Some Ethical Considerations for Lawyers Using the Cloud and Operating Virtual Law Offices

Some Ethical Considerations for Lawyers Using the Cloud and Operating Virtual Law Offices Mitch Kowalski 1 Introduction Rule 3.01 (1) of the Law Society of Upper Canada s Rules of Professional Conduct is always overshadowed by its sister rules. Yet, it is perhaps one of the most important rules of our profession: 3.01(1) A lawyer shall make legal services available to the public in an efficient and convenient way. This rule suggests that if a lawyer is not providing legal services in an efficient manner then she is breaching the rule; and, if a lawyer is not providing legal services in a convenient manner she is also breaching the rule. Interestingly enough, the commentary in rule 3.01 makes no mention of efficiency and convenience; it deals only with legal aid and declining representation. Somewhat similar is Rule 2.01(1)(e) which requires a lawyer to perform client service in a cost-effective manner. The commentary for this Rule also lacks an interpretation of this phrase. 1 Mitch Kowalski is an innovative thinker, lawyer, writer, lecturer, consultant and entrepreneur. He maintains a boutique law practice in Toronto and writes on a variety of legal and non-legal topics including The National Post s blog, Legal Post. He can be reached at mekowalski@rogers.com.

If we were to fill the gaping hole in these commentaries we would have to determine from what point of view are legal services to seen as efficient, convenient and cost-effective? From the lawyer s point of view? Or from the public s point of view? Clearly, it s the latter. Lawyers have an obligation to make their services efficient, convenient and cost-effective from the point of view of our clients. This is an ongoing obligation which requires lawyers to constantly re-assess if we are complying with these two rules in the way we manage our practices. So it should come as no surprise that efficiency, convenience and cost-effectiveness are at the heart of all the innovations that we are beginning to see sprout up across the legal landscape, including the move to the Cloud and the creation of virtual law firms. These legal innovators are taking their obligations under Rule 3.01(1) and Rule 2.01(1)(e) very seriously. The Cloud The Cloud has been around for a few years, but it has only been in the last 12 months that it has finally achieved critical mass in the commercial mainstream. And with the launch of Apple s icloud, awareness and use of the Cloud will only continue to grow. Simply put, the Cloud is a collection of IT services that are managed and housed by a third party; in other words, outsourced IT. Typically the Cloud is a huge conglomeration of powerful, lightening fast servers (sometimes called server farms ) situated in one or more locations. Why migrate to the Cloud? Outsourcing of any function is usually done because the outsourcer can perform those functions faster, better and cheaper. Outsourcing to the Cloud has a similar rationale. If you are a law firm, there are definite benefits to outsourcing your IT services to the Cloud. In the Cloud you can securely access your data from anywhere, at any time, from any device. The Cloud is scalable you are able to quickly scale your IT needs up or down. The Cloud allows you to reduce your upfront capital costs for servers, network infrastructure, software licences as well as the staff resources to configure servers, and redeploy that capital to other areas of your practice. Using the Cloud can also save you space (no server room is needed) and it reduces your cooling

costs. Software upgrades in the Cloud are performed automatically and seamlessly making it easier to migrate to another platform in the Cloud environment. In short, for law firms, IT services in the Cloud are far superior to those that could ever be cost-effectively created inhouse. The concept behind the Cloud is to share space in order to achieve a higher level of service. But sharing space means losing control - and you need to be comfortable with that. However, you need to weigh the loss of control against the business risk of not migrating to the Cloud. In other words, not moving to the Cloud may be a bigger risk than moving to it, especially if your competitors are already using the Cloud. How do you know if a Cloud provider is right for you? Migration to the Cloud should not be taken lightly and proper planning is required in order to ensure that the move achieves your goals. As a first step, every firm must ensure that the Cloud provider provides physical and electronic security for its data. 2 There is a common misconception that the Cloud makes your data less secure. In fact, the Cloud may actually make your data more secure. Think about it this way. The Cloud provider s core business is providing a secure server farm. Is data security your core business? Or, is your core business the provision of legal services and you dabble with IT in order to make that core business run well? In other words, is your security really better than that of a Cloud provider? Are your procedures really better than that of a Cloud provider? Are your back-ups, redundancies and disaster recovery really better than that of a company whose core business is to deal with these matters? And while major Cloud providers may be targets for hackers, these providers have also invested heavily to better guard against such attacks. Has your firm done the same? The Globe and Mail reported earlier this year that four major Toronto law firms have been targets of safety precaution. 2 Some businesses and law firms have chosen to encrypt data before it is stored in the Cloud as an extra

hackers in 2011; 3 so lawyers should derive little comfort from the fact that your servers are on site or that you don t see yourself as a target. In fact, the greatest risk to law firm client data comes from law firm employees; either because they are stealing data for profit 4 ; or they are taking your data home on a USB device, laptop or tablet and lose the device or the device is stolen. Beyond security issues, keep in mind that there are no legal regulations currently in place for Cloud providers. There is no Cloud Act that spells out the rules, regulations and liabilities around Cloud computing. And, there are no reported court decisions that set out what judges think about Cloud computing liability. In terms of industry standards, there are many that touch on environmental-friendliness, systems management, and American industrial competitiveness, however there are only two security-related standards that can give some comfort to Canadians using Cloud providers: (1) the Statement on Auditing Standards No. 70 (SAS 70) which allows an auditor to evaluate and issue an opinion on the Cloud provider s controls; and (2) an ISO 27001 certification. However, neither of these is mandatory and Cloud providers can still operate their businesses without them. I highly recommend that you spend a great deal of time working out your Cloud strategy and decide what it is that you are going to send to the Cloud, why you want to send it there and what you hope to achieve. Some law firms will start slowly and place only non-mission critical business processes and applications (such as email, human resources matters and customer relationship management) in the Cloud. Others move whole hog into the Cloud; any programs that you currently run for your legal practice (word processing, document assembly, accounting, email, time dockets) can be stored in the Cloud and many, if not all of them, can be run in the Cloud. Choose the path that makes you the most comfortable. 3 Major law firms fall victim to cyber attacks, Globe and Mail April 4, 2011 http://m.theglobeandmail.com/reporton-business/industry-news/the-law-page/major-law-firms-fall-victim-to-cyberattacks/article1972226/?service=mobile 4 When Temptation Bites, Canadian Lawyer Magazine, March 2010, http://www.canadianlawyermag.com/whentemptation-bites.html

When selecting a Cloud provider, you must perform the same due diligence that you would on any other business partner. How long has it been in business? What security breaches have there been? What do current clients say about its service? Contracts Once you selected a specific Cloud provider, you will review two critical documents that govern every Cloud relationship; the Cloud Contract, which sets out the terms of the relationship; and the Service Level Agreement (SLA). You must be fully aware of all the terms in each of these agreements and carefully consider how those terms impact your business. The following is a sample of issues to consider when reviewing the Cloud Contract: 1. Do you have the ability to audit the Cloud provider or get copies of their SAS 70 or other audits? 2. Who owns your data in the Cloud? 3. What does the Cloud provider do with its usage logs or other statistical data it collects on data and clients? Is it sold to third parties? 4. What are the Cloud provider s policies on access to data, including staff, outside consultants or other Cloud tenants? 5. What are the Cloud provider s security protocols for data protection, privacy, physical security and application security? 6. Does the Cloud provider understand your need for strict confidentiality of all data and will it agree to provide it? 7. Where is the data being stored (given that your data may be spread across many servers in many locations) and do the laws of that jurisdiction adversely affect the security of your data?

8. Is your data kept separate from that of other Cloud clients? 9. Who owns the Cloud back-ups and who has access to them? 10. What are the Cloud provider s disaster recovery processes? 11. How often does the Cloud provider back-up its servers? What is its redundancy? 12. What regulations can the Cloud provider verify that it adheres to? 13. If data needs to be transferred back to my firm, in what form will it be delivered? 14. What happens to my data when the Cloud provider goes bankrupt? 15. What are the notification procedures when the Cloud provider goes bankrupt, merges, amalgamates, or sells its business? 16. What are the Cloud provider s notification procedures for security breaches, either physical or electronic? 17. Does the Cloud provider pay your costs of notifying your clients of a cloud security breach? 18. Does the Cloud provider notify you when it is required by law or court order to deliver documents to a third party? 19. What happens when I need to transfer data to another Cloud provider? What format will it be in? How long will it take? What assistance will be provided and is there a cost?

20. What penalties are in place for a breach of terms of the Cloud contract? Are these penalties strong enough to motivate the Cloud provider to prevent breaches? In 2011, any penalties for breaches of the Cloud contract will likely be limited to the reimbursement of Cloud fees paid, or out-of-pocket expenses, if a Cloud client gets sued by its customers. A Cloud provider s SLA is the other important document governing your relationship and should also be read carefully. The SLA should be negotiated and tailored to reflect your specific needs. SLAs will cover the following key areas: Uptime: What does the Cloud provider consider to be uptime? Are there any exclusions to uptime, such as scheduled maintenance? How does any downtime impact your business? Performance: How is performance defined by the Cloud provider? What performance do you require in order to operate your business? Determine which parts of your business you cannot afford to be without and negotiate specific terms for those areas. Service/support performance: What are the hours for customer support? What support are you entitled to? What support do you require for your business? What are the performance metrics for support (call back in 15 minutes or 24 hours)? Parting Words Once you have selected an appropriate Cloud provider and negotiated the Cloud Contract and the SLA to a point with which you are comfortable, you will come to the final gut-check moment as you stand on the precipice of Cloud migration: it will not be possible or practical to migrate back to your old method of personally housing servers. Once you are in the Cloud, your business needs and your IT culture will have inexorably shifted to a new paradigm making it impossible to migrate back. In short, once you let the toothpaste out of the tube, you can t put it back in.

Cloud Ethical Matters This portion of the paper will deal with some ethical rules and considerations in connection with using the Cloud for your law practice. To date, no rule has been created by any bar associations or law societies in Canada to deal specifically with the Cloud. In Ontario, there are two rules that affect your decision to use the Cloud in your practice: rule 3.01(1) which I discussed in the introduction (which in my view compels all Ontario lawyers to consider how best to use the Cloud for their practices) and Rule 2.03(1). Rule 2.03(1) deals with confidentiality: 2.03 (1) A lawyer at all times shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship and shall not divulge any such information unless expressly or impliedly authorized by the client or required by law to do so. The commentary following this Rule is badly dated and does not deal with the Cloud. There is a misperception among the Ontario bar that moving data to the Cloud is automatically a breach of this rule because the Cloud is inherently unsafe. That is not true anymore than storing back-up disks or files outside a law office is a breach of this rule. Nor does this rule require lawyers to put in place an infallibly secure form of data storage. The Canadian Bar Association s Supplement to the Code of Professional Conduct entitled Guidelines for Practising Ethically with New Information Technologies makes no mention of the Cloud but it does recommend off-site storage and back-up of data 5 - which is similar to using the Cloud as these are typically provided by third parties. The Law Society of Upper Canada s Practice Management Guidelines are also silent on use of the Cloud however there is brief commentary that recommends that lawyers adopt adequate measures to protect 5 See section 5 of the Guidelines

against security threats, 6 and that back-up data should be stored in a secure off-site location, 7 which again is typically provided by third parties. There has been some commentary that moving to the Cloud requires disclosure and consent from clients. 8 However I find that view hard to reconcile with the CBA and Law Society requirements to store back-up data and files off-site, which would typically be done through a third party service provider; no such consent or disclosure is required in these instances. To avoid any uncertainty, the simplest course of action is to position your use of the Cloud as an efficiency enhancement in your retainer and on your website: In order to serve you better we use the latest cloud-based technologies for the management and storage of all files. One of the most important roles of any lawyer is to exercise good judgment and the materials in Appendices A and B from North Carolina and New York are fine examples of how some law associations and law societies recognize the need for lawyers to be able to take advantage of new technology in a manner that keeps them ethically grounded without being burdened by new rules. In a nutshell, the North Carolina Bar Association simply advises lawyers to make all necessary inquiries to satisfy themselves that the data will remain secure. The Law Society of British Columbia came out with a report on cloud computing in July, 2011 comes to a similar conclusion; lawyers using the Cloud must conduct proper due diligence in connection with the Cloud provider to ensure data safety. At the present time in Ontario, it is up to you to assess the efficiencies, convenience, costeffectiveness and other benefits of using the Cloud as required under Rule 3.01(1). It is also up to you to best manage the risk to client confidentiality when using the Cloud, keeping in mind that you are not required to keep data infallibly secure. This is the proper approach. 9 which 6 See Section 5.10 7 See Section 5.11 8 Kosa, James, Computing in the Cloud: A Warning for Lawyers, SLAW June 14, 2010 http://www.slaw.ca/2010/06/14/computing-in-the-cloud-a-warning-for-lawyers/ 9 Law Society of British Columbia, Report of the Cloud Computing Working Group, July 15, 2011, http://www.lawsociety.bc.ca/docs/publications/reports/cloudcomputing.pdf

The Virtual Practice of Law The virtual practice of law means different things to different people and the issues surrounding it are legion far too much for a small section of this paper. This section will merely highlight some of the things that you should consider before creating such a practice. The virtual practice of law is much more that lawyers using technology to serve their clients. It has to include an element whereby all services, meetings, communication and work are done within a virtual world or virtual office; one that has no physical presence. Stephanie Kimbro used the following definition in her book Virtual Law Practice: How to Deliver Legal Services Online (ABA, 2010): A virtual law practice is a professional law practice that exists online through a secure portal and is accessible to both the client and the lawyer anywhere the parties may access the Internet. Legal services are delivered online using this method. The lawyers and their clients have the ability to securely discuss matters online, download and upload documents for review, create legal documents, and handle other business transactions related to the delivery of legal services in a secure digital environment. This definition lends itself best to an entirely web-based firm; a firm in which lawyers do not share any physical office space nor have any physical interaction. That is a true Virtual Law Office (VLO). Most so-called VLO s however are hybrids of this model, but which ever type of VLO model you operate the ethical issues remain the same. If you create a VLO the most obvious benefits are that you have no physical overhead costs to carry and you have a new ability to serve clients anywhere in the province - or even outside of your province. Therein lies the main ethical issue: extra-territorial practice or unauthorized practice of law. The Law Society of Upper Canada s Practice Management Guidelines do not specially deal with VLOs but they do give minimal guidance in connection with the practice of law through the internet. Section 5.6 states: Ontario lawyers practising law in other jurisdictions through the provision of legal services on the Internet should respect and uphold the law of the other jurisdiction and not engage in the unauthorized practice of law.

It is unclear at this time as to how law societies will view VLOs and any allegation of unauthorized practice. The National Mobility Agreement between Canadian law societies currently allows Ontario lawyers to practise for up to 100 days in any other common law province. However, it is uncertain how that will be interpreted in connection with VLOs. Will law societies take a progressive, business-minded approach and consider only the time spent by a VLO on legal matters in a certain jurisdiction? Or will they take a more restrictive (and antiquated) approach and find that a VLO has established a 365-days-a-year office in that jurisdiction? The National Mobility Agreement provides little assistance in this regard. Section 7 of the Agreement states that: A host governing body will allow a lawyer from another jurisdiction to provide legal services in the host jurisdiction or with respect to the law of the host jurisdiction on a temporary basis, without a mobility permit or notice to the host governing body, for a total of not more than 100 days in a calendar year, provided the lawyer..has not established an economic nexus with the host jurisdiction as described in clause 16. Section 16 then states that: an economic nexus is established by actions inconsistent with temporary mobility to the host jurisdiction, including but not limited to doing any of the following in the host jurisdiction: (a) providing legal services beyond 100 days, or [any] longer period allowed ; (b) opening an office from which legal services are offered or provided to the public; (c) becoming resident; or (d) opening or operating a trust account, or accepting trust funds [in that jurisdiction]. It is hoped that law societies will opt for a more progressive approach in interpreting section 16 (b) of the National Mobility Agreement. Or course, if a VLO has lawyers in each province it may take advantage of Rule 3.04 regarding the creation of interprovincial law firms. The lack of direct client contact means that lawyers opening a VLO should carefully consider the following in their operations: 1. How to define and confirm in writing the lawyer-client relationship? 2. What security is in place to ensure the confidentiality of client information and where is your website really located? 3. How do you verify client identification?

4. How do you determine mental capacity, if needed? 5. How do you determine undue influence on a client? 6. Will the VLO have a physical office in the provinces where its lawyers are licensed? 7. Are there restrictions on VLOs in the provinces in which you wish to operate? 8. Does the VLO website contain disclosure on what, how and where the VLO operates along with disclaimers so that visitors and clients understand how the firm operates? 9. Does the VLO comply with the rules of professional conduct for every jurisdiction in which its lawyers are licensed? And when those rules differ, does the firm comply with the most stringent standards? 10. When the rules in section 9 above conflict, has the VLO taken reasonable steps to ensure that the manner in which it practices in each province is consistent with the appropriate rules? 11. What are the VLO rules about declining work from provinces in which the firm is not permitted to practice or which prohibit lawyers from practicing in a VLO? The United States is far ahead of Canada in thinking about the issues raised by VLOs 10. The ABA/LPM elawyering Task Force s Suggested Minimum Requirements for Law Firms Delivering Legal Services Online, suggests the following also be considered: 1. The VLO website must contain a secure client web space that is accessible only with a user name and secure password; 2. The VLO must have a system of conflict checking in place; 3. he VLO must not violate the rules governing the unauthorized practice of law and must serve only clients who are residents of the state(s) where the firm is authorized to practice, or clients who have a matter within the state(s) where the firm is authorized to practice; 10 The Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility issued Formal Opinion 2010-200, Ethical Obligations on Maintaining a Virtual Office for the Practice of Law in Pennsylvania which provides guidelines for creating a VLO that complies with its Rules of Professional Conduct. The New Jersey Advisory Committee on Professional Ethics and the Committee on Attorney Advertising issued a Joint Opinion that permits an attorney who has a physical office to also have a satellite office that is a virtual office, but no lawyer may operate solely from a virtual office.

4. The firm must have a procedure to verify that it is authorized to provide services to every client; 5. Attorneys must comply with any residency or bona fide office requirements and, when applicable, inform the public that [the firm] does not have a physical law office in a state or that the firm s attorneys reside in a state other than the one in which they are offering services; 6. The website should include a disclaimer that clarifies any UPL limitations; 7. The website should clearly describe any limitations on its services, the requirements necessary to establish a lawyer-client relationship, and contain disclaimers addressing the creation of the lawyer-client relationship; 8. The website should clearly state that any legal information on it is not legal advice, and that a lawyer-client relationship must be established before legal services are provided; 9. Each client must accept and agree to a retainer/fee agreement whether in writing or created in a variety of electronic formats outlining the scope of legal services when becoming a client and that the acceptance of the agreement establishes the lawyerclient relationship; 10. No legal services will be provided until a lawyer-client relationship is established; 11. If applicable, the firm complies with any client-identification rules, even if the client is an online client; 12. The firm website must comply with all rules of professional responsibility that apply to marketing and/or advertising; 13. Payment of fees must comply with all rules governing attorney trust accounts, as well as any federal regulations, such as PCI compliance; 14. All data that is transferred online between the website and the firm must be encrypted; 15. Third-party hosting providers should have policies and procedures addressing security breaches, data theft, privacy and other concerns; 16. Contracts with hosting providers should specify when the provider s staff has access to client files and state that if the vendor s staff is accessing client data for technical

reasons, they are functioning as agents of the law firm as if they were the law firm s internal staff; 17. There should be procedures to guarantee the security of client data, provide for redundant backups, and offer a procedure for exporting the data at the firm s request; and 18. The firm should consider obtaining certifications that confirm the security and the privacy policy of its websites. Most of these are also worthy of consideration by Canadian lawyers wishing to create VLOs. In conclusion, while opening a VLO fuels a romantic notion of working from a cottage on the shores of a quiet lake, there is a great deal of work that needs to be done before you make your romantic dream a reality. Be careful out there.

APPENDIX A Note: Software as a service (SaaS) is third party managed software in a Cloud environment, which lawyers pay a monthly or annual user fee for the right to use that software instead of purchasing it. North Carolina Bar Association Proposed 2010 Formal Ethics Opinion 7 Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property April 15, 2010 Proposed opinion rules that a law firm may contract with a vendor of software as a service provided the risks that confidential client information may be disclosed or lost are effectively minimized. Inquiry #1: Much of software development, including the specialized software used by lawyers for case/practice management, document management and billing/financial management, is moving to the software as a service (SaaS) model. In the article Software as a Service (SaaS) Definition and Solutions, Meridith Levinson, writing for the CIO website, explains SaaS as follows: Generally speaking, it s software that s developed and hosted by the SaaS vendor and which the end user customer accesses over the Internet. Unlike traditional packaged applications that users install on their computers or servers, the SaaS vendor owns the software and runs it on computers in its data center. The customer does not own the software but effectively rents it, usually for a monthly fee. 11 11 http://www.cio.com/article/109704/software_as_a_service_saas_definition_and_solutions Meridith Levinson, Software as a Service (SaaS) Definition and Solutions, CIO.com (March 15, 2007; accessed March 4, 2010)

The American Bar Association s Legal Technology Resource Center explains SaaS as follows: SaaS is distinguished from traditional software in several ways. Rather than installing the software to your computer or the firm's server, SaaS is accessed via a web browser (like Internet Explorer or FireFox) over the Internet. Data is stored in the vendor's data center rather than on the firm's computers. Upgrades and updates, both major and minor, are rolled out continuously. And perhaps most importantly, SaaS is usually sold on a subscription model, meaning that users pay a monthly fee rather than purchasing a license up front. 12 SaaS for law firms may involve the storage of a law firm s data, including client files, billing information, and work product, on remote servers rather than on the law firm s own computer and, therefore, outside the direct control of the firm s lawyers. Given the duty to safeguard confidential client information, including protecting that information from unauthorized disclosure; the duty to protect client property from destruction, degradation or loss (whether from system failure, natural disaster, or dissolution of a vendor's business); and the continuing need to retrieve client data in a form that is usable outside of the vendor's product i ; may a law firm use SaaS? Opinion #1: Yes, provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss. Rule 1.6 of the Rules of Professional Conduct states that a lawyer may not reveal information relating to the representation of a client unless the client gives informed consent or the disclosure is impliedly authorized to carry out the representation. Comment [17] explains, A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer s supervision. Comment [18] adds that, when transmitting confidential client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. 12 FYI: Software as a Service (Saas) for Lawyers, ABA Legal Technology Resource Center < http://www.abanet.org/tech/ltrc/fyidocs/saas.html>.

