It has become commonplace for Ethics Opinions to require attorneys to exercise “reasonable care” to protect clients’ data and confidential communication. But the Devil is in the Details. What constitutes “reasonable care?”
As a non-lawyer and not a security specialist, some of the proposed North Carolina provisions seem to me to oscillate between pro-forma (i.e., meaningless) and extremely onerous. Thus “lawyers are advised to consult with a security specialist.” Well, one of the main reasons many small firms switch to a cloud solution is so they can get rid of the expense of hiring consultants. So now they should hire a security specialist instead?
The opinion requires that the security measures of the cloud system be “evaluated by the law firm or a security professional and are satisfactory.” “Evaluation by the law firm” is meaningless – attorneys in general are proud of their inability to do something like this (“I practice law, this stuff is what I hire you for”). So we are back to hiring a consultant.
The proviso requiring a review of “copies of the SaaS vendor’s security audits” is similarly bifurcated – even supposing that a vendor is going to provide that information at all! The LCCA reasonably suggests that, rather than asking a law firm to do something it is incapable of doing or requiring it to hire a consultant, vendors adhere to the security standards of recognized security organizations, à la Verisign or Truste.
The NC provision that the “hosting jurisdiction ha[ve] privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina” is fairly meaningless, since, given the government’s current ability to conduct warrantless invasions of privacy on electronic content virtually at will, there is virtually no “protection against unlawful search” in the U.S. In any event, European privacy laws are generally more stringent than those in the U.S.
Lastly, in a world where “password123” is one of the most commonly used passwords, all I can say about the provision requiring “the creation of strong passwords and the regular replacement of passwords” is: dream on, MacDuff.
A recent Alabama Bar Ethics Opinion (2010-02) is much more generic:
“The duty of reasonable care requires the lawyer to become knowledgeable about how the provider will handle the storage and security of the data being stored and to reasonably ensure that the provider will abide by a confidentiality agreement in handling the data. Additionally, because technology is constantly evolving, the lawyer will have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider.”
Frank’s comments on outsourcing and single-tenant vs. multi-tenant data structures raise more interesting issues. What he refers to as “outsourcing” – putting data in a rented area of a large data center run by, say, Amazon or Rackserver – is, as he notes, common practice. The requirement that these centers have the same confidentiality provisions as an in-house server is certainly reasonable.
A multi-tenant data structure, where a firm’s data is commingled within the same data structure as other firms, is similarly common practice. In the event of an outage, such as that experienced by Amazon at the end of April (see my blog “The Amazon Outage” http://doesitcompute.typepad.com/heckman/2011/04/the-amazon-outage.html) your data may be affected even though it was not what caused the outage.
Firms that are using hosted Microsoft Exchange may have experienced “multi-tenant” issues when they discovered that they are not in control of the Exchange settings for their email accounts because their accounts are clustered together with the accounts of other clients.
As Frank notes, most SaaS vendors use outsourcing and multi-tenant structures “because it lowers their overall cost,” not necessarily because it is the best practice. It is unclear whether in fact it is the “best practice.” A white paper on cloud computing from Advologix (another player in the cloud computing practice management field and one which, like HoudiniEsq, is not a member of LCCA), for example, argues that multi-tenant databases “are a tried and true way to provide a common application infrastructure, with strict segregation maintained between all of the different users, and to provide access to computer resources in the most economical way possible.” On the other hand, its reference to IRS and Social Security databases being multi-tenanted is not necessarily reassuring, given that the Government Accounting Office routinely gives government installations poor, if not failing, marks for security.
I am in no position to judge the merits of these two views. In the end, however, this may be irrelevant as it seems likely that economics will win and the multi-tenant structure and practice of outsourcing will continue to dominate. Ethics opinions sooner or later will follow economics.

John,
Most vendors outsource because it is so easy to do so and they don't have to take custody of their clients' data. My problem is that they don't state this on their TOS or signup forms. Economics has nothing to do with disclosure and transparency. I think you missed my point.
