Should lawyers be wary of cloud computing and SaaS?

Posted on August 25, 2009. Filed under: Practice Management, Social Media, The times they are a'changin', Web 2.0 |

Drlogo11

This week’s Daily Record column is entitled “Should Lawyers Be Wary of Saas?.”

A pdf of the article can be found here and my past Daily Record articles can be accessed here.

*****

Should Lawyers Be Wary of SaaS?

Online services for lawyers are becoming increasingly common and, for many lawyers, are an attractive alternative to the traditional law practice management software installed and maintained on a local server within a law office.

Online services available to attorneys now include law practice management systems, document management platforms, secure email networks, digital dictation services and billing/timekeeping services.  The online platforms are attractive, economical and viable alternatives for firms of all sizes.

Online e-mail platforms also are increasing in popularity. Yahoo, Hotmail and Gmail now are the top three e-mail service providers in the United States, and are used by lawyers and clients alike.

The one thing these various platforms have in common is that the data created and managed by these services are stored offsite, in the “cloud.”   The offsite data storage issue has resulted in much speculation among lawyers regarding issues of data security and attorney-client confidentiality.

Before addressing those concerns, let’s define the concepts at issue.

“Cloud computing” is a “type of computing that is comparable to grid computing, relies on sharing computing resources rather than having local servers or personal devices to handle applications. The goal of cloud computing is to apply traditional supercomputing power (normally used by military and research facilities) to perform tens of trillions of computations per second.”

Software as a service —or SaaS —is defined at Oracle.com as “[a] software delivery model in which a software firm provides daily technical operation, maintenance, and support for the software provided to their client.”

In my opinion, the data security and confidentiality concerns regarding cloud computing are exaggerated and overblown.

Of course an attorney has an obligation to research how an SaaS provider will handle confidential information, and should determine how securely the data is stored. It is important to ensure the company stores the data on servers that meet current industry standards, performs back-ups regularly, and that you are satisfied
data will not be lost should a catastrophic event occur.

Concerns that third parties could access the data while traveling through the “cloud” are downright silly, in my opinion. Third parties always have had access to confidential client information, including process servers, court employees, document processing companies, external copy centers and legal document delivery services.

Employees of the building in which a law office is located also have had access to confidential files, including the cleaning service and other employees who maintain the premises. What about summer interns, temporary employees and contract attorneys?

The employees who manage and have access to computer servers are no different. In order to practice law effectively, third parties necessarily must have access to certain files. Assurances that the company in question will make reasonable efforts to ensure employees will not access confidential information is all that’s required.

The New York State Bar Association Committee on Professional Ethics reached a similar conclusion in Opinion 820-2/08/08, where it answered: “May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?”

The committee concluded: “Unless the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that,
unlike computer-generated advertising, puts confidentiality at risk, the use of such e-mail services comports with DR 4-101…A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.”

In other words, common sense prevails. Lawyers must resist the urge to overreact to emerging technologies.

Common sense dictates that the same confidentiality standards applicable to physical client files likewise apply to computer-generated data. To conclude otherwise would be to prohibit lawyers from using computers in their law practices —an unrealistic and, quite frankly, ridiculous alternative.

Advertisements

25 Responses to “Should lawyers be wary of cloud computing and SaaS?”

RSS Feed for Practicing Law in the 21st Century-A Law & Technology Blog Comments RSS Feed

Great post. As legal SaaS continues to grow, it is great to refer to posts such as this one to get a realistic view of legal cloud computing.

Your article is great except for a crux one-liner in the middle: “In my opinion, the data security and confidentiality concerns regarding cloud computing are exaggerated and overblown.”

Woah.

Data security and confidentiality concerns are not exaggerated and aren’t overblown. They are exactly what they are – CONCERNS. Putting your data into the cloud and not keeping it locally adds a layer of complexity and an extra amount of opportunity for someone to have access to, and take, that data.

If, however, you pay attention to those concerns and have proper contract language in your agreements to mitigate those concerns, then they will simply stay concerns. On the other hand, if you ignore them, treat them as non-important, or dismiss them as exaggerated or overblown, they will eventually be forgotten (it breeds complacency) – which is EXACTLY when you end up with a data security or confidentiality problem.

