As big data makes it more complicated for enterprises to respond to discovery and regulatory requests in U.S. legal matters, many are finding that there are multiple advantages in moving their e-discovery efforts to the cloud. Recently, based on its interview with Catalyst founder and CEO John Tredennick, the digital magazine eWeek published a slideshow, E-Discovery Management More Effective in the Cloud: 10 Reasons Why. Click the image below to go to the full slideshow.
New Hampshire has become the latest state to weigh in on the ethics of using cloud computing in the practice of law. The Ethics Committee of the New Hampshire Bar Association recently published Advisory Opinion #2012-13/4, in which it adopted the consensus opinion among states that a lawyer may use cloud computing consistent with his or her ethical obligations, as long as the lawyer takes reasonable steps to ensure that sensitive client information remains confidential.
While the opinion mirrored much of what other states have said on the ethics of cloud computing, it took a slightly different tack from some of the other opinions in its discussion of lawyer competence as it relates to cloud computing.
Last August, I wrote here about the American Bar Association’s vote to amend the Model Rules of Professional Conduct to make clear that a lawyer’s duty of competence extends to technology. In a revised comment to Model Rule 1.1 governing competence, the ABA said that a lawyer has a duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Referring to this change, the NHBA’s Ethics Committee said that the duty of competence requires a lawyer who uses the cloud to “understand and guard against the risks inherent in it.”
There is no hard and fast rule as to what a lawyer must do with respect to each client when using cloud computing. The facts and circumstances of each case, including the type and sensitivity of client information, will dictate what reasonable protective measures a lawyer must take when using cloud computing. ….
Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.
In other respects, the opinion tracked those issued by other states. It addressed a lawyer’s duty to maintain the confidentiality of client information stored in the cloud and to ensure that the cloud provider will take steps to safeguard client data. It also analogized a cloud provider to a nonlawyer assistant under the ethics rules, cautioning that “the lawyer must make reasonable efforts to ensure that the provider understands and is capable of complying with its obligation to act in a manner consistent with the lawyer’s own professional responsibilities.”
Similar to what some other states’ opinions have done, the NHBA opinion set out 10 points a lawyer should consider before using a cloud computing service:
- Is the provider of cloud computing services a reputable organization?
- Does the provider offer robust security measures?
- Is the data stored in a format that renders it retrievable as well as secure?
- Does the provider commingle data in a way that could result in inadvertent disclosure?
- Do the terms of service state that the provider merely holds a license to the stored data?
- Does the provider have an enforceable obligation to keep the data confidential?
- Where are the provider’s servers located and what are the privacy laws in effect at that location?
- Will the provider retain the data when the representation ends or the agreement between the lawyer and provider is terminated?
- Do the terms of service obligate the provider to warn the lawyer if information is subpoenaed by a third party?
- What is the provider’s disaster recovery plan with respect to stored data?
In summing up its opinion, the NHBA Ethics Committee once again emphasizes a lawyer’s duty of competence with respect to technology:
The New Hampshire Ethics Committee concurs with the consensus among states that a lawyer may use cloud computing in a manner consistent with his or her ethical duties by taking reasonable steps to protect client data. Granted, a lawyer may not find a provider of cloud computing services whose terms of service address all of the issues addressed above, but it bears repeating, that while a lawyer need not become an expert in data storage, a lawyer must remain aware of how and where data is stored and what the service agreement says. Although the New Hampshire Rules of Professional Conduct do not impose a strict liability standard, the duties of confidentiality and competence are ongoing and not delegable. The requirement of competence means that even when storing data in the cloud, a lawyer must take reasonable steps to protect client information and cannot allow the storage and retrieval of data to become nebulous.
For other posts on this blog about legal ethics and cloud computing, view the posts collected in the ethics category.
Florida has become the latest state to weigh in on the legal ethics of cloud computing, joining other states that have done so in concluding that lawyers may ethically use cloud computing, provided they exercise due diligence to ensure that the cloud provider maintains adequate safeguards to protect the confidentiality and security of client information.
The Professional Ethics Committee of the The Florida Bar issued the proposed opinion (Proposed Advisory Opinion 12-3) Jan. 25. The committee concluded:
[L]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.
(This blog has frequently covered the legal ethics of cloud computing. For our other posts on this topic, click here.)
