LAW PRACTICE MANAGEMENT IN THE CLOUD
Introduction
In today’s global economy, information technology (IT) is ever-changing and
evolving at a break-neck rate of speed. Businesses that are hesitant or reluctant to
upgrade or improve their IT infrastructure are finding it hard to compete within their
industry. At the same time, however, the increased availability of new technology at a
lower cost has raised several issues concerning security and safety of company and client
information. The legal field is one industry in particular where the privacy and
confidentiality involved with client information is of specific concern in moving toward
lower cost, more efficient practice management technology and software, such as those
programs offered as software as a service (SaaS) through cloud computing.
The Oxford Dictionary defines cloud computing as “the practice of using a
network of remote servers hosted on the Internet to store, manage, and process data,
rather than a local server or personal computer.” (Oxford). It is further defined by the
National Institute of Standards and Technology (NIST) as “a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of configurable
computing resources that can be rapidly provisioned and released with minimal
management effort or service provider interaction.” (Garfinkel, 2011). It has been noted
that the five main principles behind cloud computing are as follows: availability; high
utilization; dynamic scale without capital expenditure; automated creation of new virtual
machines or deletion of existing ones; and a per-usage business model. (Razavi, 2011).
One of the three types of service commonly provided by cloud providers is
Software as a service (SaaS), which is defined as a model of software deployment that
uses the Internet to deliver applications on-demand rather than through a physical
software component or software seat. (Pearlson & Saunders, 2012).
SaaS can be deployed in a private or community cloud, or a hybrid of the two. In
a private cloud, the organization operates a cloud strictly for its own use, while a
community cloud is a private cloud shared by several organizations in order to support a
specific requirement (such as healthcare organizations operating in a community cloud to
hold patient medical and billing records). (Garfinkel, 2011). A hybrid cloud model
combines the two by providing and managing some resources in a private cloud in-house,
while essentially outsourcing other resources externally in a community cloud.
Cloud computing has a lower up-front cost than traditional law practice
management software systems, as it generally reduces the expense of new hardware,
software license fees, installation costs and training costs. (Kyle, 2013). In addition,
cloud computing allows outsourcing of certain areas such as accounting and records
management at a much lower cost, generally on a monthly fee schedule. (Kyle, 2013).
With a lower overhead cost and widened opportunity for quick and seamless acquisition,
it would seem that many lawyers would rush to begin performing in the cloud as soon as
possible. However, concerns over the security of confidential client information have
given rise to some uncertainty in subscribing to such cloud-based services.
Creating Value
A. Legal Implications
Despite the ease and cost efficiency of utilizing cloud-based SaaS services,
attorneys must be very aware of the legal ramifications involved with handling such
sensitive information. Of specific concern is personally identifiable information (PII) or
personal information belonging to your client’s customers. (Heikkila, 2009). PII is
defined as pieces of computerized data that can be used to distinguish or trace an
individual’s identity. (Heikkila, 2009). In Michigan, PII includes a person’s first name
or first initial along with last name used together with the following information:
• Address and telephone number;
• Driver’s license or state identification
• Social Security Number
• Place of employment
• Employee identification number
• Employer or taxpayer identification number
• Government passport number
• Health insurance identification number
• Mother’s maiden name
• Demand deposit account number
• Savings account number
• Financial transaction device account number or password
• Stock or other security certificate or account number
• Credit card account number
• Vital record
• Medical records or information
(MCL 445.63(o)). Additionally, Michigan considers PII to also include a person’s first
name or first initial along with last name linked to one or more of the following pieces of
information:
• Social Security Number
• Driver’s license or state identification
• Demand deposit or other financial account number, or credit/debit card
number in conjunction with any required security code, access code or
password that would permit access to any of the individual’s financial
accounts.
(MCL 445.63(e), (p)).
Under Michigan’s data security law, if any of the above-listed information is
accessed or acquired by an unauthorized party whether in the form of unencrypted, un-
redacted or encrypted data with unauthorized access to the encryption key, lest face a
penalty of $250.00 per breach. (MCL 445.72(1)(a)-(b), (12)-(14)).
