Thoughts on the Law Society of BC Bencher Bulletin Feature Article: The Real World of Virtual Law Firms
I read with interest an article out today in the Law Society of BC Bencher Bulletin about virtual law firms.
Some quotes caught my particular attention. Specifically, a Practice Advisor at the Law Society of BC is quoted as follows:
Some lawyers are so keen on the technology and reducing overhead by having a ‘virtual law firm’ that they are not putting their minds to the professional responsibility issues regarding confidentiality, conflicts, client identification and verification, determining mental capacity of the client to instruct, undue influence over the client and so on.
There are currently very few law firms that I am aware of in BC that are in fact “virtual.” The virtual firms that I am aware of in BC are actively involved in professional responsibility issues, have been in proactive communications with the Law Society of BC in this regard and ascribe to the American Bar Association Law Practice Management eLawyering Task Force Best Practices. I wonder what virtual law firms are being referred to that are not putting their minds to serious professional responsibility issues?
Another quote from the article struck me as interesting:
“In terms of confidentiality, if clients are logging onto the firm’s website to exchange information then lawyers need to consider the site’s security, among other things,” advised Buchanan. “They need to protect it from hackers and fraudsters. Ideally their server should be in their office and, if not, they need a major provider with an air tight confidentiality agreement — not just a server in their garage. If your server is an American one there is a significant risk to the security of your clients’ information, because the US government could invoke the USA PATRIOT Act.”
So, according to the Law Society of BC, if your server is an American one, there is a serious risk to client data under the USA Patriot Act? First of all, many major financial services providers and even governmental organizations in Canada engage in transborder data flows of confidential information through the use of contractors and subcontractors located in other jurisdictions. The use of information services suppliers between countries is a significant component of the world economy. To be clear, some departments of the Government of Canada itself contract with information services providers resulting in confidential personal information about Canadian citizens residing on foreign servers, including the US.
I will quote the Treasury Board of Canada:
How worried should I be that my personal information could be accessed under the USA PATRIOT Act? The chances of this happening are remote.
The Law Society stands by its advice in the fall edition of the Benchers’ Bulletin to lawyers who want to practice in a virtual setting. The Society is advising lawyers to approach this practice style prudently and with caution and to proactively consider risk management. The Society is determining what further rules and policies may be required in the evolution of law practice.
In relation to Ms. Garton-Jones’ criticism of the Law Society’s advice to lawyers to refrain from using an American server to store clients’ information, there are many reasons why it is prudent to use a server in this jurisdiction, including:
1. Law Society trust accounting rules require lawyers to store records at their chief place of practice in British Columbia (emphasis added, Rule 3-68);
2. The USA PATRIOT Act could be invoked by the American government.
3. Note that the BC Privacy Commissioner warned as early as 2004 that there is a “reasonable possibility” of unauthorized disclosure of British Columbians’ personal information under the USA PATRIOT Act, “rigorous other measures must be put into place to mitigate against illegal and surreptitious access.”
Even if the Treasury Board of Canada is of the view that chances of personal information being accessed by the American government via the USA PATRIOT Act are remote, the Law Society would discourage lawyers from taking any unnecessary risk, whether remote or otherwise, to confidential client information. Lawyers must ensure they are meeting their obligations in accordance with the Law Society Rules, the Professional Conduct Handbook and the law regardless of whether they choose to practice in a traditional manner or to embrace new practice methods, such as a virtual law firm.
Lawyers with questions or concerns about how to meet their obligations to their clients are encouraged to contact the Law Society’s Practice Advice Department.
Nicole, great article, and I think you’ve touched on an issue that could have a profound and negative effect on all Canadian, and especially BC-based, lawyers. I will plan on writing a bit more extensively on this in my Monday Slaw post.
As usual the “Head Up Their Ass” approach is still alive and well at LSBC. The quotes make me wonder what they will say about “Cloud” computing which will surely be the next BIG thing in technology and something that most law firms will/should embrace.
Keep up the good fight.
Michael Anderson
Innovative Consulting Ltd.
Nicole at least you were able to coax a position out of your law society.
