Practicing Law with SaaS

Originally published in National Magazine

Good lawyers have always been good collaborators. Have we entered an age where the most technologically tuned online collaborators win the lion’s share of business?

Perhaps. Many of today’s web-based software arrivistes enable lawyers to handle more of their business online than ever before, thanks to a phenomenon known as Software as a Service (SaaS).

How do you recognize SaaS? Ponder these present-day examples: you can author documents online using wikis and Google Docs instead of the tried-and-true Microsoft Word; you can hold meetings online with Webex instead of bringing people together physically; and you can keep digital documents on computer servers rather than paper ones in cabinets.

The most striking feature: SaaS software users don’t install any software on their computers. SaaS tools rely only on a standards-compliant web browser, since the application is “hosted” on another computer in the “cloud,” the symbol on computer network architecture diagrams that represents the Internet. (That symbol gave rise to the term “cloud computing”.)

And, to some extent, SaaS tools supplant the granddaddy of online business tools, electronic mail. That might not be so bad, according to David Poellhuber, CEO of Montréal-based ZeroSpam. “Nobody could have guessed that we would be in a situation where 95% of email traffic is spam,” he said. “It really congests your Internet link.”

Webtrepreneurs are tackling ever-more specialized niches, including law. Major Canadian law firms have established beachheads in the global online legal networking community LegalOnRamp.com. Meanwhile, lawyers send invoices using Toronto-based Freshbooks.com. They even manage cases via Florida-based RocketMatter.com.

Given the falling costs and rising availability of broadband Internet access, SaaS tools are feasible options. But are lawyers ready to share control over information that belongs to them and, more importantly, their clients, with these arguably SaaSy upstarts?

Maybe. Attorneys who regularly access information on the road may find SaaS attractive, as might small firms that want enterprise-quality tools at affordable rates without the hassle of managing IT infrastructure. And SaaS helps lawyers work with a variety of people, including administrators, support staff, associates, government agencies, contractors and clients.

David Fraser knows something about software costs. “A lot of work goes into upgrading software at a law firm,” said the privacy and technology lawyer for McInnes Cooper. “They have to make sure that one thing won’t break another thing.

“(With SaaS) all this responsibility is pushed off onto another organization,” Fraser continued. “You get the benefits and pay a reasonably low monthly fee.”

And unlike traditional software shops that maintain one distinct development effort for each operating system (Microsoft Windows and Apple’s Mac OS being the most common) that they want to serve, SaaS developers create and support software for one platform that works on every modern OS: the World Wide Web.

While “pure” SaaS providers base their entire operations in the cloud, traditional “installed” software makers like Microsoft and Adobe offer hybrids – part traditional installed software, part SaaS. Setups like these that straddle the fence between wholly installed and “pure” SaaS models may help to guard against the potential pitfalls of SaaS.

However, they do not avoid the most common critique: data resides outside a law firm’s firewall. In rebuttal, SaaS proponents point to services like package tracking, library reservation systems and online banking that offer online access. But computer consultant Steve Smith of Oakbridge Information Solutions makes an important distinction. “With banking, you can always drive over to a bank or an ATM and check your account. You can pick up the phone and call somebody.”

Like the phone system, Internet service is a utility. Larry Port, founding partner and chief software architect of Rocket Matter LLC, sourced a provider for his company’s servers that guarantees realistic “four nines” uptime (the service is available 99.99 percent of the time). “You want to be in that range.”

“If anybody offers you 100 percent uptime, I would be careful about that,” Port continued. “There are things that are external to their service, just like any utility.”

Other concerns also perturb attorneys. SaaS providers and their employees are usually outside the legal profession and outside the firm’s employ. Not all SaaS providers are created equal. And some attorneys doubt that clients want their information in a cloud, in case it rains somewhere it shouldn’t. “We are talking about putting our data in other people’s hands, outside of our offices,” said Jim Calloway, Director, Management Assistance Program for the Oklahoma Bar Association. “That’s what makes people nervous.”

Some of these worries resemble the ones that lawyers faced when they first started using email. “Email now travels over the Internet unencrypted and it goes through other people’s systems,” said Fraser. “There was a whole lot of hand-wringing over whether this would violate privilege, whether security was sufficient.”

“Clients themselves communicate with lawyers using email, so they implicitly consent to lawyers using email as well,” Fraser said, adding that disclaimer statements at the bottom of emails explain this implicit consent.

Those disclaimer statements helped strike a better balance between benefits and risks, and today, multitudes of lawyers check email on their BlackBerries without a second thought. Email managed the journey to widespread acceptability. Could SaaS do the same?