RE: Best Practice; We have seen many requests for proposals (RFPs) from state and federal agencies in the last 18 months requiring that hosted COTS (Commercial Off The Shelf) systems provide Single Tenancy. The bigger the agency or law firm, the more we hear this requirement. But when the misinformed hear Single Tenancy, they tend to think of how Single Tenancy has been implemented in the past, and this just isn't the case. Today we take a hybrid approach, HSTs. Hybrid Single Tenancy offers better performance and security at a low cost.
Let me share the realities of legal SaaS economics. This is important and goes back to the NCBA's opinion regarding the financial stability of a vendor.
You can no longer use SalesForce to draw conclusions from. Not technically or economically, for that matter. SalesForce has been struggling with several technology choices and architecture decisions that have got them pinned into a corner right now. They may be number one, but they are NOT number one when it comes to legal SaaS. AdvologixPM at best has a couple of hundred law firms using their product. Not a good choice for any argument. Everyone is quick to point out the benefits of multi-tenancy, but few care to point out the downsides of a single instance, such as the inability to customize the product and, when it is customized, the inability to make changes after the fact. It's not just the shared database that is of concern, John.
Let's not lose sight of the fact that a significant number of users lost data when Amazon went down in VA. You would have to ask those who lost their data what they think of the economics of multi-tenancy and having their data outsourced.
SalesForce isn't a good comparison, period. The legal SaaS market is a totally different animal. The market is tiny compared to the general SalesForce market. SalesForce has a potential market of tens of millions. The legal SaaS market is tiny by comparison, with just 1.2m lawyers in the US and 1.4m in Canada, and is split among numerous vendors, many offering the same products and services. Most law firms use traditional desktop software rather than the Cloud, further reducing the market. True, a large number of these lawyers are solos, but contrary to popular belief, the Solo market isn't a goldmine, it is just a pot of gold. Out of all the solos in the market, a large percentage will not use a PMS of any sort but instead a collection of products and services to manage their practice. This has always been the case.
Oddly enough, when I read about legal SaaS on the web the columns tend to be directed to Solos. Many of these articles give the impression that all legal SaaS vendors are the same. This isn't true.
Currently we are the largest provider of web-based legal practice management software in the marketplace, and our business isn't built on Solos. Our clients average 8-10 seats or more, not 1 or 2. This has been the case since we entered the market. Maybe it's because our product is more robust than any of the others, but we tend to attract small to larger law firms. We are also the largest legal SaaS vendor in the state and federal sectors when you count the number of state and federal agencies using our product in the Cloud. We have no reason to believe that Solos will make up the largest portion of the market.
It is the small to large law firms that are already familiar with legal practice management software who will make the biggest impact on the legal SaaS market in the next few years, not the Solos. This is very important because the larger law firms have special needs and requirements and have more stringent policies regarding client data. Since you used SalesForce, I will as well, just to make a point. Who is the average user of SalesForce, small Solo-type businesses or larger organizations?
Not every legal SaaS vendor, no matter how big, is a safe bet.
The Solo market isn't the feeding frenzy the press makes it out to be. You don't have to look far to see what I mean. Let's look at one of the latest entrants into the legal SaaS market, LN's FirmManager. It is my opinion that FirmManager was dead on arrival. Given LN's annual burn rate, assuming just $1m in salaries (15 employees involved with a base salary of 70k; not including infrastructure cost, marketing, support, etc., the number is of course much, much higher), they would have needed at least 1,500 sign-ups when they went live to justify being in the market and a bucket of new signups every month thereafter. The economics of multi-tenancy really doesn't come into play now, does it? How did I draw my conclusions? The public FirmManager forums only have 100 or so members, and that number hasn't budged in months. The FirmManager YouTube channel has had less than 150 views. A good number of the views are probably competitors. The Testimonials web page has only one entry, and it is from one of the advisory board members. It is important to note that FirmManager isn't the only legal SaaS vendor that seems to be struggling either.
So why does this all matter? Financial stability, security and transparency are the major components of the NCBA's opinion.
You can't make a sound decision on which legal SaaS vendor is best if you don't really know the market because they all claim to be "the leading legal practice management solution" and we know they all can't be.
Frank Rivera, CEO
HoudiniESQ
Posted by: Frank Rivera | July 27, 2011 at 10:43 AM