Should Bar Associations Vet Technology Service Providers for Attorneys?
[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]
Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.
Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.
This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.
Bar Associations as Influencers
When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).
Section 5(a) of the FTC Act (15 USC §45), for example, prohibits “unfair or deceptive acts or practices in or affecting commerce.” This includes online advertising and product endorsements. The FTC has issued several guidance documents addressing “unfair or deceptive acts” in online advertising, such as its 2013 revised guidance “Dot Com Disclosures, a guide to online advertising” and online “FAQs” for “Endorsement Guidelines”.
These guidance documents all highlight the same basic principles:
1. Endorsers should substantiate all product claims.
2. Endorsers should disclose whether they receive compensation for their endorsement from a sponsor.
3. Disclosures should be included in the endorsement itself, through hashtags on social media posts (#ad) or direct disclosures next to the product image or review.
4. Simply disclosing a connection to the sponsor on a website or profile page is not enough—the connection between sponsor and endorser must be displayed as close to the advertisement as possible.
Applying this logic, bar associations should substantiate all claims regarding technology service products. Bar associations should also disclose any consideration received for positive reviews and product endorsements—as close to the review and endorsement as possible—and not on a separate webpage, newsletter, or bulletin. Finally, bar associations should consider disclosing other non-monetary connections to technology service providers (e.g., shared board or leadership positions, exclusive arrangements) that may affect consumer perception of a review or endorsement.
Liability for False and Deceptive Advertising?
Though bar associations are generally 501(c)(3) or 501(c)(6) organizations, they cannot rely solely on their tax-exempt status to avoid potential liability under the FTC Act and similarly written little FTC acts. In California Dental Assn. v. FTC, 526 U.S. 756 (1999), the Supreme Court found that the FTC had jurisdiction over a nonprofit association of local dental societies. The Court highlighted that the nonprofit provided substantial economic benefits to its for-profit members, through desirable insurance and preferential financing arrangements, and lobbying, litigation, marketing, and public relations services. These “commercial” activities were enough to trigger FTC jurisdiction, despite the California Dental Association’s nonprofit status.
Furthermore, bar associations must be careful about offering advertising services to any service providers (technology vendor or not), if they wish to maintain their 501(c)(3) or 501(c)(6) status. By receiving compensation for advertising services—beyond ordinary charitable sponsorships—bar associations risk corporate tax treatment for “unrelated business income” or the loss of their tax-exempt status altogether.
Keeping the Click-Through
“Terms of Use” or “Terms and Conditions” (“terms”) generally govern the relationship between consumers and online service providers. These terms usually disclaim implied warranties, set limitations on the liability of the technology provider, and set other boundaries on consumer expectations. In situations where consumers “assent” to the terms, either through a click-through agreement, expiration of a return period, or some conspicuous disclosure of the terms prior to agreement, courts will generally enforce these disclaimers (see Scott v. Bell Atlantic Corp., 282 A.D.2d 180 (1st Dept 2001) (warranty disclaimer in the terms and conditions governed, even when advertisements for DSL Internet promised fast and reliable service)).
In contrast, courts have been reluctant to enforce terms that are unreadable or hidden on an online platform (see Specht v. Netscape Commc’ns Corp., 306 F.3d 17, 23 (2d Cir. 2002) (terms unenforceable where they “would have become visible to plaintiffs only if they had scrolled down to the next screen”); In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058, 1064 (D. Nev. 2012) (“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use”)).
Liability for the Terms?
Bar associations may be tempted to “uberize” their online presence and create web-based portals for legal service providers. This runs the risk, however, of creating implied warranties that the technology vendor is suitable and appropriate for attorneys. Though terms generally disclaim such implied warranties, as noted above, the bar association may inadvertently modify or hide third-party terms, making these disclaimers unenforceable. This creates a potential liability risk for the bar association and technology vendor.
In addition, if bar associations contract to use, distribute, or resell technology services (through group licenses or otherwise), they may be required by contract to pass on third-party terms to their membership. Failure to incorporate these terms may constitute a breach of contract with the technology vendor. Furthermore, the vendor may try to seek indemnity from the bar association if the bar association’s actions led to third-party claims against the vendor.
Consequently, it is up to bar associations to either direct attorneys to third-party vendor terms before attorneys use their services, or appropriately incorporate these terms into their agreements with members. Bar associations may look to several American Bar Association (ABA) resources to create valid online agreements (see, e.g., Christina L. Kunz, Heather Thayer, Maureen F. Del Duca, and Jennifer Debrow, “Click-Through Agreements: Strategies for Avoiding Disputes on Validity of Assent,” Business Lawyer, November 2001 (57:1), at 401).