Rule 1.15 also requires a lawyer to preserve client property, including information in a client s file such as client documents and lawyer work product, from risk of loss due to destruction, degradation or loss. See also RPC 209 (noting the general fiduciary duty to safeguard the property of a client ); RPC 234 (duty to store original documents with legal significance in a safe place or return to client); and 98 FEO 15 (lawyer must exercise due care when selecting depository bank for trust account). Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has long held that this duty does not compel any particular mode of handling confidential information nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information. See RPC 133 (no requirement that firm s waste paper be shredded if lawyer ascertains that persons or entities responsible for the disposal employ procedures that effectively minimize the risk that confidential information may be disclosed). Moreover, the committee has held that, while the duty of confidentiality extends to the use of technology to communicate, this obligation does not require that a lawyer use only infallibly secure methods of communication. RPC 215. Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential communications and the lawyer must advise effected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality. 13 Furthermore, in 2008 FEO 5, the committee has already held that the use of a web-based document management system that allows both the law firm and the client access to the client's file is permissible: provided the lawyer can fulfill his obligation to protect the confidential information of all clients. A lawyer must take steps to minimize the risk that confidential client information will be disclosed to other clients or to third parties. See RPC 133 and RPC 215.A security code access procedure that only allows a client to access its own confidential information would be an appropriate measure to protect confidential client information.if the law firm will be contracting with a third party to maintain the web-based management system, the law firm must ensure that the third party also employs measures which effectively minimize the risk that confidential information might be lost or disclosed. See RPC 133. In a recent ethics opinion, the Arizona State Bar s Committee on the Rules of Professional Conduct, concurred with 2008 FEO 5, holding that a law firm may use an online file storage and retrieval system that allows clients to access their files over the Internet provided the firm takes reasonable precautions to protect the security and confidentiality of client documents and information. 14 13 Id. 14 Arizona State Bar Committee on Rules of Professional Conduct, Opinion 09-04 (Dec. 9, 2009).

In light of the above, the Ethics Committee concludes that a law firm may use SaaS if reasonable care is taken effectively to minimize the risks to the confidentiality and to the security of client information and client files. However, the law firm is not required to guarantee that the system will be invulnerable to unauthorized access. 15 Note that no opinion is expressed on the business question of whether SaaS is suitable for a particular law firm. 15 Id.

Inquiry #2: Are there any best practices that a law firm should follow when contracting with a SaaS vendor to minimize the risk? Opinion #2: Yes, a lawyer should be able to answer the list of questions below satisfactorily in order to conclude that the risk has been minimized. However, the list is not all inclusive and consultation with a security professional competent in the area of online computer security is recommended when contracting with a SaaS vendor. Moreover, given the rapidity with which computer technology changes, what may constitute reasonable care may change over time and a law firm would be wise periodically to consult with such a professional. The lawyer or law firm should be able to answer the following questions sufficiently to conclude that the risk to confidentiality and security of client file information is minimal 16 : What is the history of the SaaS vendor? Where does it derive funding? How stable is it financially? Has the lawyer read the user or license agreement terms, including the security policy, and does he/she understand the meaning of the terms? Does the SaaS vendor's Terms of Service or Service Level Agreement address confidentiality? If not, would the vendor be willing to sign a confidentiality agreement in keeping with the lawyer s professional responsibilities? Would the vendor be willing to include a provision in that agreement stating that the employees at the vendor s data center are agents of the law firm and have a fiduciary responsibility to protect client information? How does the SaaS vendor, or any third party data hosting company, safeguard the physical and electronic security and confidentiality of stored data? Has there been an evaluation of the vendor s security measures including the following: firewalls, encryption techniques, socket security features, and intrusion-detection systems? Has the lawyer requested copies of the SaaS vendor s security audits? Where is data hosted? Is it in a country with less rigorous protections against unlawful search and seizure? Who has access to the data besides the lawyer? Who owns the data the lawyer or SaaS vendor? 16 Erik Mazzone, Director of Center for Practice Management, North Carolina Bar Association (in email communications with counsel to the Ethics Committee, 3/30/10 and 3/31/10) and ABA Legal Technology Resource Center, see fn. 2.

If the lawyer terminates use of the SaaS product, or the service otherwise has a break in continuity, how does the lawyer retrieve the data and what happens to the data hosted by the service provider? If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code? Can the lawyer get data "off" the servers for the lawyer s own offline use/backup? If the lawyer decides to cancel the subscription to SaaS, will the lawyer get the data? Is data supplied in a nonproprietary format that is compatible with other software? How often is the user's data backed up? Does the vendor backup data in multiple data centers in different geographic locations to safeguard against natural disaster? If clients have access to shared documents, are they aware of the confidentiality risks of showing the information to others? See 2008 FEO 5. Does the law firm have a back-up for shared document software in case something goes wrong, such as an outside server going down?

APPENDIX B NEW YORK STATE BAR ASSOCIATION Committee on Professional Ethics Opinion 842 (9/10/10) Topic: information. Using an outside online storage provider to store client confidential Digest: A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer s obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client s information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege. Rules: 1.4, 1.6(a), 1.6(c) QUESTION 1. May a lawyer use an online system to store a client's confidential information without violating the duty of confidentiality or any other duty? If so, what steps should the lawyer take to ensure that the information is sufficiently secure? OPINION2. Various companies offer online computer data storage systems that are maintained on an array of Internet servers located around the world. (The array of Internet servers that store the data is often called the cloud.") A solo practitioner would like to use one of these online cloud computer data storage systems to store client confidential information. The lawyer s aim is to ensure that his clients information will not be lost if something happens to the lawyer s own computers. The online data storage system is password-protected and the data stored in the online system is encrypted. 3. A discussion of confidential information implicates Rule 1.6 of the New York Rules of Professional Conduct (the Rules ), the general rule governing confidentiality. Rule 1.6(a) provides as follows: A lawyer shall not knowingly reveal confidential information... or use such information to the disadvantage of a client or for the advantage of a lawyer or a third person, unless: (1) the client gives informed consent, as defined in Rule 1.0(j); (2) the disclosure is impliedly authorized to advance the best interests of the client and is either reasonable under the circumstances or customary in the professional community; or (3) the disclosure is permitted by paragraph (b). 4. The obligation to preserve client confidential information extends beyond merely prohibiting an attorney from revealing confidential information without client consent. A lawyer must also take reasonable care to affirmatively protect a client s confidential information. See N.Y. County 733 (2004)

(an attorney must diligently preserve the client s confidences, whether reduced to digital format, paper, or otherwise ). As a New Jersey ethics committee observed, even when a lawyer wants a closed client file to be destroyed, "[s]imply placing the files in the trash would not suffice. Appropriate steps must be taken to ensure that confidential and privileged information remains protected and not available to third parties." New Jersey Opinion (2006), quoting New Jersey Opinion 692 (2002). 5. In addition, Rule 1.6(c) provides that an attorney must exercise reasonable care to prevent... others whose services are utilized by the lawyer from disclosing or using confidential information of a client except to the extent disclosure is permitted by Rule 1.6(b). Accordingly, a lawyer must take reasonable affirmative steps to guard against the risk of inadvertent disclosure by others who are working under the attorney s supervision or who have been retained by the attorney to assist in providing services to the client. We note, however, that exercising "reasonable care" under Rule 1.6 does not mean that the lawyer guarantees that the information is secure from anyunauthorized access. 6. To date, no New York ethics opinion has addressed the ethics of storing confidential information online. However, in N.Y. State 709 (1998) this Committee addressed the duty to preserve a client s confidential information when transmitting such information electronically. Opinion 709 concluded that lawyers may transmit confidential information by e-mail, but cautioned that lawyers must always act reasonably in choosing to use e-mail for confidential communications. The Committee also warned that the exercise of reasonable care may differ from one case to the next. Accordingly, when a lawyer is on notice that the confidential information being transmitted is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer s control, the lawyer must select a more secure means of communication than unencrypted Internet e-mail. See also Rule 1.6, cmt. 17 (a lawyer must take reasonable precautions to prevent information coming into the hands of unintended recipients when transmitting information relating to the representation, but is not required to use special security measures if the means of communicating provides a reasonable expectation of privacy). 7. Ethics advisory opinions in several other states have approved the use of electronic storage of client files provided that sufficient precautions are in place. See, e.g., New Jersey Opinion 701 (2006) (lawyer may use electronic filing system whereby all documents are scanned into a digitized format and entrusted to someone outside the firm provided that the lawyer exercises reasonable care, which includes entrusting documents to a third party with an enforceable obligation to preserve confidentiality and security, and employing available technology to guard against reasonably foreseeable attempts to infiltrate data); Arizona Opinion 05-04 (2005) (electronic storage of client files is permissible provided lawyers and law firms take competent and reasonable steps to assure that the client s confidences are not disclosed to third parties through theft or inadvertence ); see also Arizona Opinion 09-04 (2009) (lawyer may provide clients with an online file storage and retrieval system that clients may access, provided lawyer takes reasonable precautions to protect security and confidentiality and lawyer periodically reviews security measures as technology advances over time to ensure that the confidentiality of client information remains reasonably protected).

8. Because the inquiring lawyer will use the online data storage system for the purpose of preserving client information - a purpose both related to the retention and necessary to providing legal services to the client - using the online system is consistent with conduct that this Committee has deemed ethically permissible. See N.Y. State 473 (1977) (absent client s objection, lawyer may provide confidential information to outside service agency for legitimate purposes relating to the representation provided that the lawyer exercises care in the selection of the agency and cautions the agency to keep the information confidential); cf. NY CPLR 4548 (privileged communication does not lose its privileged character solely because it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to its contents). 9. We conclude that a lawyer may use an online cloud computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained. Reasonable care to protect a client s confidential information against unauthorized disclosure may include consideration of the following steps: Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information; Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or 10. Technology and the security of stored data are changing rapidly. Even after taking some or all of these steps (or similar steps), therefore, the lawyer should periodically reconfirm that the provider s security measures remain effective in light of advances in technology. If the lawyer learns information suggesting that the security measures used by the online data storage provider are insufficient to adequately protect the confidentiality of client information, or if the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated. See Rule 1.4 (mandating communication with clients); see also N.Y. State 820 (2008) (addressing Web-based email services).

11. Not only technology itself but also the law relating to technology and the protection of confidential communications is changing rapidly. Lawyers using online storage systems (and electronic means of communication generally) should monitor these legal developments, especially regarding instances when using technology may waive an otherwise applicable privilege. See, e.g., City of Ontario, Calif. v. Quon, 130 S. Ct. 2619, 177 L.Ed.2d 216 (2010) (holding that City did not violate Fourth Amendment when it reviewed transcripts of messages sent and received by police officers on police department pagers); Scott v. Beth Israel Medical Center, 17 Misc. 3d 934, 847 N.Y.S.2d 436 (N.Y. Sup. 2007) (e-mails between hospital employee and his personal attorneys were not privileged because employer s policy regarding computer use and e-mail monitoring stated that employees had no reasonable expectation of privacy in e-mails sent over the employer's e-mail server). But see Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 990 A.2d 650 (2010) (despite employer s e-mail policy stating that company had right to review and disclose all information on the company s media systems and services and that e-mails were not to be considered private or personal to any employees, company violated employee's attorney-client privilege by reviewing e-mails sent to employee s personal attorney on employer's laptop through employee s personal, password-protected e-mail account). 12. This Committee s prior opinions have addressed the disclosure of confidential information in metadata and the perils of practicing law over the Internet. We have noted in those opinions that the duty to exercise reasonable care to prevent disclosure of confidential information may, in some circumstances, call for the lawyer to stay abreast of technological advances and the potential risks in transmitting information electronically. N.Y. State 782 (2004), citing N.Y. State 709 (1998) (when conducting trademark practice over the Internet, lawyer had duty to stay abreast of this evolving technology to assess any changes in the likelihood of interception as well as the availability of improved technologies that may reduce such risks at reasonable cost ); see also N.Y. State 820 (2008) (same in context of using e-mail service provider that scans e-mails to generate computer advertising). The same duty to stay current with the technological advances applies to a lawyer's contemplated use of an online data storage system. CONCLUSION 13. A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer s obligations under Rule 1.6. A lawyer using an online storage provider should take reasonable care to protect confidential information, and should exercise reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client s information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the cloud will not waive or jeopardize any privilege protecting the information.

APPENDIX C

Publication Note: The following Chapter will appear in a forthcoming book by Nicole Black entitled Cloud Computing for Lawyers to be published by the ABA Law Practice Management Section in the fall of 2011. Chapter 4 Ethical Implications of Cloud Computing in Law Practice By Stephanie Kimbro 1 Ethics issues related to the use of cloud computing in law practice can be sorted into two primary categories. The first category of ethics issues relates to the lawyer s selection of the cloud-computing technology and vendor services that will be used in the law practice. Second, the lawyer faces ethics risks in the daily use of the technology after it has been integrated into the law firm. Ethical issues that may arise in the use of cloud computing depend on the intended use of the technology in practice management. For example, a law firm using a software as a service (SaaS) product for online marketing of the firm is going to run into a different set of issues than the lawyer who is using a Web-based research tool to prepare for a client s case. There will be an increased ethics risk depending on whether the use of cloud computing for the law firm is private, public, or a hybrid of services. Also, it depends on the type of data that will be placed in the cloud, who will be receiving the data when it is transferred and stored in the cloud, the countries in which these parties are located, and whether international electronic data and privacy laws be implicated. This chapter will not attempt to provide an exhaustive discussion of each of the implicated ethics issues and the rules of professional responsibility that may be impacted by them. Instead, this chapter will serve as an introduction to the key ethics issues using the American Bar Association s (ABA) Model Rules as a guidepost and show how different state bars and the ABA are addressing these concerns. Lawyers should consult 1 Stephanie Kimbro, MA, JD, has operated a Web-based virtual law office in North Carolina since 2006 and delivers unbundled estate planning to clients online. She is the recipient of the 2009 ABA Keane Award for Excellence in elawyering and the author of Virtual Law Practice: How to Deliver Legal Services Online, published by the ABA/LPM, October, 2010. She serves as the Vice-Chair of the ABA LPM Ethics and Professional Responsibility Task Force and as a member of the ABA LPM Council. She authors the Virtual Law Practice blog which discusses current ethics opinions and issues related to lawyers use of technology.

with their individual state bar s rules of professional conduct when integrating cloudbased technology into practice management. A. Duty of Confidentiality (Model Rule 1.6(a)) and Safeguarding Client Property (Model Rule 1.15) The duties of confidentiality and to safeguard client property comes into play when confidential client information is transferred and/or stored in a cloud-based system and with almost all uses of cloud computing by lawyers, from cloud-based e-mail to fullscale online delivery of legal services. For example, a lawyer waiting in an airport uses the free WiFi access to download his e-mail from a Web mail server. He receives an e-mail from a client containing confidential information in the form of the client s social security number and bank accounts that the lawyer had requested for use in the client s case. The lawyer replies to the client using the Web-based e-mail service and attaches a draft document for the client to review. The transmission of data was not encrypted because it was sent through a Web-based e-mail server over public wireless. The lawyer continues to use the free WiFi to enter his username and password into a poorly configured remote virtual private network (VPN) that logs him into his firm s computer. (A VPN provides users with secure access to their organization's network, generally via an Internet connection). During the time of this brief transaction, a hacker used the public hotspot to view everything on the lawyer s screen, including the username and password to his Webbased e-mail account. The lawyer uses the same username and password for all his accounts, both personal and business-related. A hacker has the ability to access the client s confidential information as well as watch the lawyer s actions as he works over the public WiFi on the firm s VPN. The ethics concern that reaches over all aspects of cloud computing use in practice management is the lawyer s compliance with the ABA s Model Rules of Professional Conduct Rule 1.6(a) regarding confidentiality and Rule 1.15 regarding the safekeeping of client property. 2 Rule 1.15(a) provides that [a] lawyer shall hold property 2 MODEL RULES OF PROF L CONDUCT R. 1.6 available at http://www.abanet.org/cpr/mrpc/rule_1_6.html (last visited July 11, 2011). For a detailed analysis and review of ABA Model Rule 1.6(a) and other state

of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property. Funds shall be kept in a separate account maintained in the state where the lawyer's office is situated, or elsewhere with the consent of the client or third person. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation. 3 Rule 1.6(a) provides that A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation.... Comment 17 to this rule provides that lawyers must take reasonable precautions to safeguard confidential information and prevent it from going to unintended recipients during the transmission. Rule 1.6(a) sets the standard for safeguarding client property, but begs the question of what constitutes reasonable precaution. For the lawyer to assume that he or she has taken reasonable precautions with the tools chosen to practice law, the lawyer must do his or her due diligence in researching and understanding the risk and benefits of the technology used to transmit and store confidential law office data. Chapter in this book provides a useful checklist of items to research when conducting due diligence in selecting a vendor. The concern echoed by different state bars regarding Rules 1.6 and 1.15 is that some lawyers may not have the technical knowledge to select the appropriate provider or know how to implement and maintain the technology in their own practice after making a selection. To remedy this, several proposed state bar ethics opinions are attempting to come up with a set of guidelines and questions for lawyers to use when researching their technology provider. For example, the North Carolina State Bar published Proposed Formal Ethics Op. 6 (2011), which specifically addresses the use of Software as a Service (SaaS), one form of cloud computing, in law practice. The proposed opinion contains a list of minimum bar opinions related to the duty of confidentiality, see Washington State Bar Association, Advisory Op. 2080 (2006), available at http://mcle.mywsba.org/io/print.aspx?id=1553 (last visited July 11, 2011). 3 MODEL RULES OF PROF L CONDUCT R. 1.15, available at http://www.abanet.org/cpr/mrpc/rule_1_15.html (last visited July 11, 2011). Comment 1 of Rule 1.15 provides that [a] lawyer should hold property of others with the care required of a professional fiduciary.

requirements that must be met before the lawyer may use the cloud-based product in his or her practice. These requirements include the lawyer s due diligence in researching the ability of the vendor to protect the confidentiality of client data. At the time of this writing, the proposed opinion has been returned to a subcommittee of the North Carolina State Bar Ethics Committee for further study, with the potential for a revised opinion. On a national level, the International Legal Technology Standards Organization (ILTSO) has published a set of standards for the use of technology in law practice. 4 The organization launched in April, 2011 with the intention of providing updated technology guidance with a emphasis on cloud-based technology. Ensuring the security of mobile devices and applications and protecting the confidentiality of client information when using cloud-based technology is a primary focus of the ILTSO Standards. The organization intends to update the Standards on a regular basis to keep them current with changes in technology and hopes to provide state bars and their members with the guidance they need to safely use cloud computing in law practice. 5 State bars are beginning to recognize different levels of security in electronic communication and that they need to avoid lumping all forms of cloud-based technology into regulations that limit use without taking these distinctions into consideration. Ethics rules regarding the use of e-mail are a good example. One cloud-based e-mail service may provide unencrypted communication, but other cloud-based e-mails solutions may provide end-to-end encryption of data, a higher security standard. Although many state bars have ethics opinions approving of the use of unencrypted e-mail in law practice management, current technology and security industry standards tell us that unencrypted e-mail may not be the most secure method of transferring digital data. Both Nevada and Massachusetts have recently passed data privacy laws requiring encryption of personal information that is processed by a business entity. 6 Both states laws find that, for the confidential data to be adequately protected, it must be encrypted. Under Nevada s law, 4 International Legal Technology Standards Organization, http://www.iltso.org/iltso/welcome.html (last visited July 29, 2011). 5 As a sign that state bars may welcome the guidance provided in the ILTSO Standards, the footnotes of the proposed North Carolina Ethics Op. No. 6 (2011) referred to the Standards as a resource for guidance for lawyers researching cloud computing. 6 See MASS. GEN. LAWS ch. 93A, Regulation of Business Practices for Consumers Protection, available at http://www.mass.gov/legis/laws/mgl/gl-93a-toc.htm (last visited July 11, 2011).

