[Originally published on the Slaw.ca collaborative blog, March 7, 2012]
Lawyers have not adequately met the vague notion of due diligence when it comes to legal technology, probably because they are unable to. This realization hit me at a CLE seminar when one of the panelists – perhaps me – made the comment that, if lawyers want to use cloud computing, they should perform due diligence about the company they were going to use. The lawyer’s response was, “how do I do that?”
Due diligence is way of showing one has acted reasonably. When it comes to technology, it’s an assessment of all of the variables that impact the use of that technology within your practice. In essence, it is an extension of the prevalent thou shalt be reasonable ethical standard for lawyers. The challenge comes when we devise lists of risk avoidance steps that may or may not be achievable.
I’m a Lawyer, not a Techie
There is an increasing expectation that lawyers are able to use technology to efficiently and professionally manage their practices. Fine, no problem there. But there can be a significant gulf between understanding how to perform technology functions, even more complicated ones like backups or encryption, and understanding the underlying strengths and weaknesses of the technology. It may be fair to say that due diligence in practice technology has, to date, relied on the too big to fail concept: no-one was ever fired for buying Microsoft, Cisco, etc.
Let’s assume for a moment that you do not have a dedicated IT person and perhaps not even a technology consultant helping you with your practice. Hardware selection is still relatively straight forward: read a couple of reviews or ask the Buy More Nerd Herd what they recommend. They’ll lard your purchase with recommend sufficient warranties and replacement deals to enable you to recreate your hardware environment should it fail.
Software is a bit more complex. Most lawyers do not have the ability to assess whether the software they buy is well designed nor whether the company who distributes it is solvent. Microsoft patches its software every month, which might suggest to some that it wasn’t as good as it could have been when it was released. At least they fix it. We rely on software companies to eliminate bugs and other problems but there is usually no proactive way for a lawyer to identify these flaws before they are patched.
The legal vertical market is comprised of many, smaller companies selling software. They are either selling highly customizable software to mid-size and large law firms or they are selling off-the-shelf software to the entire market. While recommending that lawyers review software licensing agreements and negotiating specific clauses in or out of a given contract sounds like a good strategy, in the end it is not something that will be achievable in all cases. At some point the bargaining power of the lawyer or firm is going to be sufficiently small that it better to lose their custom rather than tweak the agreement.
It begs the question of the level of sophistication lawyers need in order to practice using technology. The statement “use due diligence” is often followed by a laundry list of risk management questions to ask a technology provider. These lists make me wonder how many lawyers have actually been able to invoke when buying the hardware and software for their offices. Even when a law firm relies on a technology expert, there is an assumption that that person is able to bridge the two knowledge sets of technology and legal ethics and help the lawyers ask the right questions.
Why is the Cloud Different?
The due diligence drumbeat has grown as more lawyers have started to use cloud-based systems in their professional lives. This shift from personal adoption to professional adoption creates new behavioral and ethical risks that may be overlooked. Our selection of online mail or social software can rely as much on what all of our friends are using rather than which company is most viable and whether this particular product in the portfolio will be long-lived. The cloud may actually create fewer options for the kinds of flexibility – specialized contracts or features – that common due diligence advice suggest.
Cloud computing doesn’t require more risk awareness than other technologies, the risks just sometimes look different. Lawyers might have been caught out by the many Google products cancelled in the past twelve months but local software and hardware is discontinued just as often, sometimes replaced with a new product. It can be hard to be aware of the trends that will lead to the sunset of your software or its provider.
If due diligence is called for – and something is, whether it needs that name or not – then it should apply equally to the wireless routers, operating systems, and locally installed software within law practices. When the concept is applied only to the cloud, it creates the idea that this is somehow a new obligation and, potentially, easier to do with Internet-based systems.
This is probably the biggest challenge of cloud due diligence. The companies that aretoo big to fail are probably not the companies who will reveal their business intricacies nor are they likely to adapt to the requests of an individual lawyer or firm. At the other end, the legal vertical market is filled with smaller players who are building their hosted systems with the same entrepreneurialism as the traditional software companies. It is not always going to be clear by looking at their current financial state, even if they are willing to disclose it, the likelihood of their viability. That’s not to say that no-one could make a guess, but that lawyers may struggle to understand those sorts of documents if they have not dealt with them before.
Knowing Your Systems
There is no question that lawyers should understand the impact of selecting a software application or hardware device on their ethical and practice obligations. At the same time, blowing this awareness into something called due diligence may create unachievable demands on lawyers. Not every lawyer will have the same abilities – or make the same professional determination – as to the risk raised by a given technology used in a particular way. We set up lawyers to fail, out of fear, to use technology when we create an expectation that a risk avoidance wish list is achievable, or necessary, in every selection process.