Limiting Risk in the Cloud: Smarter SaaS Agreements
The cloud offers lawyers unparalleled software-as-a-service (SaaS) resources to manage their practices, organize documents and communicate with clients—but it can also blur the bright-line ethics rules. To safeguard the integrity of files in the cloud, you must think critically and creatively about the ethical and practical implications of using SaaS providers.
State bar ethics opinions haven’t kept pace with the issues. So for now, you have to devise your own strategy to keep out of trouble. Here’s a set of guidelines regarding SaaS Service Level Agreements (SLAs) to help you do just that.
Get Smart About Service Level Agreement Terms
Perhaps the most pressing ethics issue raised by the cloud is the extent to which it protects confidential client information. Under the American Bar Association’s Model Rules of Professional Conduct, a lawyer may not “reveal information relating to the representation of a client unless the client gives informed consent,” except when the disclosure is made under narrow circumstances, or “is impliedly authorized in order to carry out the representation” (Rule 1.6). When using a cloud-based office system, it is essential to take reasonable precautions to ensure the privacy of client documents and other confidential information. Consider adding the following terms to any service level agreement:
- The SLA should be clear that the service provider has no ownership interest in any of the data subject to the agreement, and that all files are owned exclusively by the lawyer and/or client. The SLA may also forbid the provider from withholding data if there is a dispute under the SLA, and instead impose an affirmative obligation on the provider to release client data upon the attorney’s request.
- The SLA should impose a duty on the SaaS provider to ensure an appropriate level of security and should provide protocols for addressing security breaches and notifying the lawyer of any security breaches.
- The SLA should address the SaaS provider’s procedure for responding to subpoenas for the production of records. For example, the provider may be served with subpoenas for client data not only by parties who are engaged in litigation with the client, but also by third parties who have no direct dispute with the client and instead seek access to the client’s data for other uses. The provider may not respond to these subpoenas, because the provider does not have true legal possession, custody or control over the documents—the attorney does. The SLA should make this explicit with a clause on the topic of subpoenas.
- The SLA should confirm that the SaaS provider’s technology incorporates security protocols that meet industry standards for withstanding foreseeable attempts to unlawfully access data. Also make sure the SLA states that data is regularly backed up by the provider.
- The SLA should specify the provider’s level of data encryption so that the lawyer may consult outside technicians to determine its sufficiency.
- The SLA should include a detailed section on how confidential client documents will be handled when the lawyer no longer wishes to retain them. For example, it may include procedures for data destruction when the lawyer no longer requires the relevant data and data transfer when a client switches lawyers or law firms.
- The SLA should list the geographic regions in which the SaaS provider will store the lawyer’s data. The lawyer must determine whether the laws of the geographic regions in which the data will be held afford it the same privacy protections as the law in the state where the lawyer practices. If not, client documents could be subject to unwanted disclosure.
- The SLA should provide a method of retrieving data and returning it to the lawyer after termination of the SLA, or in the event that the provider goes out of business or has technical issues that cause a lapse in service. Check to see whether the format in which the data is stored (and will be returned) is compatible with software available through other providers.
- The SLA should also include a clause confirming that only employees specially trained in appropriate security measures will handle client data, and that employees will be bound by the provider’s confidentiality policies not to disclose client data.
In addition, make sure you are meeting your ethics obligations by taking the following measures in your law practice:
- Be safe. Develop a system for backing up client data, so it remains accessible on-site even in the event of a SaaS provider failure.
- Keep options open. Maintain an alternate way to connect to the Internet.
- Caution others. Counsel clients who use cloud computing for their own internal documents to develop litigation hold procedures in consultation with their lawyers and SaaS providers.
- Be transparent. Disclose the firm’s use of cloud computing technology to the client and consider referencing cloud computing in the engagement letter.
The practice of law is in the midst of a sea change regarding the storage and retrieval of client documents. The guidelines given here are intended to highlight areas of concern in cloud computing and suggest strategies for protecting client privacy. The goal is not to eliminate risk—which is impossible until a new technology is fully vetted by the legal community—but to limit it. Precisely because the benefits of cloud computing are so great, lawyers will be well-served by applying these guidelines when dealing with SaaS providers.
Tom Zuber is creator and Co-CEO of LawLoop.com. Tom, an intellectual property attorney, is also a Co-Founder and a member of the Management Committee of Zuber & Taillieu in Los Angeles. He earned his J.D. from Columbia University Law School.