B. Ethical Implications
Attorneys must also carefully consider that they have an ethical obligation to
safeguard client data, including that which is stored in electronic format on a network
connected to the Internet, such as that utilized in the cloud. (Comerford, 2006). The
American Bar Association (ABA) Commission on Ethics 20/20 has addressed the issue
by modifying the Model Rules of Professional Conduct in relation to cloud-computing
services. (Reach, 2012). The first modification made is in regard to the commentary
after MRPC 1.1, which is the rule that addresses a lawyer’s competence in providing
legal representation to a client. (MRPC 1.1). Comment [6] to MRPC 1.1 now includes
the following emphasized clause:
“To maintain the requisite knowledge and skill, a lawyer should keep
abreast of changes in the law and its practice, including the benefits and
risks associated with relevant technology, engage in continuing study and
education and comply with all continuing legal education requirements to
which the lawyer is subject.”
(MRPC 1.1 [6]). This comment was amended with the intention that lawyers would
consider it as an ethical requirement to keep abreast and fully understand advances in
technology that would “genuinely relate” to his or her competency in effectively
representing a client. (Barkett, 2013).
The second modification applies to MRPC 1.6, which addresses the
confidentiality of client information. (MRPC 1.6). An additional subparagraph has been
entered, which states: “(c) A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized access to, information relating
to the representation of a client.” (MRPC 1.6(c)). Accompanying the new text is an
additional paragraph in Comment [16] of MRPC 1.6, which directly relates to a lawyer’s
use of a cloud storage vendor:
“The unauthorized access to, or the inadvertent or unauthorized disclosure
of, information relating to the representation of a client does not constitute
a violation of paragraph (c) if the lawyer has made reasonable efforts to
prevent the access or disclosure. Factors to be considered in determining
the reasonableness of the lawyer’s efforts include, but are not limited to,
the sensitivity of the information, the likelihood of disclosure if additional
safeguards are not employed, the cost of employing additional safeguards,
the difficulty of implementing the safeguards, and the extent to which the
safeguards adversely affect the lawyer’s ability to represent clients (e.g.,
by making a device or important piece of software excessively difficult to
use). A client may require the lawyer to implement special security
measures not required by this Rule or may give informed consent to forgo
security measures that would otherwise be required by this Rule. Whether
a lawyer may be required to take additional steps to safeguard a client’s
information in order to comply with other law, such as state and federal
laws that govern data privacy or that impose notification requirements
upon the loss of, or unauthorized access to, electronic information, is
beyond the scope of these Rules. For a lawyer’s duties when sharing
information with non-lawyers outside the lawyer’s own firm, see Rule 5.3,
Comments [3]-[4].”
At this time, 15 state bar associations (not including Michigan) have issued
opinions regarding the use of legal cloud computing, all of which concur that such use
is legal among attorneys so long as reasonable care is practiced in doing so.
(Gonsalves, 2013). Given the strict legal guidelines involved, cloud service providers
need to prove to attorneys and law firms beyond a reasonable doubt that their cloud and
SaaS offerings meet strict minimum standards of safeguarding client privacy.
(Gonsalves, 2013). At the same time, lawyers also need to recognize that they have an
ethical obligation to understand cloud computing and any technology being used
thereunder, so they may take the appropriate steps to comply with the ethical obligations
associated with client information and confidentiality. (Prof. Ethics FL, 2013).
IS Management Challenge
For many years, large law firms have had the financial capability to justify the
purchase of expensive software programs to organize the various work areas within the
company. These programs have historically been branded with a very high purchase
price, along with an equally high price for training the work staff and purchasing
hardware to complement the software. Such output costs, added to the loss of revenue
from hours spent by key members of the law firm while being trained on the new
programs, have made it increasingly difficult for mid-size and boutique firms to justify
the purchase of such systems.
A. SaaS and Traditional Software Upgrades
With the rise of cloud computing and SaaS programs, several smaller firms are
now able to utilize, on an “as needed” basis, practice management software that would
previously have been out of range financially. Previously outsourced services such as
accounting, central services and records management can be maintained either in-house
using SaaS, or in the cloud using a hybrid structured process. This outsourcing still
accounts for a chunk of company profits, however it does not financially equate with the
financial input necessary to purchase some of the historically well-known practice
management software systems.
