This post on what every litigator needs to know about cloud security is the second in a series of blog posts designed to help demystify cloud security, translate technical buzzwords into language a lawyer can understand, and answer questions that lawyers frequently ask us about cloud security.
In my previous post, titled "Cloud Software For Lawyers Offers Improved Security," I argued that cloud software can be and probably is more secure than the servers hosted by your own law firm. But that doesn't mean using a cloud provider has the same level of risk.
Cloud software is not less secure, but it is riskier
As a general rule, I don't subscribe to the notion that cloud software is inherently less secure than hosting applications on your own servers. However, I do believe that using a cloud provider is riskier for 2 main reasons:
- You and your firm have less control. With your own IT department, you most likely have very clear policies and procedures that must be followed, with written documentation in case there is ever a suspected breach. With a cloud provider, you have little to no control over the measures they have taken, and little ability to know whether they are even following their own procedures on a regular basis.
- Cloud providers are more attractive targets for hackers. It's unlikely that your law firm or practice is a target of hackers, because the benefit of having only your data isn't that great. But a successful breach of cloud software can provide hackers with data from hundreds or thousands of the provider's clients.
Risks you need to mitigate
If you are already using or decide to use a cloud provider for your law firm or practice, you should be aware of and try to mitigate the following risks.
- Unauthorized access to client data: The biggest risk when it comes to your ethical obligation is that your clients' data will end up in the wrong hands.
- Loss of client data: If the only copy of your clients' data is stored with a cloud provider, you're at the mercy of the cloud provider to back up your data so you never lose it. You’re obviously going to have a very hard time representing clients if you lose data, whether it is your own internal data or your clients’ data as part of ongoing case management.
- Inability to access client data: When using cloud software, any downtime will also mean you will not have access to your data. Depending on the data that is stored with your provider, the risk varies from not being able to send out an invoice to not being able to effectively represent your client in trial.
- Vendor lock-in: If your data is stored with a cloud provider in a proprietary manner, and it is difficult to export, then you will have a hard time switching vendors if there is a major data breach or if they simply end up being the wrong solution for you.
- Regulatory compliance: Depending on who your clients are, you may also be responsible for complying with certain regulations, so in that scenario you will need to find out if the vendor you use complies with those regulations too.
As an attorney, it is your duty to protect your clients' confidential information, and that means doing what is necessary to reduce these risks.
Why you should care about minimizing risks
The "ethical responsibility" verbiage isn't just a mantra. The ABA has issued guidelines on your responsibility as an attorney in protecting client information. Specifically, ABA Rule 1.6 (c) states that:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
In addition to this rule, there may be other common law duties, state laws, or contractual duties that apply to you or your practice. When it comes to cloud computing specifically, 19 states have issued ethics rulings on using cloud software. While they differ somewhat, they all agree on 2 important points:
- All opinions affirm the right of an attorney to use cloud software
- All opinions place responsibility on the attorney to take "reasonable care" to ensure that client data is protected and doesn't end up in the wrong hands
So you may be wondering what constitutes "reasonable care"? Glad you asked. In subsequent posts, I will provide you with specific questions you should ask your cloud vendors in order to start mitigating the risks mentioned above.