For lawyers, the primary concern about cloud computing is confidentiality, the committee explained. “A lawyer has the obligation to ensure that confidentiality of information is maintained by nonlawyers under the lawyer’s supervision, including nonlawyers that are third parties used by the lawyer in the provision of legal services.”
The committee noted that other states that have addressed the issue of cloud computing have generally determined that lawyers may ethically use cloud services as long as they take reasonable steps. The committee said that it agrees with these other states’ opinions.
Regarding the steps a lawyer should take to research a cloud provider, the committee endorsed the recommendations suggested by New York State Bar Ethics Opinion 842, which included:
- Ensure that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information.
- Investigate the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.
- Employ available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.
The Florida committee also cited Iowa Ethics Opinion 11-01 as being of particular practical assistance to lawyers facing this issue.
As suggested by the Iowa opinion, lawyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. Iowa Ethics Opinion 11-01 also recommends considering the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.
In addition, the Florida committee agreed with Iowa’s suggestion that a lawyer determine whether the information is password protected, whether the information is encrypted, and whether the lawyer will have the ability to further encrypt the information if additional security measures are required because of the special nature of a particular matter or piece of information.
Under the Florida Bar’s rules, members of the bar will now be invited to submit comments on the proposed opinion. When the committee next meets on June 28, it will consider any comments it has received. Anyone wishing to submit comments should direct them to Elizabeth Clark Tarbert, Ethics Counsel, The Florida Bar, 651 E. Jefferson Street, Tallahassee 32399-2300.
The future of legal technology is looking cloudy — and that’s not a bad thing. Cloud computing is on track to overtake on-premise computing within the legal services industry in the very near future, according to a recently published survey of legal IT professionals. Fifty-seven percent of those surveyed predicted that this will happen within five years and 81 percent said it will be within 10 years. Only 16 percent said it would never happen.
The survey was conducted in September by the publication Legal IT Professionals and its results were published Nov. 26. The online survey of the publication’s global readership elicited 438 responses, representing law firms ranging in size from small boutiques to global megafirms. More than three-quarters of respondents work directly in legal IT, either within a firm (54 percent) or as external consultants (24 percent). Lawyers and paralegals made up 22 percent of respondents.
The inevitability of the cloud overtaking on-premise computing is driven in part by the increasing prevalence of mobile devices within the legal industry, the survey found.
As connectivity – particularly mobile connectivity – becomes ubiquitous, and lawyers, like everyone else, become culturally accustomed to accessing everything online, cloud computing is likely to become the de facto delivery model for information and applications.
But the cloud also offers inherent advantages that are driving its ever-increasing popularity. “Cloud computing transcends geographical boundaries and storage limitations,” the survey noted. “It supports business continuity and disaster recovery.”
In fact, the survey’s respondents cited business continuity as among the top benefits of cloud computing. Asked what they considered to be the main benefits of the cloud, their top answers were:
- Flexibility/Agility, 55%.
- More mobility, 54%.
- Business continuity, 52%.
- Scalability, 47%.
- Cost savings, 40%.
- Ease of implementation, 21%.
- Focus on core business, 18%.
- Going green, 13%.
Although the survey identified a clear trend towards cloud computing, it also established that both legal professionals and clients maintain reservations. For example, respondents were asked, “If your law firm’s management asked for your advice regarding moving key applications to the cloud, would you be in favor of this strategy?” Responses were an even split, with 45 percent in favor and 46 percent against moving key applications to the cloud. Smaller firms were more likely than larger firms to embrace a cloud strategy. “Law firms are notoriously risk averse and tend to be what one lawyer described as ‘proud second movers’ when it comes to technology,” the survey suggested.
In a similar vein, 60 percent of respondents believed that their clients might be concerned if key applications and services were hosted in the cloud. “The biggest concerns about this are among CIO/CTOs (67%) and general IT staff (68%), who are perhaps the most risk aware groups surveyed and have to deal directly with any security breach or outage,” the survey explained.
Shift in Attitude
Still, there is a general shift in attitude in favor of cloud computing, the survey found. More than half of respondents said they are more positive about it now than a year ago. Only 10 percent of respondents said that their opinion about cloud computing had become more negative.
As for the future, respondents overwhelmingly cited security and client confidentiality as the biggest challenges that they would have to address before moving IT resources to the cloud. Across all roles, firm sizes and locations, between 73 percent and 90 percent of respondents said that security was their top concern.
