42. (That's for those of you who picked up on the 'Hitchhiker's Guide to the Galaxy' reference).
I usually don't feel it necessary to refer you to my disclaimer but, because this is a State Bar of California opinion – and I'm Vice-Chair of their Law Practice Management & Technology Section Executive Committee (LPMT) – I want to remind you that:
"This blog site is published by and reflects the personal views of Perry L. Segal, in his individual capacity. Any views expressed herein have not been adopted by the California State Bar's Board of Governors or overall membership, nor are they to be construed as representing the position of the State Bar of California."
The LPMT Executive Committee may publish its own, 'official' comments, to which I may also contribute. That being said…
Technology is an extremely logic-based discipline, in its purest form; or it should be, at least. Indeed, like the practice of law, success or failure is predicated upon compiling and understanding a particular set of facts, then realistically acting upon those facts. Note my emphasis on the word, 'realistically'. If I wish to suspend disbelief and begin with a set of unrealistic criteria, I may be equally able to formulate a reasonable solution, assuming it's possible to locate someone – or something – that fits the original, unrealistic premise.
This is my assessment of Formal Opinion Interim No. 10-0003 (Virtual Law Office). It's actually a very well-crafted opinion, but it's based on a 'Statement of Facts' that, to me, are an unrealistic portrayal of how an attorney practices – or would practice – law.
First, there's no reason for me to re-invent the wheel. For another excellent nuts & bolts assessment of the opinion, please see Stephanie Kimbro's post on her Virtual Law Practice blog. She's an authority on the Virtual Law Office and is also cited as a resource on page one of the opinion itself.
From a pure cloud security standpoint, this is an excellent document and a perfect complement to opinion 2010-179 on wireless networks. In fact, I would recommend that practitioners ignore the hypotheticals for a moment (especially if they're pressed for time) and proceed to the Discussion heading, Section 1 ("Duties"), which is what I'm doing for the purposes of this post.
Section 1 examines confidentiality issues of employing a cloud-based system with a 3rd-party vendor and provides a five-point list of due diligence factors that includes, but isn't necessarily limited to:
- The Credentials of the Vendor
- Data Security (Well, that's not very helpful, but it goes on to refer the reader to California, New York and ABA opinions for guidance)
- Vendor's Transmission of Client Info in the Cloud Across Jurisdictional Boundaries or Other 3rd-Party Servers (You've heard – or read, I suppose – me pontificate on that one; the "digital roach motel" and "know where your data is")
- Attorney's Ability to Supervise the Vendor (As I've reminded you often, you may hire competence, but not delegate this duty)
- Terms of Service of Contract with the Vendor (This is huge where the cloud is concerned. For example, many provider contracts contain language to the effect that, "Once you transfer it to us, it becomes our property.", a major no-no for attorneys)
It also points out the security environment must be periodically reassessed, which is terrific advice. I usually refer to it as "fire drills". Finally, it points out that none of this may take place without proper disclosure to the client, who may, by the way, have no idea how any of this works.
Section 2 examines competence issues as follows:
- Proper management of attorney's intake system to determine one of the basics; "Who is the client?"
- Determining whether attorney may perform the requested services
- Determining that the client comprehends the services being performed (This document also refers to comprehension issues due to a language barrier)
- Keeping the client reasonably informed
- Determining that the client understands technology (When I read #3 above, it immediately triggered the thought that technology is another language both attorney and client must understand…)
- Determining when to decline to represent a client via a VLO, and whether representation may continue through traditional means
This section also re-raises the supervisory issue, but this time it's in terms of the attorney supervising other attorneys and/or non-attorneys.
Ok, so you know what I like, now let's get into what I don't like. The hypothetical describes the VLO as a password-protected and encrypted portal that sits on a 3rd-party cloud. So far, so good. But then, it goes on to say that the attorney plans not to communicate with clients by phone, email or in person, but will limit communication solely to the portal.
Yeah, that covers a lot of us, doesn't it?
I understand that it's possible for attorneys to communicate this way, but is it probable? Does this opinion realistically apply to most attorneys; now and even into the future? I'm not trying to be snarky here, but you can't blame me for being a tech guy. Immediately, my mind wanders to what would likely happen in this scenario. A technology or communication issue arises and the frustrated attorney – or client – resorts to email or a phone call.
And what about secrecy? No, I'm not alluding to some nefarious purpose. There are legitimate reasons why attorney and/or client might not want to document ideas or discussions – electronically or otherwise – in the short-term (what comes to mind is a nervous potential client who has invented a new product, but doesn't want to provide a lot of written detail to attorneys, while soliciting the representation of several of them, for fear that the inventor's intellectual property will be revealed).
The second thing that bothers me is the "Issue" statement that opens the opinion. It states, verbatim:
"May an attorney maintain a virtual law office practice ("VLO") and still comply with her ethical obligations, if the communication with the client, and storage of and access to all information about the client's matter, are all conducted solely through the internet using the secure computer servers of a third-party vendor (i.e., "cloud computing")." [Italics/bold added. It's posed as a question, but in the text, the paragraph ends with a period – not sure if it's a typo that will be corrected in a later version].
What's the danger here? Hello? Facebook is the cloud! Google is the cloud! Email is the cloud! A lot of communication is taking place – right now – through means not anticipated in this opinion. What I'm saying is, if one removes the term, "VLO", from this document, it could just as easily apply to methods attorneys use to communicate with their clients on a daily basis, while at the same time, being completely unaware that many of these products are in the cloud.
It also fails to anticipate one other factor; what will happen the day these measures apply to all cloud-based technology (that day is coming, and in some cases, is already here). As it stands today, if most attorneys attempted to comply with these security measures, law practice as we know it would grind to a halt.
Better start preparing now…