The Ethics Committee of the North Carolina State Bar issued a proposed ethics opinion recently that could break significant ground. As we noted in an earlier post, the committee was asked whether a law firm could use a SaaS (Software as a Service) provider to store confidential client data or documents. The specific question was this:
SaaS for law firms may involve the storage of a law firm’s data, including client files, billing information, and work product, on remote servers rather than on the law firm’s own computer and, therefore, outside the direct control of the firm’s lawyers.
Given the duty to safeguard confidential client information, including protecting that information from unauthorized disclosure; the duty to protect client property from destruction, degradation, or loss (whether from system failure, natural disaster, or dissolution of a vendor’s business); and the continuing need to retrieve client data in a form that is usable outside of the vendor’s product; may a law firm use SaaS?
Yes, You Can Use SaaS Providers
Not surprisingly, the committee answered a resounding “Yes” so long as the law firm takes steps to minimize the risk of inadvertent disclosure of client confidential information.
That makes sense to me simply as a matter of practicality. The market is quickly moving toward the SaaS delivery model because it is cheaper and provides better functionality and features so long as you are connected to the Internet. If the trend continues, there may not be any client-based software in a few years. It may all be delivered as a service over the Internet by SaaS providers.
Best Practices for Dealing with SaaS Vendors?
I found the next part of the opinion even more interesting. The committee went further to offer what it called “best practices” for selecting SaaS vendors.
The specific question was this:
Are there any “best practices” that a law firm should follow when contracting with a SaaS vendor to minimize the risk?
Again, the answer was “Yes.” The committee suggested that a lawyer be able to answer the following questions satisfactorily in order to conclude that the risk of inadvertent disclosure is minimized.
- What is the history of the SaaS vendor? Where does it derive funding? How stable is it financially?
- Has the lawyer read the user or license agreement terms, including the security policy, and does he/she understand the meaning of the terms?
- Does the SaaS vendor’s Terms of Service or Service Level Agreement address confidentiality? If not, would the vendor be willing to sign a confidentiality agreement in keeping with the lawyer’s professional responsibilities? Would the vendor be willing to include a provision in that agreement stating that the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect client information?
- How does the SaaS vendor, or any third party data hosting company, safeguard the physical and electronic security and confidentiality of stored data? Has there been an evaluation of the vendor’s security measures including the following: firewalls, encryption techniques, socket security features, and intrusion-detection systems?
- Has the lawyer requested copies of the SaaS vendor’s security audits?
- Where is data hosted? Is it in a country with less rigorous protections against unlawful search and seizure?
- Who has access to the data besides the lawyer?
- Who owns the data—the lawyer or SaaS vendor?
- If the lawyer terminates use of the SaaS product, or the service otherwise has a break in continuity, how does the lawyer retrieve the data and what happens to the data hosted by the service provider?
- If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code?
- Can the lawyer get data “off” the servers for the lawyer’s own offline use/backup? If the lawyer decides to cancel the subscription to SaaS, will the lawyer get the data? Is data supplied in a non-proprietary format that is compatible with other software?
- How often is the user’s data backed up? Does the vendor back up data in multiple data centers in different geographic locations to safeguard against natural disaster?
- If clients have access to shared documents, are they aware of the confidentiality risks of showing the information to others?
- Does the law firm have a back-up for shared document software in case something goes wrong, such as an outside server going down?
These are pretty hefty requirements. I am not sure most lawyers will be able to call Google or Microsoft and get answers to these questions.
Moreover, some are open to debate. For example, is the committee requiring that a lawyer only use a SaaS vendor with data centers in different geographical locations? If so, that will add to the service costs. I don’t know of many law firms that save their data to multiple data centers to protect against a natural disaster. In my experience, most keep their backups in the same vicinity as their primary files. Some keep the backup tapes in the same office.
The basis for the committee’s opinion is pretty interesting. The committee cited email recommendations from Erik Mazzone, the director of the Center for Practice Management at the North Carolina Bar Association. It also referred to the ABA Legal Technology Resource Center.
I don’t challenge Mr. Mazzone’s recommendations so much as suggest that these kinds of issues merit broader inquiry. The opinion is one of the first on the subject, which means it will be persuasive to the next bar dealing with this issue. There is certainly the chance that the recommendations will be picked up as precedent and codified as the standards for dealing with SaaS vendors. I hope there is more discussion on some of these points before the cement hardens.
To be fair, the committee issued this as a tentative opinion in an attempt to generate comments. Moreover, they expressly stated that the list was not meant to be all-inclusive and suggested “consultation with a security professional competent in the area of online computer security.” They also noted that “given the rapidity with which computer technology changes, what may constitute reasonable care may change over time and a law firm would be wise periodically to consult with such a professional.”
All in all, I commend the committee for a thoughtful opinion that heads in the right direction. I hope others pick up this debate and add their ideas. SaaS is the future, both for business and the legal profession. Lawyers will use SaaS providers and clients will benefit through better and cheaper services. Let’s hope the other bar associations agree.
Proposed 2010 Formal Ethics Opinion 7, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property (April 15, 2010).
The other problem that I have with the NC Opinion is that it does not differentiate between the types of data that lawyers store. You don’t need a fortress to upload documents that have already been filed at the court to a portal. Likewise, you probably need something better than Google Docs to store social security numbers, though Google would very likely pass the proposed criteria. These are my comments:
http://www.myshingle.com/2010/04/articles/ethics-malpractice-issues/legal-ethics-of-cloud-computing/