HIDDEN DANGERS: ASPS AND ETHICS
BY DAVID HRICIK AND PETER KRAKAUR
Does your firm’s application service provider pose hidden risks to confidentiality, conflicts and diligence obligations? The waters might seem inviting, but watch out. Unseen ethics violations could lurk below.
Online document assembly, collaboration tools, billing services, e-mail, virtual deal rooms, file storage and backup. There are numerous legal products and services being offered by application service providers (ASPs) on the Internet. Yet very little is said about the ethical issues created when lawyers use ASPs.
They raise serious concerns—attorney-client confidentiality, conflicts, competence and due diligence. Under most state rules, lawyers must make reasonable efforts to ensure that the conduct of all non-lawyers they employ or retain is compatible with the lawyer’s professional obligations. Thus, the lawyer is responsible for ensuring that the ASP’s conduct is compatible with applicable ethics requirements. Before you or your firm enter into a contract with an ASP, consider how it will affect your ability to comply with the profession’s ethics rules.
Here, we review some of the primary ethical issues raised by ASP use, with references to the Model Rules of Professional Conduct (MRPC). Although these rules serve as a helpful guide to the issues, remember that ethics rules are enforced on a state-by-state basis. In some instances, "federal" law may apply to certain issues. Consult the rules of the jurisdictions in which you are licensed to practice, the law of the jurisdiction in which the conduct may take place and any other applicable law. It will help you proceed with caution if you decide to contract with an ASP.
Confidentiality: Data Storage and Exchange
Use of ASPs to transmit e-mail, collaborate online, or store or exchange data containing client information raises confidentiality concerns. With narrow exceptions, lawyers are required not to reveal "information relating to the representation" of a client under MRPC 1.6.
There is little guidance from the courts or bar associations on the use of ASPs. By analogy, however, bar associations have reasoned that a lawyer who stores a client’s paper files in an off-site storage facility owned by a third party should take "reasonable assurances" that the party will take measures to protect those confidences. For ASPs, that means that you should consider, among other things, investigating whether the information will be stored on a networked computer and, if so, the security measures the ASP takes to prevent hacking and to otherwise ensure that data is transmitted and stored securely. Alternatively, consider entering into a specific agreement with the ASP regarding the handling of confidential information.
With regard to creating and exchanging files, consider whether the ASP tracks edits made to client-related files. For example, using Microsoft Word’s Track Changes feature, a lawyer and client can exchange drafts of a document to see what revisions were made by whom. Importantly, if one turns off the Track Changes feature, the history of revisions still remains with the document. Unless it is stripped out before it is sent to third parties, this data can be recovered. (It could be recovered during discovery, too.) Tracked changes are but one example of the type of hidden data that accompanies files. The metadata associated with a document (who wrote it, when, on what matter) also often follows a document unless stripped away.
You should inquire whether the ASP maintains the confidentiality of this metadata and, more importantly, whether the ASP can strip out metadata when files are exchanged with clients or third parties. Also, because some viruses can trigger mass distribution of data, learn whether the ASP offers virus protection services.
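A pre-send check for the hidden data described above, as an added example that is not part of the original article: it assumes the file is in Word's later .docx (Office Open XML) format, which the article does not discuss, and reports tracked revisions and authorship properties still present in the file. The sample document is constructed inline, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by .docx packages
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def build_sample_docx() -> bytes:
    """Constructed sample: minimal package with one tracked deletion and insertion."""
    document = f"""<w:document xmlns:w="{W}"><w:body><w:p>
      <w:r><w:t>The settlement amount is </w:t></w:r>
      <w:del w:id="1" w:author="A. Lawyer" w:date="2000-11-01T10:00:00Z">
        <w:r><w:delText>$500,000</w:delText></w:r></w:del>
      <w:ins w:id="2" w:author="A. Lawyer" w:date="2000-11-01T10:01:00Z">
        <w:r><w:t>$750,000</w:t></w:r></w:ins>
    </w:p></w:body></w:document>"""
    core = f"""<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
      <dc:creator>A. Lawyer</dc:creator>
      <cp:lastModifiedBy>B. Paralegal</cp:lastModifiedBy>
    </cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def scan_docx(data: bytes) -> dict:
    """Report tracked revisions and identifying properties still inside the file."""
    report = {"deleted_text": [], "inserted_text": [],
              "revision_authors": set(), "properties": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            # w:del wraps removed text (w:delText); w:ins wraps added text (w:t)
            for kind, text_tag, key in (("del", "delText", "deleted_text"),
                                        ("ins", "t", "inserted_text")):
                for rev in root.iter(f"{{{W}}}{kind}"):
                    author = rev.get(f"{{{W}}}author")
                    if author:
                        report["revision_authors"].add(author)
                    text = "".join(t.text or "" for t in rev.iter(f"{{{W}}}{text_tag}"))
                    if text:
                        report[key].append(text)
        if "docProps/core.xml" in names:
            for el in ET.fromstring(z.read("docProps/core.xml")):
                report["properties"][el.tag.split("}")[1]] = el.text
    return report

def needs_scrubbing(report: dict) -> bool:
    """True if the file would reveal revision history or authorship to a recipient."""
    return bool(report["deleted_text"] or report["inserted_text"] or report["properties"])
```

In the constructed sample the superseded figure is still readable in the file even though a reader viewing the final text would see only the replacement.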
Lastly, analyze whether you will receive notice of third-party requests for data stored on the ASP’s system. For example, if the vendor receives a subpoena requiring it to allow access to third-party litigants or law enforcement officials, will you be notified before the disclosure occurs? Further, in some circumstances, law enforcement officials have seized entire computer systems containing the sought-after information as well as information belonging to third parties. In the appropriate case, a lawyer may want to ask an ASP to store the lawyer’s data on separate devices to avoid that data being sequestered solely because it shared the same device as other data.
Confidentiality and E-mail: Encryption and Disclaimers
E-mail in particular raises security and confidentiality concerns. All states that have addressed the issue to date follow the basic approach suggested in ABA Formal Opinion 99-413. Specifically, lawyers (regardless of whether they’re in-house or in a firm, solo practice or government) should, as necessary, discuss with their clients the security risks of e-mail use. Based on these discussions, the lawyer should follow the client’s instructions regarding appropriate means of communication. The client may, for example, request that all communications be encrypted, or that the lawyer or the client be able to encrypt only selected communications.
At a minimum, you should consider whether using the specific ASP raises unique concerns. Even if you and the client do not feel that encryption is necessary, you may still face confidentiality issues based on the service or product. How easy is it to gain access to the system or product? Can ASP employees access the messages in the system? If so, under what circumstances? What do the ASP’s terms of service say regarding disclosure of files to third parties?
If you do need to encrypt information, determine whether the ASP offers the option to encrypt all or selected e-mail. Of equal import, gain a clear understanding of the level of encryption offered. Some encryption programs protect information against casual viewing, but can be easily deciphered by a person with the "right" tools and training. Others are impregnable against all but the most serious hacker.
In addition, consider the ASP’s capabilities across your client base. For example, if one client wishes to encrypt all exchanges, a second wishes to encrypt some exchanges and a third wishes no encryption, can the ASP meet those needs? On a related note, can the ASP provide varying levels of encryption for in-house counsel, offering access to encrypted communications only to the lawyers or a select group?
The ethical obligation to protect client confidences is closely related to the protection of files covered by the attorney-client privilege. To further ensure that the privilege is not waived owing to inadvertent disclosure, some attorneys insert a legend on e-mail messages advising the unintended recipient not to review or reveal the contents and to advise the sender of its misdirection. You might investigate whether the ASP offers the ability to insert one or more such legends into e-mail or other communications.
Competence: Backups and Reliability
Certain aspects of ASP use raise competence issues. Lawyers who fail to back up their data (wherever stored) and then lose important client files, or files necessary for the representation, run the risk of failing to act competently, as covered in MRPC 1.1. Consequently, you need to consider whether the ASP’s backup procedures are sufficient to ensure that client data is not lost.
Separately, lawyers who rely on an ASP to assist in their performance of legal services must take reasonable steps to understand the quality control mechanisms. For example, if the ASP provides document assembly or financial calculations that will serve as the basis for your advice to a client, consider the reliability of the ASP’s system and design. How does the ASP calculate the taxes owed on a particular transaction? Does it guarantee that it is monitoring and using the latest IRS rates? Just as a lawyer who relies on a poorly trained accountant might be found negligent, so too might a lawyer who relies on a poorly designed or executed ASP application.
Diligence and Communication
Lawyers must act with reasonable diligence in the representation of a client and keep the client reasonably informed about the status of a matter, as related in MRPC 1.3 and 1.4. Relying on an ASP to provide communications to the client can raise diligence issues, especially if communications are delayed or interrupted.
What happens if services are not available owing to power or system failures at the ASP or on the Internet? ASP contracts no doubt will have force majeure provisions addressing these circumstances from their perspective. While such provisions may cover the financial impact of interrupted or terminated service, they do not necessarily cover the impact on the lawyer’s duty to communicate with clients or to act diligently. If the ASP fails at a critical time, consider what alternative means of communication are available—offered either through the ASP or separately—to complete the deal, file the lawsuit or otherwise perform promptly.
The costs associated with the ASP raise another communication issue. Will you pass the costs on to the client? Will you mark up the costs? If so, you may need to inform the client. The ABA has proposed adopting, in draft Model Rules, the approach that its and other jurisdictions’ bar associations have taken with respect to "marking up" costs: It generally cannot be done unless the markup is disclosed to the client. Before entering into a contract with an ASP, consider the markup issue—and whether the ASP contract contains any language regarding confidentiality of the contract’s terms.
Another diligence concern is what might happen if the ASP fails or files for bankruptcy protection. Worse, suppose it closes its doors abruptly. In either situation, you might be unable to retrieve important information during a critical time, or for a long period of time. Indeed, you may never be able to retrieve the information if, for example, the ASP’s hardware is sold to third parties without notice.
Advertising: Disclosures and Links
In certain circumstances, lawyers or firms may use ASPs to host information regarding availability for legal services. If you are considering this, either for your Web site or as part of a directory-type listing, understand who has control over content displayed on the site.
Several consistent themes are developing. First, most states consider lawyer Web sites to be advertising under state ethics rules. This means that they must comply with state counterparts to MRPC 7.01. Second, most states are treating e-mail like regular mail, requiring it to be labeled as advertising and otherwise requiring it to be treated just like a mailed letter. Third, most states treat chat-room or other real-time communications as being in-person solicitation for purposes of the ethics rules. Finally, some states have explored whether it is appropriate for a lawyer to make payments to an Internet service for advertising the lawyer’s services based either on a set fee or based on the number of hits or referrals from the service to the lawyer.
LegalEthics.com (a Web site maintained by one of the authors) has links to each state’s Internet ethics requirements, including advertising rules. While there is no uniformity, the requirements generally break down along these lines:
• Disclosures. Many states require law home pages to identify, for example, where the lawyers are licensed or who is responsible for the site.
• Archiving requirements. Many states require lawyers to keep copies of their sites.
• Filing requirements. Several states require filing of the original site, and some require submitting changes made to the site.
• Linking. Some states provide that their rules do not apply to sites linked to a law firm site, while most are silent. Does a firm have a responsibility to monitor who is linking to its site and to take action if, for example, the person creating the link describes the firm in a way that the firm could not ethically describe itself?
• Misleading statements. Lawyer advertisements are subject to the general prohibition that the advertisement not be false or misleading. In addition, there are a number of "housekeeping" rules contained in the ABA and state-specific rules.
Before using ASPs to deliver information regarding availability for legal services, consider how your compliance with applicable advertising rules may be affected by the information and the service provided by the ASP.
Conflicts of Interest
The uses of currently available ASPs do not appear to create conflicts of interest. For example, it would not seem to create a conflict for both parties to a lawsuit to use the same ASP for their e-mail provider. However, as services and applications become more substantive, additional issues may arise. Suppose, for example, that an ASP is providing accounting-related services to both parties to the same lawsuit. It is unlikely that a single accounting firm could ethically represent both parties. Even with respect to more mundane services, such as online document storage, should a lawyer inquire whether the ASP is providing the same or similar services to the opponent in that matter? Separately, should the lawyer consider whether the ASP can provide electronic versions of "ethical walls" to screen out other lawyers from accessing information relating to a specific matter?
In addition, conflicts can arise from just one party’s use of an ASP’s services. For example, one of the more troublesome aspects of e-mail is the possible inadvertent creation of attorney-client relationships. Suppose a lawyer receives an e-mail disclosing important facts about a possible lawsuit from a person who in good faith sought to hire that lawyer, but the potential defendant is a long-time client of the lawyer. Some authority holds that a lawyer who receives information under such circumstances would be disqualified.
One option for reducing inadvertent conflicts is to post a disclaimer, such that when people seek to e-mail a lawyer, they are first brought to a page that explains that they should not send unsolicited confidential information, since the lawyer does not represent them; that the lawyer may already represent the opposing party; and so on. The potential client may be required to affirmatively click on an agreement to such terms. Another approach is to not post lawyer e-mail addresses, but instead to only post a generic email@example.com and have e-mail sent to that address delivered to a person who is "walled off" from others in the firm. Another option is to only provide lawyer e-mail addresses to clients once a representation has begun. Examine whether the ASP provides mechanisms to handle e-mail in the manner chosen to manage potential conflicts.
Unauthorized Practice of Law
Rules governing the unauthorized practice of law have not yet caught up to the fact that law practice is national in scope, let alone addressed the global aspects of the legal profession. Instead, lawyers who practice law "in" states where they are not licensed run the risk of, among other things, being accused of engaging in the unauthorized practice of law. In Birbrower, Montalbano, Condon & Frank, P.C. v. ESQ Business Service, Inc., the California Supreme Court went so far as to conclude a lawyer could commit the unauthorized practice of law—a crime—even though "not physically present here, by advising a California client on California law in connection with a California legal dispute by telephone, fax, computer or other modern technological means."
If you plan to use an ASP to deliver legal services or content, you may want to inquire whether the ASP has measures in place to screen users by jurisdiction. For example, the ASP may have a registration asking users to identify their home state. You could use such mechanisms to restrict delivery of legal content and services to jurisdictions in which you are licensed to practice.
What’s the Case at Hand?
There is virtually no authority addressing, much less answering, most of the issues discussed here. Consequently, lawyers must take care to understand that their compliance with ethical obligations may be affected by the use of ASPs. Depending on the complexity of the service or product, you might consider an ethics consultation. As with many ethics issues, the appropriate approach will depend on the facts and circumstances of the case at hand.
David Hricik (firstname.lastname@example.org) is an Adjunct Professor of Law with the University of Texas School of Law who also litigates complex commercial cases.
Peter Krakaur (email@example.com) is a Knowledge Manager and Of Counsel with Brobeck, Phleger & Harrison in San Francisco and is a member of the Section’s eLawyering Committee. He is also publisher of LegalEthics.com (www.legalethics.com).
The opinions expressed by Peter Krakaur are his own and not necessarily those of Brobeck, Phleger & Harrison, LLP, or any of its clients.
[SIDEBAR 1, page 34]
Beware of Forming Ancillary Services and MDPs
Lawyers who themselves provide and charge for services and products as if they were an ASP may be providing ancillary law-related services. If so, they may be subject to particular regulation and disclosure obligations.
Beyond that, however, lawyers who form affiliations with particular ASPs, or who form economic relationships with them, may run the risk of having created multidisciplinary partnerships. Both business forms create certain obligations. Generally, it is unethical for lawyers to share fees with non-lawyers. Yet that may be the substance of an agreement between lawyer and ASP.
Look very carefully at any "fee-splitting" arrangement with a Web site. Bar opinions exist that, for example, prohibit lawyers from entering into office leases that base the rent on the lawyer’s revenues. By analogy, any sort of revenue sharing arrangements relating to the lawyer’s activities need to be examined carefully.
— David Hricik and Peter Krakaur
[SIDEBAR 2, page 37]
• "ABCs of Computer Security" by Albert Barsocchini. Law Technology News, November 2000.
• "The Increasing Use of the Internet in the Practice of Law" by Eric G. Kraft. Journal of the Kansas Bar Association, February 2000.
• "Lawyer Communications on the Internet: Beginning the Millennium with Disparate Standards" by Louise L. Hill. Washington Law Review, July 2000.
• "Lawyers Worry Too Much about Transmitting Client Confidences by Internet E-mail" by David Hricik. Georgetown Journal of Legal Ethics, Volume 11, 1998.
• "Limiting the Ethical Risks of Law Firm Web Sites" by Steven A. Meyerowitz. Pennsylvania Lawyer, October 2000.