The cloud offers an effective way to store large amounts of information, improve mobile access, reduce storage costs of paper documents, and provide scalability. In using this technology, however, there is still an obligation for lawyers to ensure that in taking advantage of the benefits of the cloud client data is still protected. By asking the right questions and implementing specific best practices, your firm can utilize the power of the cloud while still staying compliant.
Bar associations have recognized the value in using cloud-based technology in a legal practice, with over 20 associations issuing ethics opinions on the topic and permitting lawyers to use cloud computing. These opinions, as well as an ABA opinion, stress the obligation lawyers have to exercise reasonable care to keep data and files confidential. This reasonable care extends to enacting adequate due diligence when choosing a cloud-based vendor or program, requiring lawyers to look into the provider’s policies and capabilities.
If you’re not sure what’s important when vetting cloud-based vendors or what best practices to make sure you have in place in order to fulfill your ethical obligations, consider the below topics as a starting point.
What country data is stored in
Don’t assume data will be stored in the United States. Not every vendor uses a data center within the country and using one located outside of the US can present ethical issues.
Physical security
Most cloud providers have their servers and equipment in a data center, so it makes sense to ensure the physical location is well-protected. Swipe access, video monitoring and man traps (a point requiring access by a card reader or biometric scanner) are all ways for providers to implement physical security.
Passwords and two-factor authentication
Use strong passwords and always enable two-factor authentication when possible. Recent guidance from NIST recommends using long passwords, as these are much more difficult to crack by bots than shorter ones using a combination of numbers, letters and special characters.
Backups
Regularly scheduled backups should be conducted by the cloud provider. It’s especially helpful if these backups are stored on redundant servers in different locations, meaning that if a natural disaster or building damage occurred the data would still be accessible.
Terms of Service
Is there any guarantee of uptime in your contract? Look for specific guarantees, such as 99.999% uptime during the work week and 99.9% on the weekends.
Encryption
Encryption during transmission is an absolute must for any cloud provider. Another layer of encryption, encryption at rest, is an additional security aspect that leaves the data encrypted while in storage at the data center.
Data ownership
Should you ever want to leave, it’s important to make sure you can take your data with you. Make sure the data will be provided in a format that would be easily read by another provider.
Don’t consider this a one time task for your cloud vendors. Be sure to look out for any changes to the terms of services or practices that would have an impact on your ability to confidently store your client’s information.
To use cloud-based technology requires research into the provider as well as implementation of best practices, but the benefits and ultimate time savings and efficiencies can far outweigh the initial legwork.
For more details on how to best protect your client’s data, take a look at What security must my cloud storage have?