One thing seems certain about the Ethics Committee of the North Carolina State Bar—it is trying hard to get its opinion right on the ethics of cloud computing.
In April 2010, the committee issued a proposed opinion that addressed the question of whether a law firm may ethically use Software as a Service in light of a lawyer’s duty to safeguard confidential client information and protect client property from destruction or loss. The opinion answered the question in the affirmative, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”
The proposed opinion generally elicited praise from lawyers who use cloud-based applications and from vendors that provide such applications. (See what we at Catalyst had to say about it in two posts, The Legal Ethics of Cloud Computing and N.C. Ethics Opinion on SaaS Merits Broader Inquiry.) But after putting the proposed opinion out for public comment, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion (Proposed 2011 Formal Ethics Opinion 6).
While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also proposed minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing arguing that the requirements were so onerous as to effectively block the use of many cloud applications. On behalf of several cloud vendors, the Legal Cloud Computing Association filed written commentsobjecting to the proposed opinion. The comments said:
[W]e believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states.
Rather than “mandatory requirements”, we believe that it makes more sense to establish basic principles and suggested guidelines, leaving to the individual attorney to use their best judgment to exercise reasonable care under the particular circumstances of their practice, in choosing a SaaS provider.
The International Legal Technology Standards Organization also filed comments opposing the proposed opinion, as did a number of individual attorneys.
Against this backdrop, the Ethics Committee recently voted to send the proposed opinion back to the subcommittee that drafted it, according to North Carolina lawyer Stephanie Kimbro, in a post at her blog Virtual Law Practice. The subcommittee will reconsider the opinion in light of the comments that were filed. The outcome of the reconsideration should be known by the end of October, Kimbro said.
What Does this Mean for E-Discovery in the Cloud?
The short answer to that question is: Not much. Let me explain.
The objections to the proposed opinion focused on the fairly rigorous vetting process it required lawyers to go through before entrusting client data to a cloud provider. The opinion would require a lawyer, for example, to investigate the vendor’s financial stability and review its security audits. This was seen as unfair to solo and small firm lawyers in particular, who would have neither the time nor the resources to follow each of the recommended steps. Even if a lawyer was in a position to follow each of the steps, getting all the required information would be virtually impossible from consumer-focused vendors such as Google or Dropbox.
By contrast, with regard to e-discovery, the opinion’s proposed requirements make perfect sense. A lawyer selecting a cloud provider to serve as a hosting and review platform for litigation documents would be remiss not to engage in this sort of vetting process. Further, any established e-discovery vendor will be prepared for just such an inquiry and will have due-diligence documentation readily available regarding its security, systems and facilities.
I’ve read some criticism of one aspect of the proposed rule that would require lawyers to look into the financial history and stability of the SaaS vendor. Granted, vendors are not likely to want to share all their financials with every lawyer who asks. But I do not believe that this is what the rule envisions. Surely, the rule was not intended to require lawyers to dig into a company’s finances beyond information that is publicly available.
My friend and fellow Boston College Law School alumnus Erik Mazzone made a similar point in his post about this latest proposed opinion. Mazzone, who is director of the Center for Practice Management at the North Carolina Bar Association (a separate entity from the State Bar), highlights one of the opinion’s proposed requirements as worthy of particularly close attention:
The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.
This could be a real problem with respect to vendors who do not focus on the legal market, Mazzone writes. Major vendors such as Google, Dropbox and Evernote are not likely to change where their data is hosted in response to one state’s ethics requirements, he argues. At the same time, he writes, “I expect that this provision will not cause a great deal of difficulty for the legal-specific … cloud software out there.”
His point about legal-specific cloud software is particularly true within the context of e-discovery. Here again, a lawyer would be remiss not to pin down at least the country in which the data will be hosted. The physical location of the data can implicate the host country’s privacy and security laws, regardless of where the company that owns the data is headquartered or of where the litigation is situated. That could open a can of worms separate and apart from the litigation at hand.
The North Carolina Bar should be commended for the careful thought and study it is devoting to this issue. We will look forward to seeing what comes of this latest reconsideration. Meanwhile, within the very specific context of e-discovery in the cloud, we are confident that established practitioners and established vendors already adhere to the most rigid of policies and practices. In e-discovery, the confidentiality and security of client data is already a matter of the highest order.