Response to North Carolina State Bar Proposed 2011FEO6
July 15, 2011
Alice Neece Mine
North Carolina State Bar
208 Fayetteville Street
PO Box 25908
Raleigh, NC 27611-5908
RE: Comments Relating to Proposed Ethics Opinion FEO 6
Dear Ms. Neece Mine,
On April 21, 2011, the Ethics Committee of the North Carolina State Bar revised its previous proposed opinion on cloud computing (2010 FEO 7) and reissued it as Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.
We respectfully submit comments on this proposed opinion on behalf of The Legal Cloud Computing Association (“LCCA”). Formed in December 2010, the LCCA is the collective voice of the leading cloud computing software providers for the legal profession. Its members are Clio (Themis Solutions, Inc.), DiaLawg, LLC, DirectLaw, Inc., NetDocuments, Nextpoint, RealPractice, Inc., Rocket Matter, LLC, and Total Attorneys, LLC.
We agree with the basic principle articulated in the Opinion that “[a] law firm may use SaaS if reasonable care is taken to effectively minimize the risks to the disclosure of confidential information and to the security of client information and client files.”
However, we believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states.
Rather than “mandatory requirements”, we believe that it makes more sense to establish basic principles and suggested guidelines, leaving it to the individual attorney to use their best judgment to exercise reasonable care, under the particular circumstances of their practice, in choosing a SaaS provider.
The proposed opinion as written would negatively impact a broad scope of attorneys, from those who do nothing more than use a web-based email client or conduct online legal research to those that do full-scale online delivery of legal services.
We believe that the Opinion as written would affect a broad universe of vendors including Google (many of their applications or services); Yahoo/Hotmail or any other email service attached to an internet service provider, such as Earthlink, Bellsouth, Roadrunner, etc.; Verizon, AT&T, Sprint, T-Mobile; Lexis or Westlaw for online research and almost all of their other services; Mozy; Hosted Exchange; Clio; Total Attorneys; RocketMatter; DirectLaw and any other practice management system with a cloud-based component. Furthermore, any firm that engages in the following tasks is also using SaaS and would be impacted: email; voicemail; digital phone voicemail services, as well as traditional phone services, many of which use voicemail accessible via SaaS; text messaging or SMS; online backup or storage; other forms of online communication with other professionals or clients. The wide array of vendors, including hundreds of vendors outside of the legal vertical, that the Opinion would impact, coupled with the concerns we outline below, make compliance a practical impossibility.
Here are our specific concerns about the requirements and how they may impact decisions by North Carolina’s lawyers to use cloud computing services:
(1) There is a requirement for “a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property.”
The idea that a major data center, of the kind used by many cloud computing vendors, would enter into an agreement that would make its employees agents of a law firm is not realistic. There is not sufficient consideration to expose the Data Center to this kind of liability, and there is no way data center providers would modify their terms and conditions to meet the needs of a single SaaS legal vendor. We have serious doubts that counsel for the Data Center would ever approve such language. Amending the contract terms just for SaaS vendors that service the legal industry is not likely to happen.
Larger companies, such as Google or Microsoft, are not going to negotiate with North Carolina lawyers on this point. Small companies will simply pull out of the North Carolina market altogether.
(2) Another requirement imposes a duty on the lawyer or law firm to “undertake a financial investigation of the SaaS vendor to determine its financial stability.”
The larger concern this point attempts to address is the potential bankruptcy of a SaaS provider. But as a practical matter, what are the criteria for financial stability? Would SaaS vendors be willing to divulge sensitive and proprietary financial information just to secure a subscription agreement from a law firm that is worth no more than a few hundred dollars a month?
It would make more sense to simply require that a SaaS vendor carry Internet liability insurance for the benefit of its law firm clients. Law firms will have problems securing Internet liability insurance to cover data loss. Data loss as a result of a Data Center outage is not normally covered under a law firm’s malpractice policy. For solos and small law firms, securing this kind of coverage would be a burden and cost prohibitive. It makes more sense to require the SaaS vendor to secure such coverage and make its law firm subscribers beneficiaries of the coverage.
