The North Carolina Bar recently published a Proposed 2011 Formal Ethics Opinion 6, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.” This follows on the American Bar Association’s draft proposals on “Technology and Confidentiality.” The Legal Cloud Computing Association (“LCCA”), which includes many cloud-based practice management and other vendors, including Clio, RocketMatter, NetDocuments, Total Attorneys, DirectLaw and others, responded with an extensive critique of the draft opinion.
At first glance, some of the NC opinions offer options that fluctuate between being pro forma (i.e., nobody will pay any attention) and onerous to implement, particularly regarding security. But more on that another time.
Frank Rivera, former chief designer of TimeMatters’ ill-fated World edition, and currently CEO of HoudiniESQ, a program that competes with many members of the LCCA, offered me the following comments, which I am happy to publish as a guest post. While Frank obviously has an ax to grind here, some of the points he raises are worth serious consideration, especially, it seems to me, regarding outsourcing and single tenancy of web-based applications. I plan to comment on this in the future, but for the moment here are Frank’s comments.
It is my opinion the Legal SaaS vendors made an error in judgment and their response makes the members of the (LCCA) seem as though they are only interested in protecting their own interest, their business. You only have to look at their response to the NC Bar's opinion on Cloud computing to see what I mean. The following LCCA response is from the following URL http://www.realpractice.com/press-releases/legal-cloud-computing-association-publishes-responses/
LCCA Excerpt: "… the Proposed FEO as written would negatively impact a broad scope of attorneys…the onerous requirements of the Proposed FEO would force many cloud computing providers to withdraw from the NC market entirely."
What is important here is not that legal SaaS vendors will pull out of any market, but that the ethics opinion is trying to protect law firms and their clients. I for one applaud the NC Bar's efforts. If you have to adjust your business model so your clients (law firms) have the comfort of knowing where their data is at all times and that it is being protected, then so be it. Shame on the LCCA members for suggesting they would have to pull out of the market if the suggestions in the NC Bar's opinion stand. The LCCA's response continues...
“The LCCA thanks both the ABA and the North Carolina State Bar for the opportunity to provide feedback on their respective proposals. It is the LCCA’s hope that a constructive dialog among stakeholders will facilitate the rapid adoption of cloud computing technology within the legal profession, consistent with the highest standards of professionalism and ethical compliance."
The operative word here is compliance. In one breath, they threaten to "withdraw from the NC market entirely" and in another they attempt to champion the cause of that proposed withdrawal. Clever double-speak aside, the truth of the matter is that outsourcing Legal Firm data may be forbidden; and this would upset the cart, after all, it is easier to outsource and make it someone else's problem than to take custody of your client's data. Technically, if you outsource, aren't you skirting your fiduciary responsibility? The way I see it, if you didn't think outsourcing your client's data was wrong in the first place, then you didn't really have your client's interest at heart when you entered the market. Trust and transparency start on day one; not when the state Bars force you to show this trust.
HoudiniESQ has no intention of withdrawing from the NC market, or ANY US market for that matter. Why, you ask? Because unlike the majority of the legal SaaS/Cloud vendors, we DO NOT outsource our client's data to a third party for hosting (e.g. Amazon). Our Terms of Service (TOS) is pretty clear on that fact. Every legal SaaS vendor SHOULD be in control of client data at all times, and if this isn’t the case then your TOS should be quick to point that out. I think the signup page should state this fact as well. The TOS should also clearly state WHERE the data will be stored. We state in our TOS that our client's data remains within US borders at all times, in a state-of-the-art data center located in Michigan (USA) on devices that we have complete control over. I'm also of the opinion that Legal Firm data should be stored in a single-tenant architecture, period. What this means is your data is never commingled with everyone else's data. Nearly all of the Legal SaaS/Cloud vendors store their client's data in the same database separated by a schema partition. This is a form of multi-tenant architecture which only benefits the SaaS vendor, because it lowers their overall cost. However, it puts a firm's data at risk. If the federal government confiscates a single firm's database or instance, they are essentially confiscating everyone’s data. Data corruption at the IO and file level is another concern, because an inaccessible database affects every client in the architecture.
We here at HoudiniESQ are not in the least concerned with the NC Bar's opinion, because we addressed the NC Bar's concerns when we architected our product. We will continue to hone our systems to meet the concerns of the legal industry as any responsible SaaS vendor should. As I read the LCCA's response to the NCBA's opinion it sounded like the LCCA would rather fight the NC Bar's opinion than comply with ethical guidelines that safeguard their client's interests.
Further, I think the LCCA members should read the following article because the SaaS/Cloud industry is about to change course. Multi-tenant isn't best practice, it is common practice. Common practice doesn't make an approach or model the best choice. Something any software architect worth his weight would know. The article reads in part...
"The lack of funds has also caused some organizations to sacrifice their privacy and security for multi-tenant, shared, private cloud implementations. This leaves these organizations at risk of spillover and cross contamination with neighboring information. Granted the multi-tenant implementation saves money, it still does not change the fact that it sacrifices security. Since the information being stored and used is usually highly classified federal information, the last thing we would want to do is make a choice based on an inadequate budget that sacrifices security."
http://www.ip3inc.com/index.php/about-ip3/security-blog/those-who-fail-to-plan-for-cloud-should-plan-to-fail.html
Frank A. Rivera CEO
http://HoudiniESQ.com

John,
You are right, I do have an ax to grind. It should be clear to anyone who has read the NCBA's opinion that nothing in it is a bad idea. Here is another response from an LCCA member to the NCBA's opinion.
… we believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states. Rather than "mandatory requirements", we believe that it makes more sense to establish basic principles and suggested guidelines, leaving to the individual attorney to use their best judgment to exercise reasonable care under the particular circumstances of their practice, in choosing a SaaS provider.
How can the LCCA's response appear in numerous legal tech articles and columns and not one author ask the obvious questions, why does the term "mandatory" worry this organization? Whose interest is this organization looking out for?
If organizations such as this one are left to define policy or influence the State Bars (what they dare to call "THEIR" best practices on their websites) then isn't this leaving the fox to guard the hen house?
Disclaimer: I'm a North Carolina resident and Legal SaaS vendor located in Research Triangle Park NC. As John likes to put it, I have a horse in this race.
Posted by: Frank Rivera | July 25, 2011 at 09:27 AM
Isn't the LCCA's membership and leadership similar to the fox guarding the hen house?
We at Data Equity believe that consumers of legal software should be looking toward an independent, non profit group such as the International Legal Technology Standards Organization (ILTSO). Formed in the spring of this year (2011), ILTSO is a non-profit whose goals are primarily in the interest of protecting consumers. Part of their stated mission is quoted here:
"Whether you’re a law firm, company, or client, now there’s a quick way to verify that better practices are being applied to the storage and transmission of your critical data. Every year we publish industry-leading standards, so you can focus on your business instead of guessing which new technology guidelines to follow." http://www.iltso.org
Time is running out to be heard, this year's public input for ILTSO's charter will end on July 31st.
Steve Stockstill
Data Equity LLC
Posted by: Steve Stockstill, Data Equity LLC | July 27, 2011 at 11:52 AM
I would have to agree with Steve here. The International Legal Technology Standards Organization if non profit and made primarily of Attorneys then we have an organization that would better serve the interest of my clients.
Frank Rivera CEO
HoudiniESQ
Posted by: Frank Rivera | July 27, 2011 at 02:48 PM