Online backups

There are two types of computer hard drives: those that have failed and those that will. And when they do, the information on them may be irretrievably lost.

Even knowing this, and all the other risks to digital data, starting and maintaining a data backup routine can easily slip onto the same “to do (later)” list commonly occupied by tasks like doing one’s taxes, starting a book or updating insurance policies.

If this sounds like you, consider this: if you lose data to a hard drive crash, malware or a misplaced laptop, you need to replace at least three things: hardware, software and client data. You can easily get replacement hardware and software from the respective vendors. Who will you ask to replace your client data?

Questions like these have helped data backup concepts and products breach the computing consciousness of the masses. Major operating systems even ship with backup utilities.

Not to be left behind, Software as a Service (SaaS) providers have also entered the data backup market, funnelling their clients’ information onto their own servers.

“In my view, the main benefits of online backup are that it is done regularly, automatically and an offsite copy is made,” said Jim Calloway, the Director, Management Assistance Program for the Oklahoma Bar Association. (Note: The Oklahoma Bar Association recently vetted an online backup service, CoreVault, on behalf of its members.)

“Katrina taught us that just taking a backup home, if you live within a few miles of your office, may not be a sufficient safeguard,” Calloway added.

Online backups often add one step that onsite backups might forgo – encryption. “Customers encrypt their data before it leaves their offices,” said Steve Rodin, president of data protection service provider StoragePipe Solutions Inc. “Customers choose the encryption keys, so we cannot look at their data. In many cases, we don’t even know what kind of data a customer stores with us.”

Online backup providers also tout typical benefits of SaaS: one monthly fee replaces hardware, software and maintenance costs of onsite backups; serving many customers results in economies of scale that help keep costs low; staff can drop routine backup drudgery in favour of more interesting work.

Yet many businesses also have a backup plan B. Calloway, for instance, recommends smaller firms back up to three separate portable hard drives. One stays on-site for daily backups, one should stay off-site every week and a monthly backup on the third can stay in a bank vault or similarly secure spot.

Upload speeds lag behind download speeds, so Calloway backs up less information online. For instance, he omits “closed” data such as closed files. “The point of online backup is to back up today’s work,” he said.

Rodin calls this continuous data protection, or CDP. “Many companies have a problem with people storing data on their laptops and PCs and not on centralized servers,” he said. The CDP feature ensures backups happen immediately as users saves files, as long as they have an Internet connection.

Calloway is sanguine when he handles objections about placing client data in another firm’s hands. “You can’t look at these services in a vacuum,” he said. “You have to recognize the risk of using online backup providers and minimize that risk.”

“But there’s a more significant risk in not backing up your data, or backing up your data but not taking anything offsite.”

Online document creation

Collaboration has never been optional for lawyers. That fact spurred Tom Mighell and Dennis Kennedy to write The Lawyer’s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together.

Since Mighell lives in Dallas, Texas, and Kennedy calls St. Louis, Missouri home, the two lawyers had to “eat their own dog food” to write the book. So they made every chapter a separate Google Docs word processing document.

Wiki online collaboration

Reference: The original version of this graphic is accredited to US Central Command analyst and “Intellipedian” Manny Wilson.

Mighell, then Senior Counsel and Litigation Technology Support Coordinator for Cowles & Thompson PC in Dallas, praised the technology effusively. “It was just so much more convenient,” he said. “There would always be one version of the document. We wouldn’t have to email back and forth. We wouldn’t have multiple copies of things on different computers.”

Perhaps because it’s both free and well-known, Google Docs leads the charge of today’s web-based office productivity suites (word processing, spreadsheet and presentation software). These products allow people to create documents from scratch, although many people upload existing documents to get started.

Mighell and Kennedy chose to accept both edges of the security sword. “Google’s security is probably better than any law firm’s security,” said Mighell, “but that’s not necessarily a reason to trust them. The Google Docs licence agreement makes it clear that they have access to that doc if they choose to access it.”

“The more sensitive and confidential a document is, the more you want to use something more secure, like a client extranet, where you have more control over document security than Google.”

Mighell also noted that online authoring tools frequently lack more advanced features such as headers, footers and tables of authorities common to their “installed” competitors.

Meanwhile, makers of installed software have been stretching tentacles into the cloud. Adobe, for instance, offers a suite of five online applications called Acrobat.com that features the online authoring tool Buzzword. Microsoft supplements its Office suite with Office Live.

From a security standpoint, tools like Acrobat.com may prove more attractive than “pure” SaaS. For instance, Acrobat enables authors to imbue every PDF they create with 256-bit encryption and determine lifecycle rights management for each individual document.

When evaluating online collaboration options, a tight focus on security is no longer the point: when software industry titans embrace SaaS, the trend is here to stay.

SaaS SLA – “shopping list”

After years of installing software directly on computers, along comes a wave of software that promises to relieve computers of that overhead – software delivered as a service instead of as a product.

Though the terms aren’t technically synonyms, SaaS is also called cloud computing. The name isn’t entirely inapt, though, since people’s understanding of it is often nebulous at best. Despite successes such as SalesForce.com, most SaaS vendors have yet to achieve the trust of name brands like Microsoft and Adobe.

If you’re kicking a SaaS provider’s tires, looking under the hood means carefully checking the contract. Consider the words of Chris Bennett, an intellectual property lawyer with Davis LLP: “Many of the contracts start off remarkably one-sided in favour of the SaaS provider. It’s worthwhile taking a good look at that contract and focusing on the areas where SaaS is most vulnerable.”

“It’s important to reduce risk as much as possible, both in the contract and practically,” Bennett added.

An ethical decision?

SaaS providers don’t just keep your software on their servers. They store your information too – outside your firm’s firewall. That fact alone gives many lawyers pause for a gut check. If the service meets all of a lawyer’s confidentiality and privacy concerns and those of the relevant bar association, SaaS may be an option.

Some organizations refuse to deal with SaaS providers who use servers located in the United States owing to the spectre of the American Patriot Act. Among the reasons for this particular act’s infamy, the American government can seize data located on American servers – without the data’s owners ever finding out.

Finally, David Fraser suggests you float the idea with clients whose data will float in the cloud. “Discuss whether the convenience of the service outweighs risks to privilege,” said the privacy and technology lawyer for McInnes Cooper, “or determine what sort of information can go on these systems.”

No-obligation tryout

When you place mission-critical information into another company’s hands, don’t just test their technology – test their support and training options. “Send an email or make a phone call and see what kind of response you get,” said Mike McDerment, CEO of online billing service Freshbooks.com. “That’s often the most telling way to evaluate a prospective vcndor.”

Spendi di meno, paghi di più

Roughly translated, “Cheaper things are always more expensive.”
Given the nascent nature of the SaaS sector, some service providers may compete on price. Ask yourself: do the vendor’s pricing model and other practices indicate a sustainable business model?

Audit clause

To win a prospective client’s trust, some vendors offer tours of their offices and server facilities. Take them up on it, and take a good look around.

Has the vendor (in IT parlance) “hardened” the server facility? Hardening involves numerous details such as secure building access, quality server hardware and monitoring technology, sound backup facilities (including fuel tanks), and redundant Internet connections.
Tangible assets are only as good as the processes that govern them and the people who enact those processes. Ask the provider about hiring criteria, staff qualifications and the approach they use to protect your data.

While Bennett admitted that few customers will take advantage of that audit clause, “A number of privacy commissioners in Canada have said this is a good idea,” he said. “Besides, it gives the SaaS provider a little additional motivation to do what they’re supposed to be doing.”

Legal liability

Even after you perform due diligence, what if the provider compromises privilege?

“I would want to ensure that the liability of the company isn’t limited,” said Fraser. “I would want them to indemnify me against any claims that would be made against me as a lawyer for something that went wrong at the service provider’s end.”

While a contractual demand like this might not be feasible, “I would rather have a service provider that would agree to stand behind their service,” Fraser said.

Moving data in (and taking it out)

Make sure the initial migration of your information into the provider’s systems works smoothly. Also, ask about the ability to take a copy of your data from the cloud at regular intervals (reminder: it is your data, after all).

To make this easier, certain providers follow standards such as iCal for calendar entries, vcard for contact files and Legal Electronic Data Exchange Standard (LEDES) for ebilling.

Saying Goodbye

Should you need to switch to another system, make sure you can easily extract all your data in a format that lets you quickly put it into another system. “Getting data out of an application is a resource- and bandwidth-intensive process,” warned Larry Port, Founding Partner and Chief Software Architect of RocketMatter LLC.

Clients aren’t the only parties who can terminate a service agreement. “What happens if I don’t pay my subscription fee?” asked Tom Mighell, Litigation Technology Support Coordinator with Dallas, Texas-based Cowles & Thompson. “Do you shut me out of my data? If you cancel my account for non-payment, do I get my data back?”

Port welcomes these types of questions, even though nobody asks them before installing Microsoft or Adobe products. “Vendors have the responsibility to answer difficult questions about SaaS,” he said.

To read the article as published in National Magazine (PDF), click here.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.