Additionally, cloud-based providers should provide their clients with a mechanism to export data in an open, non-proprietary format. This provides protection against a lawyer becoming “locked in” with a given SaaS provider, making it easy to move to an alternative provider should the original provider encounter financial difficulties.
(3) “The law firm, or a security professional, has reviewed copies of the SaaS vendor’s security audits and found them satisfactory.”
Our concerns here relate to the practicality of this requirement and the cost to the small law office. How much does such an audit cost? Can solo practitioners afford such an audit? Who qualifies as a security professional? We think this requirement will act as a deterrent to solos and small law firms who are seeking cloud-based solutions that they can use in their practice. We think that a less costly and more effective solution would be for an independent organization to issue a Certificate of Compliance to the SaaS vendor indicating that the SaaS vendor has satisfied or complied with well-recognized standards. Like the TRUSTe certificate in the privacy area, this would give solos and small law firms a stamp of approval that minimum standards have been satisfied. This would move the cost burden of undertaking due diligence to the SaaS vendor, rather than to the solo or small law firm practitioner.
A recent and important development along these lines in the legal vertical is the International Legal Technology Standards Organization (ILTSO). The organization recently published its 2011 Standards to assist both vendors and practitioners in adhering to “best practices” developed by ILTSO.
(4) “Clients with access to shared documents are aware of the confidentiality risks of showing the information to others. See 2008 FEO 5.”
This guideline should be clarified because it is not clear what “shared documents” means. This kind of statement is likely to scare clients into thinking that a law firm that stores client data on the Internet is putting the client’s data at more risk than storing the data in a file cabinet in the lawyer’s office.
(5) Another requirement states: “The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.”
This is a difficult requirement to implement, because most lawyers are not fully cognizant of the requirements of Federal and state privacy law and security laws, and the rules against unlawful search and seizure as they apply to Data Center operations. This is all the more reason why a law firm must be able to look to some independent organization that is capable of certifying compliance, so that evaluation can be accomplished within the time frame of a few hours, rather than the extensive investigation that is a consequence of implementing this requirement. We believe that most lawyers, particularly law firms without an in-house IT department, will either simply ignore the requirement or choose not to embrace cloud-based technologies because the time cost of due diligence is simply too high.
Most software vendors will not restrict their server locations, many of which are geo-redundant to begin with, to hosting data centers located only in locations with laws as strict as the US and the state of North Carolina. Many of these vendors have long-standing relationships with trusted hosting companies. How would this restriction impact larger law firms with branches in the State as well as branches overseas where it may make more sense to have one of their servers located closer to the overseas location than further away in the US?
Furthermore, multiple geographic locations minimize risk of data loss. Attorneys should look for geo-redundancy of servers and ensure that those servers are located in SAS 70 Type II certified, Tier IV data centers.
We recommend that data in the cloud should be housed on servers in a Tier IV data center which is a multi-million dollar facility with multiple layers of security and access restrictions. Often these security measures include 24-hour surveillance, biometrically restricted access to the server rooms, and locked server cages. This is far greater security for law office data than a filing cabinet in a law office or a physical storage facility. The level of confidentiality provided by this method may in many ways be greater than the protection of confidential information in a traditional law office. If data is encrypted when it leaves the lawyer’s hands and travels to a third-party for hosting, isn’t that safer than data residing unencrypted on the firm’s computer?
Another factor that law firms should consider is whether the Data Center that the SaaS vendor uses has a SAS 70 (Type I or Type II) certification, which attests to a Data Center’s control of its network. This is a requirement for all publicly held IT companies per Sarbanes-Oxley rules. This is the kind of independent certification that law firms can look to for assurance that the Data Center used by the SaaS vendor has implemented internal control procedures that are designed to ensure the security of data.
