers provide express consent to store their confidential data in the cloud, and if they do, the consent is buried so deep in the fine print that the average user is completely unaware of what they are consenting to.

The Opinion cites Google Docs as its leading example, which is a good example of how out of touch the Bar is with emerging technological trends. It won't be long before a person will be able to create a Will using a mobile app on their cell phones.

Must the user then be required to give their express consent before storing their data? What does that "express consent" mean in a mobile application context? The necessity of preserving the integrity of the lawyer/client relationship through the appropriate application of ethical rules is clearly appropriate. But adding unnecessary "friction" to accessing legal services for the average consumer is just going to result in them turning to alternative non-lawyer providers who operate with fewer restrictions. Restrictions like this impede innovation in the delivery of legal services by the legal profession. No wonder the legal profession is lagging behind every other service industry in adapting to the mobile social web.

For a similar viewpoint see: Carolyn Elefant's Blog Post: The Bar Associations Have Their Head in the clouds When it Comes to Cloud Computing.

For a thoughtful analysis of bar association ethical opinions on the use of cloud computing by lawyers see also:  Bob Ambrogi's blog posts at Catalyst.
 

Law Startups in La La Land

I was at a panel in San Francisco this week titled: Law + Tech - The Unpopulated Multi-Billion Dollar Industry.

By "La La Land" I don't mean Los Angeles or California, but rather "to be in one's own world" as defined by the Urban Dictionary.  As I listened to the founders talk, I couldn't help thinking that given the absence of a clear business model, or the understanding of what it takes to market to consumers or to lawyers,  that many of these start-ups will simply die after the founders run out of cash.  However, out of the ashes one or two  are bound to survive and have a lasting impact on the markets they are targeting.

This was an interesting group of companies - all focused on the idea that there is a need for changing the way legal services are identified, purchased, and delivered and the way that lawyers practice law.

You could classify these companies into three categories:

  • companies that want to connect consumers with lawyers and plan to monetize the traffic stream in some way;
  • companies that want to provide tools to increase law firm productivity;
  • companies that aim to deliver direct legal services through a network of lawyers online or provide a legal solution to a consumer through the use of a digital application.

Here is a list of these companies, some of which were at the Panel,  and one or two which announced within the past 30 days.

Companies linking consumers to lawyers:

MyLawSuit.com - seeks to link clients who have personal injury claims with personal injury lawyers. The company takes 5% of the recovery from the client side. Has a legal opinion that says this is not fee-splitting.

LegalSonar.com - potential clients find lawyers by searching social media to see which of the searcher's friends have had an experience with a lawyer and whether the friend would recommend them. Free to users, lawyers pay a fee for listing. Limited to Kansas City, Missouri for now, which is where the company is based. This is an interesting idea and makes more sense to me than traditional legal referral services offered by bar associations where recommendation of a lawyer for a client is more arbitrary. Company plans to expand nationwide.

AttorneyFee.com - company provides detailed legal fee information to users to help them evaluate legal services based on price.

LawGives.com - working on a software algorithm that would analyze a user's factual statement (submitted through a secure web form) of their legal problem and match the client to the most suitable attorney based on a software analysis of all of the attorney's experience, education, background, recommendations, and other selection factors. The proprietary algorithm being developed is based on advanced semantic search technologies. This is an interesting concept because if it works, it could be used in a variety of legal contexts such as in large law firms where there is sometimes a need to match the skills of lawyers within the firm to the needs of new cases and clients. LawGives.com would also be a challenge to typical bar sponsored legal referral methods which are based on antiquated pre-Internet technologies (telephone and categorized lists of lawyers). Ethics 20/20 Commission take note.

Start-ups that aim to increase the productivity of law firms:

LawLoop.com - comprehensive, affordable cloud-based practice management system that incorporates in one place document management, practice management tools, time-keeping and billing (next release), calendaring, Outlook email integration, and client communications. A unique feature is the ability to create client extranets between client, lawyer, and other third parties on the fly, by drawing a loop, not unlike creating a Google circle of contacts. Thus, for example, a secure deal space could be created instantly between all of the parties to a deal which could contain documents, correspondence, and other supporting materials instantly. Price is affordable at $39.00 a user. More competition for RocketMatter and Clio.