I’m biased because I’ve seen too many large companies leak hundreds of thousands of people’s data dozens and dozens of times… with almost nothing other than an “oops… sorry” among them. I’m also biased because I read thousands of contracts every year for these types of services where there is very little by way of “industry standard”, and almost nothing of “conventional privacy policies” such as you suggest. Rather, most vendors put in as much liability limiting language as they possibly can, knowing full well that merely the transmission of the data from the client to their facility, unless encrypted (which is almost never the case), is open to exploit.

So please, don’t down-play the importance of data security and confidentiality in a cloud computing environment. Play it UP. Make it continuously important. It is manageable – but you can’t ignore it hoping that everyone’s playing by the same rules.

There may be an additional concern for non-US firms – the Patriot Act.

If a UK firm were to use SaaS with servers inside the US, my understanding is that the data is subject to access by the US government under the terms of the Act – something which I know has concerned a number of Data Protection specialists in the UK.

Is this a real concern, do you think? If so, is there a way to ensure that data remains within the EU (much easier for data protection for UK firms)? Does this potentially bar UK firms from using US suppliers?

Perhaps this concern is overblown?

Security of information is a critical component to cloud computing which is why making this decision to go this route should be equally as great as the credibility of the firm offering it.
Accessibility, reliability and cost effectiveness are three things that come to mind when I think of this offering. A good provider will offer a complete package of software that will help law firms “run a business” and account for all that is involved. This is of great importance for start-ups and small firms that primarily focus more on their area of expertise which is practicing law rather than the business end of it.
There are countless statistics related to money lost in hours that have not been account for. There is also a component to inefficient use of time related to managing your in-house system. Hosted solutions with integrated software packages that work seamlessly together can be a great option for firms looking to better manage time, information and cash flow.

Thanks for all the comments so far. My replies to a few issues raised:

Jeff–

I agree that data security and confidentiality are very important. That’s why my next paragraph after that statement sets forth some issues lawyers must consider. However, most lawyers simply recoil at the very thought of cloud computing, assuming that their simple office server with minimal security protections (in many cases) is somehow safer than data in the cloud. That’s simply not the case.

As for industry standard, a number of SaaS providers are currently working together and with the ABA to establish industry standards for the legal industry, but general industry standards for cloud computing can also be used as a guideline, as well. It’s an emerging technology and it takes a bit of time for these things to evolve, although they’re happening at a record pace, IMO, as is the emergence of these and other legal technologies.

Peter–

You raise a great point–and one that is a perfect example of why lawyers need to exercise due diligence re: their particular jurisdiction and the rules that may apply when using any technology.

Anyone considering using cloud computing and SaaS should identify the location of the servers that will be hosting their data and ascertain the applicable rules and laws that may apply to the data if it crosses international boundaries.

Hi Niki:

This is an extremely important topic and one that a lot of folks are trying to get their heads around. As a SaaS provider and engineer myself, I’m only too aware that not all SaaS providers are created equal.

SaaS, in my opinion, is inevitable. It’s hard for me to imagine that in 10 or 20 years desktop versions of software will be the norm. So I think it’s very important for lawyers to know some of the basics about security and what this all means.

I recommend that anyone considering a SaaS solution understand many factors, including but not limited to 1) physical security of the actual servers and data 2) code security and protection against attacks 3) confidentiality policy of the SaaS provider 3) encryption used to protect traffic (128 bit or greater and coverage of sensitive traffic).

I also encourage people to stop by eff.org, the electronic frontier foundation, to see an in-depth exploration of some of the issues to think about as we move to an increasingly online world.

The other issue (and there are several) that is key with SaaS vendors is that the law firm should INSIST upon being able to keep a local copy of their data. Otherwise your firm is at the mercy of the SaaS vendor.

Niki:

My real concern isn’t with the lawyers, it’s with the vendors.

I would challenge your supposition that this is “emerging technology” – in fact, it’s decades-old technology. It’s been repackaged, rebranded and redesigned for the 21st century obviously… but the core is the same: Your data on “somebody else’s drive (to quote Tom Smith).

And the confidentiality issues are similar, too… only this time, it’s not just giving them your financials or customer information that you WANT to keep secret… it’s giving them client information you have to keep secret as a matter of law.