In the final analysis, the authors of the survey report conclude that the tide has turned for cloud computing and that the cloud is here to stay.
The tide has turned, particularly in the mid-markets which are facing competition from market entrants, large firms that are driven by market forces to price their services more competitively and specialist boutiques that are utilising cloud computing to access resources and offer services that drive competitive advantage. The smaller, more agile firms are leading the way in outsourcing their entire IT infrastructure to an external cloud provider.
You can download the complete Global Cloud Survey Report from the Legal IT Professionals home page or directly from this link. The full report contains additional questions and details about responses, along with selected quotes from respondents. The report includes an introduction written by Nicole Black, author of the ABA book, Cloud Computing for Lawyers, in which she offers her perspective on the results.
When I read Ralph Losey’s recent article in Law Technology News, “Five Reasons to Outsource Litigation Support,” it brought to mind that old Greyhound bus slogan, “Go Greyhound—and leave the driving to us.” Don’t waste your time driving when that is Greyhound’s core competency, the slogan suggested. The same holds true for many aspects of e-discovery, as Losey’s article describes.
E-discovery is a complex process that requires both legal services and non-legal services. A law firm’s core competency is to provide legal services. E-discovery vendors have core competencies in providing those non-legal services. Law firms should focus on practicing law and leave the driving to outside vendors.
Losey argues forcefully for why firms and legal departments should focus on their core competency:
Your organization is a law firm, or law department of a corporation. Your lawyers are trained and engaged in the practice of law — that is your mission. Why should you own and operate a nonlegal e-discovery business within your walls under the guise of a litigation support department?
His point becomes even more forceful when he explains that his firm decided to outsource only after spending nine months preparing to do the opposite. Losey joined his firm, Jackson Lewis, in May 2012, as national e-discovery counsel. He helped it build a major e-discovery program that included a trained e-discovery liaison attorney in each of the national firm’s 49 offices, mandatory e-discovery training for all associates, and recommended training for all partners.
Despite this extensive infrastructure, and after nine months of research, Losey’s firm decided to outsource to a vendor all the non-legal e-discovery work that, until then, its litigation support department had been providing to the firm’s clients.
Core competency was a key factor in the firm’s decision to outsource, Losey writes. The decision allowed the firm to focus on the practice of law and outside vendors to handle computer-related technical services. In addition to core competency, Losey outlines four other reasons why legal organizations should consider outsourcing:
- Complexity. “Nonlegal e-discovery services are difficult to perform correctly,” he asserts. This is highly technical work that can easily be botched.
- Cost savings. It is expensive for a legal organization to set up and operate a litigation support department, Losey notes. “If you continue to keep your e-discovery work in-house, you have no choice but to keep writing big checks for the latest technology and staff,” he writes.
- Risk. The complexity of the non-legal aspects of e-discovery means that the risk of errors is high, along with the risk of exposure for those errors. If a client’s data is accidentally exposed, who is liable?
- Ethics. A law firm’s provision of non-legal e-discovery services raises a host of ethical issues, Losey contends. Better to bypass them through outsourcing.
The bottom line, Losey indicates, is a much cleaner break between legal and non-legal e-discovery services. While outsourcing is not without issues of its own, Losey concludes that, “these issues are easier to deal with than the issues raised by running a side-business, even if it is often a de facto not-for-profit.”
Additional Advantages of the Cloud
Many of the points Losey makes in his article strike chords here at Catalyst. Catalyst is a company that has remained focused on its core competencies in document hosting, search and review for more than a dozen years. It is a company composed of veteran e-discovery professionals who fully understand the complexity and risks inherent in their work.
However, one point particularly worth emphasizing is that of cost savings—and more specifically the cost savings that come from hosting data in the cloud. Losey does not specifically mention the cloud, but he does note this:
Litigation support departments, like any business, are expensive to set up and operate, and an e-discovery business requires a large initial investment. Not only must expensive hardware be purchased and continually replaced, but the software is in a state of near-constant change and ultimately usually proves to be more expensive than the hardware. Specialized employees are costly as well, and need expensive training to use these tools.