On the contrary, with the development of new, more affordable and efficient
software systems available through the cloud as SaaS, more law offices, both large and
small, are able to take advantage of the available technology at a fraction of the price.
For example, many of the small or boutique firms are able to outsource billing and
accounting practices to cloud-based vendors who will track down and collect funds that
would have otherwise been disregarded or forgotten for lack of individual time or
resources in investigating uncollected receivables.
Even state governments are using the opportunity to switch to cloud-based SaaS
services for handling legal practice management. For example, after consolidating its IT
operations in 2010, the State of California began looking for opportunistic ways to use
cloud computing to cut costs, improve operational efficiencies, reduce paper usage and
provide an overall improved service to its residents. (PR Newswire, 2011). This search
led the California Department of General Services (DGS) and the Department of Fair
Employment and Housing (DFEH) to sign a 5-year contract with LogicBit Corporation
for use of its web-based legal practice management product HoudiniESQ. (PR
Newswire, 2011). Offered both on-site and via the cloud, HoudiniESQ offers secure
access to data from nearly anywhere an Internet connection exists via various media
devices, and is able to integrate with Microsoft Word, Microsoft Excel, Microsoft
Outlook and Intuit Quickbooks. (PR Newswire, 2011). The ease of accessibility among
the many existing devices in the State of California architectural infrastructure made the
switch to the cloud-based system more attractive, given that the purchase of new or
modified hardware was not necessary, saving the state and its residents money in the long
run.
Given the many benefits of cloud computing, vendors of traditional practice
management software programs are evolving to offer their clients patches and upgrades
in the cloud. Unfortunately, many of the upgrades are costly much like the original
software, and involve drastic evolutionary changes to the user interface, requiring time
and possible training to learn the new features. Although some of the patches or
upgrades may be unnecessary to continue proper functionality of the practice
management software system, others are necessary to continue working with the new or
updated operating systems currently available. This being the case, it is important as a
manager to be aware of the mode of operation the vendor undertakes when handling
cloud-based upgrades to the existing software systems. Specifically, a manager would
want to know how the vendor would notify the organization when notable upgrades are
available. Once notified of a potential upgrade or patch, the manager would then need to
inquire as to the anticipated value the upgrade or patch would grant to the existing
system, how much time it would take to perform the upgrade, how much the upgrade
would cost in accordance with the monthly subscription fee, and how much training
would be required to bring employees up to speed on the upgraded system.
B. Establishing Trust or Acceptance of New Technology
An additional concern involved in using cloud-based law practice management is
in convincing other attorneys to accept the new technology and become accustomed to
using it in everyday practice. To explain, many of the senior or more conservative
members of a law firm do not understand what “the cloud” is – many of them rarely even
use a computer for more than email or inner-office messaging. Personal assistants or
paralegals, transcribing either from audiotape or from hand-written notes, do most of the
computing for this particular band of attorneys, much as it has been done since the
invention of a typewriter. Not only are many older members of the bar distrustful of
technology, they are generally distrustful of sharing client information or documents in
anything other than a physical paper file where they can tangibly examine the contents at
will. Switching to a cloud-based service for practice management generally entails
document scanning and archival in the cloud with retrieval by either a bar code or other
numerical code system off-site. Physical files, although maintained for originality and
authenticity purposes while a case is pending or in appeal, are generally shipped to off-
site physical storage buildings until the statutory time period has lapsed for destruction.
Keeping the documents “up in the air” or “out in limbo” as I’ve heard some attorneys
term cloud usage, is simply too difficult for some to contemplate given what they believe
to be a lack of control over the file. Moreover, a sheer lack of knowledge of computer
technology and a stubbornness or unwillingness to learn anything computer-related could
be difficult to overcome in some instances.
