GPSOLO June 2008
The Ethical Implications of Online Software
Last year in the June 2007 issue of GPSolo magazine ( www.abanet.org/genpractice/magazine/2007/jun/softwareasaservice.html), I wrote about software as a service (SaaS) and the benefits that firms are receiving from this approach, which delivers software capabilities across the Internet without the need for firms to invest capital or labor to purchase and install needed applications. Since then, both the interest in this model as well as the number of service providers have continued to grow.
Saas: An Overview
So what is SaaS? Webopedia, the online dictionary ( www.webopedia.com), states:
SaaS is a software delivery method that provides access to software and its functions remotely as a Web-based service. SaaS allows organizations to access business functionality at a cost typically less than paying for licensed applications since SaaS pricing is based on a monthly fee. Also, because the software is hosted remotely, users don't need to invest in additional hardware. SaaS removes the need for organizations to handle the installation, set-up and often daily upkeep and maintenance. Software as a Service may also be referred to as simply hosted applications.
SaaS applications range from free online applications including Google Docs, Zoho, Glide, Gliffy, EMC’s MozyHome free backup service, to enterprise-level, fee-based applications including SalesForce.com’s customer relationship management service, WebEx web meeting service, LexisNexis NetDocuments, Google Docs Enterprise version (available by subscription), and EMC’s MozyEnterprise backup service, to name just a few. The one thing these services have in common is that they offer multi-tenant capability from the same platform. This differentiates SaaS from the application service provider (ASP) model, which generally hosts a specific product (such as Microsoft Exchange Server) for your firm. The ASP needs a separate MS Exchange Server license and installation for each additional customer to whom the ASP provides Exchange hosting. With SaaS, all users share the same program code base (which often can be minimally customized for your firm) and work from the same program, which allows SaaS providers the ability to deliver services on a scale that is both economically sound and viable for simultaneous use by numerous customers.
According to the “Five Benefits of Software As a Service” whitepaper found on online calendaring provider Trumba’s website ( www.trumba.com/connect/knowledgecenter/software_as_a_service.aspx), there are five reasons to use SaaS:
- Save money.
- Save time.
- Focus your technology budgets on competitive advantage rather than infrastructure.
- Gain immediate access to the latest innovations.
- Join a community of interest.
The first four are pretty straightforward and understandable. The fifth, “join a community of interest,” builds on the idea that the service model brings the service provider’s interests and the customer’s interest together. Although these five reasons may not be applicable in every situation, they are factors that should be considered when deciding whether to use the traditional model of purchased software hosted on your own equipment versus software being delivered as a service.
As reported in our June 2007 issue, one firm that found sufficient reason to switch to a SaaS solution was Kegler Brown Hill & Ritter, a 57-lawyer firm in Columbus, Ohio. Kegler Brown moved to a variety of SaaS solutions, including Postini for e-mail spam filtering, bankruptcy accounting solutions from Epiq Systems, Inc., and NetDocuments from LexisNexis for their document management needs. One year after that article first appeared, the firm is still very pleased with the shift to SaaS. In a recent e-mail follow-up interview, Mark B. Manoukian, director of information systems for Kegler Brown, said:
I have too much to say regarding NetDocuments because NetDocuments does so many things: DMS, e-mail management, client extranets, remote access, ethical walls, DSRBC provisioning. When I talk about NetDocuments… I emphasize that it replaces not just Hummingbird or Interwoven [document management systems], but entire ecosystems built around those systems. Two cool new features in NetDocuments: (1) There is a new review function as in document review, a la Summation. I don’t quite know how useful it is yet, but it is cool, and another example of the expanding ND [NetDocuments] ecosystem; and (2) they have rolled out their super-cool, new search engine known as FAST. FAST is the search engine that is used in the Lexis Total Search product. This is the same Norwegian search product\company that Microsoft just purchased. Again, this represents expansion of the out-of-the-box ecosystem in that we might otherwise have to buy something like Recommind to achieve search functionality of this caliber. Truth is, I just love this search engine. The math and applied logic behind it is pretty sophisticated.
According to ZDNet author Phil Waine-wright in his January 2, 2008, blog post “Eight Reasons SaaS Will Surge in 2008” ( http://blogs.zdnet.com/SAAS/?p=432), 2008 will “be the year when SaaS becomes impossible to ignore.” Included in his reasons is the fact that the SaaS model is all about service.
SaaS and Client Confidentiality
Trumba, Wainewright, and others paint a bright future for software as a service, but what of the inherent ethical dangers with this model, and how do they apply to lawyers and our duty to maintain client confidentiality?
Rule 1.6 (a) of the Model Rules of Professional Conduct ( www.abanet.org/cpr/mrpc/rule_1_6.html) published by the American Bar Association states: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)” (paragraph b includes such exceptions as the prevention of certain death or bodily harm).
