This is the final post in a three-part series on the virtual practice of law authored by Stephanie Kimbro for the LOMAP Blog. The first part in this series provided a basic introduction to the topic of virtual law practice and the unbundling of legal services online. The second part in this series covered the marketing of a virtual law office. This final installment of the series addresses the ethical issues associated with, and best practices in relation to, the delivering of legal services online.

To hear even more of Stephanie’s take on virtual law practice, listen to her appearance on my “Legal Toolkit” podcast, here.

Stephanie is the winner of the ABA’s 2009 James I. Keane Memorial Award, for Excellence in eLawyering. For more information on Stephanie and her practice, visit her blog. And, watch for Stephanie’s book on virtual law practice, to be released by the ABA later this year.

. . .

I would like to take a moment to express my sincere appreciation to Stephanie for choosing to grace our blog with this in-depth and thoughtful series on the virtual practice of law, now concluding. Thank you, Stephanie.

. . .

The delivery of legal services online carries with it a number of ethical concerns; however, these ethical concerns are not all that unlike those that have traditionally been addressed by offline law firms. The online lawyer is able to mitigate risks associated with virtual law practice just as a traditionally-practicing attorney would with an offline practice when, for example, installing and using software for law practice management. There are two separate categories of ethics matters to address in connection with the virtual practice of law. The first pertains to the attorney’s duty in selecting the service provider that will be setting up, hosting and maintaining the virtual law practice. With any cloud computing service, there are precautions that must be observed in researching and choosing a software provider. The second category of potential ethics concerns relates to the attorney’s daily operation of the virtual law office; and, the focus there is on ways to mitigate potential malpractice risks when working with clients online. Further issues related to each category are discussed in greater detail below; and, in addition, suggestions are made and additional resources are pointed to, for further guidance.

Researching the Service Provider

When researching prospective software as a service (SaaS) providers, who would set up, and maintain, your virtual law office, you should carefully read through the provider’s Service Level Agreement (SLA), and thoroughly query the provider as to any remaining areas of concerns, following review of the SLA. If you don’t quite know where to start, the North Carolina State Bar has recently published a useful, proposed ethics opinion that provides a list of questions for attorneys to ask of prospective service providers, as well as offering further information respecting how the provider’s responses may potentially impact your virtual law practice. In addition to the North Carolina proposed opinion, you should also review the ABA’s eLawyering Task Force’s “Suggested Minimum Requirements for Law Firms Delivering Legal Services Online”, for some additional guidance. In Massachusetts, there are further requirements for dealing with third party service providers accessing certain protected resident client information, including the mandate that a contract provision must be reached with such third party service providers guaranteeing their compliance with Massachusetts’ data privacy regulations with respect to their accessing of your data. All of LOMAP’s blog postings respecting Massachusetts data privacy may be located via this root post.

Below is a list of items that should either: be addressed within the provider’s SLA, or (otherwise) be effectively and satisfactorily addressed by the provider when questioned by the attorney. As technology changes, especially in relation to the virtual practice of law, this list of issues may expand; alternatively, some questions may become irrelevant. And, for this very reason: the recognition that technologies become quickly outdated, the proposed North Carolina ethics opinion regarding the use of SaaS in law practice management, and other state bars’ guidelines, do not mandate specific technology requirements. Accordingly, the attorney establishing a virtual law practice should satisfy himself that his chosen provider will keep current with shifting security standards in the industry and will constantly update its services to address those changes.

1. Data Return and Retention Policies

a. Return of law office data should be in a readable format, preferably encrypted; and, data should be returned within a reasonable amount of time after request is made by the attorney.
b. What is the policy on making a request for data return?
c. Find out what happens to data after the relationship between service provider and attorney is terminated.

2. Third-Party Hosting

a. Understand the provider’s relationships with other companies.
b. Obtain a copy of any agreements between the provider and another company that covers servers, support and/or maintenance of law office data.

3. Government and Civil Search and Seizure Actions

a. How would the provider handle the related request, if handed a subpoena to deliver contents of law office data?

