More on NC Proposed Ethics Opinion

It has become commonplace for Ethics Opinions to require attorneys to exercise “reasonable care” to protect clients’ data and confidential communication. But the Devil is in the Details. What constitutes “reasonable care?”

As a non-lawyer and not a security specialist, some of the proposed North Carolina provisions seem to me oscillate between pro-forma (i.e., meaningless) and extremely onerous. Thus “lawyers are advised to consult with a security specialist.”  Well, one of the main reasons many small firms switch to a cloud solution is so they can get rid of the expense of hiring consultants. So now they should hire a security specialist instead?

The opinion requires that the security measures of the cloud system be “evaluated by the law firm or a security professional and are satisfactory.” “Evaluation by the law firm” is meaningless – attorneys in general are proud of their inability to do something like this (“I practice law, this stuff is what I hire you for”). So we are back to hiring a consultant.

The proviso requiring a review of “copies of the SaaS vendor’s security audits” is similarly bifurcated – even supposing that a vendor is going to provide that information at all! The LCCA reasonably suggests that rather than asking a law firm to do something it is incapable of doing, or hiring a consultant, that vendors adhere to security standards of recognized security organizations, à la Verisign or Truste.

The NC provision that the “hosting jurisdiction ha[ve] privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina” is fairly meaningless since with the government’s current ability to execute warrentless invasions of privacy virtually at will in terms of electronic content there is virtually no “protection against unlawful search” in the U.S. In any event, European privacy laws are generally more stringent than those in the U.S.

Lastly, in a world where “password123" is one of the most commonly used passwords, all I can say about the provision requiring “the creation of strong passwords and the regular replacement of passwords” is: dream on, MacDuff.

A recent Alabama Bar Ethics Opinion (2010-02) is much more generic:

“The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider.”

Frank’s comments on outsourcing and single tenant vs. multi-tenant data structures raise more interesting issues.  What he refers to as “outsourcing” – putting data in a rented area of a large data center run by, say Amazon or Rackserver – is, as he notes, common practice. The requirement that these centers have the same confidentiality provisions as an in-house server is certainly reasonable.

A multi-tenant data structure, where a firm’s data is commingled within the same data structure as other firms, is similarly common practice. In the event of an outage, such as that experienced by Amazon at the end of April (see my blog “The Amazon Outage” http://doesitcompute.typepad.com/heckman/2011/04/the-amazon-outage.html) your data may be affected even though it was not what caused the outage.

Firms that are using hosted Microsoft Exchange may have experienced “multi-tenant” issues when they discovered that they are not in control of the Exchange settings for their email accounts because their accounts are clustered together with the accounts of other clients.

As Frank notes, most SaaS vendors use outsourcing and multi-tenant structures “because it lowers their overall cost,” not necessarily because it is the best practice. It is unclear whether in fact it is the “best practice.” A white paper on cloud computing from Advologix (another player in the cloud computing practice management field and one which, like HoudiniEsq, is not a member of LCCA), for example, argues that multi-tenant databases “are a tried and true way to provide a common application infrastructure, with strict segregation maintained between all of the different users, and to provide access to computer resources in the most economical way possible.”  On the other hand, it’s reference to IRS and Social Security databases being multi-tenanted is not necessarily reassuring, given that the Government Accounting Office routinely gives government installations poor, if not failing, marks for security.

I am in no position to judge the merits of these two views. In the end, however, this may be irrelevant as it seems likely that economics will win and the multi-tenant structure and practice of outsourcing will continue to dominate. Ethics opinions sooner or later will follow economics.

Frank Rivera on Proposed North Carolina Ethics Opinion

The North Carolina Bar recently published a Proposed 2011 Formal Ethics Opinion 6,
“Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.” This follows on the American Bar Association’s draft proposals on “Technology and Confidentiality.” The Legal Cloud Computing Association (“LCCA”), which includes many cloud-based practice management and other vendors, including Clio, RocketMatter, NetDocuments, Total Attorneys, DirectLaw and others, responded with an extensive critique of the draft opinion.

At first glance, some of the NC opinions offer options that fluctuate between being pro forma (i.e., nobody will pay any attention) and onerous of implementation, particularly regarding security. But more of that another time.