LegalReach.com - Provides cloud-based applications for lawyers. An App Store now offers Referral Manager, an app designed to securely send and receive business to/from other attorneys while keeping track of vital statistics. Coming soon apps include: Website Builder, CLE Tracker and more. Attorneys can also create on-line Attorney Profiles so a dimension of the business model is to connect prospects with attorneys.

Kiiac.com - Contract analysis and contract standards tool that creates documents through the web browser using Google Docs. Create an NDA online. See also related Contract Standards web site. This is a fabulous resource for lawyers drafting contracts.

Startups that will offer legal solutions directly to consumers:

DocRun.com - DocRun is a SaaS solution that creates highly-customized, state-specific legal contracts and agreements instantly just by asking the user a series of simple, intuitive questions. Site is in alpha. The company has raised 1.1 in seed funding. At public launch, DocRun claims it will provide hundreds of personalized documents, including everything from prenuptial agreements to operating agreements to employment agreements, specially tailored to each individual user using a web-based Q&A engine. Sounds like they are building another web-enabled document assembly application. Claims documents will be very affordable.

UpCounsel.com - Company will offer sophisticated legal services from a network of lawyers to hi-tech start-up companies in California. Not yet launched.

Paperlex.com - Company will offer legal documents online and web-enabled document assembly tools to customize for the individual's personal circumstances. Read More.

Docracy is a new legal document start-up, founded by Matt Hall and John Watkinson, that grew out of a TechCrunch Disrupt Hackathon in New York City. The idea is to provide a free depository of legal documents that meets the needs of small business and start-ups which are crowd sourced by individuals who register for the site. The concept is to provide an open source site for legal documents in the same way that GitHub is an open source site for code. Read more.

LawPivot.com - Free crowd sourced legal advice from lawyers. Rumored to be getting ready to launch an eLance type service for consumers to connect with lawyers on specific projects.  Funded by Google Ventures. Will be interesting to see how LawPivot team creates an ethically compliant business model.

If you hear about other recent start-ups in the legal industry, funded or otherwise, we would like to know about them. Just mention them in the Comment field to this post. All of this recent activity reminds me of 2001, when we saw many law start-ups funded during the dot.com heyday. Most didn't survive the crash. (USLAW.com; AmeriCounsel; MyCounsel  to name just a few).

Maybe it will be different this time around.


Legal Cloud Computing Association Publishes Responses to ABA, North Carolina State Bar

The Legal Cloud Computing Association (LCCA) has published responses to proposals issued by the ABA Commission on Ethics 20/20 and the North Carolina State Bar regarding the use of cloud computing within a law practice.

The Legal Cloud Computing Association ("LCCA"), formed in December 2010, is the collective voice of the leading cloud computing software providers for the legal profession, consisting of Clio (Themis Solutions, Inc.), DiaLawg, LLC, DirectLaw, Inc., NetDocuments, Nextpoint, Inc., RealPractice, Inc., Rocket Matter, LLC, and Total Attorneys, LLC.

Response to ABA Commission on Ethics 20/20

The LCCA’s letter to the ABA Commission on Ethics was issued in response to the Commission’s Initial Draft Proposals on "Technology and Confidentiality" published on May 2, 2011. The Proposals include certain modifications to the ABA Model Rules of Professional Conduct that are designed to facilitate the responsible adoption of technology that will increase the quality, and reduce the cost, of legal services. The Proposals were issued as part of a process initiated early in 2010 where the Commission published an Issues Paper requesting comments and feedback from the legal community.

The LCCA fully supported the Commission’s Proposals, and concluded that the Commission's recommendations provided a reasonable framework that would enable law firms to make informed decisions about using cloud computing resources.

Response to North Carolina State Bar Proposed 2011FEO6

The LCCA’s letter to the North Carolina State Bar pertains to Proposed Formal Ethics Opinion 2011FEO6. The Proposed FEO attempts to address the ethical issues relating to the use of Software-as-a-Service or cloud computing within a law firm environment.

While the LCCA supported the NC State Bar’s efforts to provide clarity on the use of cloud computing, the Proposed FEO as written would negatively impact a broad scope of attorneys from those who do nothing more than use a web-based email client or conduct online legal research to those that do full scale online delivery of legal services.

The onerous requirements of the Proposed FEO, detailed in full in the LCCA’s response to the NC State Bar, would force many cloud computing providers to withdraw from the NC market entirely, thus negatively impacting the technological capabilities and competitiveness of NC-based law firms.