Having reviewed and negotiated literally thousands of contracts with confidentiality, data use/disclosure policies, HIPAA documents regarding private health information, etc provisions… yet still finding violations, unexpected leaks, etc… I’m simply not convinced that many SaaS vendors have geared up sufficiently to handle information of this type of sensitivity.

Additionally, I would even argue that while asking your vendors where they’re keeping their data is nice from a due-diligence perspective, few customers know how to engage a contracts professional to adequately modify the contract to prevent future migration of that data to somewhere else. That’s also not even addressing the issue of your data in your home country, with technical support people somewhere else with virtual access to that data.

All in all, for lawyers (and healthcare providers) to be truly comfortable with using SaaS vendors where client information is involved, I believe we’re still several years away from the lawsuits and/or legislation that will have to happen in order to make those professions able to fully enjoy the benefits of a SaaS environment. Until then, I advocate for EXTREMELY strong contract negotiations to appropriately allocate risk based on data access.

Oh, and I think that the NY State Bar Opinion 820-2/08/08 is a little premature in terms of understanding the technology at hand (an obvious discussion of Gmail’s system and Google’s auto-generated content-related advertising mechanisms). The issue isn’t just whether a person has access to the e-mails themselves, but whether the content is determinable by review of the advertising presented to the end-user. I think it’s incredibly short-sighted to think that just because Google promises that (today) no one is reading the text of each message to: 1) believe that they’ll continue not reading tomorrow; and 2) believe that you can’t discern both the client and the subject matter simply by review of the associated advertising.

I suppose it comes down to trust (as I’ve been discussing on <a href="http://www.licensinghandbook.com/2009/08/25/more-on-trust/"my blog today). The truth is that SaaS vendors should have to go above and beyond to prove trustworthiness for this type of data. And they don’t (some would even say won’t).

Comment longer than a tweet, but shorter than a brief: Great piece and discussion Nikki. You’re great to Follow Nikki! Like the server location point, the Lawyer(s) bar admission(s) state(s) raise disparate ethical concerns from state to state on Attorney Client Privilege. Pleased to see cited NY Ethics Opinion based on common sense. The U.S. vs. international privacy law concerns for international business/finance/corporate/legal practice have been there all along with the Patriot Act a more recent example.

I believe the crux of the concerns can be boiled down to a simple, though nerve-wracking, question: Can we, as attorneys, justifiably rely on someone else to protect and preserve our clients’ confidences?

The parallels between analog and digital contexts abound. A letter to a client can be intercepted as easily (perhaps more so) than can an e-mail message.

Offices can be broken into just as easily – again, perhaps more so – than online document repositories.

I agree with the central thrust of the article, which to me seems to be that we live in a networked, digital world and we need to start embracing the transaction of business there. Those who delay adoption or deny its inevitability may lose some traction as the changes overtake them (and their clients).

In my opinion, it is critical that we maintain local copies of all digital assets. Failing to do so could be equivalent to malpractice. What result if you cannot access a key document at a crucial moment, because “the network is down”? SaaS providers may tout reliability, but I’d rather have at least one potential failure point within my direct control. Storage is inexpensive enough that we can surely provide that safeguard. Isn’t it our professional obligation, after all?

Offloading the overhead of desktop (or even server) applications is the natural progression of network technologies. As pointed out by another commenter, it’s been the practice since the inception of computing. But interoperability and redundancy are key factors, too. We shouldn’t be inextricably tied to a particular vendor through proprietary formats or data accessibility concerns.

I can agree that SaaS is the next logical step for our profession. But to give over too much control is foolhardy and, in my opinion, borders on negligent.

I probably have a lot more to say on this topic (encryption, transience, and Google Apps options are but a few items that come to mind), but I’ll close out for now.

Thanks for the article, Niki.

Great point about being able to maintain your own local copies of your data. One more step in that direction, though. Make sure it’s data you can use, like in Excel spreadsheet format or in ISO standards, such as vCard for contacts or iCalendar for calendar info. The last thing you need is a bunch of scrambled data you can’t do anything with. And you should be able to get this data when you want as well.

