Ethical Use of On-Line Form Tools by Law Firms

Prepared as material for

7 Keys to Managing the 21st Century Practice Washington State Bar Association Continuing Legal Education January 22, 2016 (Seattle)

Digital form tools can be really useful for lawyers

Let’s stop doing data entry whenever possible. That’s the basic idea. If anyone at your firm is routinely inputting lots of information, you might want to explore whether you could automate that system. How? Fundamentally it’s by letting the person who originally has the information – often your client – input it into your system without human intervention.

Here are a few examples of how you might use a form tool in your practice. If you’re one of the many attorneys who feel their clients “don’t use computers,” start looking at your clients’ phones. Chances are that the phone is a computer. The tools discussed here will work nicely on web-enabled mobile devices.

  • Prospective clients. Sales professionals religiously collect data on any “lead” that enters their “intake funnel.” Whether we like that language or not, it’s common for lawyers not to memorialize the contact information, etc., of a prospective client before s/he sets up an initial appointment. Form tools can channel prospect data into with whatever contact database or Customer Relations Management (CRM) tool a firm is using.
  • Do you make your client sit in your lobby and fill out a doctor’s office-style questionnaire before you meet with them? Worse yet, does a staff person – or even you – spend time filling in a questionnaire while the client talks? What if this form could be shared with the client before the initial meeting, and the answers saved in whatever format it is that you ultimately need them?
  • Routine case information. I’m an immigration lawyer and need the same information for most clients in a given legal scenario. Becoming a citizen? There’s a standard 15-pages worth of information I’ll need for any such case. Even litigators with highly fact-specific matters often have standardized information that they collect on each case. That could come straight from the client.
  • Customer satisfaction surveys. What do our clients actually think about us? We could always ask them. The easiest way is with the so-called net promoter score – a one question survey that assesses whether they’d actually recommend us.[1] Note that unlike other tasks described here, this one does not necessarily capture data protected by client confidence rules, so your choice of (free) tools may be broader.

The duty of tech competence

An attorney has an ethical responsibility to competently use technology that she chooses to deploy in practice.[2] Why? As a derivative responsibility with respect to her many fiduciary duties to a client. For present purposes the primary duty is that of safeguarding client information.[3] When using technology to handle client information, an attorney has the responsibility to ensure that the technology offers appropriate safeguards.[4] This is no different than saying that if an attorney elects to store client files in a warehouse, she needs to take appropriate steps to ensure the files are safe. Well, what steps count as appropriate in this context?

In 2012 the Washington State Bar Association’s former Committee on Professional Ethics issued Advisory Opinion 2215 concerning the use of online data storage by third parties (i.e., “cloud computing”).[5] Recognizing that it was “impossible” to give “specific guidelines” about appropriate security measures given the changing nature of technology, the Opinion sets forth seven considerations to be taken:

  1. Familiarization with the potential risks of online data storage and review of available general audience literature and literature directed at the legal profession, on cloud computing industry standards and desirable features. 2. Evaluation of the provider’s practices, reputation and history.3. Comparison of provisions in service provider agreements to the extent that the service provider recognizes the lawyer’s duty of confidentiality and agrees to handle the information accordingly.4. Comparison of provisions in service provider agreements to the extent that the agreement gives the lawyer methods for retrieving the data if the agreement is terminated or the service provider goes out of business.5. Confirming provisions in the agreement that will give the lawyer prompt notice of any nonauthorized access to the lawyer’s stored data.6. Ensure secure and tightly controlled access to the storage system maintained by the service provider.7. Ensure reasonable measures for secure backup of the data that is maintained by the service provider.[6]

Deploying this seemingly extensive test is supposed to require less sophistication than complete mastery of the technology at issue.[7] But the decision is clear that this due diligence inquiry should be made of any technology that handles client information. The crude bottom line is that client information almost certainly needs to be encrypted when it is stored “online.”

The duty to safeguard client data follows also from the attorney’s duty of competence.[8] The now-famous Comment 8 to Model Rule 1.1 states:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.[9]

At last count 18 states have adopted Comment 8, though Washington is not yet one of them.[10] It is almost certainly a safe bet that ours will soon be among the jurisdictions adopting this generalized duty of competence. In the meantime, a Washington attorney still has a duty to competently deploy any technology that she chooses, pursuant to Advisory Opinion 2215. If adopted, Comment 8 would entail that an attorney might be blameworthy, not only for incompetently deploying technology, but for incompetently failing to use technology when doing so presents a benefit to her clients.

How encryption works, in 95 words

By default your data is stored online in the same format in which you access it. This means that if bad people can access the data, they can use the data as you can. Data encrypted while at rest is scrambled and requires a cipher to be used. So if bad guys get the data, it’s as much use as the Washington Reporters without a law degree. Allowing access to unencrypted data would be like a magic Washington Reporters series that beamed a law degree and 40 years of practice experience into the reader’s head.

Possible form solutions

Here are a half-dozen tools that I’ve personally experimented with for building forms. There are many more out there, but these are some of the biggest players. Other factors being equal, you’ll want to gravitate to popular tools, since industry reputation is one of the seven factors endorsed by Advisory Opinion 2215. As a bonus, support tends to be better for these established tools.

As is ever the case with technology, before starting to shop, first decide what problem you are trying to solve. Consider:

  • How are you going to be using this data? Is this background information about a client that you want to be able to reference later for context? Is this data that you want to be able to import into some form of document automation tool (Word can be such a tool)?
  • What type of data is being collected? Will you be capturing sensitive financial data, social security numbers, etc.? Or do you need to store only the client’s name and email address… or just a 1-10 rating of an interaction they had with your office staff?
  • What are the dividends you stand to gain? Are you collecting data for a use that’s core to your practice, used in daily client work? Or is this a small amount of information used for an isolated purpose? Some tools are cheaper and easier to implement than others.

