Two months ago, North Carolina released Proposed Formal Ethics Opinion 6, Subscribing to Software as a Service (SaaS) While Fulfilling the Duties of Confidentiality and Preservation of Client Property. As others, including my Social Media for Lawyers co-author Nicole Black, NC Bar LPM Advisor Eric Mazzone, e-lawyering pioneer Richard Granat and North Carolina virtual lawyer Steph Kimbro have already written, the decision represents a step backward for lawyers – and indeed, may have the effect of precluding lawyers from using popular services like Google Docs, Mozy, email or texting even for entirely non-confidential purposes.
It’s bad enough that North Carolina’s proposed opinion will make it nearly impossible for lawyers to take advantage of new technologies that could reduce the cost of legal service. But to add insult to injury, FEO 6’s stringent regulations apply only to use of SaaS (or cloud) vendor services; a companion opinion, FEO 7, gives a pass to lawyers who rely on online banking for trust account management. Yet there’s no rational justification for North Carolina to maintain a double standard for online management of client dollars and client data.
North Carolina’s proposed FEO 7 requires lawyers using online banking to exercise reasonable care, specifically, taking steps to minimize the risk of loss or theft of client money. Though the Opinion states that lawyers have an affirmative duty to understand the risks of online banking and to employ best practices such as strong password policies, the Opinion goes on to state that:
“Understanding the contract with the depository bank and the use of the resources and expertise available from the bank are good first steps toward fulfilling the lawyer’s fiduciary obligations.”
Simply put, lawyers can meet their ethics obligations by relying on banks as a trusted source of information regarding online banking security practices.
Contrast the bar’s deferential approach towards online banking with its adversarial attitude towards SaaS companies. Lawyers can’t simply rely on a cloud provider’s expertise in security practices or on the company’s representations regarding its security practices. Instead, lawyers are required (not encouraged, but required!) to:
• personally, or through a security expert, evaluate the company’s measures for safeguarding the physical and electronic security of data, including but not limited to “firewalls, encryption techniques, socket security features, and intrusion-detection systems.”
• investigate a cloud provider’s financial history;
• review the cloud provider’s security audits; and
• install special security software to ensure that users connected to cloud vendors are protected against malware and viruses.
I could understand if there were a need for these rules – for example, a string of identity thefts or a pattern of security breaches – committed by, or resulting from, a cloud provider’s data storage. But the North Carolina Bar does not cite a single incident to justify the addition of onerous conditions which, if followed to the letter, will cost solos and small firms (who don’t have in-house IT or accounting staff) several thousands of dollars in added compliance. By contrast, the past six months have been rife with news of banks’ misdeeds ranging from incompetence such as lost loan modification documents to outright fraud a la robo-signing. Yet, in spite of the banks’ abysmal track record, the North Carolina Bar apparently does not believe that banks’ security practices justify any additional scrutiny. To the contrary, the Bar regards banks as a source of “resources and expertise” upon which lawyers can rely to fulfill their ethics obligations in using online banking for trust account transactions.
Of course, I don’t advocate imposing the same security restrictions on online banking services as North Carolina has proposed for cloud vendors. Instead, I use banking as an example of a situation where bars have, for decades, permitted lawyers to rely on other providers for protection of client property. Moreover, if a client’s trust account is compromised, that money can’t be replaced, particularly if it’s a large sum. By contrast, most data that lawyers house on cloud providers is created on a local machine or filed with a court or regulatory body, so even in a worst-case scenario, if a cloud provider were to lose data (and again, I stress, there is no evidence that this has ever happened), it could be recovered from other sources.
North Carolina’s treatment of cloud vendors is typical of how many lawyers approach technology – as something entirely new and never before seen rather than an automated version of other tools and practices we lawyers already have in place. North Carolina generally got it right in its opinion related to online management of trust accounts. Why can’t it simply apply that same reasoned approach (along with the other suggestions I made here) to cloud services as well?
Whether you’re a member of the North Carolina Bar or not, please make your views known to Alice Neece Mine. Other jurisdictions, including yours, may be inclined to follow North Carolina’s lead, so please weigh in so that this proposal does not become precedent.