Unlike the recommendations of the ABA Ethics 20/20 Commission, the draft North Carolina bar opinion, as it stands, is likely to have a negative impact on the use of cloud computing resources and applications by law firms in North Carolina. One result is that North Carolina's law firms, particularly solos and small law firms, would be handicapped when competing with law firms from other states.

We are hopeful that the revised opinion will be more compatible with the recommendations of the ABA Ethics 20/20 Commission.  Why is it necessary for each state bar to have their own set of guidelines in this area, when the companies that offer cloud computing services operate nationally?


What Every Lawyer Should Know About Document Automation

For years some law firms, but not all, have used some form of document automation in their law offices. Ranging from an MS Word macro to long standing programs such as HotDocs, as well as automated forms distributed by legal publishers such as Willmaker by Nolo, some law offices have incorporated some form of document automation in their law practices. Document automation of legal documents that are generated in high quantity by a law firm is an indispensable process for increasing law firm productivity and maintaining profit margins in an era of intense competition.

Legal Document Creation the Old Way

The manual process of cutting and pasting clauses from a master MS Word document into a new document is a productivity process which is fast becoming outdated. It reminds me of the time before there were automated litigation support programs, and legal assistants would duplicate a set of case documents three or four times. The next step was filling one file cabinet with a set of documents in alpha order, filling another filing cabinet with a set of documents in date order, and finally, filling another filing cabinet with a set of documents in issue or subject order to enable "fast" retrieval of relevant paper documents. It took a while, but almost all litigation lawyers now use automated litigation support methods. This is not true of transactional lawyers, many of whom still use outdated methods of creating legal documents, as if each legal document were a unique novel, poem, or other work of fiction.

Barriers to Change

An obstacle to wider use of automated document assembly methods is typically the lawyer's insistence on crafting the words in each clause to their own satisfaction. Because most lawyers do not have the requisite programming skill to automate their own documents, law firms by default will opt to use their own non-automated documents, rather than risk using the legal documents automated by an independent provider, because by definition the content of the documents is "not their own." As a result, many law firms do not even use desktop document assembly solutions when the forms are published by an independent provider or publisher, remaining stuck using more time-consuming and less productive manual methods.

Typically, when a law firm does use document assembly methods, a paralegal inputs answers from a paper intake/questionnaire into a document assembly program running on a personal computer. This results in the extra time-consuming step of inputting data from the intake questionnaire to the document assembly program, but it is still more efficient than manual methods.

Web-Enabled Document Automation

Now come "web-enabled legal document automation" methods. Web-enabled document automation is a process whereby the intake questionnaire is presented on-line to the client through the web browser to be completed directly.

When the client clicks the "Submit" button, the document is instantly assembled, ready for the attorney's further review, analysis, revision, and customization if necessary. The result is a further leap in productivity because the client is actually doing part of the work at no cost to the lawyer, freeing the lawyer up to focus on analysis and further customization of the document.

This is what the work flow looks like when using web-enabled document automation methods:

[Figure: Client Journey - Web-Enabled Document Automation Work Flow]

Unfortunately, lawyers have been slow to adapt to this process as well, because of their reluctance to use legal documents drafted or automated by someone else. However, in order to automate their own documents they must either acquire the skill to do the job, or commit the capital to have a skilled professional automate their documents for them. For solos and small law firms these two constraints create formidable obstacles to using more efficient methods.

Since neither condition is common within smaller law firms (programming skill, investment capital), the result is that the law firm gets stuck using older less productive methods of document creation.

Vendors that provide web-enabled document platforms, including our own Rapidocs, and Exari, Brightleaf, HotDocs, DealBuilder, and Wizilegal, to name only a few, all claim that their authoring systems are easy to use, but I have yet to see lawyers without any kind of programming skill create their own automated legal documents in any quantity. Thus, law firms become stuck in a negative loop of their own creation which reduces productivity (and profitability):

"My legal documents are better than yours; I can't automate them for the web because I don't know how; thus I will be less productive and be required to charge you more because of my own inefficiency."

Competition

In the consumer space, now come the non-lawyer providers to take advantage of the solo and small law firm's competitive disadvantage. Research by companies like Kiiac provides support for the conclusion that 85% of the language in transactional documents is actually the same. In more commoditized areas, where legal forms have been standardized, the legal form content is 100% the same in all documents. Taking advantage of this consistency of legal form content, companies like LegalZoom, Nolo, CompleteCase, SmartLegalForms, and LegacyWriter, with their superior on-line marketing and branding machines, now sell legal forms by the thousands at low cost which provide a "good enough" legal solution for consumers who would do anything to avoid paying the higher fees to an attorney.