Google Forms (Free)

Google offers an excellent, free forms tool that seamlessly integrates with Google Drive (also free). I use this tool often for various non-client scenarios. In the screenshot below, for example, I was creating a form to collect information about colleagues who expressed interested in collaborating with my firm.

Google recently revamped Forms, and its drag-and-drop interface is now even better than it was. The catch? Google Forms does not presently support encryption. There are, however, third-party services that can encrypt data on Google Drive, which is where information from Forms is stored.[11] A second limitation of Forms, however, is that it does not support “save and continue” functionality, which you need for anything beyond a very brief form. Imagine the anguish of spending ten minutes filling out a form, getting interrupted, shutting down your computer, and then realizing you need to start back at square one! Note also that Google’s terms of service reserve the right for its staff to access your data. The implications of that clause are debated, but it’s somewhat of a moot point in present context since the fact Drive data is unencrypted makes it problematic for many law firm uses.

JotForm (free for up to 100 submissions)

JotForm is a drag-and-drop form builder which is probably a great fit for many attorney uses. The user interface of the forms-builder is intuitive, if not beautiful. (See screen shot below). Happily, JotForm – as of pretty recently – supports encryption and also has a save/continue feature. The encryption tool is potentially clunky depending on how you plan to manipulate the data once a form is submitted.

WuFoo ($29.95/mo for “bona fide” plan)

WuFoo is another drag-and-drop form builder that works basically like JotForm. Personally, I feel their interface is easier to use, and that it’s easier to customize a great-looking end product. Like JotForm, WuFoo offers encryption. The rub – you have to pay for it.

Intake 123 ($9-$79/mo)

This tool was specially crafted for lawyers with security issues in mind. For this reason, it’s designed around lawyer “use cases,” meaning its templates and interface point you towards common law scenarios such as client intake. When I tried it, I didn’t enjoy my user experience. Their customer service was responsive, however, and the fact that they designed their tool for lawyers means that you could get (for example) an intake questionnaire set up more quickly than with other tools.

Gravity Forms ($39/license, not per month)

One last tool that I’ve experimented with is Gravity Forms. This tool is a plugin for your Wordpress site; if you don’t know what that means, probably stop reading. As of pretty recently, Gravity Forms allows for encryption and save/continue functionality. A major appeal is that you pay for the one-time license and are set to go. Easy to use, this tool can build a form that’s nicely integrated into your Wordpress site (though the other tools mentioned above can be embedded by a script). The fact that it’s hosted on your site’s host, though, means that if you bungle something, your data will be lost. This may or may not have happened to your author at the time he was experimenting with using this for a client intake tool (though if it did happen to your author, your author assures you that no actual client data was lost or compromised).

Pdf + Clio Hack (free)

The cheapest technology is always the technology you already have.[12] Consider the following scenario.

What I wanted to do was populate official immigration forms with information pulled from a database. I created customized pdf versions of the immigration forms, with unique identifiers for each field. Armed with that, I could pull data from any spreadsheet to populate the document. The trick was getting information from my client into the spreadsheet.

At first I tried using a JotForm, but it was cumbersome to do this with the encryption they offered. Decrypting and manipulating a particular set of client data was just a bit of a hassle. What to do?

We’ve long been users of WSBA-endorsed Clio,[13] a cloud-based practice management system I heartily recommend. Clio includes the feature of a secure client portal for the exchange of documents. So, we created a questionnaire (first in Word, then converted to pdf) with data fields whose names matched the immigration form we wanted to populate. The client simply completes the pdf on her computer or mobile device, then uploads it to her secure file on Clio. In two quick steps we extract the data from the questionnaire pdf (in .txt format) and import it into the immigration form. Mission accomplished.

What’s nice about this approach is that it keeps all client data isolated in that client’s secure case file. Instead of a master spreadsheet with lots of different client data, there just a single .pdf in the client’s folder, from which we can easily pull and manipulate data. Also, there wasn’t a dime of expense, time aside.

[1] Sam Glover, Net Promoter Score: the One Number You Need to Grow Your Law Practice, Lawyerist, Oct. 28, 2015, http://bit.ly/1m6OW3M.

[2]Cf. Megan Zavieh, Luddite Lawyers Are Ethical Violations Waiting To Happen, Lawyerist, July 10, 2015, http://bit.ly/1S9AdBc.

[3]See RPC 1.6.

[4] RPC 1.6, Cmt. 16 (“A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.”).

[5] Washington Bar Association Advis. Op. 2215 (2012), available athttp://bit.ly/1zdnBBu (last visited Dec. 22, 2015).

[6]Id.

[7]Id. (“It is also impractical to expect every lawyer who uses such services to be able to understand the technology sufficiently in order to evaluate a particular service provider’s security systems.”)

[8]Id. (A lawyer has a general duty of competence under RPC 1.1, which includes the duty ‘to keep abreast of changes in the law and its practice’”) (quoting RPC 1.1).

[9] Model Rule 1.1, Cmt. 8.

[10] Robert Ambrogi, 13 15 17 18 States Have Adopted Ethical Duty of Technology Competence, LawSites, Dec. 17, 2015, http://bit.ly/1MGgSS1.

[11] Dennis O’Reilly, Two free ways to encrypt Google Drive files, CNet, July 2, 2013, http://www.cnet.com/how-to/two-free-ways-to-encrypt-google-drive-files/.

[12] Actually, not always, since your time is valuable, and wasting time on ineffective tools can be very costly.

[13]Cf. www.goclio.com.