Is Cloud Secure Enough for Legal Data Storage?
Bill Tolson | June 14, 2020
In 2013, the FBI stated that "the vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies, and intellectual property."
Five years later, the American Bar Association Standing Committee on Ethics and Professional Responsibility released Formal Opinion 483 in which they stated: “Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers. … Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.”
Despite these dire warnings about cyber risk, law firms and corporate legal departments continue to store vast amounts of sensitive client data on-premises, and have been relatively slow to adopt adequate security processes and technology.
There's a compelling business case for attorneys to utilize cloud storage to manage client data, including cost, ease of access, and security. But while the business case may be strong, can lawyers ethically use the cloud?
I still have attorneys argue with me about the appropriateness of storing client-related data, client notes, case notes, and eDiscovery results sets in the cloud. Because cloud storage involves storing data on remote servers/storage outside of the lawyer's direct control, it continues to generate concerns regarding its acceptability under applicable professional ethics rules.
"I hear the cloud is still not secure"
The two arguments I usually hear from concerned lawyers are, first, that the cloud is not secure enough for legal data storage and, second, that because of perceived security limitations they would be violating the ABA Model Rules of Professional Conduct by potentially putting the client's information at risk. Many attorneys mention the various publicized hacks over the last several years to prove their point that cloud computing and cloud storage for law firms are not secure enough. What concerned attorneys need to understand are the facts of these hacks. In the majority of cases, these hacks were not initiated directly against a cloud storage facility. Rather, the data was accessed through other methods, such as via a payment system or as a result of employee error.
The ABA Model Rules of Professional Conduct state that "A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation." Rule 1.6(a) goes further and states, "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent."
However, Model Rule 1.1 was amended to include the following comment on an attorney's responsibility around technology (comment 8): "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."
Many State ABA organizations have addressed this question about the ethics of utilizing cloud storage for law firms by publishing specific opinions. All state ABA opinions incorporate the "Reasonable Care" standard when cloud resources are chosen. A sampling of the specific recommendations or requirements includes:
- Know how the provider handles the security/storage of legal data.
- Reasonably ensure the confidentiality agreement is followed.
- Stay abreast of best practices regarding data safeguards.
- Ensure "reasonable security precautions," including password protection, encryption, etc.
- Consult an expert if the lawyer's technology expertise is lacking in online computer security.
- Periodically review cloud security measures.
- Consult with the client about their preferences - follow clients' express instructions regarding the use of cloud technology to store or transmit data.
- Ensure that the attorney's ownership of and access to the data are not hindered.
- Cloud vendors must have an enforceable obligation to preserve confidentiality and security.
- Provide reasonable supervision of the cloud vendor.
- Ensure adequate backup.
- Store in native format.
To expand on the last bullet, storing legal data in its native format is essential to ensure the data is not converted, potentially changing or destroying metadata or calling into question its "authoritative copy" status. Some proprietary cloud vendors will convert your data to make it easier for them to store and manage. This conversion also means that when you want to pull your data for whatever reason, it must be reconverted – calling into question its authenticity. This re-conversion also sets up the cloud provider to charge you additional fees for the re-conversion – otherwise known as "data ransom".
The bottom line is that for the states with a published cloud opinion, utilizing cloud resources does not violate the state ABA Model Rules of Professional Conduct, provided care is taken when choosing the technology and vendors. This is not to say that those states without an opinion about cloud storage, by default, prohibit its use. Rather, those state ABA organizations have not yet needed to publish an opinion.
Cloud storage security and access
In addressing attorney (and law firm) anxiety over cloud security, it comes down to their responsibility to take reasonable care in choosing cloud technology and vendors.
The first and most important point to consider when choosing a cloud vendor is that the client data you store remains in full possession and control of the firm with no ownership rights or access by the cloud vendor. The vendor contract can control this, however. Several years ago, a major public cloud storage provider changed their T&Cs to state that anything stored in their cloud was theirs, and they could use it as they saw fit. The uproar was instantaneous, and that decision was reversed quickly. Another major cloud provider has a history of accessing client email accounts and scanning the email for advertising purposes – an obvious non-starter for legal data.
An obvious solution to this issue is to contract with a cloud provider that directly agrees that ownership of client data is the client's alone and that client data will never be accessed and used without the client's express permission. An additional safeguard would be to encrypt the client data before it is moved to the cloud and keep the encryption keys within the law firm. Moving legal data storage requirements to the cloud also potentially provides huge cost savings over on-premises enterprise storage, including freeing up floor space for additional billable attorneys.
Microsoft Azure is a cloud platform service that provides a collection of integrated services, which includes, but is not limited to, state-of-the-art security infrastructure that's continuously updated, Azure Search, Azure Key Vault, and several performance tiers of storage. With Azure Cloud storage, your organization is the sole subscriber and controls the data in your own Azure tenancy, and can add additional applications to customize your capabilities.
More than storage in the cloud
Besides providing much higher security for the storage of your client's legal data, you are also offered the potential of adding additional services to lower your storage cost and speed up the eDiscovery process. For example, what if your Azure cloud account could provide you with built-in case management, automatic translation, the ability to index and search audio and video files, transcription, review and tagging, litigation hold, and export? These additional features would be a considerable time and cost saver as well as a way to move more of the discovery process in-house to reduce overall litigation costs.
Archive2Azure plus Microsoft Azure
Archive2Azure is the first cloud-managed information management and archiving solution for compliance and long-term data management built on the Azure Cloud and deployed in the law firm's own cloud tenant. It creates a highly secure, low-cost, legally compliant enterprise storage repository and archive suited to the storage and management of legal data sets. And the best thing about Archive2Azure is that you do not need to hand over your data to someone else. Your organization's sensitive client data is held in your Azure subscription, encrypted with your on-premises encryption keys and stored in its native format, so you never have to worry about security, access, or third-party data ransoming again.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.