That paragraph precisely sets out the business case for a cloud e-discovery vendor. With a cloud-based e-discovery vendor, law firms and legal departments avoid the expenses of setting up and operating a department, they avoid expensive hardware purchases and replacement, and they avoid near-constant software upgrades. They even avoid many of the specialized employees. All of this “driving” is left to the cloud vendor. The lawyers just focus on the legal work.
Recently, we engaged in an in-depth analysis comparing the total cost of ownership of a cloud-based e-discovery platform against locally hosted or appliance-based platforms. Soon, we will publish the detailed results of our analysis.
The result of our analysis was startling in its conclusion. While we already knew that cloud platforms saved money in several aspects of e-discovery, this was the first time we know of that anyone pulled together all the costs, direct and indirect, and compared them head-to-head.
What we found, using our most conservative figures, was that the cloud produced cost savings of 36 percent over appliance-based platforms. That is significant for any sized case and particularly so for large legal matters involving high volumes of electronic documents.
So when Ralph Losey makes the case for why legal organizations should outsource the non-legal aspects of e-discovery, we could not agree more. By outsourcing to a reputable vendor, legal organizations save money, avoid risk and get to focus on what they do best. They can practice law, while they leave the driving to us.
Use of predictive coding and Internet-based electronic discovery tools rose in 2012, according to the recently published 2012 ABA Legal Technology Survey Report on litigation and courtroom technology.
Of lawyers whose firm had handled an e-discovery case, 44 percent said they had used Internet-based e-discovery tools, up from 31 percent in 2011. Thirty-five percent said they had used Internet-based litigation-support software, up from 24 percent in 2011. Of those same lawyers, 23 percent said they had used predictive coding to process or review e-discovery materials, up from 15 percent the prior year.
By comparison, lawyers’ use of desktop-based e-discovery tools rose only slightly, from 46 percent to 48 percent, and their use of desktop-based litigation support software held steady, at 46 percent.
Not surprisingly, the use of these types of e-discovery tools is far more common among lawyers in larger firms than among those in solo and small firms. Among lawyers whose firm has handled e-discovery matters, only 5 percent of solo lawyers and 6 percent of lawyers in firms of 2-9 lawyers say they’ve used predictive coding. By contrast, in firms of 500 or more lawyers, 43.5 percent report having used predictive coding.
A similar but less-dramatic gap exists when lawyers who have handled e-discovery matters were asked if they ever use Internet-based e-discovery tools. Among lawyers in firms of 500 or more, 67.3 percent say they’ve used these tools. Among lawyers in solo firms, 33.3 percent say they have.
In fact, solo and small-firm lawyers are far less likely than their larger-firm counterparts to have ever handled an e-discovery matter. When asked how often they had made an e-discovery request on behalf of a client, 64.2 percent of solo lawyers said never. At firms of 500 or more, only 31.3 percent answered never.
Along the same lines, lawyers were asked how often they had received e-discovery requests on behalf of clients. Of solo lawyers, 56.1 percent said never. At firms of 500 or more, 27.9 percent said never.
Another question asked whether the lawyer’s firm (as opposed to the lawyer directly) had ever been involved in a case that required the processing or review of e-discovery materials. Only 12.8 percent of solos and 34.3 percent of lawyers in firms of 2-9 lawyers answered yes. Of lawyers in firms of 500 or more, 71 percent said yes. Among all respondents in all sized firms, 43.8 percent said that their firms had been involved in an e-discovery matter.
On the topic of outsourcing, the survey asked lawyers whether they outsource e-discovery processing or review. The results show little change in outsourcing to e-discovery consultants and companies — 44 percent in 2012 compared to 45 percent in 2011. Likewise, the percentage of outsourcing to computer forensics specialists remained steady at 42 percent from 2011 to 2012.
However, the survey indicates that outsourcing to lawyers outside their own firm is on the rise. Outsourcing to lawyers within the United States rose from 16 percent in 2011 to 25 percent in 2012. Outsourcing to lawyers outside the United States rose from 3 percent in 2011 to 8 percent in 2012. Here again, the larger the firm, the more likely the lawyer is to outsource.
Something that surprised me in the survey is that there has been virtually no change over the past three years in the number of firms reporting that they have a distinct e-discovery initiative (such as a practice group). In 2012, 25 percent of respondents said their firms had such an initiative, down from 27 percent in 2011 and equal with 2010′s 25 percent. Also notable is that, among firms that have such an initiative, fewer of them report having a partner heading it up. Increasingly, the firm’s CIO is taking on primary responsibility for its e-discovery initiative.