More and more ethics committees of various state bar associations are addressing the question of whether it is permissible to store client documents in electronic format rather than paper. The SaaS service provider model takes this issue to the next level, as information and documents are stored on third-party servers rather than a law firm’s own equipment. Timothy J. Pierce, ethics counsel for the State Bar of Wisconsin, wrote in his article “Maintaining Electronic Client Files” for the September 2006 issue of Wisconsin Lawyer ( http://tinyurl.com/3dduhb):
A lawyer must take reasonable steps to protect the confidentiality of electronically stored client files. Lawyers have an obligation to act competently to protect the confidentiality of information relating to the representation of their clients, including protecting both open and closed client files. With respect to electronically stored client files, a lawyer must take reasonable steps to ensure that third parties will not gain access to such documents. This raises the question as to whether client files may be stored on a computer system that is linked to the Internet or even be stored on servers controlled by a third party.
Pierce relied on ethics opinions from the American Bar Association, the State Bar of Nevada, and the New Jersey State Bar Association to reach his conclusion. Although not all of them were directly on point, they provide a basis for us to look to for guidance.
ABA Formal Opinion 99-413 ( www.abanet.org/cpr/fo99-413.html), although not on point, does provide us with insight into the realm of electronic communications. The ABA committee stated: “A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.” This is instructive as it recognizes the “reasonable expectation of privacy.”
The State Bar of Nevada’s Standing Committee on Professional Responsibility and Conduct in its Formal Opinion No. 33 ( www.nvbar.org/Ethics/Ethics_Opinions_DETAIL.htm#Opinion%2033) and Opinion 701 of the New Jersey Advisory Committee on Professional Ethics ( http://lawlibrary.rutgers.edu/ethicsdecisions/acp/acp701_1.html) recognized that attorneys are not required to absolutely guarantee that a breach of confidentiality cannot occur when using an outside service provider. Nevada’s opinion addressed the question of whether an outside party could be used to store files in digital format or if this would be considered a breach of confidentiality. In reaching its decision, the Nevada committee analogized storing digital files on an off-site server to storing paper documents in an off-site storage facility operated by a third party. In reviewing prior ABA opinions, the Nevada Committee reiterated that, in light of those opinions and the changes to Model Rule 1.6, an attorney would not be held liable for a disclosure of confidential information so long as the attorney:
- Exercises reasonable care in the selection of the third-party contractor, such that the contractor can be reasonably relied upon to keep the information confidential; and
- Has a reasonable expectation that the information will be kept confidential; and
- Instructs and requires the third-party contractor to keep the information confidential and inaccessible.
In Opinion 701, the New Jersey Advisory Committee on Professional Ethics opined that so long as an attorney uses “reasonable care” against unauthorized disclosure, the lawyer has satisfied his or her professional obligations. The standard of exercising “reasonable care” is met if “(1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data.”
In addition to these ethics opinions, recent cases, including Warshak v. United States, 490 F.3d 455 (6th Cir 2007), help provide additional information as to the ability of lawyers and law firms to store electronic files and communications on third-party equipment. Although not dealing directly with the storage of documents on a third-party server, Warshak relied on cases that addressed the question of whether attachment to a network diluted or eliminated a person’s expectation of privacy. According to the Warshak court, “individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP” ( Warshak at 473). This court also recognized that a party can waive the expectation to privacy depending on the terms of the user or other agreement with the outside provider.
In instances where a user agreement explicitly provides that e-mails and other files will be monitored or audited as in Simons, the user’s knowledge of this fact may well extinguish his reasonable expectation of privacy. Without such a statement, however, the service provider’s control over the files and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy, as in Heckerkamp. ( Warshak at 473)
The exception to this expectation occurs where the third party clearly provides in its user agreement or other license that the information will be monitored and audited, which removes the privacy expectation.
These ethics opinions and court cases indicate that attorneys must exercise their professional judgment in taking reasonable steps to protect the confidentiality of their client’s information. When a lawyer selects any SaaS provider, the terms of the user or license agreement will be critical in determining whether or not there is a reasonable expectation of privacy while using the service.
Before using any SaaS or similar service you should ascertain the following:
- Who owns the data once it is transferred to the service provider?
- Who has access to your data and under what circumstances?
- If you terminate the service, how is your data returned to you?
- If you terminate the service, what happens to your data on the provider’s servers?
- Can you also maintain a copy of your data locally?
- What steps does the provider take to protect against unauthorized outside access to the data it stores?
- How is your data backed up?
- Does the provider have a policy to ensure confidentiality?
If you obtain satisfactory answers to these questions, then I believe that you have satisfied your professional obligations and responsibilities in selecting a service provider to comply with the requirements of the applicable rules of professional conduct.
Nerino J. Petro Jr. is the practice management advisor for the State Bar of Wisconsin. He may be reached at firstname.lastname@example.org.