Volume 18, Number 4
June 2001

Security Is Key as ASPs Make Inroads into the Legal Market

By Andrew S. Breines

Lawyers who use application service providers (ASPs) are doing nothing more than "outsourcing" the work of maintaining software applications—and in some cases document and knowledge management—to a third party for a monthly or yearly fee. The third party may direct its sales to the legal market only or to a market that includes other industries. In some cases, the ASP may be strictly a "consumer" product that the law firm has decided to utilize for convenience and cost effectiveness.

One of an ASP’s most important features is its ability to allow multiple users at multiple locations to view the same data and use the same software products across platforms and time zones, simply by logging on and connecting to the firm’s space on the ASP’s server. This means you can use the ASP from a remote location and have the illusion of actually sitting at your desk.

Making It Work

Several categories of ASP products are currently available, including litigation support, litigation management, document management, time and billing, conflict-of-interest checking, research, and collaboration products. These can be further divided into front-office and back-office functions. Recent articles in this publication and other ABA publications provide the names of many products and companies offering ASP services. (See Law Practice Management, "The Litigation ASP Market," a chart prepared by Clifford Shnier, March 2001, as an example of the volume of products and services available.)

Training staff. The amount of staff training required will vary depending on the types of products purchased from the ASP and the computer sophistication of the lawyers in the firm. The good news is that almost everyone knows how to log onto the Internet and use a Web browser. If the user does this properly, the computer will mirror the software products already familiar to those in the firm. The bad news is that many of the litigation and document management ASPs use proprietary systems that require detailed training and constant monitoring by the users to ensure that the products work effectively.

Maximizing existing hardware resources. As long as a firm’s computers are capable of networking and have Internet connections, workers can use ASP services. There is no need for incredibly fast processors, the latest and greatest monitors (unless an individual prefers them), and gigabytes upon gigabytes of memory. ASPs do require that users have sufficient random access memory to enable the computers to multitask with several programs from the ASP, but there is no need to upgrade to the fastest desktop computers available, as many firms periodically do. Also, the ASP is responsible for all upgrades to the programs contained in the package and for required maintenance of the software. This is a big plus because upgrading and license monitoring are not cost effective for lawyers to provide and are often cost prohibitive when outsourced to consultants.

Litigation Support and Management

Many front-office ASPs offer litigation support and management features. Any litigation matter contains several types of information, some public and some private. Public information includes complaints, motions, docket lists, briefs, and discovery requests that are not under seal. Private litigation material includes client data not necessarily relevant to the matter, confidential information, privileged information, and names and contact information for clients, lawyers assigned to the matter, and witnesses. Additional documents associated with litigation, which may or may not be produced in discovery, can be imaged and stored online with the ASP. Examples of these are client documents, witness statements, transcripts of depositions, admissions, and attorney work products that may become public documents or may remain case-sensitive, internal information.

All of these documents can be stored on litigation support and management ASPs just as in traditional trial notebooks. Some have different features, as lawyers have different trial notebook styles, but all allow basic document hosting, docket listing, and the ability to control access to the documents. In fact, you can log onto the government’s Public Access to Court Electronic Records (PACER) site (http://pacer.psc.uscourts.gov/cgi-bin/links.pl), post the docket of your case through the ASP, and have it updated regularly and automatically.

After uploading the docket to the ASP, you might, depending on your ASP, next post copies of all of the pleadings and related orders. These can be scanned, digitized, and posted with links to and from the docket list. Exhibits to the pleadings and other documents can also be scanned and linked. Even digitized audio and videotapes can be posted and linked to specific parts of depositions (if they are taped) and other documents. Each document or exhibit that is posted and linked can be indexed, either in full text or with key words. Many ASPs provide the ability to search entire sets of postings by keyword and locate relevant documents, specific sections within, deposition transcripts, and even video or audio clips.

Finally, most litigation-oriented ASPs give lawyers working on the case, whether in the same firm or separate firms, the ability to send messages, initiate a discussion, have a real-time chat session, or collaborate on a document that may or may not be filed with the court.

Keeping Data Secure

Access restriction and unique login information. For any of these features to work, the ASP also needs to ensure access can be restricted to only what the lawyer, secretary, or paralegal needs to view to properly support trial counsel and the client. Therefore, each authorized user has a unique login that consists of user name, password, and in some situations a static IP address identifying the specific computer being used. In the future, the login could also incorporate fingerprint and voice recognition, cornea identification, or some combination of password and physical recognition features. Whatever their components, security procedures should allow lawyers and staff to access the ASP without alienating them with technological or other hurdles to gaining access.

Professional ethical considerations. An additional security issue involves protecting clients and their information and upholding ethical responsibilities to them. The ASP hosts the documents and related information outside the confines of the firm, which brings up new security and ethics concerns. Password protection, Secure Sockets Layer (SSL) encryption, digital signatures and certificates, direct peer-to-peer connections, authorized logins—a new vocabulary can be required to interact with ASPs and their other users. Security concerns multiply as more people have access to the information and more people are brought in to provide technological solutions.

Using ASPs to perform front- and/or back-office functions gives rise to security issues involving the integrity of the attorney-client relationship, confidentiality of documents and information stored on servers, and the potential for intentional or unintentional compromising of confidentiality by the ASP’s employees, agents, consultants, and vendors.

How secure is data hosted by ASPs? Software and access issues create security concerns, but so does the ASP’s physical business location. How can you know whether the server facility is secure? If it is not, is your data secure? Many legal-related industry ASPs have agreements with "data centers" that provide physical security, maintenance, and other services formerly provided by in-house information technology consultants or employees (leaders include Exodus and Genuity).

Due to the increasing reliance on data centers for collocation of Internet servers, there is a growing sense that they should be licensed or certified. The question is, who will be the certifying authority? For authentication and digital signatures, Verisign is the leader with its certification services. For privacy policy compliance, the Better Business Bureau (bbbonline.org) provides sample policies and periodically reviews sites using its policies. Those that comply are allowed to display the BBB seal.

These are private companies that have taken the lead in the United States by trying to create standards. If the government does not take a similar lead in these areas, there will be competing certifying authorities for data centers. Therefore, the companies that prevail in this era of mergers and consolidations will have strong positions throughout the United States and the world without being bound by more than traditional laws regarding competition and antitrust. The corollary to this argument is that the best and strongest companies will prevail and provide more stability and expertise to their customers.

Data centers should be government certified, and most utilize redundant backups for both power supply and data. In order to maintain connections to their customers, ASPs also rely on high-speed connections from the data centers to the Internet with built-in redundancies to make sure the connections are always available. In addition, these data centers use encryption technologies to protect the flow of inbound and outbound data.

What happens if the ASP’s or the firm’s Internet connection goes down? Who is responsible, and who is liable? ASPs maintain multiple independent redundant connections to the Internet—if one fails, the others carry on. Some ASPs also carry direct connections to servers, firms, and authorized off-site users. These dedicated direct connections also have redundant backups that may include secure connection via the Internet. Responsibility and liability are two sides of the same coin. Although the ASP has an obligation to ensure access, no ASP can guarantee 100 percent connectability, and many ASP user agreements include language that specifies only a high-percentage probability of connectability. However, ASPs also attempt to limit liability to users, including law firms, in the event that data cannot be accessed or is corrupted, or that confidentiality is compromised. The enforceability of similar damage limitation clauses has been struck down in several states, and the debate can be expected to continue. In any event, firms should upgrade their users’ Internet browsers while being cautious to maintain redundant backups in the event that lawyers cannot access the applications via the ASP.

What can be done to avoid or limit exposure? Any firm contemplating entering into an agreement with an ASP must perform due diligence of the ASP. The ASP market is in its infancy, and many of the current crop will not be in existence a year from now. How can you prevent catastrophe from striking data hosted by an ASP and still maintain access to the benefits of new technologies to conduct your practice?

For example, say you have a complex litigation matter that you are managing with an ASP. All of the documents, work product, reference materials, pleadings, evidence, and the docket list are uploaded and linked via the ASP’s technology. You decide, as lead counsel, that you want to have a mock trial or negotiation. Because many of the documents are public, you have the ability to increase authorized users to include a mock jury and even a stand-in for opposing counsel.

Inadvertently, the ASP provides access for these additional users to documents that are not public, such as attorney-client chat logs, collaborative notes on drafts of pleadings, and potential settlement figures. Is the ASP liable to the firm for breaching the attorney-client privilege? Are they subject to damages above and beyond the amounts paid by the firm to the ASP? There are no clear answers. Guidelines are evolving as the ASP market matures.

Further complications for liability arise if the other side and the judge, for example, also have access to the public records associated with the case. Suppose the ASP again fails to restrict access to non-public data in the case, but this time opposing counsel gains access to all of your trial strategy and work product materials. Because the ASP’s technology failed in setting proper access restrictions, or a worker simply made a mistake in granting the wrong levels of access, does the company bear increased responsibility?

Designating a firm administrator. Most ASPs allow firms to designate an administrator who can authorize and edit access levels by categories, such as case, public documents, private documents, chat, collaboration, file sharing, e-mail, or discussion board, right down to specifying only certain folders and documents within the folder. In addition, the administrator can change and update the rights users have with regard to the data—like administrator rights, full or limited edit rights, view only, browse docket list only, or any combination of features.
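The access levels described above, and the mock-trial failure discussed earlier, can be expressed as a deny-by-default check plus an audit the firm administrator runs before adding outside users. This is an added example, not code from the article or from any ASP product; the scope paths, user names, the ordering of rights and the rule that the most specific grant wins are assumptions made for illustration.

```python
from enum import IntEnum
from typing import NamedTuple

class Right(IntEnum):          # ordering is an assumption of this example
    NONE = 0                   # explicit deny; also the result when no grant matches
    DOCKET_ONLY = 1            # browse docket list only
    VIEW = 2
    LIMITED_EDIT = 3
    FULL_EDIT = 4
    ADMIN = 5

class Grant(NamedTuple):
    user: str
    scope: str                 # category, folder or single document (hypothetical paths)
    right: Right

def effective_right(grants, user, path):
    """Most specific grant covering `path` wins; no matching grant means NONE."""
    best_len, best = -1, Right.NONE
    for g in grants:
        scope = g.scope.rstrip("/")
        covers = path == scope or path.startswith(scope + "/")
        if g.user == user and covers and len(scope) > best_len:
            best_len, best = len(scope), g.right
    return best

def can_read(grants, user, path):
    right = effective_right(grants, user, path)
    return path.endswith("/docket") if right == Right.DOCKET_ONLY else right >= Right.VIEW

def exposed(grants, resources, trial_team):
    """(user, path) pairs where a user outside the trial team can read a non-public item."""
    outsiders = {g.user for g in grants} - set(trial_team)
    return sorted((u, p) for u in outsiders for p, public in resources.items()
                  if not public and can_read(grants, u, p))

# Constructed sample data: path -> is the item public?
RESOURCES = {
    "case/docket": True, "case/public/complaint.pdf": True,
    "case/private/settlement-figures.doc": False, "case/chat/2001-05-02.log": False,
}
TEAM = {"lead_counsel"}
COUNSEL = Grant("lead_counsel", "case", Right.ADMIN)
# Weak: the mock juror is granted the whole case, as in the article's scenario.
TOO_BROAD = [COUNSEL, Grant("mock_juror", "case", Right.VIEW)]
# Corrected: only the public category and the docket are granted.
SCOPED = [COUNSEL, Grant("mock_juror", "case/public", Right.VIEW),
          Grant("mock_juror", "case/docket", Right.DOCKET_ONLY)]
```

Adding an explicit `NONE` grant on `case/private` to the broad grant still leaves the chat log readable, which is why the corrected version lists what is allowed rather than what is denied.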

By having the technology to enable firm administration, an ASP’s liability can be limited because the firm has the responsibility to warrant access, with the ASP available for technical assistance and training. As stated above, the question of ASP liability is as yet unresolved by the courts. The industry is so new that the cases that are pending have not come to a resolution or have been settled without a report as to the result of the settlement. Over the next several months, as more and more ASPs fail, there will be a number of new cases filed. Courts will decide a high percentage of these cases. Until that time, ASPs will continue to try to limit their liability by contract and hope that the basic precepts of contract law will protect them from liability.

How training can help a firm decide. Most ASPs do provide training, which includes not only how to use the technology but also explanations of practical features, security measures, and guidelines for the firm’s internal safeguarding of the attorney-client relationship. Basic training covers such topics as discussing the ASP in open areas, not divulging login information, not saving logins in browsers (most browsers allow this option—some ASPs have technology that blocks this feature), not leaving the computer connected to the ASP without logging out overnight or on weekends, and treating information accessed on the ASP the same way other confidential client information is handled on a daily basis. Some ASPs actually have built-in security procedures that terminate the connection if the user is idle for a period of time.

Security issues have existed ever since lawyers began practicing. As lawyers increasingly switch firms and locations, security technology has evolved to a point that within minutes of leaving a firm, the lawyer’s access to the computer system can be terminated as easily as his or her access to the front door. There are downsides to using an ASP, but by properly determining your needs in advance of choosing an ASP, you can protect client confidentiality, realize greater productivity, and extend the life of aging hardware.


Andrew S. Breines is a principal of Aresty International Law Offices, P.C., in Boston, Massachusetts.