The 2012 ABA Legal Technology Survey Report consists of six volumes, covering a range of topics from technology basics to mobile lawyering. The e-discovery results are contained in Volume III, which covers litigation and courtroom technology. Volume III is available for purchase from the ABA for $350 (or $300 for ABA members). An abbreviated trend report on litigation and courtroom technology can be purchased for $55 (or $45 for ABA members).
MBA Ethics Opinion 12-03 was drafted by the MBA’s Committee on Professional Ethics and approved by the association’s House of Delegates on May 17, 2012. The MBA is not the official lawyer-discipline board in the state, so its ethics opinions are advisory only. (Note that I am a member of the MBA and have served on various MBA committees over the years.)
Even so, the MBA’s opinion adds to the growing and unanimous list of lawyer-ethics panels that have concluded that lawyers may ethically use cloud applications and services, provided they take reasonable precautions to protect the confidentiality and security of the data. (See our earlier post: Two New Legal Ethics Opinions Suggest Clear Skies Ahead for Cloud Computing.)
This brings to 11 the number of states that have ruled on the ethics of cloud computing. In addition to Mass., the other opinions are:
- North Carolina 2011 Formal Ethics Opinion 6.
- Pennsylvania Formal Opinion 2011-200.
- California Formal Opinion No. 2010-179.
- Alabama State Bar Ethics Opinion 2010-02.
- Arizona State Bar Formal Opinion 09-04.
- Nevada State Bar Formal Opinion No. 33.
- New York State Bar Association Opinion 842 of 2010.
- Iowa Op. 11-01.
- Oregon Formal Op. 2011-188.
- Vermont Advisory Ethics Op. 2010-6.
Notably, all of these states agree that the use of cloud computing is ethical.
Storing Client Files in the Cloud
This latest opinion out of Massachusetts was issued in response to a lawyer who wanted to use Google Docs or some similar service to store and synchronize his work files. The issue was whether the lawyer’s use of such a service would violate his professional obligations under the Massachusetts Rules of Professional Conduct.
In considering this issue, the committee noted that it had twice before issued opinions dealing with lawyers’ use of the Internet and remote access. In its Opinion 00-01, the committee concluded that a lawyer’s use of unencrypted email to communicate with clients does not violate the professional conduct rules. Later, in Opinion 05-04, the committee ruled that a law firm may provide a third-party software vendor with remote access to confidential client information stored on the firm’s computers, provided the law firm undertakes “reasonable efforts” to ensure that the vendor operates in a manner that is consistent with the lawyers’ professional obligations.
The reasoning of these earlier opinions extends to the use of cloud storage, the committee concluded, and “generally would allow Lawyer also to use Google docs or some other Internet based data storage service provider to store confidential information, and to synchronize data using that provider over the Internet.
As other ethics panels have done, the Mass. committee went on to emphasize that a lawyer must take reasonable efforts to ensure the security of client information.
[T]he Committee believes that the use of an Internet based service provider to store confidential client information would not violate Massachusetts Rule of Professional Conduct 1.6(a) in ordinary circumstances so long as Lawyer undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with Lawyer’s professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a).
Those “reasonable efforts,” the committee said, would include:
- Examining the provider’s practices with regard to data encryption, password protection, and system back-ups, and also its available service history, including reports of known security breaches.
- Periodically revisiting the provider’s policies, practices and procedures to ensure that they remain compatible with the lawyer’s professional obligations.
The committee also advised that the lawyer is bound to follow any express instructions from his clients against the use of cloud services to store their data. “[H]e should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client’s express consent to do so,” the committee cautioned.
Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with Lawyer’s ethical obligation to protect his clients’ confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion, the information that he is reasonably able to obtain regarding the relative security of the various alternatives that are available, and his own sound professional judgment.
[A hat tip to the Boston College Legal Eagle blog for bringing this opinion to my attention.]
In a post here one year ago, Catalyst CEO John Tredennick wrote about draft recommendations on cloud computing issued by the National Institute of Standards and Technology (NIST). As John noted then, “the NIST team set out to write a primer on the cloud—types, deployment models, service models, cloud security and, ultimately, the benefits of cloud computing.”