One way these issues could be addressed is by having divided meetings among
the firm, first discussing the transition with the support staff and then moving up the
ladder to the most senior members. In most cases, it is the individual support staff
assigned to an attorney who ultimately has the most power in teaching the new
technology to the attorney. If an attorney feels as though his or her support staff is
competent in handling a new or modified mode of operation, it makes it easier for him or
her to trust that those important documents “up in the air” are not being lost or
inappropriately handled in the cloud. Once this trust is established, carving out a small
amount of time during each week’s progress meeting to discuss how the new technology
is being used would not only allow an open forum for sharing ideas on how to best utilize
the system, but it would also provide ongoing training to those who are still having
trouble trusting the system.
Another way to deal with this issue is to present the bottom line financially.
Showing the profit-sharing senior members of a law firm how much money they will
save in capital expenditures and overhead may shift the balance just enough to convince
them, albeit begrudgingly, to take the change in stride. Traditional law firm practice
management software requires a large capital investment up front, given the need to
purchase a license for and train each user. In addition, the hardware necessary to
effectively operate the software in total, such as various large capacity scanners,
document automation software, compatible operating system software and on-site
network servers, can extend beyond 6 figures depending on how large the law firm is and
how much information you will need to store. The costs associated with ongoing
maintenance and support, when needed, and the purchase or transfer of licenses as
employees come and go are also of consideration.
On the other hand, cloud computing allows the firm to rent the software it needs
when it needs it through SaaS. Licensing is not necessary; therefore the cost typically
associated with the transfer of use from one employee or attorney to the next is not an
issue. Generally, no additional hardware is needed outside of the run-of-the-mill office
machinery typically found within a law firm such as printers, scanners, and other
computing devices, which eliminates another up-front cost. In addition, a server is not
generally needed in-house because everything operates in the cloud.
However, while naming all of the savings realized at the forefront of a cloud
computing transition, one main thing to consider for the next 3-5 years is the overall
growth you anticipate within your firm and how that could affect your savings in the long
haul. Although cloud-based services are generally offered on a monthly subscription
basis, data management is usually limited to a set storage amount for each month. It is
anticipated that while you may add to the amount of data stored in the cloud every month,
you will also be deleting data from the cloud that is no longer needed. That being the
case, if you anticipate growth in the volume of cases your firm will take over a 12-18
month period, or in the complexity of the cases you already have which would require a
rapid influx of data within that period of time, as manager you may want to consider
upgrading your data storage subscription to avoid any potential repeated overages.
Should the need for additional data storage continue to increase, it would be necessary to
examine whether a transition to a traditional on-site server storage system would be more
cost effective. Nonetheless, cloud-based SaaS could still be utilized while maintaining
data storage in-house, in order to save costs on the traditional software, as enumerated
previously.
C. Best Practices to Confront Legal and Ethical Concerns
In light of the many legal and ethical concerns, the manager would want to very
carefully analyze the security concerns of confidential client information, and proceed in
a manner to best protect those interests. As far as existing hardware is concerned, I
would ensure that the organizational network was protected with various technical
controls, such as a firewall, anti-virus software and anti-spyware. Additionally, I would
install monitoring software that would oversee usage by looking for possible data leakage
while at the same time supervising all things leaving the inner-office network. Finally, I
would initiate use of a detection system for intrusion, including protection technology to
assist in protecting and detecting when or whether information is being compromised by
an outside source.
My next task as manager would include a detailed investigation of the vendor our
firm intended to use for the cloud-based service or services to determine the level of
security that is provided in housing or transmitting information. With that in mind, I
would look particularly into whether prior clients or customers have had issues with
security breach instances in past dealings with the vendor. Additionally, I would want to
review the service agreement or service contract to see how security issues are controlled
and handled, should one occur. In the unfortunate circumstance that client information
was leaked as a result of faulty vendor handling, I would want to be sure that a steadfast
plan was in place to immediately locate the issue and correct the same.
Once a vendor is selected, I would then ensure that the firm had an information
security management policy handbook, or a portion of the employee handbook devoted to
the issue. In this policy portion, I would ensure that the procedures outlining acceptable
use of devices (company supplied or BYOD) and client data are specifically named,
including those controls for accessing client data through various media devices available
to the firm’s employees. As part of the security policy manual, I would include that all
devices must be password protected, and that any devices used by employees be
registered in an online log or catalog by the employee’s name, type of device, model and
serial number. That way, should any device become compromised due to physical loss,
access to information by an unauthorized user could be denied by simply terminating the
authorized user’s existing online account or license for that device. Additionally, I would
institute a policy restricting the removal of client data from the office without encryption
in place, and further restrict removal of client data without authorization of the partner or
member supervising that client’s case or legal matter.