any business that stores personal information where the data is stored out of the physical control of the business must be encrypted. 7 These laws recognize that unencrypted methods, such as most e-mail used by law firms, are not secure methods of storing confidential data under today s technology standards. Accordingly, a lawyer who is considering using a cloud-based technology that is unencrypted should consider whether the use of that method meets the requirement of reasonable precaution found in Model Rule 1.6(a). Likewise, the lawyer must consider whether the use of this technology may be relied upon to safeguard the client s property as required by Model Rule 1.15. More recently, the California State Bar published an ethics opinion that addresses the lawyer s duty of confidentiality to clients using technology that may be accessed by a third-party. 8 Formal Ethics Opinion 2010-179 published in December 2010 provides: [w]hether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client s instructions and circumstances, such as access by others to the client s devices and communications. Although it does not provide specific technical requirements, the opinion does give a process for making a determination of whether the use of the technology is ethical for the law practice within the specifics of the firm s situation. The opinion is unique because it is one of the first ethics opinions to specifically provide that a lawyer s use of public wireless to conduct business does not protect client confidentiality. By requiring 7 See NEV. REV. STAT. ch. 603A (2009), Security of Personal Information, available at http://search.leg.state.nv.us/isysquery/irl5021/1/doc (last visited January 25, 2011). AUTHOR THIS LINK IS BROKEN, PLEASE REVISE. 8 California State Bar, Formal Ethics Op. 2010-179 (2010), available at http://ethics.calbar.ca.gov/linkclick.aspx?fileticket=wmqecihp7h4%3d&tabid=836 (last visited Feb. 3, 2011). AUTHOR THIS LINK IS BROKEN. PLEASE VERIFY.

lawyers to use encrypted, private networks, this opinion has gone a step further to educate the legal profession about the safe use of cloud-based technology in practice management. Future ethics opinions relating to the use of cloud computing and client confidentiality, such as the proposed North Carolina Formal Ethics Opinion 7, may include more specific guidelines for lawyers to use when taking reasonable precautions to ensure that the use of technology protects their client s confidential data. On September 20, 2010, the ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies published for comment an Issues Paper Concerning Client Confidentiality and Lawyers Use of Technology. 9 The paper discusses the Commission s review of the use of technology by lawyers to transmit and store confidential information. Proposed guidelines, educational whitepapers, and proposed changes to the model rules are included at the end of the issues paper. The commission held hearings in Chicago in December 2010 from parties interested in providing them with information about how the legal profession is using cloud computing in different forms to practice law. Another ethics issues that comes up in cloud computing under Rule 1.15 is the removal of the client s property from the cloud-based application. Lawyers using cloud computing to store client property must ensure that the technology provider has a return and retention policy that ensures that there are methods in place for the lawyer to remove the data and return it to the client. Terms in the service-level agreement with the provider cannot hold the client s data hostage. Furthermore, Rule 1.15 requires that lawyers retain their client s files for a period of five years following the representation. Lawyers retaining files in digital format through cloud-based systems must comply with this rule whether those files appear as archived in the system for that time-period or whether they must be exported and retained in digital format off the cloud and in the law firm s in-house control. Law firms using cloud-based applications to invoice and receive payments for legal services online from third-party processing companies should also be careful about 9 ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies Issues Paper Concerning Client Confidentiality and Lawyers Use of Technology, available at http://www.abanet.org/ethics2020/pdfs/clientconfidentiality_issuespaper.pdf (last visited Feb. 3, 2011). AUTHOR LINK IS BROKEN, PLEASE VERIFY

compliance with Rule 1.15. Certain cloud-based online payment systems may not automatically route funds to the law firm s trust account, and some might attempt to take per transaction or other administrative fees out of the client s funds intended to be held in trust by the law firm. Law firms should be careful to select a cloud provider that has an understanding of lawyer s trust accounting and interest on lawyers trust accounts (IOLTA) compliance as required by most state bars. It is important to remember that most state bars ethics opinions relating to technology may be outdated and approve of digital methods of communication that no longer meet today s security standards. Although many state bars are publishing new opinions that relate to cloud computing and/or third-party hosting and storage of law office data, many lawyers are left interpreting older ethics opinions to their duty to protect the confidentiality of their client s matter. Fortunately, some practice management advisors at various state bars and other entities, including some legal SaaS vendors, are drafting guidelines and providing educational content for lawyers to understand how they may conduct their due diligence of researching a cloud-based solution for their practice. Other issues come up after the cloud-based technology is chosen that relate to the lawyer s use of the technology, but also to how they handle a breach of the client s data. Concerns over confidentiality and compliance with Rule 1.6 (a) and Rule 1.15 are the over-arching ethics concern that looms over the general use of all cloud computing in practice management, regardless of the specific application or intended use by the lawyer. 10 B. Legal Compliance Issues and Security Legal compliance issues and security are of concern to multijurisdictional law firms, U.S.-based firms working with clients, and lawyers located outside of the United States. Closely related to the lawyer s professional responsibility to comply with Rules 1.6 and 1.15, the use of cloud computing in law practice may raise questions of 10 For further reading, see The ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Issues Paper Concerning Client Confidentiality and Lawyers Use of Technology (Sept. 20, 2010), http://www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issue spaper.authcheckdam.pdf (last visited July 11, 2011); ABA Comm. on Ethics and Prof l Responsibility, Formal Op. 99-413 (1999) (discussing confidentiality issues of using unencrypted e-mail).

compliance with federal security protocols, such as the National Bureau of Standards and the NAS under the Computer Security Act. 11 This chapter will not attempt to go into this complicated topic in great detail other than to give the reader a perspective on International laws and U.S.-based initiatives that may shape the use of cloud computing for legal professionals in the United States. There are certain federal laws that may need to be updated to adequately reflect the use of cloud computing before some law firms will feel confident using cloud-based technologies for law practice. The Electronic Communications Privacy Act (ECPA) was amended in 1996 to increase privacy protections on electronic data and to require a higher standard of care before law enforcement may gain access to electronic data. 12 The definition of communication in the ECPA has changed drastically since the act was originally written in 1986. Even amendments in the late 1990s did not correct the disparity between the statute and current methods of electronic communication. The result has been a significant lack of privacy for users. Similarly, Title II of the ECPA, titled the Stored Communication Act, may not contain adequate distinctions among different forms of digital storage to make it clear at what point the service provider may access the data for its own purpose or hand it over in response to government requests. Because of the lack of stringent privacy laws protecting electronic data in the United States, members of the European Union (EU) may not legally handle or store data in the United States that would be subject to these regulations. This may affect law firms transmitting and storing client electronic data overseas. The EU Data Protection Directive protects personal information for all member states, and the 2002 Directive on Privacy and Electronic Communications addresses the use of cookies. 13 Users of electronic communications within the EU member states are provided with clear information about 11 Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (codified at 40 U.S.C. 759 (2006)). AUTHOR PLEASE VERIFY CODIFIED AT 12 Electronic Communications Privacy Act of 1986, ECPA Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified at 18 U.S.C. 2510). PLEASE VERIFY CODIFIED AT 13 See Council Directive 95/46, 1995 O.J. (L 281) 31 (EC), available at http://www.cdt.org/privacy/eudirective/eu_directive_.html (last visited July 11, 2011); Council Directive 2002/58, 2002 O.J. (L 201) (EC), available at http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2002:201:0037:0047:en:pdf (last visited Feb. 4, 2011); AUTHOR LINK BROKEN; PLS VERIFYThe Privacy and Electronic Communications (EC Directive) Regulations, 2003, No. 2426, available at http://www.legislation.gov.uk/uksi/2003/2426/contents/made (last visited July 11, 2011).

the collection of their personal information and are given the right to refuse the collection. In 2009, a different eprivacy Directive in the EU was published which addresses the third-party storage of personal information. 14 This directive requires that the thirdparty who wishes to collect and store personal information must first obtain the consent from the user after providing them with clear and thorough information about storage and access. Even if the third-party is only collecting a username or identity that is not the user s real name, the Data Protection Directive applies. Storage of consumer data outside of the EU might be in violation of the Directive. Therefore, even a law firm using a cloud-computing solution that includes a client portal would still be subject to the Directive. Another barrier to the use of cloud computing internationally in the legal profession is the 2001 US Patriot Act. 15 The Patriot Act gives broad rights to the U.S. government to access data transferring through and/or stored in the country. When this risk of government access to data is paired with the EU Directive, the majority of EUmember businesses are not likely to engage in cloud-based transactions with third-party technology vendors or businesses in the United States where their data might be stored on servers located within the reach of U.S. laws. Even non-eu-member states may be wary of the Patriot Act s reach. A 2010 article on virtual law firms published by the Law Society of British Columbia observed the potential risk for Canadian lawyers to house law office data on servers located within the United States as a result of the Patriot Act. 16 In fact, only a few countries outside of the EU have a level of data protection that would comply with the directive. For now, if a business that works with EU state members wants to use cloud computing, it would have to use a third-party cloud-computing service located in the EU and make sure that no personal information left an EU member country. 14 Council Directive 2009/136, 209 O.J. (L 337) (EC) (Nov. 25, 2009), available at http://eurlex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2009:337:0011:0036:en:pdf (last visited Feb. 4, 2011). AUTHOR: LINK BROKEN, PLS VERIFY 15 U.S. Patriot Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001), available at http://epic.org/privacy/terrorism/hr3162.html (last visited July 11, 2011). 16 Law Society of British Columbia, The Real World of Virtual Law Firms, 3 BENCHERS BULLETIN (Fall 2010), http://www.lawsociety.bc.ca/page.cfm?cid=162&t=the-real-world-of-virtual-law-firms.

Because of the potential chill on international business in the United States, not to mention innovation in business technology, several U.S.-based initiatives have formed to encourage changes in legislation. The Digital Due Process (DDP) coalition is attempting to update the current legislation that governs how law enforcement accesses electronic data, including changing the ECPA to address the realities of cloud computing. 17 Microsoft announced an initiative called the Cloud Computing Advancement Act, which proposes, among other things, changes to the ECPA to increase data privacy protection, to more clearly define electronic communications with current technology, and to provide users with more information about the service provider and control over the data that is collected by that third-party. 18 In a similar initiative, IBM published the Open Cloud Manifesto in the spring of 2009 to encourage open standards in cloud-computing services that would make the different provider s services more consistent as a technology community. 19 It is unclear what impact these legislative initiatives will have. Until U.S. laws are changed to provide additional privacy protections for users of digital communications, it is possible that law firms interested in using cloud-computing applications to deliver legal services online to clients located in EU-member states may have to jump through a few hurdles to ensure compliance with EU Directives. In some cases, this may mean that, to operate ethically using cloud based technology, the firm will have to find an EU-based technology provider and ensure that the servers housing any law office data are located in an EU-member state. C. Duties to Prospective Clients (Model Rule 1.18) and Scope of Representation (Model Rule 1.2) Model Rules 1.18 and 1.2 come into play with client intake or contact us forms on firm Web sites, when communicating with prospective clients through cloud-based 17 See http://www.digitaldueprocess.org/index.cfm?objectid=37940370-2551-11df-8e02000c296ba163 (last visited July 11, 2011). 18 Brad Smith, General Counsel, Microsoft Corporation, Speech at the Brookings Institution Policy Forum: Cloud Computing for Business and Society, Building Confidence in the Cloud: The Need for Prompt Industry and Government Action for Cloud Computing (Jan. 20, 2010), available at http://blog.seattlepi.com/microsoft/library/20100120smithspeech.pdf (last visited July 11, 2011). 19 See http://www.opencloudmanifesto.org/open%20cloud%20manifesto.pdf (last visited Feb. 4, 2011). AUTHOR LINK BROKEN; PLS VERIFY

social media applications; and when asking prospective clients to register on a Web site or client portal. For example, a prospective client follows a lawyer or firm profile on Twitter and decides to post a 140-character request for legal assistance that includes confidential information about their legal matter. The lawyer s profile explains that she handles a specific practice area and provides free consultations, but does not specify how these consultations are provided. The lawyer and the firm s Twitter account regularly posts tweets with general legal information pertaining to the practice area to which the individual s legal need relates. Does the client have a reasonable expectation that the lawyer would be willing to form a client-lawyer relationship? If the lawyer has been answering legal questions in a Web-based forum, does an unsolicited, direct question posted publically on Twitter to that same lawyer constitute a request from a prospective client to which the lawyer must respond? Model Rule 1.18 provides that [e]ven when no client-lawyer relationship ensues, a lawyer who has had discussions with a prospective client shall not use or reveal information learned in the consultation, except as Rule 1.9 would permit with respect to information of a former client. 20 Comment 2 to the rule clarifies that a prospective client is not a person who communicates information unilaterally to a lawyer, without any reasonable expectation that the lawyer is willing to discuss the possibility of forming a client-lawyer relationship.... (Emphasis added.) Comment 3 to this rule provides that the lawyer has a duty to keep the information transmitted confidential regardless of how brief. Model Rule 1.2(a) provides that a lawyer shall abide by a client's decisions concerning the objectives of representation and, as required by Rule 1.4, shall consult with the client as to the means by which they are to be pursued. A lawyer may take such action on behalf of the client as is impliedly authorized to carry out the representation.... 21 Section (c) of the rule allows for limited-scope representation, also termed the 20 MODEL RULES OF PROF L CONDUCT R. 1.18, available at http://www.abanet.org/cpr/mrpc/rule_1_18.html (last visited July 11, 2011). 21 MODEL RULES OF PROF L CONDUCT R. 1.2 (YEAR), available at http://www.abanet.org/cpr/mrpc/rule_1_2.html (last visited July 11, 2011).

unbundling of legal services, which is becoming a popular form of delivering legal services online to clients. To understand how Rule 1.18 and 1.2 work with cloud computing, it is necessary to distinguish among the different online communications in a variety of delivery formats. Communications through cloud-computing applications are similar to the use of text messaging, rather than a cell phone call, and occur at must faster speeds than the use of traditional e-mail. Comments are sent quickly and some with word limits. Likewise, responses to comments posted in this environment generally are expected to be within twenty-four hours if not immediate. The transmissions in most cloud-based applications are public. Not only may the lawyer be responding to the prospective client s post, but other individuals online who are not professionals, and even those who could have conflicting interests with the prospective client, are also able to read and post their own responses either directly to the individual or out to the general public. By doing so, the original request for legal assistance has the potential to be spread around to a large number of individuals. Ignoring the fact that the lack of privacy and encryption of the transmission of data may compromise the confidentiality of the client s matter, what are the duties of the lawyer receiving that original request for legal assistance? Within the context of cloudbased communication, such as lawyers use of social networking, what is a reasonable expectation on the part of a prospective client in online social environments? To be safe, should the lawyer send out standard responses to these requests warning prospective clients not to post confidential information and telling them they cannot represent them? Are disclaimers posted on online profiles sufficient notice to prospective clients? State bars differ in their opinions in answering these ethics questions. Regarding whether information received from a prospective client online triggers the duty of confidentiality under Rule 1.18, some state bar ethics opinions find that the duty of confidentiality to the prospective client occurs without an adequate disclaimer and even go a step further to claim that just having a law firm Web site is an implicit agreement

to consider the formation of a lawyer/client relationship. 22 Other state bar ethics opinions do not impose the duty of confidentiality and instead leave the responsibility on the lawyer to decline representation. 23 All of these opinions focus on the receipt of unsolicited e-mails from prospective clients rather than cloud-based communications through social media applications or intended online client intake forms or secure client portals. The ethics risks associated with each of these online applications will differ depending on how each operates and is used by the prospective client and managed by the lawyer. The different cloud-based forms of communication between lawyers and prospective clients and how the ethics rules apply might be broken down into two categories: (1) instant, public online communication; and (2) expected online communications. These different forms of cloud-based communication and how they relate to Rules 1.2 and 1.18 are discussed below. 1. Instant and Public Online Communications Given the popularity of social media applications that rely on cloud computing, it is unlikely that a prospective client would have an expectation of privacy when communicating online using a public, cloud-based application. Prospective clients who use these methods regularly read public information posted from individuals that they follow on sites, such as Twitter, Facebook, and LinkedIn. When registering to use these cloud-based applications, prospective clients must click to accept the terms of use, which typically include statements regarding privacy and confidentiality. These clickwrap agreements for use of the technology are binding and enforceable contracts with that technology provider, but they also could provide evidence that the individual using these application has had adequate notice beforehand of the risks of communicating confidential information using them. In reality, most individuals registering on social media applications do not actually read through these agreements. However, in terms of determining whether there is a reasonable expectation that the lawyer will represent the individual following an online transmission, these agreements 22 See Assoc. of the Bar of the City of N.Y Comm. on Prof'l and Judicial Ethics, Formal Op. 2001-1 (2001); N.J. Sup. Ct. Advisory Comm. on Prof'l Ethics, Op. 695 (2004); Mass. Bar Assoc. Comm. on Prof'l Ethics, Op. 07-01 (2007). 23 State Bar of Ariz. Comm. on the Rules of Prof'l Conduct, Op. 02-04 (2002); Iowa State Bar Ass'n Comm. on Ethics and Practice Guidelines, Op. 07-02 (2007).

point to the fact that prospective clients have been made aware that the method of their transmission is not private and, therefore, should not have a reasonable expectation that their communications to a lawyer using this method will result in legal representation. In many of these instances, the law firm that has set up an account for the firm is using the cloud-based method as a brand-building or marketing tool and is not intending to communicate directly with prospective clients. However, when a firm builds a fan page on Facebook and invites clients and others in the community to become fans of the page, this moves the use of the application into another category that may require additional steps by the law firm to avoid ethical missteps. The online presence that the law firm is publically disseminating through the cloud-based application may skew the public s perception of what expectations it should have regarding communications with the law firm. Accordingly, ethical use of social media applications for the purpose of marketing a law firm may require that that the firm ensure that it uses all the application s provided privacy settings to restrict the flow of unintended requests for legal services from prospective clients. 2. Expected Online Communication Similar to creating a fan page on Facebook, there are other instances when the lawyer does not intend to establish the lawyer-client relationship through the use of cloud-based technology, but does want to invite prospective clients to find out if the firm s services could meet their legal needs. For many law firms still using Web-based and e-mail-driven contact us or client intake forms on Web sites, the practice of responding to prospective clients in a clear and prompt manner to avoid the expectation of representation is critical. Lawyers who are contacted over social media applications by prospective clients should be careful to gather only as much information as needed to run an adequate conflicts check, such as the general subject of the legal need and the names of the potential parties involved. Making every attempt to limit the amount of information received before this conflicts check will help the lawyer fulfill his or her duty to protect the confidentiality of the prospective client s matter. Another way to avoid the ethics risk in this situation might be to also ask the prospective client to consent to waive the protection that Rule 1.18 provides by

having them click to accept that waiver. 24 However, there is the question of whether this is adequate. Any law firm using an online client intake form should be familiar with Barton v. U.S. Dist. Court for the Central Dist. of Cal. 25 In Barton, the first case to address this issue, the court held that, when prospective clients filled out an online intake form for the law firm, it gave rise to a lawyer-client relationship that was subject to the lawyer-client privilege and governed by the duty of confidentiality. The court noted that the communications online might be less secure and that any disclaimers or attempts to have the client waive their confidentiality may not be adequate. The court discussed how the online client s expectations might differ from the use of the online application, but concluded that a lawyer may be safe using a plain-language disclaimer to avoid the formation of the lawyer-client relationship so long as the lawyer s actions are also consistent in emphasizing this intention. Accordingly, a combination of both a plainlanguage disclaimer and clear actions on the part of the lawyer to promptly accept or decline the representation are the current standard to comply with Rules 1.2 and 1.18. Increasingly, law firm Web sites are evolving from the use of generic contact us forms that are e-mail based to the use of secure client portals for existing and prospective clients. The use of a client portal depends on a cloud-computing application to record the clients data and register them as a user on the law firm s site with account access. These forms of interacting with clients online through cloud computing more easily comply with Rules 1.18 and 1.2. Although more conservative law firms host the client portals on their firm Web sites only for existing clients, other firms invite prospective clients to register to request legal services from the law firm. The registration for the client portal typically includes a clickwrap agreement notifying the prospective client of the intended purpose for the client portal and explaining the nature of the technology used, including confidentiality and privacy notices. Furthermore, the firm s Web site may have video tutorials or explanations about the purpose of the client portal and how it may be used to request 24 See generally, Michael Loudenslager, E-Lawyering, The ABA s Current Choice of Ethics Law Rule and the Dormant Commerce Clause, 15 WM. & MARY BILL RTS. J. 587, 601 04 (Dec. 2006). 25 Barton v. U.S. Dist. Court for the Central Dist. of Cal, 410 F.3d 1104 (9th Cir. 2005).

legal services. Most of these firm sites also include standard disclaimers notifying the prospective client that registering and requesting legal services on the site does not automatically result in the law firm agreeing to represent the client in his or her legal matter. Once inside the client portal, the client is able to request legal services in a more secure, encrypted, digital environment where the lawyer may determine whether the firm will represent the prospective client in his or her matter. The prospective client is given a clear agreement or declination of the representation, which is recorded in digital format for both the client and the law firm to have on record. The combination of the clickwrap agreement, which serves to provide the disclaimer, and the actions required in the registration process by the prospective client and the lawyer to proceed should meet the requirements stated in Barton and comply with Rules 1.2 and 1.18. Public online forums, chat rooms, and cloud-based applications where the lawyer would be providing expert responses are other examples of expected communication with prospective clients. This form of interaction raises many different ethics red flags, including unauthorized practice of law in other jurisdictions, which will be discussed in more detail below. Several state bars have issued opinions on the subject of providing online legal advice and concluded that, if the lawyer s intention is to avoid forming the lawyer-client relationship, he or she must avoid specifically addressing any single prospective client s questions and instead limit the communication to posting online only items that cover general legal issues and are educational in nature. 26 D. Competency (Model Rule 1.1) and Diligence (Model Rule 1.3) Model Rules 1.1 and 1.3 come into play when selecting a technology provider and with the daily use of the cloud-computing technology to handle the representation of a client. For example, a lawyer decides to use a popular cloud-based project management application to map out a trial for the client s case. The application is still in beta, but the 26 See, e.g., D.C. Bar Legal Ethics Comm., Op. 316 (2002), http://www.dcbar.org/for_lawyers/ethics/legal_ethics/opinions/opinion316.cfm (accessed February 4, 2011); State Bar of Ariz., Formal Ethics Op. 97-04 (1997) http://www.myazbar.org/ethics/opinionview.cfm?id=480 (accessed February 4, 2011); Ass'n of the Bar of the City of New York, Comm. on Prof'l and Judicial Ethics, Formal Op. 1998-2 (1998) http:// www.abcny.org/ethics/eth1998-2.htm (accessed February 4, 2011).

lawyer has read positive reviews online and wants to try it out. The lawyer and other members of the firm input data from the client s case into the application leading up to the time of the trial. However, during this time, the technology provider is acquired by a larger company, and users are given notice that the beta version of the application will be ending and access will be terminated for paying users within a three-month period. The lawyer must remove the client s data from the application, but wants to retain the mapping and other organizational planning and strategy created for the case in that cloudbased system before the beta ends. The lawyer did not diligently research the software to ensure that the data would be exportable in a standard file format that would then easily transfer to another application. The lawyer is only able to export the data into an Excel file format that does not retain its usefulness for the management of the client s case. The law firm must attempt to recreate months of online preparation into another format, whether traditional or within another cloud-computing application, for use at the trial. In this example, the client may not be provided with diligent or thorough representation of his or her case at trial as a result of the firm s misuse of a cloud-computing technology. ABA Model Rule 1.1 provides that [a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. Rule 1.0(j) defines reasonably as when a lawyer of reasonable prudence and competence would ascertain the matter in question. Rule 1.3 requires that lawyers act with reasonable diligence and promptness in representing a client. When using cloud computing in practice management, the lawyer cannot rely on the technology provider to ensure that the cloud-based tools the firm has chosen to implement in its practice are kept up to date with the most current industry standards. Rule 1.1 requires that the lawyer is thorough and makes preparations that are necessary to provide representation to the client. When applied to the use of cloud-computing applications in practice management, this implies that, at a minimum, the lawyer must understand the technology and security issues when using their chosen cloud-based method of handling the client s case. The lawyer must also act diligently by following regular best practices for daily management of that cloud-based technology because it is being used as a tool in representing the client.