Now, NIST has published final version of its recommendations, Cloud Computing Synopsis and Recommendations, an 81-page guide to cloud computing. Notably, the guide endeavors to explain cloud systems in plain language. It covers how clouds are deployed, what kinds of cloud services are available, the economic considerations, the technical characteristics such as performance and reliability, typical terms of service, and security issues.
The document’s purpose is to provide recommendations for IT decision makers. NIST offers recommendations for how and when cloud computing is appropriate to use, and it explores both strengths and weaknesses of the cloud.
Nothing in the report specifically addresses cloud computing in the legal environment or the use of the cloud in e-discovery, with one exception. In the report’s concluding recommendations, NIST includes this: “Consumers should investigate whether a provider can support ad hoc legal requests for: (1) e-Discovery, such as litigation freezes, and (2) preservation of data and meta-data.”
Although not specifically addressed to the legal industry, one section of the report of interest to many legal professionals will be the one that addresses Software-as-a-Service cloud systems. These SaaS systems are those where software is deployed as a hosted service and accessed by the end user over the Internet via a Web browser. This is how Catalyst deploys its e-discovery technology and it is increasingly how lawyers are accessing all sorts of software, from practice-management systems to collaboration tools.
Greater Efficiency and Performance
“Compared with traditional computing and software distribution solutions, SaaS clouds provide scalability and also shift significant burdens from consumers to providers, resulting in a number of opportunities for greater efficiency and, in some cases, performance,” the NIST report says. It describes five key benefits of SaaS clouds:
- Very modest software tool footprint. Because no client-side software is required (except for the Web browser that everyone already has), SaaS systems are convenient and efficient. NIST notes that SaaS applications can be accessed without waiting for complex installation procedures and that users incur fundamentally reduced start-up costs. And unlike shrink-wrapped software, SaaS systems pose little risk of interfering with desktop configurations.
- Efficient use of software licenses. SaaS systems “dramatically reduce” license-management overheads. Consumers can employ a single license on multiple computers at different times, instead of having to purchase extra licenses for separate computers.
- Centralized management and data. The majority of data managed by a SaaS application resides on the servers of the cloud provider. “This logical centralization of data has important implications for consumers,” NIST says. One is that the SaaS provider can provide professional management of the data and its security. Another is that the data is available to the consumer on demand, providing greater convenience and reduced risk of data loss or theft.
- Platform responsibilities managed by providers. Under the SaaS model, all the headaches of managing the data infrastructure belong to the SaaS provider, not to the consumer. “Consumers need not be distracted by which operating system, hardware devices or configuration choices, or software library versions underlie a SaaS application,” NIST explains. Further, all software and hardware upgrades occur on the server side, so consumers get all the benefits of the upgrades without any of the hassles.
- Savings in up-front costs. With a SaaS application, a consumer can get started without any up-front costs for equipment acquisition and installation. In addition, going forward, SaaS systems are scalable, providing the consumer with both flexibility and efficiency going forward.
While NIST sees many benefits in the SaaS model of cloud computing, one concern it expresses is with the potential vulnerability of some Web browsers. “Although browsers encrypt their communications with cloud providers, subtle disclosures of information are still possible,” NIST cautions. Another area of concern for some consumers is that the SaaS model depends on the reliability of the consumer’s network connection.
Overall, NIST recommends that the SaaS model is particularly well suited to use for “business logic” applications, such as invoicing, funds transfer and inventory management; for collaboration, either within or between organizations; for office productivity, including word processing, spreadsheets, presentation programs and database programs; and for software support and development, such as format conversion tools, security scanning and analysis, and compliance checking.
The Bottom Line
When John wrote about NIST’s draft report a year ago, he noted that cloud computing was still relatively new to the legal community. A year later, cloud computing is gaining wider and wider acceptance and popularity. There are good reasons for that, as this latest NIST report makes clear.
To me, the key to the cloud’s growing popularity is in the name “Software as a Service.” The operative word there is “service.” Client-side systems are too often laden with hassles — from unintelligible shrink-wrap agreements to trouble-prone installations to ongoing updates and maintenance. Technology that is supposed to solve a problem is too often the source of a whole new set of problems.
