Partly Cloudy With A Chance Of Rain: Contractual Considerations For Lawyers Using The Cloud

Create an umbrella of reasonable protection under applicable SaaS agreements with your practice.

You have probably heard the old maxims that “nothing in life is free” and that some things may be “too good to be true” — good counsel for any generation, but when it comes to the use of technology in your legal practice, these sayings are equally applicable. As online computing resources become more and more practical and cost-effective, more and more legal practices large and small are using them.  I have previously written on some of the ethical considerations that should be kept in mind when considering the use of software-as-a-service (“SaaS”) platforms. When it comes to considering the contractual considerations when implementing these technologies in legal practice, however, there is more to consider than you know, and a lot more at stake for your clients and practice than you may think.

Needless to say, there has been a proliferation in the use of SaaS platforms in legal practices, and a great deal of it has been driven by necessity.  Given the growth in computer hacking over just the last five years, law firms have been forced to invest considerable sums in technologies designed to secure their internal computer networks (such as in intrusion prevention and detection systems), not to mention the investment in personnel and training necessary for proper operation and overall reduction in cybersecurity risk.  Let’s face it: law firms have become very desirable targets for hackers due to the valuable confidential information that is resident on law firm systems.  These hackers, however, are highly motivated and skilled in their methods, requiring these technologies (and attendant personnel) to be updated and trained to simply remain vigilant and (hopefully) stay ahead of the threats.  This endless loop comes at an ever increasing cost.  SaaS platforms help offset this cost by offloading the technical and security expertise to the SaaS provider, at significantly less cost than housing software and client data internally.

This is where the maxims hold true — SaaS is no panacea to this risk, and in fact, adds some additional risk regarding client confidential information that may be housed on the SaaS platform. First, not all SaaS platforms are the same — the actual locations of your firm (and client) data may not be fixed in one location, but in fact may be distributed across different locations (and even abroad).  Further, the standard terms usually provided by these providers do not weigh in favor of your firm — they usually provide little to not warranties, severely limit liability, and may not include mechanisms for data portability in the event of termination.  Worse, such service providers are well aware of data security risks and frequently refuse to take on such risks beyond what they can directly control.

Needless to say, this is not your traditional license model, but there are a number of contractual considerations you can (indeed, should) take into account when implementing a SaaS solution to minimize risk.  Here a few to consider:

  • Limitations and Indemnities Are a Mutual Consideration.  Most SaaS contracts limit liability and damages exposure of the provider, and in many cases no provider indemnification is provided.  Given the housing of critical confidential information on the platform, the provider must accept specific contractual indemnities regarding the storage and handling of your firm (and client) confidential information, and you should push to exclude breaches of confidentiality from such limitations of liability and damages. The success of this tactic relies heavily on a number of factors (not the least of which is the nature of the services provided and amounts being paid), but it should be actively negotiated.
  • Service Credits Are Not Your Friend.  Service level credits are credits provided from platform downtime.  Although most reputable SaaS platforms guarantee at least 99 percent uptime, service credits are little help when your firm cannot access its applications and commensurate client confidential information. From my perspective, service credits are necessary but not the end all, be all for downtime redress.  Instead, you should address backup and failover capabilities of the provider and how they relate to uptime guarantees.  Accessing the service is a paramount concern, and no level of service credits can make up for productivity lost.
  • Consider the End at the Beginning. The termination conditions of the SaaS agreement are important, but the effect of termination provisions must be well-handled.  If the SaaS agreement needs to be terminated for non-performance, the ability to effectively and quickly export the data housed at the provider cannot be stressed enough.  If the SaaS provider is less established, you should carefully consider specific provisions to protect continued access and use in the event of the SaaS provider’s bankruptcy.

Sponsored

Lawyers not only have a duty to maintain the confidentiality of client information, but a duty to implement reasonable safeguards to ensure the security of such client information.  SaaS can make this both easier and harder. Whether you like it or not, SaaS is here to stay, so do yourself (and your clients) a favor — create an umbrella of reasonable protection under applicable SaaS agreements with your practice so you can shed the inevitable rain that may follow in the process.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.

Sponsored