No matter how confident the law firm is in the ability of the cloud-based technology, an application cannot replace the competent actions of a licensed professional. This is a particularly important point for lawyers using cloud-based document assembly and automation programs where the software may create a seemingly complete and ready-to-go legal document for the client s matter. The lawyer must review the final product to ensure competent delivery of legal services. The creation of law firm policies regarding the use of cloud-based technology as it applies to client representation may help minimize these ethics risk. Also related to compliance with Rule 1.3, a lawyer s use of social media may also give rise to claims that the lawyer is not providing the client with diligent representation. For example, a 2009 article in the New York Times noted a judge s negative response to viewing a lawyer s Facebook page showing what the judge perceived to be a lack of diligent representation on the part of the lawyer. The lawyer s Facebook page showed photos of the lawyer at a party when the lawyer had just requested a continuance from the judge on a case due to the death of a relative. 27 It may also be argued that, to comply with Rule 1.3, lawyers should use online social media, search engines, and other cloud-based methods of researching information about parties related to their client s case. Is a lawyer engaging in diligent representation by failing to check online for information that may be critical to understand his or her client s case? At the same time, opposing counsel may be researching online for information the lawyer s client has posted to cloud-based social media applications or on a blog or public forum. For this reason, it can be argued that, to comply with Rule 1.3, all lawyers today must incorporate cloud computing into their diligent representation of the client s case and also to educate their clients about the lack of privacy and confidentiality in the use of social media while the case is ongoing. E. Responsibilities of Partners, Managers and Supervisory Lawyers, Virtual Assistants, and Paralegals (Model Rule 5.3) Model Rule 5.3 comes into play when nonlawyers working for a law firm are given access to cloud-computing applications used by the firm, during the use of social 27 John Schwartz, A Legal Battle: Online Attitude vs. Rules of the Bar, N.Y. TIMES, Sept. 13, 2009, http://www.nytimes.com/2009/09/13/us/13lawyers.html (last visited July 11, 2011).

media applications by firm members, and when working with virtual assistants and virtual paralegals. For example, a small law firm requires additional administrative assistance from a nonlawyer. The firm retains the services of a virtual paralegal and provides remote access to the firm s network so that the paralegal may work with the firm s lawyers on specific matters. The firm has a client portal and allows the virtual paralegal to access the client case files and communicate with the clients on administrative matters, such as providing them with reminders of deadlines and court dates and answering basic questions regarding the status of their case. The cloud-based application used by the paralegal to communicate with clients was not permissions-based; therefore, the paralegal had full access to everything in the system and was not prevented from responding directly to clients or from uploading documents to the client s file. Wanting to expedite a matter in the client s case, the virtual paralegal drafted a document and uploaded it online directly to the client without the responsible lawyer s review of the document. The document contained errors that were upsetting to the client. Stricter regulation, perhaps including a specific firm policy for the use of the cloud-computing application, and closer supervision of the virtual paralegal by the responsible lawyer might have mitigated this ethics risk. Rule 5.3 provides that With respect to a nonlawyer employed or retained by or associated with a lawyer: (a) a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer; (b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer; and (c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or (2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

The use of virtual paralegals and assistants is becoming increasingly popular with law firms because cloud-computing applications may be used to provide these nonlawyers with the tools necessary to accomplish almost all of the tasks remotely that they would be able to handle in-person in a traditional law office. The convenience and cost-savings for the firm of employing a virtual assistant or paralegal also poses new ethics risks for the law firm to comply with Rule 5.3. Supervision over nonlawyers through the use of cloud computing may require the use of a permissions-based system if the nonlawyer is given access to the firm s VPN or other online system, such as a virtual law office. This allows the supervisory lawyer to dictate specifically which online tasks the virtual assistant or paralegal should handle and prevents them from accessing certain features, such as those that might allow them to upload documents or conduct conversations directly with the firm s clients. Another risk with the increased use of employed virtual paralegals and assistants is the possibility of conflicts. What is to prevent a virtual paralegal who works remotely from home for several different law firms from providing work on a case for one firm where he or she worked with another firm representing the opposing side on a related case? Law firms employing virtual assistants and virtual paralegals will want to have them sign confidentiality agreements prior to providing access to any cloud-based system containing law office data. The firm may also want to create and provide the nonlawyer assistant with a law firm policy for the use of the specific cloud-computing application that will be used. The firm may want to provide the nonlawyer assistant with the firm s social media policy so that they are aware of the firm s position on communicating with clients online. Providing this supervision and information to nonlawyer assistants regarding the use of cloud computing within the firm and educating them about the technology and security necessary for its use may go a long way to minimize the risk of noncompliance with Rule 5.3. A Debated Issue Is a Technology Provider a Nonlawyer under Rule 5.3? The ABA Commission on Ethics 20/20 recently raised an interesting question in its Working Group on the Implications of New Technologies Issues Paper Concerning

Client Confidentiality and Lawyers Use of Technology: Does employing the services of a cloud-computing provider fall under Rule 5.3? 28 A comment to Rule 5.3 provides that the duty to supervise nonlawyers extends to those who serve as independent contractors. The commission is considering possible amendments to the rule that would clarify the extent to which lawyers have a duty to supervise nonlawyer assistants who perform their work outside of the law firm. This might include providers of cloud-computing services. If amended to include cloud-computing providers, the implications would have a significant impact on the ability of law firms to implement cloud-based technology in law practice. Critics argue that it might also have the potential to stifle innovation in the development of future cloud-based technologies within the legal industry. How would a law firm directly supervise the actions of an independent technology provider to comply with Rule 5.3? Is there a double standard applied to the use of cloud-based software that does not exist with install software? Imagine a modified rule that included such large companies as Microsoft or LexisNexis as nonlawyers requiring supervision under Rule 5.3 simply because they were entrusted with storage of law office data on their cloudbased products. This is another ethics issue under review that law firms with an interest in using cloud-based technology should closely watch. F. Unauthorized Practice of Law (Model Rule 5.5) Model Rule 5.5 comes into play with the use of cloud computing in law firm marketing and online lawyer social networking; multijurisdictional virtual law practice and when providing clients with self-help software solutions. For example, a multijurisdictional law firm has formed that includes members licensed in three different state bars. Firm members are spread out across jurisdictions and serve clients located across the country and overseas. The firm uses a cloud-based technology to communicate with the firm s members and also provides clients with access to a client portal. 28 The ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Issues Paper Concerning Client Confidentiality and Lawyers Use of Technology, http://www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issue spaper.authcheckdam.pdf (last visited July 11, 2011).

The globalization of law firms has increased the number of lawyers practicing outside of the geographic location where they are licensed to practice law. Cloud-based technology is used to facilitate remote work situations and increase the convenience and cost-effectiveness of operating a law firm. Likewise, prospective clients may be located anywhere in the world. To be effective, it may be necessary for some firms to operate their practices in more than one state. This increases the risk of a lawyer committing unauthorized practice of law in other jurisdictions. Model Rule 5.5(a) and (b) provide that (a) [a] lawyer shall not practice law in a jurisdiction in violation of the regulation of the legal profession in that jurisdiction, or assist another in doing so. Section (b) provides that [a] lawyer who is not admitted to practice in this jurisdiction shall not: (1) except as authorized by these Rules or other law, establish an office or other systematic and continuous presence in this jurisdiction for the practice of law; or (2) hold out to the public or otherwise represent that the lawyer is admitted to practice law in this jurisdiction. To minimize the risk of UPL, lawyers should be clear when creating an online presence about where they are licensed to practice law and provide adequate notice to prospective clients about the jurisdictional limitations of the lawyer s practice. This may be done on Web sites, blogs, and any public profiles on cloud-based applications where the lawyer and law firm have an online presence. If the lawyer is using a cloud-based client portal to work with clients and to meet prospective clients online, they may want to have a jurisdiction check built into the system so that, upon initial registration, all prospective clients are given notice of the lawyer s jurisdiction, and the lawyer is able to run a check on the client s residency and legal issue to ensure that the client s matter may be handled by the firm. In all cases where the law firm is working with online prospective clients who may be located in other jurisdictions, the lawyer must make the determination on a case-by-case basis whether the firm may represent the client in compliance with Rule 5.5. A less prominent ethics issue that involves Rule 5.5 is a lawyer s use of cloudbased software applications that provide self-help to the pro se litigant. As a method of client development, some law firms are providing free legal forms and methods of assisting consumers with filling out legal forms in the hopes that these prospective clients

may retain the services of the law firm. Artificial intelligence will develop to the extent that a cloud-based application is able to take a client s data and generate more complete legal services that would constitute the practice of law. However, many online self-help documents and, in some cases, legal document assembly programs posted online do not undergo the review of the lawyer before the client obtains them and potentially proceeds with their legal matter. The individual using these applications may choose to proceed as a pro se litigant rather than retaining the services of the law firm. Does providing free forms and applications on the law firm s Web site to prospective clients constitute UPL if it is a law firm that directly provides the cloud-based application rather than a technology vendor? The most referenced case law related to technology and UPL is The Unauthorized Practice of Law Committee v. Parsons. 29 In this case, Texas sought to prohibit the sale of self-help legal software in the state. Parsons litigation and the legal technology industry s outcry over the proceedings resulted in a modification of the definition of Texas UPL statute to clarify that the practice of law does not include computer software so long as that software clearly provides that the product is not a substitute for the services of a lawyer. Parsons is frequently referred to when discussing how far a state would go to regulate different forms of legal technology, particularly those that are interactive with the public seeking legal assistance. Because almost each state has a different definition of the practice of law, the question of what constitutes UPL will also differ. For this reason, cloud computing used in multijurisdictional law firms raises interesting questions about which state s definitions apply and how the firm may minimize its risk of noncompliance with each. For now, if a law firm wishes to avoid noncompliance with Rule 5.5, it will follow the standard set in Parsons and post clear explanations and disclaimers around the free forms including clear notice on the documents themselves regarding the states laws to which it is limited. In addition to Rule 5.5, some state bars have residency requirements and bona fide office rules with which lawyers licensed in more than one state must be careful to comply when using cloud computing to practice law across jurisdictions. In the spring of 2010, the New Jersey State Bar issued a joint opinion related to its bona fide office rule 29 No. 99-10388 (5th Cir. 1999).

and virtual law offices. 30 The restrictions in the joint opinion drew attention from lawyers engaged in or considering a completely cloud-based virtual law practice. Several states have bona fide office requirements for members of their bar. 31 Bona fide office requirements differ from general residency requirements, but in essence they both place a geographic restriction on the practitioner. Residency requirements either apply to the presence of the lawyer in the state of jurisdiction for a specific event related to a legal matter, or they apply to the ongoing residence of the lawyer in that geographic location for a specific amount of time prior to an event related to a legal matter. The bona fide office rule applies to the latter situation. State bars are still able to require that the lawyer maintain a physical office within the jurisdiction in order to provide legal services there, as is the case in New York, or require a physical office location with regular business operating hours, as is the case in New Jersey. With cloud computing, law firms may attempt to establish practices that do not fall into their state bar s requirements to maintain a physical presence in the state. Although New Jersey s joint opinion was not promising for the use of cloud computing to create virtual law offices in that state, Pennsylvania published an ethics opinion in October of 2010 entitled Ethical Obligations on Maintaining a Virtual Office for the Practice of Law in Pennsylvania, which allowed for a law office without a physical office building. 32 At this time only a handful of states have issued ethics opinions specifically approving of virtual law offices. For lawyers seeking to use cloud computing to create a virtual law firm, it will be necessary to research and comply with any bona fide office or residency requirements of the states where the lawyer will be practicing law. 30 New Jersey State Bar Advisory Comm. on Prof l Ethics & Comm. on Lawyer Adver., Joint Op. 718/41 (2010), available at http://www.judiciary.state.nj.us/notices/2010/n100326a.pdf. 31 See MICH. COMP. LAWS 600.946(2) (2010) (requiring out-of-state lawyers to maintain an office and to practice actively in the state or teach the law); MO. SUP. CT. R. 9.02 (West 2010) (requiring that the out-ofstate lawyers have a local office, unless the state where the lawyer resides allows out-of-state lawyers to practice without a local office); Tolchin v. Supreme Court of New Jersey, 111 F.3d 1099, 1102-03 (3d Cir. 1997) (regarding New Jersey s bona fide office rule); Parnell v. Supreme Court of Appeals of West Virginia, 110 F.3d 1077, 1078 (4th Cir. 1997) (upholding West Virginia s local office and residency requirements); Lichtenstein v. Emerson, 674 N.Y.S.2d 298, 299 (N.Y. App. Div. 1998) (holding that New York s local office rule did not violate the Privileges and Immunities Clause). 32 Pennsylvania State Bar Formal Ethics Opinion 2010-200 (2010). The opinion recognizes different forms of virtual law practice and specifically states that it does not address issues related to client portals or cloud computing because both traditional and virtual offices may use these to work with clients online.

A Debated Issue Choice of Ethics Law, Model Rule 8.5 With lawyers and clients more frequently not located in the same geographic location, this raises the question of which jurisdiction s ethics laws apply. 33 The ABA Model Rule regarding choice of ethics provides that the ethics laws will apply based on the location where the lawyer s conduct occurred or where the main impact of the lawyer s conduct arose. 34 Comment 5 to Rule 8.5 provides that [w]hen a lawyer s conduct involves significant contacts with more than one jurisdiction, it may not be clear whether the predominant effect of the lawyer s conduct will occur in a jurisdiction other than the one in which the conduct occurred. So long as the lawyer s conduct conforms to the rules of a jurisdiction in which the lawyer reasonably believes the predominant effect will occur, the lawyer shall not be subject to discipline under this Rule. The lawyer delivering legal services online may have an ethical obligation to determine which states ethics laws will apply and then to comply with the stricter state s requirements. The difficulty comes in determining exactly where the legal representation occurs for the purposes of Rule 8.5(b) when the lawyer and client are communicating, and the client is receiving the legal services online across jurisdictions. On January 18, 2011, the ABA Commission on Ethics 20/20 Working Group on Uniformity, Choice of Law, and Conflicts of Interest released an issues paper entitled Choice of Law in Cross- Border Practice and seeks comments on the research and proposals submitted in the paper. 35 The commission proposed various solutions to interpreting or modifying Rule 8.5 in the paper. For further research, visit the American Bar Association s Commission on Multijurisdictional Law Practice, Center for Professional Responsibility, 33 See generally, Daniel Backer, Choice of Law in Online Legal Ethics: Changing a Vague Standard for Lawyer Advertising on the Internet, 70 FORDHAM L. REV. 2409, 2410, 2417 (2002). 34 ABA Model Rule 8.5(b) underwent revisions in 1993 and again in 2002. The dormant commerce clause of the Constitution also comes into play with choice of ethics law. See Michael Loudenslager, E- Lawyering, The ABA s Current Choice of Ethics Law Rule and the Dormant Commerce Clause, 15 WM. & MARY BILL RTS. J. 587, 601 04 (Dec. 2006). 35 ABA Commission on Ethics 20/20 Working Group on Uniformity, Choice of Law, and Conflicts of Interest, Issues Paper: Choice of Law in Cross-Border Practice, http://www.americanbar.org/content/dam/aba/migrated/2011_build/professional_responsibility/20111801.a uthcheckdam.pdf (last visited July 11, 2011).

http://www.americanbar.org/groups/professional_responsibility/committees_commission s/commission_on_multijurisditional_practice.html. G. Using Cloud-Based Tools for Client Development (Model Rules 7.1 7.5) Model Rules 7.1 through 7.5 come into play with Web-based, e-mail marketing campaigns, online legal matching services, Web sites that rate lawyers, social networking and social media applications used for marketing purposes, pay-per-click or performancebased legal advertising models, online lawyer directories, branded networks concept of matching consumers online with a specific network of lawyers, including self-help online legal services prior to lawyer matching. For example, a consumer visits the Web site of an online legal service company that provides self-help legal guidance. For a minimum fee, the consumer uses the cloudbased document assembly application to create a legal form. After reading the instructions that came with the form, the consumer determines that he or she would like to retain the services of a lawyer to assist in completing the legal matter. Lawyers pay to be listed in a zip code directory connected to the legal services company s Web site, and they also pay the company a performance-based fee for any prospective clients that result from their listing in the directory. The consumer follows a link that provides him or her with online access to communicate with one of the lawyers in that online network. The legal forms created using the cloud-based application provided by the legal services company are available to the consumer for use with their chosen lawyer for full-service representation. Rules 7.1 through 7.5 were updated in 2002 to cover advertising by electronic communication. Most applicable to cloud computing, Rule 7.2 was updated to include Internet advertising. Rule 7.2(a) provides that [s]ubject to the requirements of Rules 7.1 and 7.3, a lawyer may advertise services through written, recorded or electronic communication, including public media. Rule 7.3 was also updated in 2002 to include real-time electronic communication, such as the use of chat rooms or within virtual reality environments. Rule 7.3 prohibits direct solicitation to prospective clients. This ethics rule often works in conjunction with Model Rule 1.18 s duty to prospective clients, which is discussed above. Section (c) of

Rule 7.3 requires that [e]very... electronic communication from a lawyer soliciting professional employment from a prospective client known to be in need of legal services in a particular matter shall include the words "Advertising Material"... at the beginning and ending of any recorded or electronic communication, unless the recipient of the communication is a person specified in paragraphs (a)(1) or (a)(2). To apply this requirement to lawyers use of cloud computing, it is necessary to translate it into the different forms of online communication with prospective clients and to understand how that disclaimer would have to be posted in that cloud-based environment. The state bars differ in their solicitations rules; therefore, the lawyer seeking to use cloud-based methods to solicit legal services to prospective clients will want to first research their own state bar s rules. Also important to avoid running afoul of other state bar rules regarding online solicitation, the lawyer must make clear in every online posting his or her jurisdictional limitations. The most contested ethics issue regarding lawyers use of cloud computing in marketing has come in the interpretation of Rule 7.2. The rule as it is currently written does not cover pay-per-click or performance-based marketing two popular methods of online lawyer marketing that use cloud-based technology to provide arguably more costeffective results than traditional online or print lawyer directories. Section (b) of Rule 7.2 provides that [a] lawyer shall not give anything of value to a person for recommending the lawyer's services except that a lawyer may (1) pay the reasonable costs of advertisements or communications permitted by this Rule; (2) pay the usual charges of a legal service plan or a not-for-profit or qualified lawyer referral service. A qualified lawyer referral service is a lawyer referral service that has been approved by an appropriate regulatory authority; (3) pay for a law practice in accordance with Rule 1.17; and (4) refer clients to another lawyer or a nonlawyer professional pursuant to an agreement not otherwise prohibited under these Rules that provides for the other person to refer clients or customers to the lawyer, if (i) the reciprocal referral agreement is not exclusive, and (ii) the client is informed of the existence and nature of the agreement. This chapter will not attempt to cover all of the contested issues involving online lawyer advertising, many of which involve interpretation of Rule 7.2(b), Google AdWords and other pay-per-click advertising services. Lawyers using cloud computing

should be familiar with the 2009 Zelotes case in which an ethics complaint was filed in multiple states against a cloud-based legal service provider alleging marketing ethics violations pertaining to the company s pay-per-click advertising methods providing lead generation to lawyers who pay for the service. 36 All of the complaints were eventually dismissed in 2010 in favor of the lawyers using the cloud-based advertising method. However, in the Zelotes pleadings, careful distinctions were drawn between referral sites, directory listings, and other forms of lead generation marketing used by lawyers. State bars reviewing the differences among marketing methods and how each complies with state bar advertising rules may not come to the same conclusions. At the heart of this ethics issue may also be the fact that a large percentage of the public now shops for legal services using search engines and rating sites, rather than traditional advertising methods, such as the phone book or print ads and directories. Online methods of searching for legal assistance arguably has provided the public with increased access to general legal knowledge and potentially to greater access to justice by allowing them to broadly search for and review information about lawyers and firms. Lawyers unfamiliar with cloud-based forms of advertising are turning to their state bars for guidance in understanding how they may use these methods to remain competitive in their practice without running afoul of any ethics rules. Because online marketing methods change frequently, it may be difficult for slow-moving ethics committees and regulatory entities to keep up. Another factor in analyzing the application of Rules 7.1 through 7.5 to cloud computing is to make the distinction between social networking and direct advertising. The line may seem blurry for individuals not used to using cloud-based forms of social networking to communicate with colleagues and other business professionals. However, for the lawyer or law firm using cloud-based applications to build its online presence, there are clear methods of interacting online without engaging in direct advertising or solicitation of prospective clients. 36 The summary decision, Zelotes v. Rousseau, published January 2010; http://www.legalethicsforum.com/files/summary-decision-in-09-0412-zelotes-v-rousseau-et-al.pdf (accessed February 4, 2011).

One of the more popular forms of lawyer brand-building online involves the sharing of educational content to the general public. For example, lawyers may post general legal information or resources on their Twitter feed or on the firm s Facebook page. This builds the firm s reputation online as an expert in a specific practice area, but is not a form of direct advertising because this information is available for anyone in the public to view. Recently, some state bars have published more stringent restrictions on lawyers use of social networking, even proposing that lawyers remove their profiles or that they create pop-up disclaimers for law firm Web sites. 37 For example, the Texas State Bar Advertising Committee published its Interpretive Comment No. 17(A)-(I) (2010) in March 2010, which provides that [a] digitally transmitted message that addresses the availability of a Texas lawyer s services is a communication subject to Rule 7.02, and when published to the Internet, constitutes an advertisement in the public media. Taking this broad approach to all electronic communications by lawyers online, the Texas Comment provides regulations for everything from Web sites and blogs to a lawyers use of online social networking. Each state bar has different rules for advertising, many including very specific requirements for law firm Web sites and the use of online marketing. Some state bars may even require that the law firm seek approval of the Web site design and disclaimers posted on the site before it is published online. Others require registration of the law firm s URL with the state bar. Lawyers will want to carefully review the rules related to online advertising in their jurisdictions. If lawyers are licensed in more than one jurisdiction, they must comply with the rules of each state. Additionally, a significant use of cloud computing in practice management involves marketing. For virtual law firms that work almost exclusively with online clients through a secure client portal on the firm s Web site, the use of cloud-based forms of advertising is critical to establishing and maintaining a law practice that delivers legal 37 See, e.g.,, page 10 of the Florida State Bar Motion to Further Amend Rules Regulating the Florida Bar - 4-7.6 Computer Accessed Communications. (proposing pop-up disclaimers on law firm Web sites), http://www.floridabar.org/tfb/tfbresources.nsf/attachments/9f624959350d15338525773700451c31/$ FILE/SC08-1181%20Motion%20to%20Amend%20Rule%204-7.6%20and%20All%20Appendices%206-1- 10.pdf.pdf?OpenElement (accessed February 8, 2011).

services online. Unfortunately, because of the fast pace at which forms of online marketing develop, ethics rules are difficult to keep up-to-date and relevant. This aspect of cloud computing in law practice is full of gray areas. The use of cloud-based application for legal marketing also involves compliance with Model Rules 1.1, 1.6, and 1.15, as well as some states data privacy laws. In September 2010, the ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies released an Issues Paper Concerning Lawyers Use of Internet Based Client Development Tools. 38 The paper discusses the potential ethics issues that arise from the use of various cloud-based applications to market legal services. Proposed changes to the model rules to reflect the use of cloud computing in practice management may occur in the near future. As with many of the ethics rules related to technology, lawyers using these tools should keep a close watch on these proceedings. For many firms that rely upon cloud computing to market their law practice, there is hope that the ABA and state bar will consider regulation of the content of the lawyer s communication over the cloud, which is where the primary ethics risks lie, rather than focus on the delivery method which will change as fast as the technology develops. Also related to cloud-based marketing is Model Rule 5.4, which covers fee sharing with nonlawyers. New methods of cloud computing that assist members of the public in obtaining self-help legal assistance online and in finding a lawyer in their jurisdiction may involve the payment of fees by the lawyer to the cloud vendor for that referral service, and the payment may be based on a future fee that the lawyer receives from the client. We may expect that these upcoming models of matching up prospective clients with lawyers will raise additional ethics questions that may not have simple solutions if the focus is on the delivery method rather than the content of communication. 39 38 ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Issues Paper Concerning Lawyers Use of Internet Based Client Development Tools (Sept. 20, 2010), http://www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientdevelopment_issuesp aper.authcheckdam.pdf (last visited July 11, 2011). 39 For further resources, see ABA Formal Ethics Opinion 10-457 (2010), http://www.americanbar.org/content/dam/aba/migrated/cpr/pdfs/10_457.authcheckdam.pdf AUTHOR LINK BROKEN PLS VERIFY(last visited Feb. 4, 2010); Will Hornsby, Lawyers Shouldn't Have To Guess on Ethics of Online Marketing, MICH. L. WKLY., Aug. 18, 2008, available at 2008 WLNR 25703029. AUTHOR: WHAT IS THIS?

A Debated Issue Is Cloud Computing Outsourcing? The ABA Ethics Commission 20/20 has raised the issue of whether cloud computing should be classified as a form of outsourcing in one of its recent issues papers. 40 ABA Formal Ethics Opinion 08-451 describes a lawyer s obligations when outsourcing work to lawyers and nonlawyers. This issue may cause confusion because cloud-based solutions are often used to facilitate the practice of outsourcing legal services. Work conducted overseas by a nonlawyer entity on behalf of a law firm may be reviewed, discussed, managed, and purchased all through the use of a cloud-based application. Yet, the law firm supervises the work of the nonlawyers providing the legal product, not the platform used to transmit that product across geographic boundaries. Should the U.S. Postal Service be included in the outsourcing rule, and should all firms have obligations for supervising these traditional snail mail methods? There appears to be a double standard surrounding cloud computing in practice management that may partly be a result of misunderstanding how it is used by law firms. Would including cloud computing as outsourcing require modification of Model Rule 5.3 to include a cloud vendor as a nonlawyer working for the firm requiring supervision? If cloud computing is included as a form of outsourcing, it would be difficult to foresee how a standard cloud-computing technology vendor would be able to form working relationships with law firms. A related issue here is the potential for a notice and consent requirement for the use of cloud computing. Should lawyers be required to provide notice to their clients of their use of cloud computing in practice management and receive clients consent prior to using these methods for the client s case? If cloud computing were considered a form of outsourcing, client notice and consent might be required by the law firm to comply with ethics rules. This is yet another unanswered and debated ethics issue related to cloud computing in practice management. 40 The ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Issues Paper Concerning Client Confidentiality and Lawyers Use of Technology (Sept. 20, 2010), http://www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issue spaper.authcheckdam.pdf (last visited July 11, 2011).

A Debated Issue Should Cyber Insurance Be Required? Malpractice insurance policies may not adequately cover the use of cloud computing in law practice. In fact, many policies specifically exclude claims resulting from software. If this is the case, then many cloud-based applications, such as those that operate on software as a service (SaaS) models, would not be covered. Most state bars require that lawyers maintain professional liability insurance for their practice. Should lawyers operating some portion of their practice in the cloud be required to obtain separate cyber insurance to cover this potential gap in coverage? H. Electronic Discovery To comply with the Federal Rules of Civil Procedure Rule 26 regarding e- discovery, firms that handle litigation in the cloud must carefully evaluate the service level agreements of the chosen technology provider. 41 The data must be searchable, retrievable, and retained by the cloud provider in a manner that complies with e- discovery rules. Storage of law office data in the cloud raises the ethical issue of how the law firm can recover and produce e-discovery material that may have been deleted in the process of being managed in the cloud. Whereas as computer forensic tools would once have been used to retrieve data in its original form from in-house systems, obtaining this from a cloud-based system may be more difficult. Law firms must understand key issues such as access, data ownership, and the flow and protection of data when it is under the control of the service provider. Federal Rule of Civil Procedure Rule 34 provides that A party may serve on any other party a request within the scope of Rule 26(b): (1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items 41 See generally SHARON D. NELSON, BRUCE A. OLSON & JOHN W. SIMEK, THE ELECTRONIC EVIDENCE AND DISCOVERY HANDBOOK (ABA Law Practice Management 2006). See also www.discoveryresources.org.

in the responding party's possession, custody, or control. 42 Even though much of the control and possession over the data stored online is in the hands of the cloud provider, the lawyer is still responsible for complying with e-discovery requests. 43 Some cloud providers may have archiving capabilities, and for an extra fee will assist a law firm with managing the product of data in the event of an e-discovery request. Ethical compliance with e-discovery requests may also raise questions about privacy and confidentiality, and involve federal search and seizure laws or compliance with the data privacy laws of other countries, as discussed in more detail above. In other ways, the use of cloud computing to manage and store law office data may provide a law firm with better control over records management. For example, with cloud-based case and client management, data pertaining to a single client typically is stored in a specific location on the system, and records are logged indicating the date and time of the data creation and who has had access to that file within the system. Cloud computing may make compliance with e-discovery requests more cost-effective than a traditional law firm s management of paper files by making it easier to search, organize, and produce the requested data. I. When Cloud Computing Supports Ethical Practice On a more positive note, there are some rules of professional responsibility where cloud computing may actually assist a law firm in complying with ethics rules. The use of cloud-based applications provides the lawyer with more efficient forms of communicating with their clients. For example, Model Rule 1.4, entitled Communication, requires that the lawyer keep clients informed of the representation. Cloud computing may also provide clients with greater control over their own legal matters by allowing them access to their case files, calendars, and discussions with members of the law firm in ways that traditional firms cannot provide. By allowing clients online access to their case information, the client stays better informed of the status of their legal matter. Lawyers may use technology to transmit information to their 42 Fed. R. Civ. Pro. 34, available at http://www.law.cornell.edu/rules/frcp/rule34.htm (last visited July 11, 2011). 43 Lawyers should also be aware of Fed. R. Civ. Pro. 502 (2008). This rule was created to help law firms manage the costs associated with privilege review and liability that might come from the inadvertent disclosure of privileged information during the course of discovery.

clients while clients are overseas or otherwise unable to travel into a traditional law office or to pick up the phone for a conference with the lawyer. Cloud computing may also facilitate the unbundling legal services through the use of technology and to deliver those services online. ABA Model Rule 1.2(c) entitled Scope of Representation provides that (c) A lawyer may limit the scope of the representation if the limitation is reasonable under the circumstances and the client gives informed consent. 44 Considering that most businesses, including corporations, banking, and investing, are now relying on cloud computing for many of their operations, it may be imperative that law firms working with business clients in these different professions are also able to use the technology to help their clients make quick decisions. In that sense, it might be considered malpractice for the lawyers working with those clients not to use the most efficient and cost-effective form of transmitting information between parties. Most likely, larger corporate clients are already seeking out law firms that have implemented forms of cloud computing to work with clients online. J. Future Ethical Issues in Cloud Computing Future methods of delivering legal services to the public may involve the use of cloud-based technologies that provide more direct interaction between the prospective client and artificial intelligence. Although the legal professional will always play a critical role in providing legal services, technology may be used to handle more aspects of the day-to-day practice of law and even begin to handle simple, legal decision making for self-help clients. New forms of cloud-based communication and methods of online social networking and marketing will change the ethics playing field again, perhaps even before many of the issues discussed in this chapter have been settled and written out in rules of professional conduct. This rapid development of cloud computing for practice management may increase access to justice and provide the public with more control and choice in solving their legal needs. However, it will also continue raise unique ethics issues as lawyers and regulatory bodies struggle with how to best protect the public from potentially harmful practices. Because these ethical issues in cloud computing will never fit neatly into the existing rules of a single state or even country, the use of this 44 MODEL RULES OF PROF L CONDUCT R. 1.2(c), available at http://www.abanet.org/cpr/mrpc/rule_1_2.html (last visited July 11, 2011).

technology by the legal profession may serve as a catalyst for some form of rule and ethics standardization within the profession.

APPENDIX D

By Stephanie L. Kimbro Virtual Law Practice How to Deliver Legal Services Online

Commitment to Quality: The Law Practice Management Section is committed to quality in our publications. Our authors are experienced practitioners in their fields. Prior to publication, the contents of all our books are rigorously reviewed by experts to ensure the highest quality product and presentation. Because we are committed to serving our readers needs, we welcome your feedback on how we can improve future editions of this book. Cover design by RIPE Creative, Inc. Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only. The products and services mentioned in this publication are under or may be under trademark or service mark protection. Product and service names and terms are used throughout only in an editorial fashion, to the benefit of the product manufacturer or service provider, with no intention of infringement. Use of a product or service name or term in this publication should not be regarded as affecting the validity of any trademark or service mark. The Law Practice Management Section, American Bar Association, offers an educational program for lawyers in practice. Books and other materials are published in furtherance of that program. Authors and editors of publications may express their own legal interpretations and opinions, which are not necessarily those of either the American Bar Association or the Law Practice Management Section unless adopted pursuant to the bylaws of the Association. The opinions expressed do not reflect in any way a position of the Section or the American Bar Association. 2010 American Bar Association. All rights reserved. Printed in the United States of America. 12 11 10 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data Kimbro, Stephanie L. Virtual law practice : how to deliver legal services online / by Stephanie L. Kimbro. p. cm. Includes index. ISBN 978-1-60442-828-5 1. Law offices United States Automation. 2. Internet in legal services United States. 3. Legal services Internet marketing United States. 4. Practice of law United States. I. Title. KF320.A9K56 2010 347.73002854678 dc22 2010035985 Discounts are available for books ordered in bulk. Special consideration is given to state bars, CLE programs, and other bar-related organizations. Inquire at Book Publishing, American Bar Association, 321 N. Clark Street, Chicago, Illinois 60654.

CHAPTER SIX Ethics and Malpractice Issues AS WITH ANY TRADITIONAL law practice, it is the responsibility of the lawyer delivering legal services online not the hosting company, the software provider, the state bar, the ABA, or any other entity to ensure that the daily online practice avoids malpractice and complies with the high ethical standards required by the lawyer s law license. This responsibility often means that the lawyer must take ethics or advisory opinions from his or her state bar and interpret them to apply to the use of new technology and forms of elawyering. If the lawyer s state bar has not directly addressed virtual law practice, there may be other directives related to unbundling, limited legal services or forms of elawyering that may answer the lawyer s ethics questions as they relate to online law practice. Please see the state-by-state opinions and resources listed in the appendix. Where Do State Bars Stand on Virtual Law Practice? If you have questions about your state bar s opinion on virtual law practice, you should contact them directly for a formal or informal advisory opinion. In many cases, they may want you to educate them on the structure of the virtual law practice and how the technology will be used to deliver legal services online. Be prepared at this stage in the development of virtual law practice to provide detailed information in this regard. The state bar may also want to review the virtual law practice s static Web site before it is launched and may also require the approval and registration of the firm s URL with the state bar. These steps may be necessary for a traditional law firm s creation of a Web site or use of online advertising, but there will be additional scrutiny of the terms and conditions or dis- 133

134 Ethics and Malpractice Issues claimers and other notices to the public on the virtual law practice Web site. Items that the state bar may look for in the static Web site include the following: Adequate notice of the jurisdiction that the practice covers Terms and conditions and disclaimer that are always accessible to the public on the site Current contact information for the lawyer or the firm Regarding current contact information on the Web site, with some state bars, this may include a physical office location. This is an issue that some lawyers who reside in one state and practice law in another are dealing with. Residency requirements are discussed in more detail below. It may be necessary to negotiate with the state bar to add a line to the Web site explaining that the lawyer is not physically located in that state where the legal services are provided. If this is the case, then the lawyer must emphasize in this disclaimer that the site only provides limited legal services and not the representation of a full-service law firm. In other instances, the state bar may be satisfied with providing a PO box address as contact information, and the lawyer must then be responsible for retaining a service that mails the contents of the PO box on a regular basis to his or her home office or other physical address. The problem is that the rules of requiring contact information for the clients in many states have not been updated to recognize the delivery of legal services online. With so many other methods of communication available aside from snail mail, these rules seem outdated and in need of updating. Furthermore, individuals seeking online legal services are not typically members of the public that will then be turning around and communicating by writing letters and mailing them to the lawyer. In the event that a document needed to be mailed to the lawyer rather than electronically uploaded to the virtual law office and handled completely online, then some lawyers will have a PO box near their physical location and may give that address out to the occasional client and other entities that still mail out invoices, licenses, notices, and other transactions related to the business that are not handled online. Malpractice Insurance Coverage Malpractice insurance for your virtual law practice is just as much of a nobrainer as it is in a traditional law office. You should have it. The good news: The use of technology may actually help to limit the risk of mal-

Malpractice Insurance Coverage 135 practice in delivering legal services online. When discussing malpractice insurance coverage, the lawyer may want to mention the automated checks and processes set up within the technology that are designed to prevent malpractice. For example, a jurisdiction check may occur upon registration of a prospective client to the virtual law office Web site, which may throw up a red flag warning to both the lawyer and the prospective client to ensure that each individual is aware that the physical location of the prospective client may not be within the jurisdiction in which the lawyer is licensed to practice law. This system does not prevent the lawyer from taking the case. There are many instances when a client residing in one state may need the assistance of a lawyer licensed in another state for example, if the client owns property in a state outside of his or her primary residence and needs legal assistance related to that real property. Furthermore, the high-level security of a virtual law practice when compared to the use of unsecure methods of electronic communication, including unencrypted e-mail, also helps to prevent malpractice risks when communicating with clients online. The added protection of this level of security helps to protect client confidences. Please refer to the section of the book related to security and privacy of the technology for additional information. When approaching the malpractice carrier, if the entity has not directly addressed a virtual law practice, be prepared to educate the representative on the topic by including walkthroughs of the software, samples of how the lawyer works with clients online, copies of the terms and conditions for your site, examples of how the engagement process works, how your conflict of interest checking works, and any other processes that might assist the company in understanding fully how you deliver legal services online. Some lawyers taking this educational approach to obtaining malpractice insurance have found that they qualified for a discount due to the use of the technology to automate many of the malpractice concerns in their practice. While this may not be available with every carrier, as more virtual law practices emerge, we may see different policies being offered to address them directly. When evaluating the policy for your virtual law practice, make sure to read through the exclusions to ensure that the insurance company is not attempting to reduce its risk by adding in provisions that may exclude aspects of your technology used for practicing law online. Consider, too, that depending on the type of practice that you structure, you may be dealing with more quantity of online clients than with a handful of

136 Ethics and Malpractice Issues quality clients, meaning that you may be dealing with many smaller online drafting projects rather than one or two online clients who are paying larger total legal services. This may mean that in any instance the total loss might not be as large as if you were working with larger paying clients. Again, it completely depends on the structure of the practice and how automated you will be in delivering legal services. If you will be working with higher paying online clients, then you will want to check that the coverage is sufficient to address that risk. If the virtual law practice is structured as a firm or partnership of other lawyers, whether multijurisdictional or not, your malpractice insurance policy should cover all of the members of that virtual law practice. This will ensure that the firm itself or all the members will not be held responsible for the acts or omissions of one of the other lawyers in the virtual law firm. This is an important safeguard even if the lawyers are located in different states to form the virtual law practice. The challenge will come in finding a malpractice carrier that will be willing to write a policy for lawyers that crosses over several states. Given the additional risks that this structure of virtual law practice brings, any carrier may likewise be hesitant to draft a policy that provides adequate coverage, or, if they do, the cost may be significantly greater than what would be provided to a traditional multimember firm. Another option would be for the lawyers within this larger firm to draft into their fee structure, partnership agreement, or other governing document a provision that every lawyer will be individually responsible for their own acts or omissions as well as individually responsible for obtaining insurance coverage for their section of the virtual law practice. Insurance for Your Hardware Your law practice is located online, and you can t access it without your hardware. You may also have other law office data stored on your computer or hard drive as backup. Protection for the loss of the use of this hardware may be something to consider in an insurance policy. At this time, coverage by most insurance companies is limited when it comes to loss related to electronic data, use of computers, software, or access to backups and other law office data. Another area for loss with a virtual law practice might be the risk of a security breach associated with the activities of a malicious hacker or online identity theft. Again, these are risks that most insurance carriers are not willing to take on at this time.

Case Study: Camille Stell 137 There are ways to protect your law practice in this regard. Make sure that you have more than one method of accessing your law office data. Reducing your risk means being meticulous about backups and choosing a service provider that offers geo-redundancy, regular daily backups and data escrow. The service agreement you have with the software provider will more than likely not protect you from the risk of the loss of data if it is related to your own acts or omissions or the failure of your own hardware in the operation of your virtual law practice. Make sure that your virtual law practice abides by daily best practices for the use of the technology. The best measure is to come up with your own methods to minimize the risk of loss in these areas that will most likely not be covered by an insurance policy. Please see the section entitled Daily Best Practices in Chapter Five above. Case Study: Malpractice Insurance Carrier Camille Stell, Director of Client Services, with the contributions of the underwriters and claims lawyers, at Lawyers Mutual Liability Insurance Company of North Carolina (www.lawyersmutualnc.com). Lawyers Mutual provides financial protection from professional liability for more than 8000 lawyers throughout the State of North Carolina. The basic idea among myself and our underwriters that we would not consider a virtual practice more problematic than any other sort of practice. In some ways, it could be considered like a niche area of practice. A couple of thoughts: (1) general/basic risk-management principles apply, such as client screening you need to beware of red flag clients, but so do all lawyers. You need a clear understanding of the fee up front, but so do all lawyers. There is a thought that maintaining privilege and confidentiality can be more challenging in a virtual world; an example might be since all communications are via e-mail, the risk of sending, replying, or forwarding to the wrong person might be higher; (2) anytime you unbundle legal services, clearly defining the scope of the representation is critical, as is revisiting scope of services as that can change (lawyers also need to be careful about not unreasonably limiting the scope); and (3) in theory, documentation should be easier, given the virtual nature of the relationship, which could be good or bad, but it definitely means that e-mail content should not be an afterthought.

138 Ethics and Malpractice Issues Do insurance policies for a virtual law office differ from those offered to traditional law practices? No. Is there anything unique that you require from a lawyer prior to providing policy estimates? No. What should a lawyer look for from their malpractice insurance carrier when shopping for a policy for his or her virtual law practice in terms of policies, premiums, support, services, etc.? You want to make sure that you are purchasing the right amount of coverage for your area of practice. If you handle commercial real estate deals in excess of a million dollars, you want to make sure that you get more than $300,000 in limits. Likewise, if you are in a criminal defense practice, you probably don t need as large limits, and you might feel more comfortable with a large deductible, as you are in a safer area of practice. You also want to think about continuity of coverage. Legal malpractice insurance policies are claims-made policies as opposed to occurrence policies like your car insurance. The coverage is not when the act or omission occurred but when it is reported. You want to make sure that if you change companies, and even if you are remaining with the same company, that when you complete a new application every year to respond properly to questions about potential problems of which you are aware. Prior acts coverage can prevent gaps in coverage when a lawyer is changing companies or changing employment. Is this provided, or something you need to purchase separately? Is your malpractice company approved or recommended by your state bar association? Many companies do have special relationships with their bar association, and they are bar approved or bar related. NABRICO is the National Association of Bar Related Insurance Companies, and many of the companies that are members are mutual companies, meaning that their policyholders are the owners of the company. Does your malpractice provider offer risk-management resources or CLE? Can you call with a question when you run into trouble? Do they have claims-repair efforts before suit is filed when they will offer assistance to avoid a malpractice claim? Do they have local claims counsel? The ABA Standing Committee on Lawyers Professional Liability has a section on the ABA Web site with helpful articles and resources.

Case Study: Camille Stell 139 Are you aware of any complaints or grievances that have been brought up against a lawyer delivering legal services online? If so, what was the nature of those actions, and how could they be prevented? No malpractice claims. I am aware of issues that the NC State Bar Authorized Practice of Law Committee is looking into that involve Web companies such as Ask.com and whether lawyers who participate in those are aiding in the unauthorized practice of law. The same issues arise with debt-relief companies that offer a marketing opportunity for lawyers to belong to a network where you are referred cases in a geographic area. Some of these are document-preparation companies who do all the work with no lawyers involved, then they need a local lawyer to sign off on the work product. The economy is driving some lawyers to make poor choices to get involved with some of these companies, but I would not view these as virtual law practices. Can you recommend any tips to avoid malpractice when delivering legal services online? Develop proper forms for checking conflicts, client screening, and engagement, non-engagement, and disengagement. Understanding the scope of the representation is important for both client and lawyer, and if the scope changes, update the engagement letter. Fee agreements are key. Keeping client expectations reasonable early in a case usually leads to a more satisfied client. Do they know what to expect in fees? Do they know how they are going to be billed? Do they understand what the final work product will look like? Do they understand how the virtual relationship will work? Documentation will be key in defending against bar grievances or malpractice cases when the client complains about things that are the very essence of a virtual practice I never met my lawyer. My lawyer didn t return my phone calls, etc. What would you identify as the key ethics issues that may arise in the operation of a virtual law practice? Staying up-to-date in your practice area so that you are offering competent services. Conflicts of interest issues are always problematic for lawyers. Do you see the potential to prevent malpractice through the use of technology to deliver legal services online? In what ways may the technology be used to prevent malpractice? The common areas of malpractice are not those cases where lawyers don t know the substantive areas of law but those where lawyers miss

140 Ethics and Malpractice Issues deadlines or have a conflict of interest. Technology is great for dealing with these kinds of problems. Having a calendar system is important, but also important is building in advance warnings it s not helpful to determine that a major deadline is today; you need to factor in prep time. Having a conflict-check system is important, and technology is a great tool to manage your client and adverse relationships. If we know that certain clients are problematic, you can develop questions on your intake form to help with client screening. Where do you see virtual law practice headed in the future of the legal profession? I think there is a generation of lawyers who are not interested in high compensation but more in a lifestyle that suits their personality. I believe those individuals will chose careers of interest, then make them fit into their lifestyle. You may have lawyers who have a virtual practice for a season of life while they have children at home or aging parents then they may return to a more traditional practice. I think our current economic situation has also shown lawyers that they don t need to pay for fancy reception areas and conference rooms and that virtual practices make economic sense even when the economy rebounds. I also think when you look at many consumers today, they expect to make most purchases online not just books or DVDs, but they choose colleges online, they make major purchasing decisions (such as cars) online, and they will expect this to translate into professional services as well. Preventing Malpractice through the Use of Technology Unauthorized Practice of Law One of the foremost ethics issues is the unauthorized practice of law (UPL). To be at risk of UPL, the lawyer s actions must constitute practicing law as defined by the rules and regulations of his or her state bar. 1 Some state bars have a different definition of practicing law, and there has been some question about whether providing forms to clients to fill out online with no other lawyer interaction constitutes the practice of 1 See the ABA s Task Force on the Model Definition of the Practice of Law Web site for resources and a list of the different state definitions of the practice of law: http://www.abanet.org/cpr/ model-def/home.html (accessed May 30, 2010) and the Task Force s Report issued April 2003: http://www.abanet.org/cpr/model-def/taskforce_rpt_803.pdf (accessed May 30, 2010).

Preventing Malpractice through the Use of Technology 141 law under those states rules. But with a virtual law practice, the lawyer is not providing online forms or other law-specific interaction with the client until the attorney-client relationship has been established. The lawyer is conducting work with the client just as he or she would in a traditional law practice, only in the online environment using the processes set up in the technology. There should be no question that these actions constitute the practice of law. Aside from this, there are two main issues related to UPL. The first is UPL in other jurisdictions. This arises when the virtual law practice Web site is located on the Internet and therefore is accessible by anyone who has Internet access. This is discussed in greater detail below. The second issue is UPL by non-licensed individuals. Companies such as LegalZoom and Nolo, Inc., providing legal forms for sale online take up a large portion of the market for online legal services because of their ease of use by the public and their affordability. But neither service provides the customer with the benefit of legal advice or review of the legal documents being purchased. The question is whether the general public understands the value and importance of having personalized consultation by a lawyer. In many cases, it may be acceptable for consumers to use those services, but in others there is the danger that the consumer is not filling out the forms correctly and believes that the provisions in the legal documents he or she has purchased are providing protections that do not exist. At the same time, there is an increasing need for affordable access to justice, which the legal profession alone is not able to meet. This problem continues to grow as more court administrations become overburdened with the handholding involved in working with the large number of pro se litigants flooding their court systems. The legal profession cannot step up to meet this public need without the use of technology to assist in automating many of the transactional legal advice and form generation that that is needed in most basic legal matters. A virtual law practice provides a balanced and safer alternative for consumers seeking online legal services because it includes the ability to consult directly with a lawyer regarding the individual circumstances of the customer s legal issue. Any legal documents provided to the client as unbundled legal services are not released to the client until after the lawyer has released them and in some cases not until the payment for legal services has been rendered. In addition, because there is lower overhead to operating a virtual law practice and because much of the process

142 Ethics and Malpractice Issues may be automated, the lawyer providing these services should be able to provide lower fees for the services that they provide, whether that is through fixed fee, billable hour, or a combination fee structure. Another concern with UPL by non-licensed individuals may be the ability of individuals to open a virtual law office who are not qualified or licensed to do. As more virtual law practices emerge, it may fall to the responsibility of the individual state bars to ensure that any virtual law practices within their jurisdictions are being operated by legal professionals who are licensed and in good standing. Because of the ease and low cost of setting up a virtual law practice, it may be tempting for a lawyer who is not qualified or not in good standing with his or her state bar to open up a virtual law practice. But just as with a traditional law practice, that responsibility for enforcement should fall to the state bars. UPL in Other Jurisdictions The main concern regarding UPL relates to the risk that the lawyer may be practicing law outside his or her jurisdiction when contacted by an online client who is a resident of another state where the lawyer is not licensed. The responsibility of avoiding UPL falls to the lawyer delivering legal services online, even with a jurisdiction check in the software, so that he or she is able to handle the requested legal services without committing malpractice. In many respects, the analysis does not differ greatly from the process that a lawyer in a traditional law office would go through to avoid committing UPL. But there are two primary differences of which a lawyer practicing law online should be aware. One difference is that the notification to the prospective client of the lawyer s jurisdiction to practice law is handled online rather than in person or through a mailed engagement letter. The other difference is that the scope of potential online clients registering for legal assistance will be greater in number, requiring added careful examination for the unauthorized practice of law in each online request for legal services presented by a prospective client. ABA Model Code Rule 5.5(b) states that [a] lawyer who is not admitted to practice in this jurisdiction shall not: (1) except as authorized by these Rules or other law, establish an office or other systematic and continuous presence in this jurisdiction for the practice of law; or (2) hold out to the public or otherwise represent that the lawyer is admitted to practice law

Preventing Malpractice through the Use of Technology 143 in this jurisdiction. 2 This rule applies to any law firm Internet presence, not just a virtual law practice. But because clients will be able to work with and purchase legal services from the Web-based law office, the virtual law practice Web site needs to be even clearer to the public about the services that are provided and the nature of unbundled legal services in general. To comply with the ABA Model Rule 5.5(b) and the rules of most state bars, the lawyer setting up a virtual law practice should pay close attention to the Web site content and advertising rules established by the state bar(s) in which he or she is licensed. Regarding UPL in other jurisdictions, it is the responsibility of the virtual law practitioner to provide clear notice throughout the virtual law practice Web site that he or she is only licensed to practice law in the state(s) in which the lawyer holds an active bar license. Furthermore, to also guard against UPL in other jurisdictions, the virtual law practice should contain the name of the lawyer(s) practicing law online and current contact information. By providing adequate notice, the lawyer should not be found to be soliciting clients from a state where he or she is not able to practice law. To prevent UPL, a virtual law practice should contain some form of automated jurisdiction check for the benefit of the client and the lawyer. This is best handled from the very beginning of the process of engaging the prospective client during the initial registration on the virtual law practice Web site. For example, when the client registers on the Web site, a simple check for the zip code would notify the lawyer that the client is a resident outside his or her jurisdiction. A notice would then appear to the client stating that the lawyer may only be retained to answer legal questions and handle legal work related to the laws of the state for which the lawyer has an active law license. Any jurisdiction check should not prevent the client from continuing with the registration process, but it serves the purpose of providing more than adequate notice of the lawyer s jurisdiction. Through this process, the lawyer is provided with a red flag on the back end of the law office to let him or her know that the client resides in a different state and may have a legal matter that the lawyer is not permitted to handle. 2 ABA Center for Professional Responsibility Web site, http://www.abanet.org/cpr/mrpc/rule_5_5.html (accessed January 3, 2010). See also the ABA Commission on Multijurisdictional Practice Report to the House of Delegates. The recommendations in this final report were all adopted on August 12, 2002. http://www.abanet.org/cpr/mjp/201b.pdf (accessed January 3, 2010).

144 Ethics and Malpractice Issues The unauthorized practice of law in another jurisdiction would occur if a lawyer used his or her virtual law office to draft a legal document that pertained to the laws of another state where the online client was a resident but where the lawyer did not have a license to practice law. But if the lawyer operating the virtual law office were partnering with lawyers and legal assistants on his or her virtual law office who were licensed in other jurisdictions, then this should prevent UPL. For example, a virtual paralegal could work on the virtual law office to draft a will or other estate planning document for a client in a jurisdiction where the virtual paralegal was familiar with that state s estate planning laws. The virtual paralegal would then flag the document for review by the lawyer on the virtual law office who was licensed in that online client s state. The review and approval of that legal document by the lawyer licensed to handle that state s laws would permit the virtual paralegal to complete the transaction for the online client without it constituting UPL in another jurisdiction. UPL with Multijurisdictional Virtual Law Firms UPL must be carefully considered when virtual law practice is structured as a multijurisdictional practice. In some respects it operates no differently than a traditional firm with offices in different states. But the key here is in ensuring that the prospective client registering for legal services online is connected to the lawyer who is licensed to handle the legal matter at hand. This may mean a more robust system for checking the jurisdiction or the use of a virtual paralegal or assistant to handle the initial filtering of requests for legal services from new registrants. Residency Requirements and UPL Residency requirements exist for a handful of state bars and are another example of a restriction on the legal profession that may need to be updated to reflect changes in law practice management. 3 These residency requirements focus on the lawyer actively practicing law within the state or maintaining a bona fide office. 4 How should this be interpreted if the lawyer physically resides in one state and actively practices 3 See, for example, Missouri State Bar Informal Advisory Opinion Number 970098 regarding Rule 5.5; Tolchin v. New Jersey Supreme Court, 111 F.3d 1099 (3d Cir. 1997); Lichtenstein v. Emerson, 674 N.Y.S.2d 298 (App. Div. 1998); Parnell v. West Virginia Supreme Court of Appeals, 110 F.3d 1077 (4th Cir. 1997). 4 See, for example, Mich. Comp. Laws Ann. 600.946 (the lawyer must show intent either to maintain an office in this state for the practice of law, and to practice actively in this state, or to engage in the teaching of law ).

Preventing Malpractice through the Use of Technology 145 law from a virtual law office providing the legal services pertaining to the laws of another state? He or she is actively practicing law, just not physically within the state. In some instances, the residency requirements have been reduced to only lawyers who are handling litigation in that state. If the lawyer is required to appear before a court in that state, then he or she is required to have a physical residency in that state. This makes practical sense, but New Jersey s Advisory Committee on Professional Ethics and the Committee on Attorney Advertising have gone one step even more backward. They released a joint opinion stating that even when a lawyer hires a virtual assistant or receptionist or shares a rented office space for conferences to attempt to create an office presence in the state, this does not create a bona fide office that complies with the state s residency requirements practicing law. 5 The opinion significantly limits lawyers licensed in New Jersey to having a physical law office where clients may call during regular business hours. This restriction on business discriminates against many solos and in particular women lawyers who may need to practice law from home, but for personal and security reasons, they do not want to provide their home address or phone number to clients. How this restriction will affect solos and small firms wanting to form completely virtual law offices is yet to be seen, but the joint opinion does allow for lawyers with a traditional law practice to also operate a virtual law office with adequate notice to prospective clients of the firm s physical office location. For other virtual law practices where their state has a residency requirement, this may be met by forming associations between the virtual law firm and a physical, traditional firm in that state. In that case, the virtual law practice Web site should include in the disclaimer that there is not a physical law office location for the virtual law practice itself, but that in the event of the client requiring a full-service firm for the purposes of litigation or in-person representation, the virtual law practice will refer the client to the firm associated with it that is within the geographic location of the client. But as in New Jersey, other state bars may require out-ofstate lawyers to maintain an office as a condition of practicing in the jurisdiction. While these rules have survived constitutional challenges to 5 Joint Opinion, ACPE 718/CAA 41 (March, 2010), http://www.judiciary.state.nj.us/notices/2010/ n100326a.pdf (accessed March 30, 2010). The opinion refers to virtual law offices but does not specifically define a virtual law office as a Web-based practice and instead refers to rented office space.

146 Ethics and Malpractice Issues date, many need to be reconsidered in light of new advancements in law practice management and to reflect the needs of both the public and members of the profession. 6 Providing Competent Online Representation Depending on the structure established for your virtual law practice, there may be some practice areas and legal matters that do not translate as well into the services offered through a virtual law practice. You may also have a client base in your practice that is less comfortable using technology. In those cases, the key is to know what level of legal assistance you may provide online and then to adequately inform the prospective client of the limitations of those services. As with a traditional law practice, you must comply with your state bar s rules of professional responsibility to provide competent and diligent representation, one time phrased as zealous representation. If you are operating a virtual law firm in addition to a traditional law practice, this is easily accomplished by meeting with your client in person and then handling smaller matters associated with the administration of the case online, such as payment of invoices, calendaring, and document review, if the client so chooses to use the virtual law firm as more of an amenity to working with you rather than as the sole method of communicating. If you are providing strictly unbundled or limited legal services online, then it is important to know when the online client s legal matter requires in-person representation for competent and diligent representation to occur. For example, a client would need to be referred offline if he or she had a criminal defense case that would require continued and consistent full-service representation. Can you adequately convey the nuances of a legal matter online, or does it require at a minimum that the lawyer pick up the phone and speak with the client? The answer to this question raises the biggest difference in the generation gap between lawyers. Lawyers who attended law school with their laptops and smart phones on at all times during each lecture, and maybe even took their bar exam on a computer, feel more confident that they can adequately communicate using technology, even if it is 6 For further research, see Supreme Court of New Hampshire v. Piper, 470 U.S. 274 (1985); Supreme Court of Virginia v. Friedman, 487 U.S. 59 (1988); In re CARLTON, United States District Court, D. Maryland, No. 10-mc-160, 2010 WL 1707722 (D.Md.) (April 26, 2010); Schoenefeld v. State of New York, 1:09-CV-0504 (LEK/RFT), United States District Court, N.D. New York, (February 8, 2010).

Providing Competent Online Representation 147 only limited to text or a combination of instant messaging, text, video, and real-time chats. Online forms on a virtual law practice Web site both provide legal guidance to clients and prompt them to answer additional questions to guide the lawyer through their individual circumstances. Armed with these collected data, the lawyer then may follow up with additional online communication to verify the situation and clarify anything that is needed with the online clients. Lawyers who did not begin their legal careers with this comfort level with technology may be more accustomed to speaking with clients in person or by the phone. They may claim to hear certain inflexions in the tone of voice of the client that hint to them that the client is unsure or hiding something from them. At the same time, the lawyers who are used to communicating online know how to use online methods to comfortably determine the underlying emotion or motivation of the person they are communicating with. The same doubt and resistance between generation gaps occurred when phones were new to the law office and another older generation of lawyers swore that it was impossible to gauge the client s motivations and veracity without looking the client directly in the eyes. The best response to this argument against completely Web-based delivery of legal services is that lawyers should know their own comfort level with technology and consider the methods of working with each client on a case-by-case basis. If the legal service requested online requires the lawyer to call the client or if the lawyer feels more comfortable calling each client by phone, then the lawyer should do so. If it is necessary for the legal service requested, then it is the responsibility of the lawyer to speak with the client by phone to competently handle the matter or refer the client to a full-service law practice. As far as the ability to streamline the delivery of legal services online, this extra step of picking up the phone may slow up the delivery process and add a level of inconvenience to the client and the lawyer that was not there when both parties could handle the matters 24/7 and without having to schedule an appointment within the business hours of a work week. This added step would also need to be taken into consideration with any fixed-fee or value-based billing system, as it may take additional time to conduct a phone conversation and the client then would have access to a phone number to contact the lawyer at any time following that initial call. This would thus defeat another benefit of virtual law practice, which is the ability of the entire transaction and conversation to be documented, with date and time, online within each client s case file.

148 Ethics and Malpractice Issues Many states have given formal approval to unbundled legal services. 7 At the same time, many of them have added requirements that the lawyer provide notice of lawyer authorship on the unbundled legal documents to be filed with the court system and provide adequate contact and bar license information for the lawyer that provided the unbundled legal services. Several of the existing ethics and advisory opinions by state bars were written before virtual law practice had expanded beyond the communication between lawyers and clients by e-mail. The main concern in these opinions is that it might be difficult to provide competent representation online with limited client contact. Virtual law practice and other forms of elawyering, however, provide for a great deal more personal interaction with clients than the use of e-mail exchanges. A secure virtual law practice does not rely on e-mail, which is unencrypted, to handle any attorney-client communications or transactions. A virtual law practice permits extended communication between lawyer and client through the interface and provides an additional method of online communicating that extend beyond simply sending text notes between the parties. For example, within the client portal, every client has their own home page where they may store communications between the parties; documents that are uploaded by clients or by the lawyer; an interactive calendar; sticky notes with reminders for invoices, deadlines, and other billing items; and client information. The lawyer might conduct Web conferences or Skype calls in which the lawyer and client may speak and see each other while online. In addition, through the use of other online social networking tools, such as LinkedIn, Facebook, and Twitter, a lawyer has the ability to let clients know what he or she is doing on a minute-byminute basis. While this may not be desirable in most cases, the ability to form close business relationships through Web-based applications is fully available. Accordingly, written concerns by state bars regarding the ability of a virtual law practice to provide competent limited legal representation may not recognize these advancements in technology. They may be tailored more toward e-mail communication between client and lawyer and may not relate to the ability of the virtual law practice to assist the lawyer in identifying conflict of interest issues or providing personalized, competent online representation. Another safeguard provided by the technology is the use of an online referral database that may be built into the online back-end law office. 7 See the appendix topic Unbundled Legal Services for a list of state bar ethics and advisory opinions approving of unbundling.