With SaaS, that equation is flipped. The consumer gets the functionality without having to deal with any of the dysfunctionality. What the consumer wants is service, and with the SaaS model, that’s what the consumer gets.
Here is the latest legal-ethics forecast for cloud computing in the legal profession: Clear skies ahead.
Two new ethics opinions in recent weeks on lawyers’ use of the cloud add further weight to what has so far been the consensus of state ethics panels–that it is ethical for lawyers to store client documents in the cloud and use cloud-based applications, provided the lawyers take reasonable safeguards to ensure the safety and security of the data.
The first of the two latest opinions is yet another in a series of proposed opinions from the North Carolina State Bar. As I wrote in an earlier post here, the North Carolina Ethics Committee deserves credit for the careful and thoughtful consideration it is giving this issue. On Oct. 20, it issued Proposed 2011 Formal Ethics Opinion 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property. [Hat tip to Jack Newton at Slaw.]
This is the committee’s third version of this proposed opinion. The first version, issued in April 2010, said that a lawyer may ethically use SaaS, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”
Although commentators generally praised that opinion, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion. While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also set out mandatory minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing arguing that the requirements were so onerous as to effectively block the use of many cloud applications.
Clearly, the North Carolina Ethics Committee heard and was swayed by those arguments. In this latest opinion, it once again endorsed a lawyer’s use of SaaS, provided the lawyer takes care to protect confidential information:
[A] law firm may use SaaS if reasonable care is taken to minimize the risks of inadvertent disclosure of confidential information and to protect the security of client information and client files. A lawyer must fulfill the duties to protect confidential client information and to safeguard client files by applying the same diligence and competency to manage the risks of SaaS that the lawyer is required to apply when representing clients.
This time, however, the opinion omits any list of specific requirements a lawyer must follow in selecting a SaaS provider. Instead, it cautions lawyers to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer,” taking into consideration “the experience, stability, and reputation of the vendor.” It then goes on to list five “recommended” security measures to consider:
- Agreement with the vendor on how it will handle confidential client information.
- Ability to retrieve the data if the lawyer terminates the vendor or the vendor goes out of business.
- Careful review of the terms of the lawyer’s agreement with the vendor, including its security policy.
- Evaluation of the vendor’s measures for safeguarding the security and confidentiality of data.
- Evaluation of the vendor’s back-up procedures.
The opinion suggests that lawyers, in considering these issues, may want to consult with “professionals competent in the area of online security.”
Pennsylvania Says ‘Yes’ to the Cloud
The second new opinion comes from the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility (with a hat tip to Dan Pinnington at Slaw for posting it). In Formal Opinion 2011-200, the Pennsylvania committee address the ethical obligations of attorneys using cloud computing and SaaS while fulfilling their duties of confidentiality and preservation of client property.
The short answer it gives (within a lengthy and thoughtful opinion) is this:
Yes. An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.
In addressing the reasonable safeguards a lawyer should follow, the committee follows the lead of other states in declining to list mandatory standards. “This Committee acknowledges that the advances in technology make it difficult, if not impossible to provide specific standards that will apply to every attorney,” it explains. Even so, it provides a fairly detailed list of the steps that a standard of reasonable care “may include.” Some of these steps address internal law firm measures–such as backing up data, installing firewalls, and using encryption–and others address measures a law firm should ask of a vendor. In the latter category, the opinion recommends that a lawyer ensure that the provider:
- Explicitly agrees that it has no ownership or security interest in the data.
- Has an enforceable obligation to preserve security.
- Will notify the lawyer if requested to produce data to a third party and provide the lawyer with the ability to respond to the request before the provider produces the requested information.
- Has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.
- Includes in its terms of service or service level agreement an agreement about how confidential client information will be handled.
- Provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed.
- Hosts the data only within a specified geographic area.
- Provides a method for the lawyer to retrieve the data.
- Provides the ability to get data off the vendor’s servers for the lawyer’s own use or in-house backup offline.
The Pennsylvania opinion also includes a discussion of lawyers’ use of Web-based email services such as Gmail and Hotmail. While cautioning that such services carry risks “that attorneys should be aware of and mitigate,” the opinion nonetheless indicates that lawyers are free to use such services. In most cases, these services may be used without encryption, although certain matters may require heightened security, including encryption, the committee says.
