N.C. Bar Association Issues Proposed Ethics Opinions Addressing Use of "Software as a Service" by Attorneys

Attorneys and law firms (like the rest of the business world) are beginning to migrate to "software as a service" (SaaS) for various practice applications. (The ABA Legal Technology Resource Center has a good primer on SaaS here)

The nature of SaaS presents new challenges for attorneys with respect to the protection of client information. The North Carolina State Bar has issued two proposed Ethics Opinions (scroll down) concluding that lawyers may use SaaS as long as certain steps are taken to safeguard the confidentiality and security of client information.

The second opinion also contains a number of "best practices" that an attorney should follow when contracting with a SaaS vendor. The questions that an attorney should ask an SaaS vendor include where the data is hosted, who owns the data, does the agreement address confidentiality, how does the vendor protect the security and confidentiality of data, how the data is backed up, and how the data is retrieved or returned if the vendor goes out of business or the agreement is terminated.

Thanks to the K&L Gates Electronic Discovery Law Blog for its summary on this topic.

Popular posts from this blog

What Authority the Principal Chose: Arredondo, POAs, and Arbitrability

Image
It was only a matter of time before arbitrability (the enforceability of an agreement to arbitrate) put a South Carolina courts in the position to construe the language in a power of attorney ("POA"). And this opinion did.  I try to view these decisions through the lens of how an attorney practicing in South Carolina might learn from them. And this decision, like some others involving the FAA and arbitrability, (for example, Grant v. Kuhn Chevrolet  or Herron v. Century BMW  , had the litigator and the drafter in me scratching my head.  Or at least I was confused until I learned about what had happened legislatively in the time since the POAs at issue in Arredondo were scrutinized by three (3) South Carolina courts. This decision, involving a POA executed before January 1, 2017, is likely an anomaly or a one-off, as going forward the S.C. Uniform Power of Attorney Act (SCUPOA) provides a guide for the creation of POAs that may avoid the necessity for so much judicial scruti
Read more

Legalized, But Regulated: Commercial Hemp in South Carolina

Image
On December 20, 2018 the Agricultural Improvement Act of 2018  (the "2018 Farm Bill") became law.  Following closely on the heels of the 2018 Farm Bill, on March 28, 2019 the South Carolina Hemp Farming Act  ("S.C. Hemp Farming Act") was signed into law.  The following is a brief overview of the status of hemp (also called "commercial hemp" or "industrial hemp") farming and regulation in South Carolina in the wake of the 2018 Farm Bill and the S.C. Hemp Farming Act. Background The terms "hemp" (which has non-drug connotations and uses) and "marijuana" (no further explanation necessary) describe the same plant genus: cannabis. The difference between the two is generally based on the relative amount of tetrahydrocannabinol (THC) contained in the plant. Hemp plants are cultivated to produce fiber and seeds and very little if any THC. Marijuana plants, on the other hand, are cultivated to produce more THC. THC
Read more

The SC Insurance Data Security Act: Ask Some Questions to Evaluate Your Security Program

Image
The  South Carolina Insurance Data Security Act  (“Act”), fashioned after the  NAIC Insurance Data Security Model Law  (Model Law), went into effect on January 1, 2019. South Carolina was the first state in the nation to pass this legislation, and others (Ohio, Mississippi), have followed suit. The Act requires that each South Carolina person licensed or authorized by the South Carolina Department of Insurance (DOI) a “Licensee” must implement, no later than July 1, 2019, a “comprehensive written information security program” (“Program”) designed to protect nonpublic information (NPI) and the security of the Licensee’s information system. In addition, the Act requires a Licensee to report to the Director of the DOI within 72 hours following an actual or potential “cybersecurity event.” S.C. Code Section 38-99-40(A) (Section 6(A) of the Model Act). While South Carolina Licensees (hopefully) are well down the path to meeting the Act’s requirements, the following may be u
Read more