Law firms should make sure that there is a provision in the SLA stating that the vendor will notify the attorney in the event that it needs to reallocate resources and migrate the attorney’s data from one server location to another. Again, the benefit of having data backed up in the cloud may outweigh the risks. For example, attorneys whose firms have encountered flooding, fire or other natural disasters while their entire practices were in paper files would have been able to safeguard their clients’ files if those files had been on a server located outside of their physical law office.
If the SaaS application provider incorporates an ecommerce component that accepts client credit card payments, the law firm should at a minimum make sure that the credit card processing company used by the provider is deemed “PCI compliant” by the Payment Card Industry (PCI) Security Standards Council. Credit card processors have to earn their compliance every year by meeting stringent criteria, including an annual on-site audit, a review of their internal security policy, simulated attacks on their network, and internal network scans. Visa offers a global registry of PCI-compliant credit card processors on its website.
Impact on Solos and Small Law Firms
As state bar associations adapt ethical rules to deal with the delivery of legal services over the Internet, it is important to consider that the burden of compliance may have a different impact on solos and small law firms than on large law firms. The rules should not act as a barrier to solos and small law firms exploring new ways of delivering legal services online, which are cost effective for both law firms and their clients.
We think an effective solution that would not impose an undue burden on solo practitioners and small law firms would be for an independent organization to formulate and promulgate standards to help practitioners understand and deploy appropriate technologies responsibly, and then allow attorneys to represent compliance with these standards. One such organization, the International Legal Technology Standards Organization (ILTSO), recently published its 2011 Standards to assist practitioners in this important matter, and has been recognized by the LCCA. Later this quarter, ILTSO will allow firms, regardless of size, to display compliance with the Standards. This will not only allow attorneys to publicly represent that these industry-appropriate Standards have been satisfied, but should also begin to shift the costs of undertaking due diligence to the SaaS vendors, rather than to the solo or small law firm practitioner. We respectfully request that attorney-focused, nonprofit industry groups such as ILTSO, which specialize in the formation of computing standards for the legal profession, continue to be granted deference in North Carolina as we seek to define and redefine “reasonableness” in a shifting technological landscape.
We further suggest the Committee examine the Proposals published by the ABA Commission on Ethics 20/20. These Proposals address the same root concerns as the proposed 2011FEO6, but in a fashion that is both pragmatic and achievable for vendors and lawyers alike.
Due Diligence Requirement and Guidance
We would like to suggest that the Ethics Committee make due diligence a requirement in choosing a technology. Then, outside of a formal opinion, provide Bar members with updated guidance about how to use reasonable care in selecting a provider and how to perform due diligence in researching and implementing cloud-based solutions to comply with the existing rules of professional responsibility. Because ethics opinions are not updated on a regular basis, this form of guidance should be in another resource that could be updated on a regular basis.
A more reasonable course of action – and one that will allow law firms to adapt to changing technologies – would be to establish basic principles, leaving to supplementary, non-binding guidance materials the task of helping law firms conduct due diligence in a way that meets the needs of their individual law practices.
Thank you for the opportunity to be part of this conversation and to submit comments on the Committee’s proposed Ethics Opinion. We hope that you will find our comments helpful in your deliberations.
The Legal Cloud Computing Association
Jack Newton, Co-founder and Chief Executive Officer, Clio (Themis Solutions Inc.)
Jeff Goens, Co-founder, President & General Counsel, Dialawg, LLC
Richard Granat, Founder and Chief Executive Officer, DirectLaw Inc.
Leonard Johnson, VP Marketing, NetDocuments
Rakesh Madhava, Chief Executive Officer, Nextpoint, Inc.
Carey Ransom, Chief Executive Officer, RealPractice, Inc.
Larry Port, Founding Partner and Chief Software Architect, Rocket Matter LLC
David Dahl, Chief Technology Officer, Total Attorneys, LLC