I too use the US DirectLaw platform for the virtual component of my practice physically located in Calgary. I tried to get some guidance from our practice advisors before going virtual. Despite their best intentions, they were not able to provide much assistance simply because they are not familiar with the issues. As a result I’ve been very slow in moving forward with this initiative.
It’s unfortunate that those of us going “virtual” have had to find real guidance and practice advice from the ABA and our American colleagues and not our own law societies. Even though I could have used any number of local providers, I chose DirectLaw simply because it was created specifically for and run by lawyers who understand the ethical and security concerns lawyers must deal with. The gentleman behind DirectLaw is a lawyer and currently the chair of the ABA’s eLawyering Task Force. I believe those are some pretty impressive credentials to weigh against the remote risk of disclosure under the Patriot Act. DirectLaw itself is an affiliate of a U.K. company. The U.K. is another jurisdiction where virtual law firms are successfully providing legal services.
Let’s not kid ourselves. Google “Canada Online Legal Documents” and you’ll get over 7 million hits. Right now legal services are being delivered on-line primarily by untrained and unregulated “legal document services”. Is it not in the public’s best interest to enable trained and regulated lawyers to provide these on-line services and address the ethical issues as they relate to providing legal services on-line?
Virtual law offices can be an important tool in bringing the cost of legal services down for lower and middle class families and owner-operated businesses. Lawyers operating in this sphere have an important role to play in improving the access to justice for many. If our law societies are serious about access to justice they have to start taking eLawyering seriously and adapt the rules to the realities of the marketplace.
It is true that the US government, using the PATRIOT Act (and possibly other statutory authority), can look at any records stored in the US, or maybe even accessible from the US. However, law enforcement authorities in Canada can also do a fair bit of searching and hacking, though they are supposed to respect privilege.
All the privacy commissioners in Canada have, I believe (without checking), accepted the storage of personal information about Canadians in the US, so long as there is notice that this will happen.
The bodies that store PI in the US (like most or all of the big banks) are not subject to obligations like the one cited by the Law Society of BC, that trust records be stored in the province. That rule was not intended to be a subsidy to local record-storage businesses, though. I suspect it has more to do with the ability to control the practices of the storage site. So the rule may need flexible interpretation – and the PATRIOT Act fears are a separate consideration.
So far as I am aware (a limited extent), the Law Society of BC is neither stupid nor luddite, au contraire, but it may need to rethink the wording of its warnings on a virtual practice. By all means underline the need to think about security, accessibility and confidentiality. Blanket prohibitions of using US-based services may not be so justifiable.
And another representative of the Law Society of BC had some sensible comments on e-security on Slaw back in January, noting deficiencies in a US state bar ethics opinion on the same topic. So things are not simple, and one size as usual does not fit all…
http://www.slaw.ca/2010/01/07/ethics-and-the-on-line-storage-of-client-documents/
Note the comments as well.
I agree with Nicole’s comments. Most of the legal professionals I know operating a virtual law firm are very cautious in choosing the cloud computing technology and software provider. In fact, I’d have to say that the attorneys delivering legal services online are more careful in their planning and best practices than most attorneys in traditional firms who use cloud computing applications with law office data on a daily basis and do not go through the process of educating themselves about the software provider or reading through and understanding the service level agreement (SLA) for the product.
I wrote a longer blog post in response to the article by the LSBC and Nicole’s post.
It seems that the Law Society is responding to emerging technologies with the same knee jerk reaction as U.S. ethics committees. As I discuss frequently in the soon-to-be-published book (by the ABA) about cloud computing for lawyers that I’m in the process of writing, lawyers worship precedent and have a hard time accepting change, so these Draconian attitudes toward new technologies aren’t surprising to me.
It reminds me of the reaction to email in the 90s, when some ethics committees suggested that lawyers needed to obtain their client’s permission prior to contacting them via email.
As we all know, lawyers eventually accepted email as common practice simply because they had to–everyone else was using it. The same will be true of virtual law office technologies and cloud computing. Once these technologies are commonly accepted by other businesses, lawyers will be forced to adapt.
Better late than never, I suppose.