Larry –

I agree completely, and that was part of my later point when referring to interoperability.

Despite certain vendors’ preferences or past performance, most data should be stored in XML/XSL or some other portable and translatable format. (Wrapped in encryption protection, of course). The most visible offender here is Microsoft, but plenty of other vendors lock your data into proprietary formats, too.

I don’t think a lawyer should only be able to get their data in XML. What’s a lawyer going to do with XML? Basecamp exports to XML and I never understood that. Now you have to go get a developer to do something with it.

If they get Excel, vCard, iCalendar, etc at least they can use it immediately.

Thanks, Leigh, for saying better and more succinctly than I was able to do in many paragraphs. You conveyed what I was trying to point out quite well.

Jeff Gordon –

Your posts were very long but I managed to read them all.

I wanted to reply to one point when you said that SaaS is not emerging and has been around for decades.

It is true that SaaS has been around for A decade, but it has not yet reached maturity and thus is still emerging. Larry is right in suggesting that legacy on-premise software will be MIA in the coming years and hosted solutions will be out of the emerging stage.

As I see a conservative legal industry adopting SaaS at an ever increasing rate, I agree with Nikki that many of the security issues have been overcome and adequately dealt with.

Wes: Sorry for the length of my responses – these aren’t easy topics and require some depth of explanation.

SaaS is repackaged distributed computing (around since the 1960s). Centralized apps and storage. The difference is distance and bandwidth. Now we can have these things centralized on one continent and used on another with 100% GUI. So, it’s not new, it’s just the flavor-du-jour of application availability. Of course vendors like this model – they always have – it gives them absolute control over the app AND the data. So I don’t doubt that it will be the delivery method for a long time to come.

Notwithstanding, and respectfully, my issue is that I do not believe that the security and privacy issues have been worked out sufficiently. Let’s go for a period of a few years without a data breach (I’ll even forgive ones due to hackers and only go with those that are due to stupidity). After that, I’ll feel a lot better. I mean really, when was the last time that you heard about some lawyer’s office being ransacked with client files taken? It doesn’t happen that often because it’s hard on multiple levels:

1. Buildings are difficult to locate to know where the data is stored.
2. Files are even harder to find and are usually in additionally-locked cabinets/rooms/etc (or stored off-site completely).
3. PC’s not connected to the internet are a little harder to hack simply from an availability perspective.
4. Online databases are complete representations of ALL of the data. Maybe someone needs to come up with a way to secure individual records inside each database, so even if all of the data is stolen, each record is sealed individually?

Thanks for the response but I can’t accept you saying that SaaS is the same thing distributed computing or even ASPs. There may be some similarities (especially with ASPs) but to say it’s the same thing is off beat. I don’t have time to delve in deeper to that but I may tomorrow.

Also, you based your argument of SaaS being insecure on a future occurrence and I will address that issue in the future when the referenced event happens.

SaaS is in many ways analogous to a VAX mainframe, and those have been around longer than I have. I think the debate between SaaS, distributed computing and ASPs is a red herring.

For me, the more critical issues center around the inherent paradox in what we’re trying to achieve with cloud computing solutions – ubiquitous access to centralized data, all with super strict access control. We want to get to our data from anywhere – our desks, cars, vacation spots – and we want it to be protected by military-grade security.

That’s a tall order, but not impossible.

I struggle with imagining (and affording) a workable solution to our demands.

I’m very excited to see what develops in the coming months/years to meet our requirements.

As for portability via XML, I agree that it is cumbersome, but at least I can make sense of it with a plain text reader, which is more than I can say for formats like DOC, XLS, PPT or PST. And most apps can import XML files.

I should strike out that sentence about struggling to imagine/afford a solution.

There are always options, we just need to balance our compromises.

That’s what happens when I post comments from my BlackBerry late at night.

Hello to Niki and all others,

First let me congratulate this great and needed article. In my opinion, the comments are all pertinent also, despite some aparent blurring here and there.

All concerns are understandable and lawyers should not take for granted their concerns are being taken care of by all software vendors.
Lawyers must do their homework and read carefully the Terms of Service, Security Policy and Privacy Policy of the vendor at hand, in order to be sure it’s a company worth their trust – which should never be a blind trust, even then.

