North Carolina Bar Regulates Legal Cloud Computing

A proposed Ethics Opinion of the North Carolina Bar that provides guidelines for attorneys using cloud computing services, commonly known as SaaS (Software as a Service), contains language that is troubling because of its potential impact on solos and small law firm practitioners who are creating virtual law practices. The Bar is soliciting comments prior to making the Opinion final. Here are some comments for consideration.

The Opinion states that to comply with the attorney's duty to keep client data confidential there should be:

"a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property."

 

DirectLaw is a SaaS vendor that hosts law firm data at a Tier IV Data Center that implements the security controls that a bank or major financial institution uses.  The idea that our data center would enter into an agreement that would make its employees agents of a law firm is not realistic. There is not sufficient consideration to expose the Data Center to this kind of liability, and there is no way that they would modify their terms and conditions to meet the needs of a single SaaS vendor. I doubt that counsel for the Data Center would ever approve such language. The Data Center would just tell us to take our business elsewhere. Amending the contract terms just for SaaS vendors that service the legal industry is not likely to happen.

There are other, less burdensome approaches to providing assurance to law firms that client confidential data is secure.

I think a better guideline would be to suggest or require that SaaS vendors host their data at a data center that is a Tier IV Data Center. A Tier IV Data Center is one which has the most stringent level of requirements and one which is designed to host mission critical computer systems, with fully redundant subsystems and compartmentalized security zones controlled by biometric access control methods. The Data Center should also be SAS 70 certified. The Data Center should also have PCI DSS certification if credit card data is stored within the Data Center. With these safeguards in place, a law firm should be considered to have undertaken reasonable due diligence to satisfy the obligation to ensure that client data will remain confidential.

There are other problems with the North Carolina opinion. Another guideline:

"requires the attorney to undertake a financial investigation of the SaaS vendor: to determine its financial stability."

What does that mean? I am not about to divulge our private financial statements to just any lawyer who inquires. How is it relevant? If there are provisions for data capture and downloading data that is stored in the cloud, and the law firm has access to that data, what difference does it make if the SaaS actually goes out of business?

It would make more sense to simply require that a SaaS vendor carry Internet liability insurance for the benefit of its law firm clients. Law firms will have problems securing Internet liability insurance to cover data loss. Data loss as a result of a Data Center outage is not normally covered under a law firm's malpractice policy. For solos and small law firms, securing this kind of coverage would be a burden and cost prohibitive. It makes more sense to require the SaaS vendor to secure such coverage and make its law firm subscribers a beneficiary of the coverage.

Another guideline states that:

"The law firm, or a security professional, has reviewed copies of the SaaS vendor’s security audits and found them satisfactory."

How much does such an audit cost? Can solo practitioners afford such an audit? Who qualifies as a security professional? I think this requirement will act as a deterrent to solos and small law firms who are seeking cloud-based solutions that they can use in their practice. I think that a less costly and more effective solution would be for an independent organization to issue a Certificate of Compliance to the SaaS vendor indicating that the SaaS vendor has satisfied or complied with well recognized standards. Like the TRUSTe Certificate in the privacy area, this would give solos and small law firms a stamp of approval that minimum standards have been satisfied. This would move the cost burden of undertaking due diligence to the SaaS vendor, rather than to the solo or small law firm practitioner.

Another guideline states:

"Clients with access to shared documents are aware of the confidentiality risks of showing the information to others. See 2008 FEO 5."

This guideline should be clarified because it is not clear what "shared documents" means. This kind of statement is likely to scare clients into thinking that a law firm that stores client data on the Internet is putting the client's data at more risk than storing the data in a file cabinet in the lawyer's office.

As the American Bar Association, through its Ethics 20/20 Commission, and state bar associations adapt ethical rules to deal with the delivery of legal services over the Internet, it is important to consider that the burden of compliance may have a different impact on solos and small law firms than on large law firms. The rules should not act as a barrier to solos and small law firms exploring new ways of delivering legal services online which are cost effective for both the law firms and their clients.

For a similar point of view see Stephanie Kimbro's blog post on the same topic.

Disclosure: DirectLaw is a SaaS vendor that provides a virtual law firm platform to solos and small law firms.

2010 ABA Legal Technology Survey Report on E-Lawyering: Questionable Data

Volume IV of the recently released 2010 ABA Legal Technology Survey Report is devoted to Web and Communication Technology. A section on E-Lawyering reports that 14% of respondents overall, and 19% of solo practitioners, report that they have a virtual law office or virtual law practice. The question in the survey that deals with whether a law firm has a "virtual law practice" was framed in terms of whether the attorney primarily interacts with clients using Internet-based software and other electronic communications software.

In my opinion, these self-reported responses from attorneys are not meaningful and are much too high to be accurate. The reported numbers are not useful in understanding where the legal profession is in terms of adopting the concept of a "virtual law practice." The reality is that the adoption rate is much lower.

The ABA Law Practice Management Section's eLawyering Task Force (disclosure: I am Co-Chair of the eLawyering Task Force) defines a "virtual law practice" as one that offers to its clients a secure client portal, as part of the law firm's web site, where the client can log in with a user name and password, and interact with their attorney, as well as consume other online legal services. A virtual law practice is more than simply communicating with clients by email and never meeting with clients face-to-face. In order to have a "virtual law practice" by our definition, you have to have a web site and a portion of that web site has to be dedicated as a secure portal for clients. Without this distinction, many law firms can claim that they are "virtual law firms" simply because they use email extensively, as the ABA Study seems to imply, giving the impression that integration of Internet technologies as part of their legal service delivery system is much higher than it actually is.

For example, in another question, the survey participants were asked whether the firm has a web site. The solo practitioner group responded that only 52.1% had a web site, but this is the same group that responded that 19% have a "virtual law practice." By our definition, if you don't have a web site you don't have a "virtual law practice." The only explanation for the discrepancy in these numbers is that the question of "Do you have a virtual law practice?" was phrased so broadly that more law firms were included in the category than should be.

Another question that was asked to determine what kinds of online legal services were offered by the firm was: "Does your law firm offer online document preparation?" 11.4% of solo firms reported that they did. Again this number doesn't make any sense. There were 149 respondents in the Solo category. Only 52.1% actually had a web site, or 77 firms had a web site from which online document preparation could be offered. 11.4% would suggest that only approximately 8 law firms could offer this service. Not only is this number too small to make any meaningful projections in terms of the total number of solo practitioners in the US (more than 400,000), but it is also likely to be misleading. Here's why:

The technological options for offering online document assembly for solo practitioners are very limited. One option is to provide fillable Adobe .pdf forms. But you can't easily use a fillable Adobe .pdf to create a text document such as a Will or a Shareholder's Agreement. The major document assembly vendors such as HotDocs, DealBuilder, and Exari have systems that support online document assembly but the price for licensing these systems is much too expensive for the average solo practitioner. Wizilegal, a new entrant to the field, provides a new low cost web-enabled document assembly solution, but our market information suggests that they have only a small number of users. (Disclosure: DirectLaw, which sponsors this blog, is one of the few web-enabled document assembly solutions that is offered at a price that a solo practitioner can afford.)

In short, the question about the use of online document assembly should have been phrased much more narrowly, with a field in the questionnaire that would require that the law firm indicate what platform is being used to support online document assembly, and whether it is a third party vendor, or whether the programming was done in-house. My sense is that if the question were asked properly, the number of law firms offering online document assembly would be much lower than actually reported.

Finally, 3% of respondents report that their firms offer expert systems on their web sites (compared with 1% in the 2009 survey), including 7% of the large firm respondents. Based on our surveys of law firms from solos to large law firms, this percentage seems very high to me. It is very rare that I come across a law firm web site that actually offers an "expert system" for use by its clients, and I review or check out literally thousands of law firm web sites a year. Most lawyers don't even know what an "expert system" is! I would like to see a more precise question, where the respondent is required to name the kind of "expert system" they are offering and the URL of the web site where it is offered, so that a reviewer could more closely examine whether what the law firm represents they are doing is in fact the case.

I think that it is commendable that the ABA Legal Technology Resource Center now has a separate section of its annual report just on web and communication technology. The platform for the delivery of legal services is gradually shifting from traditional face-to-face office practice to the Web, but my sense is that the pace of adaptation is much slower than is being officially reported. This is understandable in a profession that views its core identity as one where clients are dealt with primarily face-to-face.

On the other hand, our own research on consumer preferences suggests that more than half of consumers would like their law firm to have an online virtual component. Thus, the legal profession continues to lag behind what other service industries offer to their clients and customers online.