Conflict of Laws 149 This allows the lawyer to build a network of other legal professionals and easily and quickly refer prospective online clients to other virtual law offices or full-service law firms if the lawyer is unable to provide competent legal representation online. The use of a virtual paralegal or assistant to filter through prospective online clients and refer unqualified candidates to other resources may be a more efficient method of handling a large influx of online clients. Other options toward helping to avoid malpractice is to partner with another virtual law office that will handle practice areas that you are not familiar with or to partner with a full-service firm in a different geographic location that will send referrals to you when clients want to work online in exchange for your referrals of clients needing in-person representation. The key to avoiding this malpractice risk is the same as with any traditional law practice: the lawyer has the duty to determine, on a case-by-case basis, whether he or she has the requisite legal experience to provide quality legal representation to the client requesting services. Conflict of Laws Conflict of laws raises one of the more complex issues as it relates to virtual law practice. The issue comes up when a lawyer opens a virtual law practice with the intent of providing federal law related legal services, such as in the practice areas of immigration law or intellectual property law. The lawyer is able to handle the online client s matter as far as it relates to the federal law matter. For example, he or she may file the patent application for the online client who may be a company or small business instead of an individual. But if that same online client then asks the lawyer to draft a contract through the virtual law office, the lawyer is faced with the question of whether he or she may handle that aspect of the legal services that extends outside of federal law. The contract for the online client should be drafted in accordance with the state law in which that online client is a resident or where the client who is a business or company does its primary business. Therefore, the lawyer must run a jurisdiction check to make sure that he or she is able to assist the client based on the state(s) in which he or she is licensed to practice law. If the virtual law practice is being marketed nationally or regionally as providing federal law legal services, then it may become frustrating to the online client to be restricted in the amount of work the contracted lawyer may legally handle for the client online. The client would be required to

150 Ethics and Malpractice Issues go to another lawyer, full-service or virtual, within the proper jurisdiction for the state law related matters, which may end up costing more than if the client were able to go online to obtain all of the business-related legal services that were needed. What if the service that the online client was requesting included a privacy policy and disclaimers for the online client s Web site? The client s Web site is accessible to customers across the world, and the client conducts business though that site nationally. There is not a lot of precedence for providing a solution to this issue within law practice management or ethics texts. While technology has already erased state boundaries for conducting business and other transactions, the regulations and state laws have not kept up. The safe answer would be that the virtual law practice is not able to work with that online client to draft that document unless the client is located within the lawyer s jurisdiction. The state in which the privacy policy or any other online contract would be expected to be enforced would be whose law would have to be applied. One safer solution to conflict of laws issues as they arise in virtual law practice is for the federal law focused virtual law offices to form networks with other virtual law practices in other states. Online clients requiring state law contracts could be referred to other virtual law offices or partnerships could be formed between virtual law offices wherein the lawyer not licensed in the state could draft the document and forward it to the lawyer contact in the correct jurisdiction for review and approval. Then that contract could be provided to the online client through the same virtual law office without that online client having to transfer the file to another lawyer. This is provided that the online client has notice that the lawyer will need to have another lawyer review the draft first and has approved this practice. Another issue related to this form of multijurisdictional virtual law practice is the application of the attorney-client privilege. If the lawyer licensed in one state is providing the client who resides in another state with legal services related to federal law, which state s attorney-client privilege applies? Since the primary purpose of the privilege is to protect the client, the simple answer might be that it would be the client s state s laws regarding attorney-client privilege that apply. 8 But this is another 8 In the event of a case that comes up in the federal court system, the Federal Rules of Evidence, Article V, Rule 501, would be applied, and this would determine whether the attorney/client privilege law of the state or federal common law would apply. http://www.law.cornell.edu/rules/ fre/rules.htm (access on May 30, 2010).

Authentication of the Client s Identity: Is It Our Duty to Prevent Fraud? 151 area related to multijurisdictional virtual law firms and conflicts of law issues that are being worked out as more of these virtual firms emerge. Conflict of interest checks on the drafting lawyer in this transaction would need to be handled as well. The additional step in this process before the online delivery of legal services to the client may mean that the cost for the legal services would be higher than it normally might be. These are all ideas to take into consideration as the first group of innovative lawyers begins to forge the path for virtual law practices that cover both federal and state law matters for online clients. Authentication of the Client s Identity: Is It Our Duty to Prevent Fraud? The Internet facilitates the potential for individuals to commit fraud regarding their true identities. Accordingly, a lawyer with a virtual law practice should conduct some form of online verification to ensure that clients are who they claim to be. But it is not the lawyer s duty to identify and prevent fraud. Lawyers should be allowed to rely on the contact and other information provided to them online by clients. If a client is signing a clickwrap agreement confirming his or her identity and accepts the terms of the representation, then the lawyer must be able to rely on this contract just as he or she would a written engagement letter in the mail. The reality is that lawyers will encounter dishonest individuals in a traditional law practice just as they do online. While a lawyer cannot ensure that the final use of the legal documents he or she has created never falls into the wrong hands, the lawyer may draft legal documents to the best of his or her ability with the information provided by the online client. There has been some question of whether anti money laundering regulations (AML compliance), such as those implemented in the 2001 U.S. Patriot Act, would apply to a virtual law practice, but the list of businesses affected by these provisions at this time does not include law firms, only banking and financial institutions. 9 Furthermore, the application of 9 See IRS, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act of 2001 (Public Law 107-56), http://www.irs.gov/businesses/ small/article/0,,id=154565,00.html (accessed March 28, 2010). Because this may change in the near future, see also Financial Action Task Force Risk Based Approach (FATF RBA) 2008 Guidance for Legal Professionals, http://www.fatf-gafi.org/dataoecd/5/58/41584211.pdf (accessed September 30, 2010); and Voluntary Good Practices Guidance for Lawyers to Detect and Combat Money Laundering and Terrorist Financing, Recommendation of the ABA Task Force on Gatekeeper Regulation and the Profession, approved on April 23, 2010, http://alturl.com/4xy2q (accessed September 30, 2010).

152 Ethics and Malpractice Issues these provisions would not appear to be practical because the money paid by the clients for legal services rendered online would most likely be processed with a credit card online and be reviewed through PCI compliance and other federal regulations during that process. Any funds collected and held through the virtual law practice would go through the same process of being deposited in the lawyer s trust account as would occur in a traditional law firm. Again, fraud occurs in person as well as online, and in both instances, the lawyer must be able to rely on the information collected from the client during the intake process without being expected to run extensive, costly, and impractical background checks on each prospective client. Because the legal services purchased through an online client portal may be largely transactional or unbundled legal services, it is often left to the online client to complete the final steps to execute the prepared legal documents. Including detailed instruction regarding proper execution of the documents, as well as the assurance that the client may return to the lawyer with any questions or concerns until the matter is completed, is good virtual practice procedure. In addition to any identity check conducted by the lawyer through the registration process, a notary public assisting the client in executing the legal document will be required to check the driver s license of the individuals signing the documents. In many cases, witnesses may also be required in addition to the notary public to sign the legal document verifying that the client is who he or she claims to be. In addition, there are other methods that a lawyer may use to verify the online client s identity. A lawyer may choose to request that the online client upload a copy of his or her driver s license to the virtual law practice so that the lawyer may check the client s identification and contact information. There are online services that a lawyer may purchase that provide additional verification measures, but in most cases this is not practical for the daily operation of a virtual law office, and in most cases, the prospective clients will not appreciate the inconvenience of taking this additional step before consulting with the lawyer when it is a step that would not be required if the client visited a traditional law office. Frankly, if individuals seeking legal services online are going to commit fraud, they would be more likely to purchase the less individualized services of one of the companies selling legal forms online without lawyer review. They would have the option of purchasing legal do-it-yourself kits or software from an office supply store or simply going online and run-

Defining the Scope of Representation Online 153 ning Internet searches to cut and paste together their legal documents. They are probably not going to register with a virtual law office to pay for legal services provided by a licensed professional when there are cheaper and less risky methods for them to accomplish their nefarious goals. Defining the Scope of Representation Online A traditional law practice uses an engagement or retainer letter to define the scope of the representation and to notify the client of the billing procedures, deadlines, and other information about working with that law firm. Providing unbundled services online requires that the lawyer pay extra attention to ensure that prospective online clients understand the scope and nature of the legal representation being offered and provide informed consent. The notice will depend on the structure of the virtual law practice if it is completely Web based or being run in conjunction with a full-service firm. Please see the Appendix for two sample terms and conditions for a virtual law practice one for a completely Web-based practice and the other for a virtual law office integrated into a traditional law firm. Notices should be provided to the prospective online client, and the lawyer should receive assurance that these notices have been read and accepted by the client. The scope of representation may be communicated and further refined multiple times through secure online messages from lawyer to client. There are multiple ways that this may be accomplished with a virtual law practice, and the method will depend on the type of technology used as well as the methods that your online client base is most comfortable handling. In many cases, given the different levels of comfort with technology that your clients may have, the best approach would be to offer more than one method of providing notice to clients and having them accept and return that agreement. For example, a traditional limited scope of representation agreement may be uploaded for the client to sign and return to the lawyer online, either by scanning and uploading to the virtual law office, or it may be returned by traditional mail or fax. An online form may be used to allow the online client to click through and accept each individual provision of the agreement, ensuring that each term was read and accepted before proceeding. This would work like a clickwrap agreement but require more active acceptance by the online client of the entire document. Another method

154 Ethics and Malpractice Issues would be the use of digital signatures to send a traditional agreement for the client to sign digitally. Copies of that signed document could then be stored in the client s file in the client portal. A combination of two or more of these methods might be used by lawyers who require added assurance that the client has read, understood, and provides informed consent to the nature of the unbundled legal services being provided online. If you are operating a virtual law practice in addition to a traditional law firm, it is critical that the clients using the client portal for any form of communication with the lawyer sign some form of understanding that describes the use of the technology, privacy, and confidentiality of the virtual law office in addition to the traditional engagement letter provided by the full-service firm. This may be an addition to the traditional engagement letter discussing the firm s offerings and terms and conditions for its online use, or the lawyer may choose to have the client read and accept two different letters one for the traditional law office services and another for the use of the online client portal. Establishing the Attorney-Client Relationship Online Clearly establishing the attorney-client relationship when delivering legal services online is key to avoiding malpractice risks. 10 One ethics concern may be that the virtual lawyer may create an unintended client/lawyer relationship. 11 This issue is addressed by the use of multiple clickwrap agreements and communications with the prospective client, which require that he or she acknowledge and agree to the terms of use of the virtual law office and client portal. Further, it is the responsibility of the lawyer to limit and define the scope of the representation following the initial online consultation. This process is no different than if a lawyer were to accept or decline representation of a client in person. The scope of representation or decision to decline representation is presented to the online client. If the client accepts the services of the lawyer, then the client is required again for an additional time to acknowledge that he or 10 See, generally, ABA Model Rule 1.18, Client-Lawyer Relationship, Duties to Prospective Client. 11 See Barton v. U.S. Dist. Court for the Central Dist. of Cal., 410 F.3d 1104 (9th Cir. 2005) (holding that the attorney/client relationship was formed and a duty of confidentiality arose when prospective clients filled out an online form that the law firm had posted on its Web site. See also Kelcey Nichols, Client Confidentiality, Professional Privilege and Online Communication: Potential Implications of the Barton Decision, 3 Shidler J. L. Com. & Tech. 10 (Feb. 14, 2007), at http://www.lctjournal.washington.edu/vol3/a010nichols.html (accessed May 30, 2010).

Establishing the Attorney-client Relationship Online 155 she has notice of this arrangement and is agreeing to it through a tailored clickwrap agreement. In addition to using a clickwrap agreement to establish the attorneyclient relationship, the lawyer may also use a combination of online and traditional methods to ensure that he or she has covered all of the bases. A written engagement letter could be uploaded to the client for his or her signature to store in the client s online case file. The lawyer could have the online client execute this agreement by electronic signature rather than a physical signature that would need to be scanned in and uploaded back to the client file on the virtual law office Web site. While only one process would mostly likely provide adequate notice to the prospective client of the terms of the representation, the flexibility of the technology allows lawyers to design their own additional methods of protecting themselves from professional malpractice based on their own comfort levels and what their state bars require. In addition to the notice and acceptance process provided to each client, the process itself may be audited. The full history of each transaction may be viewed in both the lawyer s online case files and in an audit log managed by the technology company used to host the software. In the audit log, the lawyer may review if there were any overrides conducted by himor herself or another lawyer, such as if the terms of the engagement and other billing process were ever bypassed, if management features were reset, or if terms for the representation were provided to the client for another notice and acceptance process. In other words, the technology may provide an additional trail documenting the establishment of the attorney-client relationship. This documentation would extend beyond the online dialogue between the lawyer and the client in the client s case file to maintain a record of the transactions to establish the attorneyclient relationship. This process of establishing the attorney-client online relationship is required before either the client or the lawyer may proceed to engage in any transactions related to the online delivery of legal services. By this method, a virtual law practice may provide more protection for the prospective client than a telephone call, unencrypted e-mail communication, or even a short in-person office visit. Clickwrap Agreements As with most online businesses offering services over the Internet, the lawyer relies on a clickwrap agreement, which online clients are required to review and accept in the client portal before proceeding with the online

156 Ethics and Malpractice Issues delivery of legal services. A clickwrap agreement or click through agreement is the common method of clicking on a button on a Web site to accept the terms or user agreement associated with the use of that site or the online software application provided on that Web site. Clients are familiar with clickwrap agreements from registering for online banking, signing up for profiles on social media sites, such as Facebook or LinkedIn, or have encountered it before purchasing items online with a credit card. A typical clickwrap agreement in a virtual law practice provides the client with notice of the terms and conditions for use of the client portal and the online legal services being offered. The online client is required to assent to the agreement by clicking on a button in a dialog box or pop-up window that reads OK or agree. Many clickwrap agreements require that the client scroll down the entire text of the agreement or check an additional box, such as one stating I am over the age of 18, before clicking on the OK or agree button to finalize the agreement. If the online client declines to accept the agreement, he or she has the option of clicking on cancel or closing the window containing the agreement. When first introduced, the clickwrap, or shrinkwrap, agreement was viewed as a contract of adhesion, but this form of agreement is now accepted as a valid and enforceable contract form, as long as the terms and conditions related to the agreement are accessible at all times by the online client. 12 A clickwrap agreement contains the terms and conditions of the lawyer s online representation to the client, explains the nature of unbundled legal services, defines the scope of representation, and may contain other provisions tailored to the lawyer s virtual law practice. For example, the online client is required to accept a clickwrap agreement before registering on the client portal and again when agreeing to the purchase of specific legal services. The lawyer should take care to define the scope of legal representation (or clearly decline representation) with each individual client who contacts the lawyer through the virtual law office. This process may be handled securely on each client s home page, and the complexity depends on the legal work the client is seeking. As more lawyers go online with their law practices, the use of the clickwrap agreement will most likely be a standard on virtual law offices. While retainer fees, payment arrangements, and further definition of the scope of legal representation are communicated to the client through the client s secure home page, the standard clickwrap agreement for the vir- 12 See ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir., 1996).

Establishing the Attorney-client Relationship Online 157 tual law office serves as the legal contract between the lawyer and his or her online clients and should be a stagnant feature on the lawyer s virtual law office. Think of it as the replacement for a traditional engagement or retainer letter. The ABA Committee on Cyberspace Law, during a panel discussion at the ABA s Annual Meeting in 2007, provided these recommendations for forming legally binding online agreements: 1. The user must have adequate notice that the proposed terms exist. 2. The user must have a meaningful opportunity to review the terms. 3. The user must have adequate notice that taking a specified, optional action manifests assent to the terms. 4. The user must, in fact, take that action. Lawyers must draft the terms and conditions for use with the virtual law office Web sites and clickwrap agreements that conform to their individual practices and the services that they intend to offer online. The ABA Cyberspace Law Web site has a searchable archive for members that contains many good resources to assist lawyers in researching this topic and drafting their online engagement agreements. 13 Unique to a virtual law office, the terms and conditions for use of the site and client portal should explain or provide, at a minimum, the following information for the prospective client: 1. Notice of the jurisdiction in which the lawyer is licensed to practice law 2. Nature of unbundled or limited legal services 3. How and when the attorney-client relationship and scope of the relationship will be defined 4. Confidentiality policy 5. How client funds and payment of invoices for legal work are handled online 6. E-mail policy 7. Security of the site, PCI compliance if accepting credit cards 8. Web tracking, including cookies, information collection, and privacy policy 13 ABA Committee on Cyberspace Law Web site: http://www.abanet.org/dch/committee.cfm? com=cl320000 (accessed on May 13, 2008).

158 Ethics and Malpractice Issues 9. Registration process and the nature of a clickwrap agreement 10. Contact information for the lawyer operating the VLO and a helpdesk e-mail or contact for technical matters related to the client s use of the Web site Furthermore, each individual solo or small-firm practitioner may want to use an additional retainer or engagement agreement or other contracting method with clients after registration that conforms to a more traditional contract. The flexibility of the Web-based technology allows for the operation of both a clickwrap agreement and additional methods. For example, the lawyer may want to upload a traditional engagement or retainer agreement to the online client through the online client s home page. The client may then sign the contract, scan it to PDF, and upload it back to their online case file. If the lawyer prefers to have the original signature of the agreement, there is no reason why the lawyer may not request that the client send the contract via snail mail to the lawyer before the legal work is commenced. A retainer fee may be paid by the online client at any point in the process. The lawyer permits the client to pay this fee when appropriate, and steps must be taken to ensure that the retainer payment is routed to the lawyer s trust account. See the section in Chapter Four discussing online payments and billing options for a virtual law practice. Protecting Client Confidences The virtual lawyer should take reasonable precautions to protect confidential information that is transmitted between the lawyer and the client and to preserve the attorney/client privilege. All state bars have rules of professional conduct requiring that communications transmitted from the client to the lawyer be kept confidential. 14 In this regard, e-mail is not the safest method for lawyers to rely upon to transmit confidential client data. Most e-mail is not encrypted and is therefore not secure. A virtual 14 Rule 1.6 (a) of the ABA s Model Rules of Professional Conduct states, A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation.... See, in particular, comments 16 and 17 to Rule 1.6. Comment 17 provides that lawyers must take reasonable precautions to safeguard confidential information and prevent it from going to unintended recipients during the transmission. http://www.abanet.org/cpr/mrpc/rule_1_6.html (accessed January 17, 2009); For a detailed analysis and review of ABA Model Rule 1.6 (a) and other state bar opinions related to the duty of confidentiality, see Washington State Bar Informal Opinion 2080 (issued 2006) http://mcle.mywsba.org/io/print.aspx?id=1553 (accessed May 30, 2010), This opinion specifically addresses confidentiality issues arising from inquiries through a law firm s website.

Protecting Client Confidences 159 law office should have an SSL certificate and provide the client with secure transmission of data. See the above Chapter Three: Choosing the Technology, which discusses security used to protect sensitive lawyer and client data. As an example of what may be coming down the pipeline in terms of protecting confidential client information, a 2010 Massachusetts law was passed that provides regulations for how entities owning or processing personal information of Massachusetts residents need to protect those data. 15 The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), which passed the regulation, determined that personal information must be encrypted in order to provide adequate security for the confidential data. Nevada also updated its encryption law in January 2010 to require any businesses storing personal information where the storage is outside of the control of the physical business to ensure that the data is encrypted. 16 If the encryption requirement is seen as standard for business professionals entrusted with their client s personal information, then it may be only a matter of time before the state bars recognize that lawyers should be held to the same if not higher standards for protecting the confidentiality of their clients data. If lawyers know that unencrypted methods of communication with clients, such as unencrypted e-mail, are not the most secure methods of protecting confidentiality, then wouldn t those lawyers be in violation of most state bar rules and regulations requiring lawyers to take reasonable precautions to protect their clients confidential information? Accordingly, the same technology used by online banking and government tax authorities to provide services is the same level of security that should be used in operating a virtual law office. With a virtual law office, the only individuals who should have access to confidential attorney-client information are the lawyer and the client. The company hosting the law office data should keep the data encrypted even during updates to the software application that protects any attorney-client confidences from being viewed by a third party. By following these guidelines and conducting careful research of the third-party provider as discussed above in Chapter Three: Choosing the Technology, the lawyer may be confident that he or she is complying with the reasonable care standards required by the ABA and most state bars regarding protecting client confidential information. 15 See the General Law of Massachusetts, Chapter 93A, Regulation of Business Practices for Consumers Protection, http://www.mass.gov/legis/laws/mgl/gl-93a-toc.htm (accessed May 30, 2010). 16 See Nevada Revised Statute Chapter 603A Security of Personal Information, (2009) http:// search.leg.state.nv.us/isysquery/irl5021/1/doc (accessed May 30, 2010).