4. Server Information

a. Find out where servers are located, and if there is geo-redundancy.
b. Realize that servers located outside of the United States may be subject to international laws.
c. Does the service provider offer data escrow with servers located overseas?
d. Make sure that the servers are housed in Tier 4 data centers.

5. Compliance with Federal Regulations

a. If your provider will be collecting credit card information, rather than redirecting that service to another third-party hosting company, make sure that the service is PCI compliant.

6. Confidentiality Breaches

a. Will the attorney need to hold the service provider to unlimited liability for data breaches? If so, the provider should have adequate business insurance to cover the cost.

7. Security and Backups

a. Who has access to law office data?
b. Find and review confidentiality, privacy policy and nondisclosure statements.
c. Law office data should remain encrypted, and should only be decrypted with the permission of the lawyer/law firm.
d. Understand how backups, maintenance and updates to the service affect the security of law office data. Does the provider conduct regular secu
rity audits? How often do they backup data? Is there any downtime for maintenance, or for upgrades to service?

8. Transferring Data/Compatibility

a. Are there export features that allow for data to be transferred to other software applications, or backed up in-house, in addition to the online storage and backup? How easy would it be to transfer online law office data to a compatible system, if the virtual law office service were terminated? Would there be a resulting time gap when attorneys and/or clients would not have access to needed law office data?

Other, more general, questions for the service provider (including about: subscription costs, training availability and cost, support, infrastructure for growth, etc.) are not included above as ethics concerns; but, these matters should also be addressed, separately, within the selection process.

Daily Best Practices for the Virtual Law Office

There are other potential ethical concerns that arise from the attorney’s use of software for the delivery of legal services to clients online. However, the online form of practice management is no different than traditional forms of practice management in that there are daily best practices that the attorney must employ to ensure that he is acting responsibly, and ethically. With respect to many of the ethical concerns related to the virtual practice of law, the technology itself may be utilized in helping to prevent malpractice in the online delivery of legal services. Regardless of the structure of the virtual law practice, or the technology chosen to implement it, the following ethics concerns should be addressed prior to engaging in the delivery of legal services online.

1. Unauthorized Practice of Law

a. Attention must be paid to matters of compliance with respect to the marketing and advertising rules and regulations of each jurisdiction in which the virtual law office provides legal services. Jurisdiction checks need to be in place, so that, when a prospective client registers through the client portal, the attorney is informed as to whether the legal matter is within, or without, his jurisdiction. This process should also serve to notify the prospective client of the restricted jurisdictions in which the attorney is licensed to practice law.
b. Unauthorized Practice of Law with Multijurisdictional Virtual Law Firms: This species of virtual law firm must be especially careful respecting compliance with marketing and advertising rules and regulations of the several state bars implicated, which rules and regulations may include additional registration of URLs, and approval of website design (as are read the rules in multiple states).
c. Residency Requirements and Unauthorized Practice of Law: Residency requirements exist for a handful of state bars, which specifically require a “bona fide office” for a law practice. However, most of these rules do not specifically address the use of cloud computing or of a virtual law office, whether completely web-based, or as integrated into a traditional law practice.

2. Conflict of Interest

a. Conflict of interest checks should be run on both online and offline contacts.

3. Competency

a. The virtual attorney must make the decision on a case-by-case basis as to whether a prospective client’s legal matter may be adequately handled online, or whether that matter requires the attention of a full-service law firm. Different practice areas and client bases require different processes and forms of communication. The attorney should recognize what level of legal assistance he or she may provide online, and then adequately inform the prospective client of the limitations of those services.
b. A virtual law practice may streamline the legal workflow, but it should never compromise the quality of legal services delivered to clients, or affect the attorney’s zealous representation in a legal matter.

4. Conflict of Laws

a. This issue occurs when an attorney provides federal law–related legal services, like intellectual property law services, online. The attorney practicing in this wise may handle the online client’s matter as far as it relates to the federal law issue; but, if that same online client requires the drafting of a state-specific legal document, such as a contract, the attorney may not handle this aspect of the project for the online client if that client is not located in a state in which the attorney is licensed to practice law.

5. Authentication of the Online Client’s Identity

a. While the attorney should conduct some form of online verification to ensure that the prospective client with his virtual law office is who he claims to be, it is not the attorney’s duty to so identify the prospective client to prevent fraud.
b. The online client should sign clickwrap agreements in order to confirm his identity online, and in order to accept the terms of representation. Just as a traditional law firm would accept a signed engagement letter from a client, an online attorney should be able to rely on contact and other information provided via the client portal.
c. Forms of video and web-conferencing could be used to speak to prospective online clients initially, and, specifically, to assist in the verification of identity, if necessary.
d. It is the attorney’s responsibility to refer the prospective online client to a full-service law firm for legal matters where the attorney does not believe that online methods used to authenticate identity are adequate under the circumstances.

6. Defining the Scope of Online Representation

a. Prospective online clients must understand the scope and nature of the legal representation being offered through the virtual law office, and must provide their informed consent as to the scope and nature of that representation. Notice will depend upon whether the virtual practice will provide completely web-based, unbundled legal services or whether the virtual practice will be run in conjunction with a full-service firm. One current debate is whether the attorney should be required to inform the client of where law office data is hosted, and, further, more generally about the chosen SaaS applications used to deliver the online legal services.
b. If unbundling legal services, the attorney should check with his state bar for any ethics or advisory opinions on the subject. There may be rules and regulations in place regarding the procedures for limited representation. In Massachusetts, you should review, on this head, the Massachusetts Bar Association’s Ethics Opinion No. 98-1, regarding unbundling legal services. You should also review, as persuasive matter, this handout, from Lawyers Mutual of North Carolina, which features recommended guidelines for the unbundling of legal services.

7. Establishing the Attorney/Client Relationship Online

a. Another ethics concern may be that the virtual lawyer creates an unintended lawyer/client relationship online. Multiple clickwrap agreements and communications with prospective clients address this concern and ensure that the client has adequate understanding of the nature of the relationship, and so provides informed consent to the attorney.
b. In addition to using a clickwrap agreement to establish the attorney-client relationship, the attorney may also use a combination of online and traditional methods to ensure that he has clearly established the attorney-client relationship.

8. Protecting Client Confidences

a. Most state bars have rules of professional conduct requiring that communications transmitted from the client to the lawyer be kept confidential. Accordingly, a virtual law offic
e should have an SSL certificate, and should provide the client with secure data transmission.
b. Ensuring the protection of client confidences depends on the ability of the attorney to thoroughly research the cloud computing provider used so as to achieve a real understanding of the technology behind the system, the security of the system and how the virtual law office data is stored and protected.

9. Online Storage and Retention of Client Data

a. The attorney has a duty to safeguard client property throughout the legal representation, and for a number of years following the completion of the client’s legal matter. The attorney needs to understand how the law office data is stored and retained by the service provider used. For questions to ask, and considerations to take, in vetting a service provider, review the above section related to researching the cloud computing service provider.

10. Online Payments and Trust Accounting/IOLTA Compliance

a. Ensure that funds are allocated to the correct trust account in each client’s jurisdiction, and that your trust accounts are in compliance with your state’s IOLTA requirements. This takes additional work when there is more than one lawyer, and where there are multiple jurisdictions’ regulations in play, requiring compliance with sets (versus a set) of rules.

11. Daily Best Practices to Avoid Malpractice

a. It is the responsibility of the attorney to ensure that he or she is not only well-educated, but also keeps up to date, on security issues related to the use of the technology package selected for delivering online legal services.
b. Virtual law firms should consider establishing best practices guides for use by attorneys using remote devices, like laptops and smartphones. An attorney using such devices should know, for example, how to protect his or her unique username and password and to avoid remotely accessing client information via free, public WiFi networks. A best practices guide would address these, and similar, questions.
c. Provide online clients with educational content pertaining to the protection of their client portal usernames and passwords and respecting guidance as to how to protect themselves from identity theft and other security risks associated with conducting business online.

While many of the ethics concerns discussed above do not differ overmuch from those attending traditional law practice, these concerns do require that a baseline of careful research and consideration must be undertaken before an attorney begins to deliver legal services online.