Next, I would ensure that all employees were properly trained on how to handle
client data even before its entry into the firm’s internal cloud-based system, and make
training a part of the security policy manual. Specifically, I would ensure that only those
individuals who are vital to receiving or analyzing client data had access to the
information. Then I would ensure that all employees were aware of who those
individuals are in the case that they need client data for any reason in carrying out their
daily activities. The less confidential information is shared among the firm’s employees,
the less likely any of the information will be leaked – whether intentionally or
unintentionally. On this same line of reasoning, I would add a portion to the security
manual that covers the destruction of client data and/or notes associated with a client that
are not necessary to his or her representation by the firm. Anything paper-based must be
cross-shredded internally, and any software or hardware that could contain sensitive
information must be destroyed via incineration.
In consideration of the many benefits associated with cloud computing and SaaS
software for legal practice management, it would seem as though a centralized focus on
potential security concerns as a way to reject their use would not be beneficial. So long
as proper safety policies and corrective measures were in place prior to undertaking the
use of these processes, as manager I would definitely recommend moving forward as
enumerated above.
RESOURCES
Barkett, J. (2013). Ethical Challenges on the Horizon: Confidentiality, Competence and
Cloud Computing. ABA Section of Litigation Annual Conference. Chicago, IL.
Cloud Computing. (n.d.) In Oxford Dictionaries online. Retrieved from
http://www.oxforddictionaries.com/definition/english/cloud-computing
Comerford, J. (2006). Competent Computing: A Lawyer’s Ethical Duty to Safeguard the
Confidentiality and Integrity of Client Information Stored on Computers and Computer
Networks. Georgetown Journal of Legal Ethics, 19, 629.
Garfinkel, S. (2011). Cloud Computing Defined: A primer on key terms in Business
Impact this month. MIT Technology Review. Retrieved from
http://www.technologyreview.com/news/425618/cloud-computing-defined/
Gonsalves, C. (2013). Raising the Bar for Legal Cloud Computing. Channelnomics.
Retrieved from http://channelnomics.com/2013/07/01/raising-the-bar-for-legal-cloud-computing/
Heikkila, F. (2009). Data Privacy in the Law Firm. Michigan Bar Journal, pp. 33-36.
Kyle, M. (2013). Cloud Computing: The Least a Law Firm Should Know.
WebMasterView.com. Retrieved from http://www.webmasterview.com/2013/08/cloud-computing-law-firms/
MCL 445.63 et seq.
MCL 445.72 et seq.
Model Rules of Professional Conduct 1.1
Model Rules of Professional Conduct 1.6
Pearlson, K. & Saunders, C. (2012). Managing & Using Information Systems: A
Strategic Approach (5th ed.). Hoboken, NJ: John Wiley & Sons, Inc.
PR Newswire. (2011). The State of California Saves Big by using Cloud Based Legal
Practice Management System HoudiniESQ. PR Newswire, June 27, 2011.
Professional Ethics Committee of the Florida Bar (2013). Professional Ethics of the
Florida Bar, Opinion 12-3. Retrieved from
http://www.floridabar.org/tfb/tfbetopin.nsf/SearchView/ETHICS,+OPINION+12-3?opendocument
Razavi, A. & Strommen-Bakhtiar, A. (2011). Should the “CLOUD” be regulated? An
assessment. Issues in Informing Science & Information Technology, 8, 219.
Reach, C.S. (Jan. 2012). Reach for the cloud: for some, cloud computing remains a
nebulous concept. It has the potential to transform law offices and save firms a lot of
money on information technology, but cloud computing has its limits. Lawyers should
consider the benefits and risks before placing their firms in ‘the cloud’. Trial. P. 38.
http://www.justice.org/cps/rde/xchg/justice/hs.xsl/4938.htm