It's true that the consumer doesn't get the benefit of the attorney's legal advice and counsel, and the accountability and protection that dealing with an attorney provides, but consumers don't seem to care.

What can be done?

The "web-based legal document automation solution," used by non-lawyer providers, is a disruptive technology that is eating away at the core business base of the typical solo and small law firm practitioner.

What can solos and small law firms do to compete in this challenging competitive environment?
The American Bar Association's Legal Technology Resource Center reported last year in their Annual Technology Survey that only 52.2% of solo practitioners don't have a web site. Even if this number is underestimated, it is shockingly low compared with web site utilization by other industries. If you don't even have a web site, the idea of "web-enabled document automation" is still a "light year" away.

What can be done to encourage more wide-spread use of web-enabled document automation technology by law firms, particularly solos and small law firms? A follow-up post will explore some solutions, but I am open to ideas from anyone.

Download our White Paper on Web-Enabled Document Automation

 

North Carolina Bar Regulates Legal Cloud Computing

A proposed Ethics Opinion of the North Carolina Bar that provides guidelines for attorneys using cloud computing services, commonly known as SaaS (Software as a Service), contains language that is troubling because of its potential impact on solos and small law firm practitioners who are creating virtual law practices. The Bar is soliciting comments prior to making the Opinion final. Here are some comments for consideration.

The Opinion states that to comply with the attorney's duty to keep client data confidential there should be:

"a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property."

 

DirectLaw is a SaaS vendor that hosts law firm data at a Tier IV Data Center that implements the security controls that a bank or major financial institution uses.  The idea that our data center would enter into an agreement that would make its employees agents of a law firm is not realistic. There is not sufficient consideration to expose the Data Center to this kind of liability, and there is no way that they would modify their terms and conditions to meet the needs of a single SaaS vendor. I doubt that counsel for the Data Center would ever approve such language. The Data Center would just tell us to take our business elsewhere. Amending the contract terms just for SaaS vendors that service the legal industry is not likely to happen.

There are other, less burdensome approaches to providing assurance to law firms that confidential client data is secure.

I think a better guideline would be to suggest or require that SaaS vendors host their data at a data center that is a Tier IV Data Center. A Tier IV Data Center is one which has the most stringent level of requirements and which is designed to host mission critical computer systems, with fully redundant subsystems and compartmentalized security zones controlled by biometric access control methods. The Data Center should also be SAS 70 certified. The Data Center should also have PCI DSS certification if credit card data is stored within the Data Center. With these safeguards in place, a law firm should be considered to have undertaken reasonable due diligence to satisfy the obligation to ensure that client data will remain confidential.

There are other problems with the North Carolina opinion. Another guideline:

"requires the attorney to undertake a financial investigation of the SaaS vendor: to determine its financial stability."

What does that mean? I am not about to divulge our private financial statements to just any lawyer who inquires. How is it relevant? If there are provisions for data capture and downloading data that is stored in the cloud, and the law firm has access to that data, what difference does it make if the SaaS actually goes out of business?

It would make more sense to simply require that a SaaS vendor carry Internet liability insurance for the benefit of its law firm clients. Law firms will have problems securing Internet Liability Insurance to cover data loss. Data loss as a result of a Data Center outage is not normally covered under a law firm's malpractice policy. For solos and small law firms, securing this kind of coverage would be a burden and cost prohibitive. It makes more sense to require the SaaS vendor to secure such coverage and make its law firm subscribers a beneficiary of the coverage.

Another guideline states that:

"The law firm, or a security professional, has reviewed copies of the SaaS vendor’s security audits and found them satisfactory."

How much does such an audit cost? Can solo practitioners afford such an audit? Who qualifies as a security professional? I think this requirement will act as a deterrent to solos and small law firms who are seeking cloud-based solutions that they can use in their practice. I think that a less costly and more effective solution would be for an independent organization to issue a Certificate of Compliance to the SaaS vendor indicating that the SaaS vendor has satisfied or complied with well recognized standards. Like the Truste Certificate in the privacy area, this would give solos and small law firms a stamp of approval that minimum standards have been satisfied. This would move the cost burden of undertaking due diligence to the SaaS vendor, rather than to the solo or small law firm practitioner.