Cybersecurity and Confidentiality
When it comes to cybersecurity, ignorance is no excuse for attorneys. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous e-mail hacks of Cravath and Weil Gotshal. Last year, a UK-based cybersecurity firm reported that almost 800,000 UK and global law firm e-mail addresses and affiliated passwords were available on the dark web.
To respond to the growing specter of law firm data breaches, the ABA has issued Formal Opinion 477R concerning the security of confidential client information, and Formal Opinion 483 concerning attorneys’ ethical obligations following a data breach. In addition, Comment [8] to ABA Model Rule of Professional Conduct 1.1 Duty of Competence states that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
At their core, these opinions and ethics rules require attorneys to implement “reasonable” administrative, technical, and physical security measures to protect client confidentiality and monitor attorney networks and systems. This includes ongoing risk assessments of an attorney’s exposure to cyber incidents and business interruptions, in light of the sensitivity of client data, existing technical safeguards, and the cost and difficulty of implementing new safeguards (ABA Formal Opinion 483).
The ABA recognizes, however, that attorneys may need assistance with evaluating and implementing technology solutions. According to ABA Formal Opinion 477R, “[a]ny lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.” Bar associations can fulfill their natural role of training lawyers by providing CLEs and written materials from members and third-party IT and security experts on technology competence. Bar associations may also provide guidance similar to Formal Opinion 477R on basic cybersecurity hygiene for attorneys, such as the use of encryption for sensitive files, VPNs, multifactor authentication, antivirus software, and firewalls.
To protect their members—and the public at large—bar associations should also conduct cybersecurity due diligence for all technology service providers before promoting, offering, or otherwise displaying the services of these providers on bar websites and other media. Ideally, this due diligence would occur on an ongoing basis, or at least annually, to account for changing cybersecurity risks. It should be clear to all parties involved, however, that the bar association’s role in cybersecurity due diligence is limited to screening for minimum security requirements, and that these minimum requirements do not necessarily meet the “reasonable security” requirements of the Model Rules.
This caveat is important. Attorneys cannot completely outsource their cybersecurity obligations, nor can bar associations operate as outsourced IT providers. This is because the “reasonability” standard of the Model Rules is fact-specific, and attorneys bear the responsibility for assessing the sensitivity of their clients’ files, understanding their technological needs, and appropriately training and supervising their staff on client confidentiality. In addition, attorneys need to conduct separate inquiries into their privacy and cybersecurity obligations under new and existing laws—whether it is the General Data Protection Regulation (GDPR) in Europe, the domestic alphabet soup of CCPA, HIPAA, GLBA, or FedRAMP, or laws in other jurisdictions. These laws may impose more stringent standards than what is required by Model Rules 1.1 or 1.6.
As a result, bar associations cannot represent that any particular service provider or technology product has adequate security safeguards for its membership as a whole. And even if such a miracle technology existed, attorneys would still be responsible for properly configuring the technology to their computers and networks, keeping their access credentials secure, and maintaining regular software updates on their systems.
Conclusion
Technology cycles move very quickly, hence the famous catchphrase “move fast and break things.” Bar associations and attorneys alike can easily get caught in the fervor of short product cycles and the next, best product, thinking—all the while—that it will improve the prospects of the legal community and the public at large.
While technology can improve the public’s access to justice, not all technology vendors are equal. Bar associations need to remember that their guidance on technology may impact the decision making of an entire generation of lawyers. So before proceeding, their motto should be—for lack of a better phrase—“move slowly and fix things.”
Technology Vendor Due Diligence Checklist
Security and Internet standards to protect client confidentiality
- Encryption (in transit and at rest, where appropriate to the sensitivity of data)
- Access controls (including multi-factor authentication and strong passwords)
- Backup and disaster recovery systems
- Antivirus
- Firewall
Contractual obligations
- Notification of security breaches
- Confidentiality of client data and/or limitations on service provider’s ability to share or use data
- Check for incorporation of third-party terms or requirements to provide notice of third-party terms
- Check for indemnity and limitation of liability clauses
Service-level commitments to prevent business interruption
- Service-level availability/uptime commitments
- Provision of regular updates/software patches
- Integrations with popular operating systems and software
- Trust accounting capabilities for any billing provider, or disclosures concerning whether attorneys will need to do separate configurations for trust accounting