This week's Daily Record column is entitled "Virtual Law Offices: California Weighs In."
A pdf of the article can be found here and my past Daily Record articles can be accessed here.
Virtual Law Offices: California Weighs In
Virtual law offices are a relatively new, emerging concept, but fortunately for legal practitioners, a number of ethics committees are slowly but surely addressing the ethical issues surrounding the practice of law via an online portal.
Most recently, in November 2011, the State bar of California Standing Committee on Professional Responsibility and Conduct addressed the ethics of maintaining a virtual law office in a draft formal ethics opinion (No. 10-0003) (See: www.calbar.ca.gov/Portals/0/documents/publicComment/2012/). This proposed opinion was handed down on November 5th and then opened up for a 90-day public comment period.
The issue considered by the Committee was whether “an attorney (may) maintain a virtual law office practice (“VLO”) and still comply with her ethical obligations, if the communications with the client, and storage of and access to all information about the client’s matter, are all conducted solely through the internet using the secure computer servers of a third-party vendor (i.e., “cloud computing”).”
Before addressing the ethical issues posed by VLOs, the Committee acknowledged that the cloud-based technologies used by VLOs are similar to the cloud computing software used by some traditional law offices and thus its many of its conclusions in the opinion applied equally to VLOs and brick and mortar offices using cloud computing services. However, because the hypothetical VLO at issue was solely virtual with no brick and mortar components, it presented unique ethical issues which would require due diligence considerations specific to VLOs.
In particular, the VLO practitioner must exercise reasonable care in ensuring that confidential client information is adequately protected from disclosure to unintended third parties. Of note, however, was that while technological expertise on behalf of the attorney was not required, it was essential that any attorney wishing to use cloud computing tools in their law practice have a basic understanding of the technology. As the Committee explained, “(W)hile Attorney is not required to become a technology expert in order to comply with her duty of confidentiality and competence, Attorney does owe her clients a duty to have a basic understanding of the protections afforded by the technology she uses in her practice.”
The Committee listed a number of factors that an attorney must address when choosing a VLO cloud computing provider, including: 1) the credentials of the vendor, 2) data security issues, 3) whether the cloud vendor will transmit client data across jurisdictional boundaries, 4) the attorney’s ability to supervise the vendor, and 3) the terms of the contract with the vendor. The Committee stressed that these obligations are continuing and the attorney must continue to reassess these issues, as needed, throughout the term of the contract with the vendor.
The Committee also advised that client consent regarding the storage of client data on a third party server was not required in regard to the hypothetical VLO discussed in the opinion, since that system was password protected and encrypted, and each client was permitted access only to his or her own matter. However, the Committee cautioned that a different type of VLO set up might require client consent, as might changing security standards over time, and thus the issue of client consent must be carefully considered based on the specific technology set up of the VLO each time an attorney establishes a virtual law practice.
The Committee also addressed, at length, the unique ethical issues presented by the delivery of legal services through a VLO. These obligations include ensuring that the intake process provides both the attorney and the client with sufficient information regarding legal services to be provided and the scope of representation. The attorney must also ensure that the client has an understanding of and access to sufficient technology to support representation via the VLO. Finally, the attorney has an obligation to keep the client sufficiently informed of the status of the matter and to adequately supervise “subordinate attorneys, and non-attorney employees or agents” even if those employees operate out of different physical locations.
All in all, this proposed opinion provided a very thoughtful and detailed analysis of the ethical issues presented when an attorney establishes a virtual law practice.
The only aspect of the opinion that troubled me was the suggestion that, in some cases, lawyers who outsourced the storage of confidential client data to third party providers might need to obtain client consent prior to doing so. Client consent is generally not a requirement when attorneys outsource the storage or handling of confidential client data in paper format, such as when storing old paper files in a warehouse or providing a process server with confidential documents. Electronic data should be treated no differently simply because the confidential information is stored in a different format. The suggestion that, in some cases, it might be treated differently in the future does not bode well for cloud computing and sets dangerous precedent.
That being said, aside from that one issue, this is a well thought out opinion that provides legal practitioners with a helpful overview of the ethical issues presented by VLOs and offers useful guidance for attorneys considering establishing this type of law practice.
Nicole Black is a Rochester, New York attorney and GigaOM Pro Analyst. She co-authors the ABA book Social Media for Lawyers: the Next Frontier, co-authors Criminal Law in New York, a West-Thomson treatise, and is currently writing a book about cloud computing for lawyers that will be published by the ABA in late 2011. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.