Frank Rivera, former chief designer of TimeMatters’ ill-fated World edition, and currently
CEO of HoudiniESQ, a program that competes with many members of the LCCA, offered me the following comments, which I am happy to publish as a guest post. While Frank obviously has an ax to grind here, some of the points he raises are worth serious consideration, especially, it seems to me, regarding outsourcing and single tenancy of web-based applications. I plan to comment on this in the future, but for the moment here are Frank’s comments.


It is my opinion the Legal SaaS vendors made an error in judgment and their response makes the members of the (LCCA) seem as though they are only interested in protecting their own interest, their business. You only have to look at their response to the NC Bar's opinion on Cloud computing to see what I mean. The following LCCA response is from the following URL http://www.realpractice.com/press-releases/legal-cloud-computing-association-publishes-responses/

LCCA Excerpt: "… the Proposed FEO as written would negatively impact a broad scope of attorneys…the onerous requirements of the Proposed FEO would force many cloud computing providers to withdraw from the NC market entirely."

What is important here is not that legal SaaS vendors will pull out of any market, but that the ethics opinion is trying to protect law firms and their clients. I for one applaud the NC Bar's efforts. If you have to adjust your business model so your clients (law firms) have the comfort of knowing where their data is at all times and that it is being protected, then so be it. Shame on the LCCA members for suggesting they would have to pull out of the market if the suggestions in the NC Bar's opinion stand. The LCCA's response continues...

“The LCCA thanks both the ABA and the North Carolina State Bar for the opportunity to provide feedback on their respective proposals. It is the LCCA’s hope that a constructive dialog among stakeholders will facilitate the rapid adoption of cloud computing technology within the legal profession, consistent with the highest standards of professionalism and ethical compliance."

The operative word here is compliance. In one breath, they threaten to "withdraw from the NC market entirely" and in another they attempt to champion the cause of that proposed withdrawal. Clever double-speak aside, the truth of the matter is the that outsourcing Legal Firm data may be forbidden; and this would upset the cart, after all, it is easier to outsource and make it someone else's problem then to take custody of your client's data. Technically, if you outsource, aren't you skirting your fiduciary responsibility? The way I see it, if you didn't think outsourcing your client's data was wrong in the first place, then you didn't really have your client's interest at heart when you entered the market. Trust and transparency starts on day one; not when the state Bars force you to show this trust.

HoudiniESQ has no intention of withdrawing from the NC market, or ANY US market for that matter. Why, you ask? Because unlike the majority of the legal SaaS/Cloud vendors, we DO NOT outsource our client's data to a third party for hosting (e.g. Amazon). Our Terms of Service (TOS) is pretty clear on that fact. Every legal SaaS vendor SHOULD be in control of client data at all times, and if this isn’t the case then your TOS should be quick to point that out. I think the signup page should state this fact as well. The TOS should also clearly state WHERE the data will be stored. We state in our TOS that our client's data remains within US borders at all times, in a state of the art data center located in Michigan (USA) on devices that have complete control over. I'm also of the opinion that Legal Firm data should be stored in a single-tenant architecture, period. What this means is your data is never commingled with everyone else's data. Nearly all of the Legal SaaS/Cloud vendors store their client's data in the same database separated by a schema partition. This is a form of multi-tenant architecture which only benefits the SaaS vendor, because it lowers their overall cost. However, it puts a firm's data at risk. If the federal government confiscates a single firm's database or instance, they are essentially confiscating everyone’s data. Data corruption at the IO and file level is another concern, because an inaccessible database affects every client in the architecture.

We here at HoudiniESQ are not in the least concerned with the NC Bar's opinion, because we addressed the NC Bar's concerns when we architected our product. We will continue to hone our systems to meet the concerns of the legal industry as any responsible SaaS vendor should. As I read the LCCA's response to the NCBA's opinion it sounded like the LCCA would rather fight the NC Bar's opinion than comply with ethical guidelines that safeguard their client's interests.

Further, I think the LCCA members should read the following article because the SaaS/Cloud industry is about to change course. Multi-tenant isn't best practice, it is common practice. Common practice doesn't make an approach or model the best choice. Something any software architect worth his weight would know. The article reads in part...