The move to web-based software is completely inevitable, and today the security can be as military-grade as ever before, in the “analog world” – or more so.
When the company does apply a high-level of security (servers in datacenters with military-grade protection and bank-grade communication encryption), the main source of insecurity still lays elsewhere, like the use of an uncrypted web-based e-mail service like Hotmail, the password written in a piece of paper in an unlocked drawer or the computer logged on during a coffee break.

As for local copies of all data, they’re a must. But I too believe to have XML is far more critical than other formats, just because it’s an open standard. From Wikipedia: “XML (Extensible Markup Language) is a set of rules for encoding documents electronically”; link: http://en.wikipedia.org/wiki/Xml.

Hi Folks:

Great lively discussion. I wanted to throw out a link to an article I wrote on the differences between ASP and SaaS for ILTA: http://bit.ly/TeJtC. That may explain some of the technical intricacies there, if you don’t fall asleep reading it.

In terms of XML, yes, it can be used in a good way. But note that XML merely allows you to come up with your own way of describing data. So if people come up with different XML schemas, or different ways of describing data, then it isn’t interoperable.

For example, I could come up with XML for a billable item like this:

Or this:

Both examples are XML. Yet they are not interoperable. What you need is not merely XML, you need agreement on XML schemas and formats. LEEDS is one of those.

Ah, my xml snippets were eliminated in my post. Alas. If you wanna follow up with me, just send me an email and I’ll explain there.

Thanks, Larry, for the insight on XML. But that really isn’t the goal of the XML standard. The goal is to set a standard for describing the data. That’s enough so you don’t get stuck with your current provider and be able to take a look at the data dropping the file on Excel (or in any text reader, as Leigh Monette pointed out).

Sure, LEDES makes it easier. It’s great that LEDES exists – that makes XML even more useful. Every software provider for law firms should be compliant with it or be working on it.

Great comments folks:

As both a SaaS and traditional secure email vendor myself, I’ve seen both sides of the arguments…and the major stumbling blocks I find (especially with the legal industry), is the lack of education around security (or lack thereof) of email, and the natural struggle between convenience and security.

But agreeing with most comments made so far, we also have to be congizent of the fact that State Privacy laws may dictate what lawyers will have to do. For those of you that are not aware yet, both Nevada and Mass have new Privacy laws that forces business users to encrypt their emails should they contain any Private Identifiable Information (PII). This includes even if the client happens to be in either of those States.

And folks,…the other States are following closely behind.

Nice topic!

Niki,

Great post. In fifteen years of encouraging lawyers to leverage technology in their practices I have noticed some recurring themes, regardless of the technology at issue. Lawyers are frightened of changes and many established lawyers spread disinformation about technology to impede its implementation.

Whether it was connecting to the Internet in the first place, using email, smart phones or cloud computing, empirically I have witnessed older lawyers consistently decrying “Fire Bad.” Ostensibly, the concerns were always the same. “But this new technology risks disclosing all of our clients’ confidential information.” In reality, the concerns appeared to center around established attorneys losing market share to more agile attorneys, knowledgable about emerging technologies.

While this is true new technology has its risks, a few minor precautions make these risk infinitesimal compared to “old school” technologies. SaaS is nothing new. Lawyers have been using it for years without even knowing it. The key is selecting a trustworthy SaaS provider. Is Google likely to inadvertently disclose your clients’ confidential information? No. If people wanted to steal your clients’ information, your use of Google SaaS is certainly not the weak link.

Lawyers, especially more established lawyers, have a duty to their clients to become informed about how technology can enhance the atty/client relationship. While I understand the frustration of established lawyers, feeling overwhelmed by technological advancements in the legal profession, this is no reason to frustrate its progress. Such actions are unethical.

I do not care if an attorney elects to be a Luddite. But to stifle innovation, by spreading fear about the technology is a disgrace to the profession. Lawyers have a duty to dispel anti-technology propaganda whenever they see it.

Writing blog posts, like the one above are a great way to combat disinformation. Keep up the great work Niki. It is lawyers like you, and posts like this, that are going to drag the profession, kicking and screaming, out of the Dark Ages and into the future.

Brett Trout


Comments are closed.

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: