Yes, You Actually Have to Read the Terms of Service to be Ethically Compliant

You read the headline right. There, I said it. You have to read the Terms of Service and possibly more to be ethically compliant.

OK, I don’t mean every word. Just the important ones.

It’s OK. We’re all friends. I won’t rat you out. And I won’t tell Disciplinary Counsel, Ethics Counsel, Bar Counsel, or whatever they call it in your jurisdiction. That doesn’t mean they won’t find out. But they won’t find out from me.

That said, I can’t guarantee someone else won’t find out, and then you’ll be a headline. Despite what they say, trust me, it’s not always great to be in the news.

Consider Steven A. Schwartz or Paul Manafort. You remember them. Schwartz is the lawyer who used ChatGPT to write a brief, only to discover, way too late, that the citations were all made up. He never expected to be the poster child for anything, but he was.

Then there is Paul Manafort, or really his lawyer. They were the ones who didn’t properly redact his reply to a motion, and revealed information that was never intended for the public. That made headlines, too.

You could have your own headline. Perhaps it’ll say, “Lawyer reveals confidential information to terrorists because he didn’t know that the Terms of Service on his software said the company could.”

Now calm down. I know. You think nobody reads them. Dropbox Terms of Service, for example, are 2,704 words. That’s short. According to the website, statista.com, which counts the words, as of April 2020, Microsoft’s Terms of Service was 15,260 words, Apple’s was 7,314 and Facebook’s was 4,132. In other words, Microsoft’s Terms of Service are roughly twice as long as the Bill of Rights, which is 7,591 words.

That’s a lot to read, and they change all the time, too. Trust me, I’m not saying it because I like reading them, but you really must. Maybe not every word, but certainly the key provisions.

Let me explain.

It turns out that a lawyer used a service for preparing clients’ taxes. Nothing unusual there. It was on his desktop, and the company didn’t see the data he entered. Nothing to worry about there.

But then he discovered a software glitch, and the company needed to see his data to be able to understand the problem and fix it. Now he had to worry. After all, they had access to his clients’ most sensitive information. Tax returns have lots of confidential information. Just ask Donald Trump.

And therein lies the rub.

The lawyer couldn’t just turn over the records. He knew that. The company, however, couldn’t fix the bug without seeing the information.

And, of course, there was nothing about the company accessing or seeing client data in the Terms of Service.

So, the lawyer did the right thing; he contacted his state bar’s ethics counsel. Many state bars and some local bars have ethics counsel or an ethics hotline where you can call and ask these types of questions and receive answers.

The lawyer requested an opinion from the ethics counsel, which in turn led to the Bar’s Ethics Committee issuing a formal opinion, one that is intended to provide general guidance to all members of the bar. 

The Ethics Committee issued Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility Formal Opinion 2024-100, “Lawyer’s Ethical Obligations when Using Third-Party Vendors Who Have Access to Confidential Information.” And it’s a game changer because it says what attorneys should have known all along. The Committee’s conclusion was that lawyers who hire third-party vendors to perform various functions that assist a lawyer in providing services to clients have a duty to provide competent representation to their clients as required by Rule 1.1. The important part is that the Committee also concluded that lawyers must, under Rule 5.3, make reasonable efforts to ensure that the conduct of third-party vendors “is compatible with the professional obligations of the lawyer,” including the duty to protect information relating to the representation of the client, pursuant to Rule 1.6.

Although the guidance was under the Pennsylvania Rules of Professional Conduct, the opinion would apply equally under the Model Rules of Professional Conduct, and any other state’s rules. Most importantly, the opinion sets minimum standards that should apply to a wide range of circumstances.

The opinion is practical. The Committee recognized that is not possible to get a specific guarantee from every vendor and doesn’t require an attorney to do so. In many cases, depending upon the size of a vendor or how it conducts its operations, it may not be feasible to have every vendor sign such an agreement. Plus, the vendors in almost every case will tell the lawyers to read their Terms of Service, and that will guide them. After all, the vendors have lawyers too, and they are advising not to agree to anything that is not in that document.

For example, many small and midsize firms use QuickBooks for their financial accounting. QuickBooks, according to the website, 6sense, has 146,168 customers and one of its target markets is the legal industry. Recently, the company made concerted efforts to move users from the desktop version to the cloud, which means someone may have access to your IOLTA account, payroll and other data. But it is not realistic to think that QuickBooks will tailor its Terms of Service to lawyers.

But lawyers will use these products––in many cases they have no choice but to use them. So, they must take reasonable precautions.

What are reasonable precautions?

Since we’ve already recognized that lawyers are not going to read the entire Terms of Service, they have an obligation, an ethical requirement, to read certain portions of them.

