Exclusive Report on Cloud Security for Law Firms
June 26, 2016
Most states have not issued ethics opinions on cloud computing security. However, firms that do use third-party cloud computing services still need to follow standards to ensure client information is safeguarded.
The rapid development of information technology has increased efficiency in law firms, and has also raised security issues. Attorneys have a responsibility to keep clients’ confidential information secure, and cloud computing is of particular concern in this regard.
In the context of law firms, the term "cloud computing" most often refers to law practice management software or another type of software that is not hosted on the firm’s own computers, but is accessed over the internet through a web browser. Such programs are also called "software as a service," or SaaS.
More broadly, cloud computing may include any situation where data that belongs to the firm or the firm’s clients is physically stored on off-site servers. Under this definition, any third party data backup service may be thought of as cloud computing.
Regardless of the terms used to describe it, any situation where client information is stored outside of the firm’s direct control raises the same types of security concerns. Attorneys and law firms generally recognize the duty to adhere to security standards, but a problem may arise in identifying just what standards are to be followed.
State Bar and ABA Standards
Attorneys are bound by the rules of their state bar association. According to the American Bar Association, only 20 states have issued ethics opinions that specifically address cloud computing. Attorneys outside of those states must refer to their state’s more general rules regarding the security of client information.
As for the states that have addressed cloud computing, the ethics opinions vary in their details, but the ABA reports that they all permit cloud computing to be used, and all impose the standard of reasonable care on attorneys using such technology.
Rules and guidance vary widely from state to state. New York State’s ethics opinion states that attorneys should investigate the security practices of a cloud computing vendor, ensure that the vendor has an enforceable obligation to preserve the confidentiality of information, and use available technology to protect against foreseeable attempts to infiltrate information systems. California’s opinion states that attorneys should consult an expert if their own technological expertise is lacking. Connecticut’s rules require that an attorney’s ownership and access to the data not be hindered, and that the data be segregated to prevent unauthorized access, including by the cloud service provider itself. Florida attorneys should ensure that a provider will give notice if served with process.
The ABA itself has also addressed the ethics of cloud computing, by updating the Model Rules of Professional Conduct, to state that when dealing with information relating to the representation of a client, attorneys should make reasonable efforts to prevent unauthorized access or inadvertent disclosure of such information. The Model Rules state that attorneys should weigh the costs and benefits of additional safeguards to protect client information.
Legal Cloud Computing Association Standards
With the majority of states so far declining to issue guidelines that specifically address cloud computing, the Legal Cloud Computing Association has issued its own set of 21 standards, which it calls "Version 1.0" of the LCCA Security Standards, to emphasize that standards that apply to rapidly-changing technology must themselves evolve.
It is important to be aware that LCCA is a trade association made up of cloud computing providers; state bar associations and law firms may wish to impose different standards than these companies suggest for themselves. Nevertheless, the LCCA’s standards set sensible benchmarks, which are more detailed than many state bar ethics opinions that have so far been issued.
Providers should explicitly state that the user owns their data and the provider cannot acquire any rights to it, and they should notify users in the event of a data breach or a third party demand for data, unless prohibited by law from doing so. According to the standards, providers should also maintain encryption protocols covering data in storage and in transit, and disclose how frequently security protocols are tested. The full list of standards is available at legalcloudcomputingassociation.org.
The future of cloud security
Most states have not issued ethics opinions on cloud computing security, while those that have instruct attorneys to use reasonable care in ensuring that clients’ confidential information is protected. Most lawyers are not information security experts, and firms will therefore rely on in-house or outside experts to advise them on technical matters such as encryption protocols employed or levels of certification obtained. The LCCA standards are an excellent starting point for firms evaluating the security of a cloud computing service. However, there are more general concerns that law firms should be aware of as cloud computing technology develops.
One important issue is government access to data by circumventing encryption, either through a proposed built-in encryption "backdoor" or by demanding that a cloud computing provider break existing encryption. Law firms whose clients may be vulnerable to such risks should take necessary precautions to ensure that the firm itself is the ultimate gatekeeper of clients’ confidential information.
A related concern is the access that cloud computing providers themselves have to law firms’ data. While all reputable providers encrypt user data both in transit and in storage, the provider itself is usually able to access the information, and the only protection that firms have from unauthorized access or use of the data by the provider is its obligations under the service contract. However, technological solutions to this problem may soon be developed. SpiderOak, a cloud storage provider, pioneered a "zero knowledge" encryption system which prevents the provider itself from having any access to the user’s data. The company is currently developing a "team feed" style workplace collaboration software that will also follow the zero knowledge protocol. As such techniques continue to be developed, law firms may demand such a protocol for law practice management software in the cloud as well.