Thursday, August 4, 2011

NC Bar Ethics on Cloud Computing

The following letter was sent today from attorney Jason A. McGrath to the NC Bar Ethics Committee and NC Bar Ethics Counsel. Here is a link to the proposed ethics opinion (scroll down on the linked page).

UPDATE: a few hours after this posting, the NC Bar updated its website and proposed FEO 6 was removed. I believe it is being reconsidered at this time. The two bullet points which concerned me are below, and were proposed minimum requirements:

• An agreement on how confidential client information will be handled in keeping with the lawyer’s professional responsibilities must be included in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement that states that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect confidential client information and client property.

• The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.


Regarding: Proposed 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property (April 21, 2011)

 NC Bar Ethics Committee:

 I write to offer formal commentary on proposed FEO 6, which addresses the use of Software as a Service (SaaS) by North Carolina attorneys and law firms. I realize that proposed FEO 6 may already be back in Committee for further tweaking. I thank you in advance for your time and effort in considering the thoughts I share herein.

 I share the following to provide some perspective for my view points. Although I have a traditional law background (practicing law since 1996, first 5 years spent as a criminal prosecutor), I was one of the first attorneys in North Carolina to open a virtual law office (“VLO”), and one of the first in the country to have a multi-jurisdictional VLO. My firm currently services clients in multiple states, and combines a traditional law practice with the virtual practice of law. I am a member of the American Bar Association’s “E-Lawyering Task Force” and I recently served as a panelist at the Online Bar Association’s inaugural conference in Miami. My firm pays for increased website and email security.

 As technology advances and as such technology becomes more and more prevalent in and integrated into our society, including our professions, new methods exist to accomplish the same results previously accomplished in other ways. The electronic folder replaces the file cabinet, the MS Word file replaces the notepad, the email replaces the physical letter, etc. The level of security required for electronic communications and data storage should be similar to that required for physical communications and data storage.

 I believe that the majority of proposed FEO 6 is reasonable; certainly the Ethics Committee is headed in the right direction. However, I have significant concerns over the first two bullet points under “Opinion #2”, both of which may not be realistic / practical requirements as currently written. Since the concerns are similar for both bullet points, I will address the two requirements together.

 Ideally, I can understand that it would be preferable to require SaaS vendors to certify that their security methods comply with Rules of Professional Conduct and that their data is stored in the U.S.A. or a location with relevant laws at least as strict and enforceable as those in the U.S.A. and in North Carolina. However, the disparity in bargaining power is such that larger SaaS vendors would refuse to do so altogether, and smaller SaaS vendors would either refuse or charge the law firm for any and all changes which such certification would require. (I have experienced this very issue, in which a small SaaS vendor refused to make even minor changes to its practices and service; I chose not to do business with said vendor and ended up paying more to use a different vendor’s Saas.) The end result would be that NC attorneys would have very little access to reasonably priced SaaS, putting us at a competitive disadvantage.

 Please keep in mind that I am not only focusing on the immediate increase in cost and decrease in options for the NC lawyer. The end result actually hurts the residents and businesses of North Carolina. The more we attorneys have to pay for SaaS (or anything else), the higher fees we have to charge our clients to make up for it. My firm often offers lower fees when compared to firms which do not efficiently utilize SaaS and other technology; that would not continue if overly restrictive regulations drive my firm’s costs up. The net result would be decreased access to legal services for those in lower income brackets.

 To require lawyers to only use SaaS vendors which will agree to the conditions in the proposed FEO would be like telling lawyers that they can only use a physical file cabinet with a specially made lock, and that we must obtain certification from the lock manufacturer that said lock is good enough to supply the level of security required by the Rules of Professional Conduct. Said manufacturers, of course, would not comply. Instead, they would point out (correctly) that their locks meet industry standards, are used by banks, the government, etc. and are sufficient.[1]

 Other analogies which must be considered include the use of courier services and copy services. I am unaware of a single lawyer or law firm which has successfully attempted to have Fed Ex, UPS or Kinko’s change their terms of service to specifically state that their services comply with Rules of Profession Conduct. Attorneys use private companies every day to handle their data in some form or fashion. There is nothing stopping a Kinko’s employee from reading each and every document sent to Kinko’s to be copied. There is nothing stopping a Fed Ex employee from reading every document which passes through his/her hands. However, we use such companies without further thought, confident that the industry standards regarding security and confidentiality are appropriate and sufficient.

 As long as SaaS vendors certify that their security meets a certain grade (an industry standard) and that certification is supported by the vendor’s actual practices, that vendor should be approved for use by NC lawyers. At the end of the day, what good is 100% security if obtaining that standard is so cost-prohibitive that a lawyer can’t stay in business, or can’t offer anything but the highest rates? I can guarantee you that the majority of my clients would prefer reasonable security and reasonable prices, as opposed to incredible security and higher prices.[2]

 I fully recognize that these issues are extremely challenging ones, and that the standards which we require of ourselves must be a work in progress. I encourage the Committee to continue to explore reasonable standards which accomplish the necessary security and confidentiality while also allowing NC lawyers and clients to fully benefit from the advantages offered by SaaS.



                                                                                                 Jason A. McGrath, Esq.

 cc: Alice Neece Mine, NC Bar Ethics

[1] I would point out that I have had Clerks of Court in multiple counties in North Carolina use Yahoo and Gmail to e-mail me with regard to official court matters/cases; I make no further comment on the levels of security involved in such emails.

[2] It may be that law firms using SaaS or similar services/data storage options should be encouraged or required to disclose the same to clients, or even to obtain client consent.