Another guideline states:

"Clients with access to shared documents are aware of the confidentiality risks of showing the information to others. See 2008 FEO 5."

This guideline should be clarified because it is not clear what "shared documents" means. This kind of statement is likely to scare clients into thinking that a law firm that stores client data on the Internet is putting the client's data at more risk than storing the data in a file cabinet in the lawyer's office.

As the American Bar Association, through its Ethics 20/20 Commission, and state bar associations adapt ethical rules to deal with the delivery of legal services over the Internet, it is important to consider that the burden of compliance may have a different impact on solos and small law firms than on large law firms. The rules should not act as a barrier to solos and small law firms exploring new ways of delivering legal services online which are cost effective for both the law firms and their clients.

For a similar point of view see Stephanie Kimbro's blog post on the same topic.

Disclosure: DirectLaw is a SaaS vendor that provides a virtual law firm platform to solos and small law firms.

How safe and secure is your law practice environment?

A new nonprofit organization has emerged to help lawyers assess the safety and security of their law practice environment. The organization is the International Legal Technology Standards Organization and it recently released a set of standards that law firms can use to:

  1. evaluate the law firm's internal security standards; and
  2. make informed decisions about "cloud computing" vendors and other hosting arrangements where confidential data is stored outside of the physical office of the law firm.

The Standards are much more detailed and comprehensive than the ABA/LPM's eLawyering Task Force publication of Cloud Computing Guidelines for Law Firms.

Disclosure: I am on the Advisory Board of ILTSO and provided some guidance to the development of the standards.

The standards are being circulated for comment before final publication.

The standards offer a sensible definition of "reasonable under the circumstances" by recognizing that different types of law firms have different security needs, although all lawyers are bound to prevent the disclosure of client data. Law firms are categorized into three types of situations:

  • "Bronze - this standard is appropriate in every law practice, including solo practices."
  • "Silver - this standard is typically appropriate for firms of more than one attorney, or where circumstances or resources dictate."
     
  • "Gold - this standard is typically appropriate for larger firms or those with additional IT resources, or where circumstances or resources dictate."

The idea of categorizing law practice environments into these three categories is a new idea, as some of the standards only apply to the Gold and Silver category. The intent is to recognize that law firms have different IT capabilities and the size of the law firm usually determines how the law firm will approach the problem of securing client and other firm data.

At this point of development, the law firm is responsible for undertaking its own self-assessment. Law firms can apply the standards to their own law practice environment and, if in compliance, display the ILTSO seal.

At some point, I can see where ILTSO might undertake an independent assessment of a law firm's security arrangements and, if it is in compliance with the standards, award a certificate like the Truste certification which assesses an organization's privacy policies. A small fee could be charged for this assessment and it would vary depending on whether the type of law firm practice environment is Bronze, Silver, or Gold. This would give assurance to clients that all reasonable efforts have been taken to secure the confidentiality of their data.

It will be interesting to see how the organized bar responds to these standards, as there are entities both at the state level and at the American Bar Association that are analyzing these same subjects.

The ABA Ethics 20/20 Commission, for example, has been holding hearings on cloud computing and security of data and has released a working paper on this subject.

Just last week, the Commission released its recommendations on outsourcing, which is a process that has an impact on the confidentiality of client data. The recommendations have not yet been posted on the Commission's web site, but the ABA Journal reports that:

"The commission proposes revisions to the Model Rules recognizing that electronically stored information, including metadata, is material subject to confidentiality rules. It also proposed revisions directing lawyers to make reasonable efforts to prevent inadvertent disclosure of information relating to representation of a client."

ILTSO's new standards would give concrete meaning to the definition of "reasonable efforts" and provide a detailed framework that could guide attorney assessment of particular outsourcing and cloud computing arrangements.

A positive impact of having this evaluation framework in place might be the accelerated adoption of technologies, such as cloud computing. Compliance with the guidelines would support a law firm's assertion that the firm has taken all reasonable steps to secure client data to reduce its liability in case of a security breach over which the firm had no control.

An unanticipated consequence might be a slow down in adoption, as the lack of clarity in this area might give many lawyers a reason not to become "early adopters." Many lawyers might choose to wait until standards like ILTSO's are accepted by a broad base of legal organizations and law firms.

Of course, by then, the "real" early adopters will have acquired a first mover advantage over law firms that are still thinking about the subject, to those firms' competitive disadvantage.