The American Bar Association's Legal Technology Resource Center describes SaaS computing as follows:
"SaaS is distinguished from traditional software in several ways. Rather than installing the software to your computer or the firm's server, SaaS is accessed via a web browser (like Explorer or Firefox) over the internet. Data is stored on the vendor's data center rather than the firm's computers."
The North Carolina Ethics Opinion clearly states the central question:
"SaaS for law firms may involve the storage of a law firm's data, including client files..., on remote servers rather than on the law firm's own computers and, therefore, outside the direct control of the firm's lawyers. Given the duty to safeguard confidential client information... may a law firm use SaaS?"
The Ethics Opinion concluded that the use of SaaS computing by lawyers and law firms is acceptable, provided that:
1) "Steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss...
Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has long held that this duty does not compel any particular mode of handling confidential information nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information."
2) The law firm should be able to answer a number of questions, including:
- Who has access to the data besides the lawyer?
- Who owns the data -- the lawyer or the SaaS vendor?
- How does the SaaS vendor, or any third-party hosting company, safeguard the physical and electronic security and confidentiality of stored data?
- Where is the data hosted? Is it in a country with less rigorous protections against unlawful search and seizure?
- If the SaaS vendor goes out of business, will the lawyer have access to the data and the software or source code?
- How often and on how many geographically distinct servers does the data get backed up?
As a Legal Process Outsourcing company with years of experience in data security on third-party servers, we find the North Carolina Bar Association's opinion entirely pragmatic.
"...the Ethics Committee concludes that a law firm may use SaaS if reasonable care is taken effectively to minimize the risks to the confidentiality and to the security of client information and client files. However, the law firm is not required to guarantee that the system will be invulnerable to unauthorized access."