There's a lot of talk about "the cloud" right now, especially in the wake of last week's announcement of the iCloud. The cloud, better known as Software as a Service (SaaS), is, in a nutshell, software and storage capabilities accessed via the internet, with data stored at sites owned by a vendor or vendors. A few states have either already adopted or proposed guidelines for attorneys using SaaS models. Most recently, my home state of North Carolina issued a proposed opinion that states, yes, you can use software as a service for your practice "provided the lawyer uses reasonable care to assure that the risks that confidential client information may be disclosed or lost are effectively minimized."
So exactly what does "effectively minimized" mean? And how does one know if it's "reasonable care" or not? The NC Bar opinion attempts to define it by offering a set of mandatory steps including:
The opinion offers other suggested guidelines for minimizing risk, such as installing security software on end-user computers, reviewing copies of the vendor's security audits, and contracting with the vendor to limit the employees with access to the firm's documents.
The concern - breached confidential data - is understandable and very real. But are these mandatory steps too constricting? Many small or solo practices would benefit from the economical side of using SaaS models, but may not have the resources to meet the mandatory steps, which would keep them from using this model at all. And while vendors are continually improving security, there seems to be a news story every week about a big corporation suffering from a random hacker's handiwork.
Would you trust a law firm that used SaaS to store your confidential records?
Read the NC Bar Opinion here. Scroll down to Opinion 6.