In researching an article on international cloud security regulations I recently wrote for LJN’s Legal Tech Newsletter (http://bit.ly/dqRNya, but you must subscribe or pay for it, that includes me), it became clear that the US is frowned upon for its lack of cloud security regulation (as opposed to a blanket regulatory scheme like the EU Directive). The perception is that the US pro-business stance has a chilling effect on any comprehensive regulation. In addition, the original article’s references to the US Patriot Act are accurate as far as perception goes. Unfortunately, Canada joins with the rest of the world’s fear that any personal data stored on servers located within the US will be subject to governmental scrutiny, without understanding the circumstances under which that may occur.
International committees are currently conducting meetings to determine if it is possible to create international security standards for virtual law practices. I fear this can only result in more regulation rather than less. On the other hand, lawyers must learn and understand their duties to conduct due diligence in choosing a cloud vendor to comply with their professional obligations. However, given the nature of the cloud storage, many of the old rules (i.e., BC trust account data must be stored in BC) must be changed to reflect new methods of data storage and transmission. Seems like a resolution to this is going to be a long up-hill climb.
Generally speaking I think the original article in Benchers’ Bulletin is an enjoyable “lifestyle” piece. It’s a feel-good piece about a couple big-corp lawyers who took life by the horns and started their own practice to regain balance in their lives.
However, it’s discomforting to see a great piece be tainted by generalizations and misinformation.
Take for example this quote:
True, but come on. The paragraph immediately following it mentions
, and
. Good grief.
Yes attorneys must always abide by their moral and ethical obligations. And Yes there are bad guys out there writing computer viruses as well as trying to break into your brick-and-mortar Big Law office. Fanning the flames of fear isn’t helping attorneys or clients.
To step back a second, as most readers of Ms. Garton-Jones’ column know, there are many many different services and applications that exist “in the cloud”. They’re innumerable and their capabilities, effectiveness, and applicability range widely. However, responsibility rests with the firms who choose to use them. No matter what tools, employees, or sub-contractors firms use, they are ethically and morally obliged to protect confidentiality and abide by rules of professional conduct.
Cloud-computing is a boon for small businesses and it’s no surprise to see the model bringing cost-effective capabilities to small and solo law firms. Those capabilities can provide a virtual law-office, individual unbundled legal services, or merely point solutions like secure attorney-client communication.
Now, for full disclosure, I’m CTO at Total Attorneys. We provide cloud-based applications and services. Regardless, just like in life itself we must take responsibility for the actions of ourselves, our employees, and tools we use to get the job done.
It sounds to me like the Practice Advisor is reacting out of fear. That’s unfortunate and it’s particularly disturbing given that this is someone advising other practitioners. Fear creates an environment with minimal innovation. If we need anything in the legal arena it’s innovation.
Clients at every level are calling for innovative approaches to problem solving. It’s our job to come up with new solutions. Our practice advisors should be helping us, not holding us back.
My investigation shows me that recent technological advances do lower cost for clients, but they also increase security, add convenience for clients and assist clients in making better informed decisions.
We need practice advisors that are focused on moving forward. We don’t need advice from people hanging on to the status quo out of fear of change.
Nicole, you are, as usual, right on track.
Lee Rosen
DivorceDiscourse.com
Great posts, and great conversation.
Take a look at most traditional law firm offices and tell me that client information isn’t MORE at risk by casual visitors into offices, cleaners, and security guards. Consider the risks packing around disks, portable drives, flash drives, and other physical items that can be lost.
To suggest that lawyers should host their servers in-house is to force lawyers to engage in a degree of security that most can’t afford and that cloud servers can economically provide. Effective protection against hackers, physical data loss, and business continuity and the risks of such events happening are far better borne by professional businesses who specialize in such activity than the attempts by small firms to ask their part-time IT contractor to monitor – let alone impose significant physical security constraints to protect hardware from direct hacking.
Ultimately, the choice should be with the client – arguments about clients who are not in a position to judge such things well taken. My engagement agreement contains clauses specifically disclosing my use of cloud services and even setting out the alleged risks. Most of my clients will tell you: “I put my most personal details on Facebook … why AREN’T lawyers using cloud services to save us money????”.
This is an issue that will resolve in favour of cloud services in time. But it will take educated lawyers to help our regulators get comfortable with inevitable evolutions in the industry.