The Myth of Due Diligence

Lawyers have not adequately met the vague notion of due diligence when it comes to legal technology, probably because they are unable to. This realization hit me at a CLE seminar when one of the panelists – perhaps me – made the comment that, if lawyers want to use cloud computing, they should perform due diligence about the company they were going to use. The lawyer’s response was, “how do I do that?”

Due diligence is a way of showing one has acted reasonably. When it comes to technology, it’s an assessment of all of the variables that impact the use of that technology within your practice. In essence, it is an extension of the prevalent thou shalt be reasonable ethical standard for lawyers. The challenge comes when we devise lists of risk avoidance steps that may or may not be achievable.

I’m a Lawyer, not a Techie

There is an increasing expectation that lawyers are able to use technology to efficiently and professionally manage their practices. Fine, no problem there. But there can be a significant gulf between understanding how to perform technology functions, even more complicated ones like backups or encryption, and understanding the underlying strengths and weaknesses of the technology. It may be fair to say that due diligence in practice technology has, to date, relied on the too big to fail concept: no-one was ever fired for buying Microsoft, Cisco, etc.

Let’s assume for a moment that you do not have a dedicated IT person and perhaps not even a technology consultant helping you with your practice. Hardware selection is still relatively straightforward: read a couple of reviews or ask the Buy More Nerd Herd what they recommend. They’ll lard your purchase with sufficient warranties and replacement deals to enable you to recreate your hardware environment should it fail.

Software is a bit more complex. Most lawyers do not have the ability to assess whether the software they buy is well designed nor whether the company who distributes it is solvent. Microsoft patches its software every month, which might suggest to some that it wasn’t as good as it could have been when it was released. At least they fix it. We rely on software companies to eliminate bugs and other problems but there is usually no proactive way for a lawyer to identify these flaws before they are patched.

The legal vertical market is made up of many smaller companies selling software. They are either selling highly customizable software to mid-size and large law firms or they are selling off-the-shelf software to the entire market. While recommending that lawyers review software licensing agreements and negotiate specific clauses in or out of a given contract sounds like a good strategy, in the end it is not something that will be achievable in all cases. At some point the bargaining power of the lawyer or firm is going to be sufficiently small that it is better to lose their custom rather than tweak the agreement.

It begs the question of the level of sophistication lawyers need in order to practice using technology. The statement “use due diligence” is often followed by a laundry list of risk management questions to ask a technology provider. These lists make me wonder how many lawyers have actually been able to invoke them when buying the hardware and software for their offices. Even when a law firm relies on a technology expert, there is an assumption that that person is able to bridge the two knowledge sets of technology and legal ethics and help the lawyers ask the right questions.

Why is the Cloud Different?

The due diligence drumbeat has grown as more lawyers have started to use cloud-based systems in their professional lives. This shift from personal adoption to professional adoption creates new behavioral and ethical risks that may be overlooked. Our selection of online mail or social software can rely as much on what all of our friends are using as on which company is most viable and whether this particular product in the portfolio will be long-lived. The cloud may actually create fewer options for the kinds of flexibility – specialized contracts or features – that common due diligence advice suggests.

Cloud computing doesn’t require more risk awareness than other technologies; the risks just sometimes look different. Lawyers might have been caught out by the many Google products cancelled in the past twelve months, but local software and hardware are discontinued just as often, sometimes replaced with a new product. It can be hard to be aware of the trends that will lead to the sunset of your software or its provider.

If due diligence is called for – and something is, whether it needs that name or not – then it should apply equally to the wireless routers, operating systems, and locally installed software within law practices. When the concept is applied only to the cloud, it creates the idea that this is somehow a new obligation and, potentially, easier to do with Internet-based systems.

This is probably the biggest challenge of cloud due diligence. The companies that are too big to fail are probably not the companies who will reveal their business intricacies, nor are they likely to adapt to the requests of an individual lawyer or firm. At the other end, the legal vertical market is filled with smaller players who are building their hosted systems with the same entrepreneurialism as the traditional software companies. The likelihood of their viability is not always going to be clear from looking at their current financial state, even if they are willing to disclose it. That’s not to say that no-one could make a guess, but that lawyers may struggle to understand those sorts of documents if they have not dealt with them before.

Knowing Your Systems

There is no question that lawyers should understand the impact of selecting a software application or hardware device on their ethical and practice obligations. At the same time, blowing this awareness into something called due diligence may create unachievable demands on lawyers. Not every lawyer will have the same abilities – or make the same professional determination – as to the risk raised by a given technology used in a particular way. We set lawyers up to fail to use technology, out of fear, when we create an expectation that a risk avoidance wish list is achievable, or necessary, in every selection process.


  1. A lot of words, but at the end of the day the article really said nothing and didn’t provide any useful information. No information on best practices for due diligence. No information on companies that this author may have already vetted. No information on minimum encryption standards for storage in and transport to the cloud. No information regarding determining where the encryption keys are stored and whether the company’s employees could access the documents stored in the cloud.

  2. Dear David,

    While I enjoyed your title, Due Diligence is not a myth!

    Like you, I was quite stunned that in the 21st century a lawyer at a CLE seminar, one of the panelists no less, actually asked how to do due diligence.

    The scientific methods of due diligence were invented back in 1993, and Due Diligence Standards (Best Practices) have been available since 2003.

    It is clear that someone in the legal profession is not doing their job… informing lawyers of these very basic facts.

    It would be particularly embarrassing if a lawyer actually told their clients that they did not know how to do due diligence.

    Please let me know if we could publish your article in our forums.

    All the Best,

    Georgina Lee
    The Association of Due Diligence Professionals

  3. @Anthony: fair enough. The point wasn’t to give you the buying advice; I think that’s well-documented. My concern is that lawyers may think that there is a perfect list of things to verify, and that their inability to comply reflects their reasonableness. Also, I think it’s wrong to approach lawyer ethics surrounding technology by giving the cloud a higher set of standards than are applied to local technologies.

    @Georgina: due diligence is a reality. I think it’s a misnomer when applied, as it commonly is, to buying decisions for software and hardware. There is a place for due diligence – and lawyers need to do it as part of their professional roles – but I think the term is used far too loosely where legal technology and ethics overlap.

  4. David,

    You are quite right, due diligence is definitely “used far too loosely where legal technology and ethics overlap,” unless of course the due diligence work is performed by people who have learned the training to perform due diligence to the Due Diligence Standards.

    Also, please let me know if we could publish your article in our forums.

    All the Best,

    Georgina Lee
    The Association of Due Diligence Professionals