For example, Microsoft’s Terms of Service is overwhelming. It is separated into 35 subsections, many of them irrelevant to attorneys. On the other hand, “Your Privacy,” “Your Content,” “Code of Conduct” and “Using the Services & Support” are essential to review.

The “Your Content” section is instructive.

Your Content. Many of our Services allow you to create, store or share Your Content or receive material from others. We don't claim ownership of Your Content. Your Content remains yours and you are responsible for it.

a. When you share Your Content with other people, you understand that they may be able to, on a worldwide basis, use, save, record, reproduce, broadcast, transmit, share and display Your Content for the purpose that you made Your Content available on the Services without compensating you. If you do not want others to have that ability, do not use the Services to share Your Content. You represent and warrant that for the duration of these Terms, you have (and will have) all the rights necessary for Your Content that is uploaded, stored, or shared on or through the Services and that the collection, use. and retention of Your Content will not violate any law or rights of others. Microsoft cannot be held responsible for Your Content or the material others upload, store or share using the Services.

b. To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display. and distribute via communication tools Your Content on the Services. If you publish Your Content in areas of the Service where it is available broadly online without restrictions, Your Content may appear in demonstrations or materials that promote the Service. Some of the Services are supported by advertising. Controls for how Microsoft personalizes advertising are available at htt12s://choice.live.com (https://go.microsoft.com/fwlink/?Linkld=2867S9). We do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files, to target advertising to you. Our advertising policies are covered in detail in the Privacy Statement.

Dissecting this paragraph is important. The first part is easy. Microsoft comes out and clearly states that you own the content. That is vital. Ever since the days when cloud computing was a new issue, every ethics opinion was clear that you, the lawyer, owned the content. That is non-negotiable.

Then comes paragraph a, regarding sharing content. Presumably, you aren’t sharing client content. Microsoft says, however, that you are responsible for it if you post it somewhere.

Then comes paragraph b. It seems to say, but is not totally clear, that Microsoft will use the content. But is it saying regardless of whether you publish it on their services, or only if you publish it? The company also makes clear that they do not use what you say in email, chat, video calls or voicemail, or your documents, photos or other personal files, to target advertising to you. But are they reading your email, etc.? We know some companies do. Microsoft has in the past gone on the record that it doesn’t read customers’ emails.

So, are you going to trust Microsoft? I could further analyze the Terms of Service, but I hope you get the picture.

Compare Microsoft’s Terms of Service with AOL’s, which is really Yahoo. They take a different approach: “Yahoo analyzes and stores all communications content, including email content from incoming and outgoing mail. This allows us to deliver, personalize and develop relevant features, content, advertising and Services.” In other words, they read the email, and they use it for whatever purposes they want.

Another way to put it is that Yahoo/AOL is reading all your email. That means that it is not confidential and if opposing counsel wanted to pursue seeing your email, she might be successful.

Imagine the consequences. Disciplinary. Client relations. Litigation. All are possible. The worst part is that the consequences of using free email services like AOL and Yahoo have been known for many years, and despite this, lawyers continue to use them. Why? They’re lazy. It’s cheap. Plus, there hasn’t been a poster child for AOL disclosures, as Steven Schwartz was for artificial intelligence.

We won’t be able to solve all the problems here, so let’s see what you and I can do to make sure we are not the examples when it comes to third-party vendors and other outsourced services.

The Pennsylvania opinion helps in that regard. It recognizes that you cannot be totally protected, but instead offers suggestions on how attorneys and their firms can make reasonable efforts.

“Reasonable efforts” under Model Rule 5.3 means taking steps to ensure that the third-party vendor has in place adequate procedures to safeguard confidential and sensitive client information. A four-step approach will help assure this.

First, the vendor should have Terms of Service or a Privacy Policy assuring confidentiality of any information it receives. This is non-negotiable. It almost certainly will not cite the Rules of Professional Conduct, but it is critical that you have that assurance in writing. If it isn’t willing to do so, find another vendor.

Second, the vendor must agree that you own the content. The client file is owned by the client. You cannot ever have any question about ownership. If it doesn’t say that, or you have doubts, seek another vendor.

Third, the vendor must agree that it will not make unauthorized disclosures of client information. It sounds obvious, but it bears repeating.

Fourth, the vendor must understand and have or will establish reasonable procedures to protect the confidentiality of the information it gains access to. These should include protections such as who can see the data, etc.

If the vendor has these types of provisions in place, you can feel comfortable that it will honor your professional obligations under the Rules of Professional Conduct, including the obligation to safeguard client confidential information.

But remember, if you do not read the Terms of Service, you will never know this. Many lawyers are still using AOL, Yahoo and other free services. Free generally means no protection, or you get what you pay for.

We all know how quickly Steven Schwartz became a poster child. Read the relevant provisions of the Terms of Service to make sure you are not next.