The North Carolina State Bar (NCSB) recently issued a proposed formal ethics opinion (proposed 2010 FEO 7), which may assist lawyers in assessing the risks of using a particular cloud computing product in their law practice.
The primary issue addressed by the NCSB was whether a law firm may use SaaS-based platforms, such as law practice management software, and thus store confidential client data on servers located offsite and controlled by a third party.
The NCSB concluded that it was permissible for lawyers to do so as long as steps were taken to “effectively minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”
Importantly, the NCSB stated that a lawyer is not required to guarantee that a system is “invulnerable to unauthorized access” and that a law firm’s duty to protect confidential client information does not compel a particular method of handling the information, nor does it prohibit the use of third party vendors who may have access to the data.
Thus, the opinion wisely offered a broadly framed, elastic standard that permits individual attorneys to make careful choices about the technologies that best fit their individual practices.
The NCSB also provided lawyers with a detailed list of questions to ask Software-as-a-Service vendors, suggesting that satisfactory answers to these questions may reduce risk to the confidentiality and security of client data:
- What is the history of the SaaS vendor? Where does it derive funding? How stable is it financially?
- Has the lawyer read the user or license agreement terms, including the security policy, and does he or she understand the meaning of the terms?
- Does the SaaS vendor’s Terms of Service or Service Level Agreement address confidentiality? If not, would the vendor be willing to sign a confidentiality agreement in keeping with the lawyer’s professional responsibilities? Would the vendor be willing to include a provision stating the employees at the vendor’s data center are agents of the law firm and have a fiduciary responsibility to protect client information?
- How does the SaaS vendor, or any third-party data hosting company, safeguard the physical and electronic security and confidentiality of stored data? Has there been an evaluation of the vendor’s security measures, including firewalls, encryption techniques, socket security features and intrusion-detection systems?
- Has the lawyer requested copies of the SaaS vendor’s security audits?
- Where is data hosted? Is it in a country with less rigorous protections against unlawful search and seizure?
- Who has access to the data besides the lawyer?
- Who owns the data — the lawyer or the SaaS vendor?
- If the lawyer terminates use of the SaaS product, or the service otherwise has a break in continuity, how does the lawyer retrieve the data and what happens to the data hosted by the service provider?
- If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code?
- Can the lawyer retrieve data off of the servers for his or her own offline backup?
- If the lawyer decides to cancel the subscription to the SaaS product, will he or she get the data? Is the data supplied in a non-proprietary format compatible with other software?
- How often is the user’s data backed up? Does the vendor back up data in multiple data centers in different geographic locations to safeguard against natural disaster?
- If clients have access to shared documents, are they aware of the confidentiality risks of showing the information to others?
- Does the law firm have a backup plan for shared-document software in case something goes wrong, such as an outside server going down?
All in all, the NCSB’s opinion is very helpful for lawyers considering using cloud computing products in their practice. It allows them the flexibility to determine the technologies that best fit their individual law practices while providing lawyers with much-needed guidance in the selection of a cloud computing vendor.