160 Ethics and Malpractice Issues There is some debate about whether a law firm should disclose to its clients details about the technology and any third-party service providers that it has chosen to create and maintain the firm s virtual law office. The author is of the opinion that it is not the duty of a law practice to disclose its professional practice management decisions to prospective clients and no state bar ethics or advisory opinions could be found to indicate otherwise. In the event that prospective clients request specific information about the technology, security or the user agreement with any third-party provider, the law firm will need to make the decision about which management aspects of the firm the clients need to make an educated decision about using the virtual law office for legal services. Rather than incorporating this information into a clickwrap or engagement letter, another option might be for the firm to provide reassurance and adequate notice to prospective clients through an educational page or section on the virtual law office Web site that discloses the nature of the technology, addresses security concerns and details how client data is handled and stored by the firm. Storage and Retention of Client Data The case file organization and document retention in a virtual law office may actually protect a lawyer from the malpractice risks that could be associated with a traditional law practice using basic e-mail as the only form of digital communication with clients. The lawyer has a duty to safeguard client property throughout the legal representation and for a number of years following the completion of the client s legal matter. The client s files and documents related to the case are the property of that client. 17 Recent state bar advisory opinions address the fact that not only are lawyers communicating with clients using technology, but they are also retaining their clients case files and other data related to their clients legal matters digitally. 18 For example, the Association of the Bar of 17 See ABA Model Rule 1.16(d): Upon termination of representation, a lawyer shall take steps to the extent reasonably practicable to protect a client s interests, such as giving reasonable notice to the client, allowing time for employment of other counsel, surrendering papers and property to which the client is entitled and refunding any advance payment of fee that has not been earned. The lawyer may retain papers relating to the client to the extent permitted by other law. http://www.abanet.org/cpr/ethicsearch/file_retention.html (accessed May 30, 2010). 18 The Association of the Bar of the City of New York Committee on Professional and Judicial Ethics, Formal Opinion 2008-1, A Lawyer s Ethical Obligations to Retain and to Provide a Client with Electronic Documents Relating to a Representation, NYC Eth. Op. 2008-1, 2008 WL

Storage and Retention of Client Data 161 the City of New York Committee on Professional and Judicial Ethics Formal Opinion 2008-1 addressed the lawyer s ethics obligation to retain and provide the client with electronic documents related to the legal representation. The opinion stated that the lawyer must take affirmative action to preserve any digital communication regarding the representation that may otherwise be deleted or lost from their digital filing system. The opinion also recommended that the lawyer discuss storage and retrieval of electronic documents and data at the beginning of the representation. The Arizona State Bar Committee on the Rules of Professional Conduct also published an advisory opinion concluding that lawyers may store law office data online and use a system that allows their clients to access the information online as long as the lawyer takes reasonable precautions to safeguard the security of that confidential information. 19 Lawyers operating virtual law practices are easily able to comply and go beyond what the ethics opinions recommend through the digital storage and recording of the case files within a virtual law office. Inside the client portal, each communication between the lawyer and the client is stored in a separate discussion section of the main case file. Each communication is labeled with the date and time of the transmission as well as the name of the individual who entered the message into the file. Likewise, any files that the lawyer has placed in the case file are labeled with the date and time of the online storage as well as information such as whether that document is a draft or a final legal document. Forms provided for the client to fill out online may also contain information regarding the last time the documents were edited and who edited them. Clients should be unable themselves to delete anything from their online case files in the client portal, which allows the lawyer to properly store data covering the entire representation. Because most state bars require that lawyers retain their case files for a period of years, all of the data stored in the virtual law office remain on the hosted system and are subject to regular backups on the server host- 3911383, (N.Y.C.Assn.B.Comm.Prof.Jud.Eth.), July 2008, http://www.nycbar.org/publications/ reports/show_html.php?rid=794 (accessed January 17, 2009). See also the State Bar of Wisconsin, Professional Ethics Opinion E-00-3, http://www.wisbar.org/am/template.cfm?section= Wisconsin_ethics_opinions&TEMPLATE=/CM/ContentDisplay.cfm&CONTENTID=48462 (accessed January 17, 2009), and the appendix State Bar Ethics and Advisory Opinions and Other Resources by Topic: Electronic Storage of Law Office Data. 19 Arizona State Bar Opinion 09-04 (December 9, 2009), http://www.myazbar.org/ethics/opinion view.cfm?id=704 (accessed May 30, 2010). See also Rule 1.6(a) of the ABA s Model Rules of Professional Conduct and specifically Comment 17 related to reasonable precautions.

162 Ethics and Malpractice Issues ing the virtual law office. In the event that the lawyer wants to discontinue his or her use of a virtual law office, wants to switch technologies providing virtual law practice management tools, or wants to leave the practice of law completely, he or she may contact the software company to return all of the law office data in encrypted format to the lawyer for storage and retention. It is recommended that a lawyer first check with the company providing the technology to ensure that the data collected and stored on the virtual law office during the course of the online practice may be easily returned to the lawyer in encrypted, digital format. See the above Chapter Three: Choosing the Technology. Complying with the reasonable precautions requirement to safeguard client property and protect confidential client communications means that lawyers delivering legal services online have the responsibility to keep updated on what is reasonable, given the speed at which technology is developing and the increasing number of security risks. Furthermore, it may be in the best interests of the virtual law practice to draft an additional provision in the clickwrap or other engagement agreement related to client data storage, return and retention. The virtual law firm could require that the prospective client agree to the nature of the online storage and digital format of their case file and acknowledge that the return of client data will be in digital format and most likely through electronic delivery. Considering that most clients seeking online legal services expect this feature from a virtual law firm and see it as a benefit to selecting a firm that delivers legal services online, it should not be a problem to add these details to the clickwrap or other engagement letter. For a law firm operating a virtual law office in conjunction with a brick and mortar law office, clients could be offered their files in paper and/or digital format depending on what the firm decides would be best for its clients. Electronic Discovery Consider that all data transmitted through and stored in a virtual law office has the potential to become electronic evidence in a legal case. Electronic discovery (ED) has crept into every law practice, including solos and small firms. Electronic activities may hang around longer than contracts written on paper and stuck in a file and may be easier to obtain if needed. Electronic discovery, as with any discovery, must be produced in a timely and proper manner when required. In the case of ED, much of this issue comes down to proper electronic data management and the ability to retrieve the necessary data. Accordingly, ED business standards

Case Study: Sharon D. Nelson 163 and best practices are critical for a virtual law practice. Lawyers operating a virtual law office should be familiar with ED and its potential impact on their businesses as well as their clients. 20 Case Study: Impact of Virtual Law Practice on Electronic Discovery Sharon D. Nelson, President of Sensei Enterprises, Inc., a computer forensics and legal technology firm in Fairfax, Virginia (www.senseient.com) Sharon D. Nelson is the coauthor of The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines (ABA, 2006) and Information Security for Lawyers and Law Firms (ABA, 2006), as well as The Solo and Small Firm Legal Technology Guide for 2008, 2009, and 2010 (ABA, 2008, 2009, 2010). She is also a co-author of How Good Lawyers Survive Bad Times (ABA, 2009). Ms. Nelson is also the author of the noted electronic evidence blog Ride the Lightning (http://ridethelightning.senseient.com) and is a co-host of the American Bar Association podcast series called The Digital Edge: Lawyers and Technology. The virtual practice of law is a fascinating development. Keeping costs low has allowed virtual firms to offer very competitive rates. This new and exciting model for practicing law is changing the face of lawyering in ways that lawyers of the last century could not possibly have imagined. Virtual lawyering has many potential implications. I ve been thinking about the possible effects of a completely Web-based practice on electronic discovery. Certainly virtual lawyers will use hosted electronic discovery repositories and SaaS versions of electronic discovery tools. In that, they will be no different than many other lawyers. They will, of course, want to carefully vet the pricing, capability, and security of these repositories and tools. Curiously, I think the biggest impact of virtual lawyering will come when the virtual law firm itself is a party to litigation. Simply because everything is outsourced, the virtual law firm will have data everywhere. Ruby Receptionist may have phone data, Legal Typist may have documents, Clio or Rocket Matter may have a wealth of information about 20 Comprehensive information on this topic may be found in The Electronic Evidence and Discovery Handbook, by Sharon D. Nelson, Bruce A. Olson, and John W. Simek (Chicago: ABA Law Practice Management Section, 2006), and also at DiscoveryResources.org (www.discoveryresources.org).

164 Ethics and Malpractice Issues cases and clients, VoIP providers will also have phone data, cell phone providers will have data, Google Wave or any other application function of Google will have data. Live data may be stored perhaps at one data center and backup data may be stored at another center. The law firm may not even know the location of these data centers, just the names of the companies they contracted with. The tentacles of data just go on and on. Large law firms always have a lot of data in many places, but that was typically not true of smaller firms. Generally, the firm held its own data. It might outsource payroll, have a CPA and, today, cell phone and Internet providers. Not a lot of third parties tended to be involved. In the electronic discovery world, one of the major headaches is simply locating the data, always a nightmare with a large entity. Virtual law firms will have to be looked at carefully to ascertain all of the third parties who have relevant data, depending on the nature of the case. The law firms themselves will have to do this in response to discovery requests, and the requestors would be well advised to look at their standard discovery requests and perhaps retool them for virtual law firms. I would retool in such a way that I identified in the request the kinds of third parties who might be involved. One of the biggest potholes in ED is overlooking a source of relevant data, often innocently. So if I make a request for data, it is prudent to carefully identify all possible sources of relevant evidence to prevent anything from being overlooked. The other aspect I would mention is security. At this point, I m assuming that the law firm is representing a client in an e-discovery matter. If trial strategy and privileged documents are located in the cloud, cloud security is always being penetrated by hackers and by those who perform electronic business espionage, which is an increasingly lucrative profession. It is very hard for a virtual law firm to truly know how secure its data are. I am not suggesting that brick and mortar law firms always secure their data well, just that they at least know what security measures have been taken. Every day brings us a new data breach story in the news, so security must be a prime concern. I also find that lawyers don t generally scrutinize their contracts with providers very carefully from a security standpoint. Sometimes providers provide soothing and incomplete assurances that a security specialist would quickly unravel. In any event, virtual lawyers should tread carefully when placing their data in the hands of others.

Selected Books from... THE ABA LAW PRACTICE MANAGEMENT SECTION The Lawyer s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together By Dennis Kennedy and Tom Mighell This first-of-its-kind guide for the legal profession shows you how to use standard technology you already have and the latest Web 2.0 resources and other tech tools, like Google Docs, Microsoft Office and Share-Point, and Adobe Acrobat, to work more effectively on projects with colleagues, clients, co-counsel and even opposing counsel. In The Lawyer s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together, wellknown legal technology authorities Dennis Kennedy and Tom Mighell provides a wealth of information useful to lawyers who are just beginning to try these tools, as well as tips and techniques for those lawyers with intermediate and advanced collaboration experience. The Lawyer s Guide to Marketing on the Internet, Third Edition By Gregory H. Siskind, Deborah McMurray, and Richard P. Klau In today s competitive environment, it is critical to have a comprehensive online marketing strategy that uses all the tools possible to differentiate your firm and gain new clients. The Lawyer s Guide to Marketing on the Internet, in a completely updated and revised third edition, showcases practical online strategies and the latest innovations so that you can immediately participate in decisions about your firm s Web marketing effort. With advice that can be implemented by established and young practices alike, this comprehensive guide will be a crucial component to streamlining your marketing efforts. The Lawyer s Guide to Adobe Acrobat, Third Edition By David L. Masters This book was written to help lawyers increase productivity, decrease costs, and improve client services by moving from paper-based files to digital records. This updated and revised edition focuses on the ways lawyers can benefit from using the most current software, Adobe Acrobat 8, to create Portable Document Format (PDF) files. PDF files are reliable, easy-to-use, electronic files for sharing, reviewing, filing, and archiving documents across diverse applications, business processes, and platforms. The format is so reliable that the federal courts Case Management/Electronic Case Files (CM/ ECF) program and state courts that use Lexis-Nexis File & Serve have settled on PDF as the standard. You ll learn how to: Create PDF files from a number of programs, including Microsoft Office Use PDF files the smart way Markup text and add comments Digitally, and securely, sign documents Extract content from PDF files Create electronic briefs and forms The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines By Sharon D. Nelson, Bruce A. Olson, and John W. Simek The use of electronic evidence has increased dramatically over the past few years, but many lawyers still struggle with the complexities of electronic discovery. This substantial book provides lawyers with the templates they need to frame their discovery requests and provides helpful advice on what they can subpoena. In addition to the ready-made forms, the authors also supply explanations to bring you up to speed on the electronic discovery field. The accompanying CD-ROM features over 70 forms, including, Motions for Protective Orders, Preservation and Spoliation Documents, Motions to Compel, Electronic Evidence Protocol Agreements, Requests for Production, Internet Services Agreements, and more. Also included is a full electronic evidence case digest with over 300 cases detailed! Virtual Law Practice: How to Deliver Legal Services Online By Stephanie L. Kimbro Virtual law practice is revolutionizing the way the public receives legal services and how legal professionals work with clients. If you are interested in this form of practice, Stephanie Kimbro will show you how to successfully set up and operate a virtual law office and responsibly deliver legal services online to your clients. This practical guide also provides case studies of individual virtual law practices along with client scenarios to show how web-based technology may be used by legal professionals to work with online clients and avoid malpractice risks. Social Media for Lawyers: The Next Frontier By Carolyn Elefant and Nicole Black The world of legal marketing has changed with the rise of social media sites such as Linkedin, Twitter, and Facebook. Law firms are seeking their companies attention with tweets, videos, blog posts, pictures, and online content. Social media is fast and delivers news at record pace. This book provides you with a practical, goal-centric approach to using social media in your law practice that will enable you to identify social media platforms and tools that fit your practice and implement them easily, efficiently, and ethically. How to Start and Build a Law Practice, Fifth Edition By Jay G Foonberg This classic ABA bestseller has been used by tens of thousands of lawyers as the comprehensive guide to planning, launching, and growing a successful practice. It s packed with over 600 pages of guidance on identifying the right location, finding clients, setting fees, managing your office, maintaining an ethical and responsible practice, maximizing available resources, upholding your standards, and much more. If you re committed to starting your own practice, this book will give you the expert advice you need to make it succeed.

Google for Lawyers: Essential Search Tips and Productivity Tools By Carole A. Levitt and Mark E. Rosch This book introduces novice Internet searchers to the diverse collection of information locatable through Google. The book discusses the importance of including effective Google searching as part of a lawyer s due diligence, and cites case law that mandates that lawyers should use Google and other resources available on the Internet, where applicable. For intermediate and advanced users, the book unlocks the power of various advanced search strategies and hidden search features they might not be aware of. The Lawyer s Guide to Working Smarter with Knowledge Tools By Marc Lauritsen This ground-breaking guide introduces lawyers and other professionals to a powerful class of software that supports core aspects of legal work. The author discusses how technologies like practice systems, work product retrieval, document assembly, and interactive checklists help people work smarter. If you are looking to work more effectively, this book provides a clear roadmap, with many concrete examples and thoughtprovoking ideas. The Lawyer s Guide to Microsoft Outlook 2007 By Ben M. Schorr Outlook is the most used application in Microsoft Office, but are you using it to your greatest advantage? The Lawyer s Guide to Microsoft Outlook 2007 is the only guide written specifically for lawyers to help you be more productive, more efficient and more successful. More than just email, Outlook is also a powerful task, contact, and scheduling manager that will improve your practice. From helping you log and track phone calls, meetings, and correspondence to archiving closed case material in one easy-to-store location, this book unlocks the secrets of underappreciated features that you will use every day. Written in plain language by a twenty-year veteran of law office technol-ogy and ABA member, you ll find: Tips and tricks to effectively transfer information between all components of the software The eight new features in Outlook 2007 that lawyers will love A tour of major product features and how lawyers can best use them Mistakes lawyers should avoid when using Outlook What to do when you re away from the office The Lawyer s Guide to Microsoft Word 2007 By Ben M. Schorr Microsoft Word is one of the most used applications in the Microsoft Office suite there are few applications more fundamental than putting words on paper. Most lawyers use Word and few of them get everything they can from it. Because the documents you create are complex and important your law practice depends, to some degree, upon the quality of the documents you produce and the efficiency with which you can produce them. Focusing on the tools and features that are essential for lawyers in their everyday practice, The Lawyer s Guide to Microsoft Word explains in detail the key components to help make you more effective, more efficient and more successful. The Lawyer s Guide to Microsoft Excel 2007 By John C. Tredennick Did you know Excel can help you analyze and present your cases more effectively or help you better understand and manage complex business transactions? Designed as a hands-on manual for beginners as well as longtime spreadsheet users, you ll learn how to build spreadsheets from scratch, use them to analyze issues, and to create graphics presentation. Key lessons include: Spreadsheets 101: How to get started for beginners Advanced Spreadsheets: How to use formulas to calculate values for settlement offers, and damages, business deals Simple Graphics and Charts: How to make sophisticated charts for the court or to impress your clients Sorting and filtering data and more Find Info Like a Pro, Volume 1: Mining the Internet s Publicly Available Resources for Investigative Research By Carole A. Levitt and Mark E. Rosch This complete hands-on guide shares the secrets, shortcuts, and realities of conducting investigative and background research using the sources of publicly available information available on the Internet. Written for legal professionals, this comprehensive desk book lists, categorizes, and describes hundreds of free and fee-based Internet sites. The resources and techniques in this book are useful for investigations; depositions; locating missing witnesses, clients, or heirs; and trial preparation, among other research challenges facing legal professionals. In addition, a CD-ROM is included, which features clickable links to all of the sites contained in the book. TO ORDER CALL TOLL-FREE: 1-800-285-2221 VISIT OUR WEB SITE: www.lawpractice.org/catalog

30-Day Risk-Free Order Form Call Today! 1-800-285-2221 Monday Friday, 7:30 AM 5:30 PM, Central Time LPM Regular Qty Title Price Price Total The Lawyer s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together (5110589) $59.95 $ 89.95 $ The Lawyer s Guide to Marketing on the Internet, Third Edition (5110585) 74.95 84.95 $ The Lawyer s Guide to Adobe Acrobat, Third Edition (5110588) 49.95 79.95 $ The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines (5110569) 99.95 129.95 $ Virtual Law Practice: How to Deliver Legal Services Online (5110707) 47.95 79.95 $ Social Media for Lawyers: The Next Frontier (5110710) 47.95 79.95 $ How to Start and Build a Law Practice, Fifth Edition (5110508) 57.95 69.95 $ Google for Lawyers: Essential Search Tips and Productivity Tools (5110704) 47.95 79.95 $ The Lawyer s Guide to Working Smarter with Knowledge Tools (5110706) 47.95 79.95 $ The Lawyer s Guide to Microsoft Outlook 2007 (5110661) 49.99 69.99 $ The Lawyer s Guide to Microsoft Word 2007 (5110697) 49.95 69.95 $ The Lawyer s Guide to Microsoft Excel 2007 (5110665) 49.95 69.95 $ Find Info Like a Pro, Volume 1: Mining the Internet s Publicly Available Resources for Investigative Research (5110708) 47.95 79.95 $ *Postage and Handling $10.00 to $49.99 $5.95 $50.00 to $99.99 $7.95 $100.00 to $199.99 $9.95 $200.00+ $12.95 **Tax DC residents add 5.75% IL residents add 10.25% *Postage and Handling **Tax TOTAL $ $ $ PAYMENT Check enclosed (to the ABA) Name Firm Visa MasterCard American Express Address City State Zip Account Number Exp. Date Signature Phone Number E-Mail Address Guarantee If for any reason you are not satisfied with your purchase, you may return it within 30 days of receipt for a complete refund of the price of the book(s). No questions asked! Mail: ABA Publication Orders, P.O. Box 10892, Chicago, Illinois 60610-0892 Phone: 1-800-285-2221 FAX: 312-988-5568 E-Mail: abasvcctr@abanet.org Internet: http://www.lawpractice.org/catalog

Are You in Your Element? Tap into the Resources of the ABA Law Practice Management Section ABA Law Practice Management Section Membership Benefits The ABA Law Practice Management Section (LPM) is a professional membership organization of the American Bar Association that helps lawyers and other legal professionals with the business of practicing law. LPM focuses on providing information and resources in the core areas of marketing, management, technology, and finance through its award-winning magazine, teleconference series, Webzine, educational programs (CLE), Web site, and publishing division. For more than thirty years, LPM has established itself as a leader within the ABA and the profession-at-large by producing the world's largest legal technology conference (ABA TECHSHOW ) each year. In addition, LPM's publishing program is one of the largest in the ABA, with more than eighty-five titles in print. In addition to significant book discounts, LPM Section membership offers these benefits: ABA TECHSHOW Membership includes a $100 discount to ABA TECHSHOW, the world's largest legal technology conference & expo! Teleconference Series Convenient, monthly CLE teleconferences on hot topics in marketing, management, technology and finance. Access educational opportunities from the comfort of your office chair today s practical way to earn CLE credits! Law Practice Magazine Eight issues of our award-winning Law Practice magazine, full of insightful articles and practical tips on Marketing/Client Development, Practice Management, Legal Technology, and Finance. Law Practice Today LPM's unique Web-based magazine covers all the hot topics in law practice management today identify current issues, face today s challenges, find solutions quickly. Visit www.lawpracticetoday.org. Law Technology Today LPM's newest Webzine focuses on legal technology issues in law practice management covering a broad spectrum of the technology, tools, strategies and their implementation to help lawyers build a successful practice. Visit www.lawtechnologytoday.org. LawPractice.news Brings Section news, educational opportunities, book releases, and special offers to members via e-mail each month. To learn more about the ABA Law Practice Management Section, visit www.lawpractice.org or call 1-800-285-2221.