"The lack of funds has also caused some organizations to sacrifice their privacy and security for multi-tenant, shared, private cloud implementations. This leaves these organizations at risk of spillover and cross contamination with neighboring information. Granted the multi-tenant implementation saves money, it still does not change the fact that it sacrifices security. Since the information being stored and used is usually highly classified federal information, the last thing we would want to do is make a choice based on an inadequate budget that scarifies security."
http://www.ip3inc.com/index.php/about-ip3/security-blog/those-who-fail-to-plan-for-cloud-should-plan-to-fail.html

Frank A. Rivera CEO
http://HoudiniESQ.com

Two Worldox Tips

When I was updating my Document Management White Paper a couple of weeks ago, I realized that there were some specific tips buried in it that might be worth breaking out separately. Here are two.

Traditionally, when you want to create a new document based on an old one, you open the old document, do a “save as” to create a new version and go from there. Inevitably, at some point you wind up making the changes, forgetting the “save as” part and wiping out the old document.  Worldox offers a better way.

With the document you want to use as the basis for a new document highlighted on the Worldox document list, right-click and select “Copy” (if necessary from the “More” menu). Fill out the profile to save the copy. Click OK when Worldox offers to open the document. What you have done is to do a “save as” but before you open the document, thus reducing errors. (In fairness, both Word and WordPerfect offer an “open as copy” option, but nobody ever uses it.)

One of the questions that frequently comes up when Worldox is first implemented is “what about the documents on my desktop?” These are usually forms or other basic documents that are used very frequently.  Worldox offers a way for a user to replicate this functionality. 

For the documents that you use all the time, the equivalent of “desktop” documents, enter a unique code in the description of each document, such as your initials and “xxx.”  Thus “jhxxx.” Then do a search for that code and create a Quick Search Bookmark for it. You can do this by clicking on the “Bookmarks” menu item and select “Add this List.” Select “perform search” under the options. Then, when you click on your bookmark item, the list of documents will appear.

Cataract Surgery

After several years of complaining about how hard web sites were to read, how gray the new Microsoft type fonts were, etc. I finally bit the bullet and investigated cataract surgery. My surgeon said that she rates cataracts on a scale of 1 to 4, that most of her patients were between 2.5 and 3.5 on the scale and I was about a 3. 

So I bit the bullet and had the surgery over the past couple of weeks (each eye a week apart). Wow!!  I can now read the computer screens and drive without glasses, although I may wind up getting reading glasses. Everything is clear and sharp.  My wife refers to my “bionic eyes.”

So if you are wondering about it, go for it (and of course, check out that you are getting a good surgeon).  Thank you, Dr. Raji!

Document Management White Paper Updated

Several people have asked me recently “What has changed since you wrote the Document Management White Paper two and a half years ago?

So I thought it would be a good opportunity to update the White Paper. The answer is that not a whole lot has changed.  The main players are the same, the central considerations are the same.

The main thing that has changed is a greater emphasis on the Cloud and web-based services, including Cloud-based collaboration.  These are the major areas in which the White Paper has been expanded.  Check it out at http://www.heckmanco.com/docs/DMWhitePaper.pdf

P.S.  Happy Bastille Day.

New From Microsoft

There have been several announcements from Microsoft in the past week or two that are worth noticing.

First, SP1 for Office 2010 has been released.  According to the sources I rely on for this sort of thing – Windows Secrets and Woody’s Office Watch – the patch has not been adequately tested and you should hold off on installing it, since Microsoft’s track record on this sort of thing is not very good.  So I repeat: hold off on SP1 until other people have installed it (read: beta tested it).

The other announcement has gotten a lot more publicity: Office 365. This is advertised as Microsoft’s foray into the “cloud.”  However, closer examination reveals that you are most likely to still require Office 2010 on your desktop. Even worse, Office 365 requires the notoriously insecure ActiveX protocol, as well as Silverlight.

In short, it is a Microsoft product through and through.  Furthermore, it is based on Azure, Microsoft’s cloud hosting platform.  Azure has only been available for a couple of years so it is not really a mature product.  Furthermore, it’s main architect, Ray Ozzie, left Microsoft last fall.  So the companies that are rushing to jump on the Azure bandwagon may well be in for a rough ride.