The Pennsylvania committee cites with approval a 1998 ethics opinion in which the District of Columbia Bar concluded: “In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.”
What this Means for Cloud Computing
On this blog, we have been following and writing about the ethics of cloud computing for a year now. To date, not a single ethics panel has found any ethical concern with lawyers’ use of cloud computing, provided the lawyer exercises reasonable care in selecting and vetting a vendor. The Pennsylvania opinion includes a state-by-state review of relevant ethics opinions and sums them up this way:
Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In service to that essential duty, and in order to meet the standard of reasonable care, other Committees have determined that attorneys must (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them.
The measures these various ethics panels suggest are reasonable and sensible. For the most part, lawyers should select cloud vendors that have proven themselves to be reputable, stable and competent. Lawyers should expect agreements with these vendors that clearly address issues of confidentiality and security.
That said, these latest opinions underscore what we said at the outset: The forecast for cloud computing in the legal profession is clear skies ahead.
If you are interested in reading our prior posts on this topic, see:
The annual Fulbright & Jaworski Litigation Trends Survey provides a revealing yearly snapshot of the state of corporate litigation. Now in its eighth year, the survey polls corporate law departments in the U.S. and U.K. on the state of their disputes. For this year’s survey, Fulbright gather input from 405 in-house counsel, including 275 in the U.S.
The big headline from this year’s survey, which was released Oct. 18, is that litigation was down slightly for businesses on both sides of the pond. At the same, they saw an increase in regulatory actions and internal investigations. More than a third of corporate counsel reported an increase in external regulatory inquiries and more than a quarter predicted that the coming year will be even worse.
Even though litigation was down slightly, litigation spending was up. For U.S. companies, the median spend in 2011 was $1.4 million, up from a median of $1 million the year before. Spending will continue to go up, the survey says, driven in part by the cost of e-discovery. Nearly a fifth of all companies and a quarter of large caps expect to see budget increases for e-discovery.
Cloud Computing: Up, Up & Away
For the first time, the survey asked about the use of cloud computing and the result suggests–as the survey put it–that cloud computing is “up, up and away.” More than a quarter of all respondents said that their companies use cloud computing. Among companies in the tech sector, 48% use it. Among public companies, 34% use it. In the manufacturing sector, 325 use it. A quarter of U.S. companies and 13% of U.K. companies said that they expect to move software to the cloud.
As use of the cloud increases, so does the frequency with which companies encounter issues relating to data preservation, collection and security in the cloud. Overall, 31$ of U.S. respondents and 50% of U.K. respondents said that they had to preserve or collect data from the cloud in connection with actual or threatened litigation. Of companies using cloud computing, 71% had to preserve data and 61% had to collect data from the cloud. Of the companies using the cloud, 28% reported having had a security breach.
We all know that cooperation is supposed to be the watchword in e-discovery, but the Fulbright survey found mixed results on the cooperation count. The survey asked respondents whether, in the past year, they had “made a concerted effort to be more cooperative or transparent with opposing counsel in your conduct of discovery.” There was an almost even split between those who said “yes” (34%) and those who said “no” (36%). The other 29% said they’d had no opportunity to be more cooperative.
Notably, one industry stood out for its efforts to improve cooperation among opposing counsel, the survey found. In the energy industry, 45% of respondents answered yes to the cooperation question. In contract, the insurance and real estate industries were at the low end of the cooperation scale, with only 17% and 19%, respectively, answering yes.
Among other findings of the survey related to e-discovery:
- 91% of U.S. and 55% of U.K. companies allow employees to use mobile hand-held devices.
- 30% of U.S. and 36% of U.K. companies have had to preserve or collect data from their employees’ mobile devices for litigation or an investigation.
- 45% of all companies have no restrictions on social media use.
- 18% of all companies have had to collect data from an employee’s personal social media account in a company litigation.
An interesting side note is that, when asked about their company’s social-media blocking policy, 10% of corporate counsel said they did not know. While this is down from two years ago–when 19% said they didn’t know–it is surprising that even a tenth of corporate counsel would not know their company’s policy.
Download the Survey
The full, 60-page survey covers much more than just e-discovery. You can download the complete survey for free at www.fulbright.com/litigationtrends. A Fulbright press release summarizes the survey’s key findings. From the download page, you can also register for a Nov. 1 Fulbright webcast that will present an overview of the survey.