Before we get started, I’d like to direct your attention to a really great cause (keep reading, this will cost you no money) that my friend Jamie alerted me to:
The Cystic Fybrosis Foundation is seeking $250,000 through the Pepsi Refresh Project to purchase and distribute breathing devices for infants with cystic fibrosis. If you want to help, please vote for the project here. Voting ends September 30.
What’s good about the Pepsi Refresh Project: (1) It’s not your money, it’s Pepsi’s. (2) All you have to do is register and vote. (3) It makes it easy to do something good today.
. . .
We’ve written here numerous times in relation to the new (becoming less new by the day) Massachusetts data privacy law and regulations (you may find all of our said musings linked out from this root post, on email encryption). (Yes, there’s still more to say. C’mon, I have to stay busy. Don’t make me write about being offline again, because I will.) One of the most vexing requirements of the revised regulations is that Massachusetts businesses, including (one more time, now solo and small firm attorneys (and any attorneys, or law offices, for that matter), maintaining statutorily-protected resident information must first vet, and then contract with (so that they will faithfully uphold the Massachusetts data privacy laws, too), third party vendors/service providers who will have access to their confidential information. We’ve discussed the potential difficulties with these requirements previously, here, specifically. For those of you unable, or unwilling, to click back, the essential difficulty is, as follows: How are you supposed to vet service providers without any guidance on how to do so? What if the service provider won’t sign off on a contract provision/you can’t get them to even address the issue of a contract provision (for the latter development, think of massive conglomerates, like Google and Microsoft)?
Stepping, anthropomorphically, forward, to fill the breach, just a little bit, is a proposed ethics opinion of the North Carolina Bar Association. The opinion, formally–perhaps that’s a redundant adverb in this case–known as (proposed) 2010 Formal Ethics Opinion 7, ostensibly addresses whether and how an attorney/law firm may select an SaaS (software as a service) provider. In addition to providing some good background information on what SaaS is, and how it functions in the legal environment, the opinion addresses two broad matters: First, North Carolina says, or, proposes, as of now, that its attorneys may use SaaS in their practice of law so long as steps are taken to avoid the inadvertent or unauthorized disclosure of confidential information. (Sound familiar?) Second, North Carolina, via this proposed opinion, offers a list (with the appropriate caveats) of 14 question sets meant to vet potential SaaS vendor companies’ risk factors for inadvertent or unauthorized disclosure of confidential information. (And, despite North Carolina’s lack of a data privacy statute similar to that adopted by Massachusetts, note that the third question set contains queries respecting contracting between vendors in relation to a lawyer’s professional duties and with respect to a potential agency relationship between the lawyer and vendor company; this suggests that contracting with vendors for risk minimization, with respect to data privacy, may be moving into the sphere of best practice, where it is not a legal requirement.)
But, What (more) does this mean for you, Massachusetts lawyer? Well, although there has been no similar ethical pronouncement respecting the use of SaaS by Massachusetts attorneys, the North Carolina Bar Association, through its proposed ethics opinion, provides, likely unwittingly, Massachusetts businesspersons with some guidance with respect to the two main issues related to the third party vendor vetting and contracting provisions of the Massachusetts data privacy regulations:
How are you supposed to vet service providers without any guidance on how to do so?
Well, now you’ve got 14 question sets to start with.
What if the service provider won’t sign off on a contract provision/you can’t get them to even address the issue of a contract provision (for the latter development, think of massive conglomerates, like Google and Microsoft)?
As we’ve said here at the blog before, if you can’t get the contract provision, you’re not strictly in compliance with the regulations. The semi-official answer, if you can’t get the contract provision, is that you should then look for similar service providers, until you find one who can do something for you close to what your original (preferred?) service provider would have done, but while signing off on a contract provision to uphold the Massachusetts regulations on data privacy in relation to their accessing of your data. But, What if you really liked your original service provider? What if they were an industry leader, perhaps the industry leader? Maybe the large, industry-leading company is just ignoring your efforts to contract with them, because they can. And, What if the similar service providers down on your list don’t vet well? Well, then, you’ve got two aspects of the statute butting against each other. Then this becomes a matter of risk management. Will appropriate vetting coupled with aggressive efforts to contract mean substantial compliance? Perhaps. But, no one knows for sure. If you believe that substantial compliance will become compliance, and you’re willing to take the risk of bypassing strict compliance, then your substantial compliance will look far better the deeper your vetting process is. Using the North Carolina question sets to begin vetting your service providers is a step in the appropriate direction, and will serve to buttress your general vetting procedure, a record of which, in addition to efforts to contract, will represent your stab at substantial compliance.
Some further notes:
-If this was not laid out clearly enough previously, it is an essential point, warranting reiteration: When you are vetting service providers and inquiring about contracts and contract provisions, keep records of everything you do. This is the building of your case for substantial compliance.
-The North Carolina Bar Association Ethics Committee has decided to send the proposed ethics opinion to a subcommittee for further study. So, if an official version of this ethics opinion is released, it may look a little different from the version we are seeing today, and which has been linked out from this post.
-No, not every vendor is SaaS; but, the majority of those that access your electronic data will be.
. . .
The fact that summer is ending is making me crazy. I want to reverse the rotation of the Earth, like a certain super man; but, alas, I cannot: Rodney keeps kryptonite in a jar in the office that I can’t touch.
I mean, it’s just unfair. This summer was bomb. I mean, the weather was dope, like all summer. I went to Branson. Played a ton of mini-golf. (Yes, I play miniature golf, and I’m awesome at it.) Found my favorite summer song in a long time: Brad Paisley’s “Water”. So, you can understandably blame my agitated state of mind for what I am about to do . . .
Here are some of the SaaSiest songs (haha!, I know) I know:
(Really, there’s nothing like some truly godawful 90’s pop music to lead you hurtling into your weekend. And, yes, I knew when “Unbelievable” came out without even looking it up.)
Yes, I’m ashamed. Thanks for asking.
(See, Rachel, you’re not the only one with absolutely horrific taste in music.)