EMINUTES places cookies on your device to give you the best user experience. By using our website, you agree to the placement of these cookies. Please read our updated Privacy and Cookie Policy.

Nov
8 • 2017
Share
Article

Attorney Opinion Letters and Extended Validation (EV) SSL Certificates

When setting up a new business entity for a client, we sometimes get asked to provide an attorney opinion letter to support the issuance of an Extended Validation (EV) SSL Certificate.  We typically discourage clinets from this, because an opinion letter adds a significant and unnecessary cost to the already expensive process of obtaining an EV Certificate.

Even apart from an attorney opinion letter, there is some question as to whether it is worth the added cost of getting an EV SSL Certificate. SSL (Secure Sockets Layer) is a standard security technology for creating a secure, encrypted link between a business entity’s website and the visitor’s browser. SSL allows sensitive information such as credit card numbers to be transmitted securely over the Internet. To use SSL security technology, the business entity must obtain an SSL Certificate from a Certificate Authority (CA). So if your entity plans to sell products or services through your website and accept credit cards to receive payment, then you need an SSL Certificate. But if you don’t sell anything online, then you may not need an SSL Certificate for website security.

Internet transactions are secured when a CA issues a Standard SSL Certificate, which requires the CA to authenticate the identity of the entity obtaining the certificate. A CA can also issue an EV Certificate. An EV Certificate requires a higher level of authentication by the CA, but does not provide any more data protection than a Standard Certificate, which encrypts traffic to the web server in precisely the same way as an EV Certificate.

The EV process was established by the CA/Browser Forum, an association of Certificate Authorities and Internet browser software vendors such as Apple, Google, Microsoft, and Mozilla. The CA/Browser Forum claims that EV Certificates, among other things, “significantly enhance[e] cybersecurity by helping establish the legitimacy of an organization claiming to operate a Web site.”[1] But even the CA/Browser Forum concedes that an EV Certificate provides no assurances, and does not otherwise represent or warrant, that (1) the entity named in the EV Certificate is (a) actively engaged in doing business, (b) trustworthy, honest, or reputable in its business dealings, or (c) in compliance with applicable laws; or (2) it is safe to do business with the named entity.[2] Even so, CAs claim that entities should spend the extra money to obtain an EV Certificate—which can cost two, three, or even four times as much as a Standard Certificate depending on the CA—because users are more likely to trust, and therefore do business with, a website having an EV Certificate. That is probably debatable for the vast majority of Internet users, but that is not the subject of this article.

The EV Guidelines issued by the CA/Browser Forum establish the process for issuing an EV Certificate, which requires the CA to verify the applicant’s legal, physical, and operational existence. The EV Guidelines specify various acceptable methods of verifying that information about the applicant. For example, a CA may verify a business entity’s legal existence, name, and registration number by (1) obtaining that information directly from the secretary of state (or similar state registration agency), or (2) relying on an attorney opinion letter establishing that information.[3] The EV Guidelines attach an acceptable form of attorney opinion letter confirming specified factual information about the applicant, including (1) that the business entity was “duly formed” and is “active,” “valid,” or “current” in the state where it was formed, (2) the entity’s physical address and telephone number, and (3) that the entity has an active demand deposit account with a regulated financial institution.[4]

The sample attorney opinion letter provided in the EV Guidelines recognizes that, after verifying this factual information, the attorney will need to insert all “customary limitations and disclaimers for opinion letters in your jurisdiction.”[5] This language recognizes that attorney opinion letters always contain limitations and disclaimers because they are fraught with peril for the issuing attorney. Even in a relatively simple situation, the process of issuing the opinion can transfer liability to the attorney,[6] with the usual malpractice and insurance concerns, which is why law firms usually have an opinion committee that reviews, and oversees the risk management of, all opinions before they are issued. That makes the process of issuing any opinion time consuming and therefore expensive.

Most nonlawyers have no idea what goes into providing any sort of formal attorney opinion letter. But given the concerns outlined above, all lawyers

take great care to establish the factual and legal bases for their opinions. Their reputations are on the line, and the damages that may be caused by error are enormous. They support their opinions with careful legal research, extensive factual investigation, and certificates from company officers and government officials. They submit their conclusions to formalized review procedures, which sometimes include “second-partner review” or review by an opinion committee. They worry and negotiate over niceties of syntax and vocabulary.[7]

As a result, even though an opinion that an entity is duly formed or organized and validly existing, like the one called for in the EV Guidelines’ sample opinion, is, relatively speaking, the easiest and least expensive type of attorney opinion, the cost of giving such an opinion will still run the client at least several thousand dollars. Why in the world should our clients shell out thousands of dollars to obtain an attorney opinion letter just to verify factual information that can be verified by one of the other methods specifically provided for in the EV Guidelines for a fraction of the cost?[8] In short, while there are times when confirming facts is an appropriate subject for an attorney opinion letter,[9] we don’t think it makes to do so in the context of an EV Certificate.

[1] CA/Browser Forum, Guidelines for the Issuance and Management of Extended Validation Certificates v. 1.6.6 (“EV Guidelines”), at II.

[2] Id. § 2.1.3.

[3] See id. §§ 11.2.1(3)(A)-(C), 11.2.2(3), (6).

[4] Id. app’x B.

[5] Id.

[6] See, e.g., Restatement (Third) of the Law Governing Lawyers § 95(1), (3) (2000) (“In furtherance of the objectives of a client in a representation, a lawyer may provide to a nonclient the results of the lawyer’s investigation and analysis of facts or the lawyer’s professional evaluation or opinion on the matter.”; in providing such an opinion, the lawyer owes a duty of care to the nonclient); Dean Foods Co. v. Pappathanasi, 18 Mass. L. Rptr. 598, 2004 WL 3019442, at *12 (Mass. Super. Ct. Dec. 3, 2004) (the opinion recipient has a right to rely on the opinion and may bring a claim against the lawyer if the opinion is negligently given and results in damage to the recipient).

[7] Scott FitzGibb & Donald W. Glazer, Legal Opinions on Incorporation, Good Standing, and Qualification to Do Business, 41 Bus. Law. 461, 461 (1986).

[8] See Thomas L. Ambro & J. Truman Bidwell, Jr., Some Thoughts on the Economics of Legal Opinions, 1989 Colum. Bus. L. Rev. 307 (1989) (“[T]he necessity for and scope of an Opinion should be measured in part on the basis of a cost/benefit analysis.”).

[9] See Dean Foods, 2004 WL 3019442, at *13 & n.8.