Proving, Without a Shadow of Doubt, The Acceptability of the Public Cloud for Legal Data
By Bill Tolson, Vice President of Marketing at Archive 360 (www.archive360.com)
There are a number of benefits that present a persuasive business case for attorneys leveraging public cloud storage, including security, cost, flexible scalability, disaster recovery (DR) and ease of access. But the question is: Is it ethical for lawyers to use it?
On an almost daily basis, I have attorneys argue with me about the appropriateness of storing client-related data, such as client notes/data, case notes, and eDiscovery result sets, in the cloud. The argument stems primarily from the fact that storing data in the public cloud means that you are storing it outside of the protection and security of your own firewall, on someone else’s IT equipment, under the management control of virtual strangers. These simple facts continue to generate concerns for many, especially lawyers, regarding its acceptability under applicable professional ethics rules.
Concern #1: Public Clouds Are Not Secure
The first argument I usually hear is that the public cloud is not secure enough, and because of that I will be violating the ABA Model Rules of Professional Conduct by potentially putting the client’s information at risk. Many legal professionals back up this fear by referring to the various well-publicized hacks over the last several years to prove their point that cloud computing/storage is not secure. What is generally not as well publicized nor as widely understood is that in most/all cases, these hacks were not initiated against a public cloud storage facility, but rather through other methods targeting onsite IT, such as through the payment systems, or through simple employee error.
The second argument underscoring cloud security concerns comes from the FBI where, in 2013, they stated “the vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies and intellectual property.” Unfortunately, many law firms and even some corporate legal departments have been quick to accept, but relatively slow to respond to the new cyber risk. Most continue to store sensitive data on on-premises systems, with all too often inadequate measures to protect and secure the data against ever more sophisticated cyber criminals. And again, many have a false sense of security thinking their data is safer if it is sitting under their own roof, rather than in a public cloud.
Concern #2: Competent Representation
The ABA Model Rules of Professional Conduct state, “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Rule 1.6(a) goes further and states, “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.”
However, Model Rule 1.1 was amended to include the following comment on an attorney’s responsibility around technology (comment 8): “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
Many State ABA organizations have addressed this question about the ethics of utilizing public cloud storage by publishing specific opinions. The opinions from the twenty or so states that have published an opinion for utilizing public cloud resources can be found here. All of the state ABA opinions incorporate the “Reasonable Care” standard when cloud resources are chosen. A sampling of the specific recommendations or requirements includes:
- Know how provider handles storage/security of data.
- Reasonably ensure confidentiality agreement is followed.
- Stay abreast of best practices regarding data safeguards.
- Ensure “reasonable security precautions,” including password protection, encryption, etc.
- Consult an expert if lawyer’s technology expertise is lacking in online computer security.
- Periodically review cloud security measures.
- Consult with the client about their preferences – follow clients’ express instructions regarding use of cloud technology to store or transmit data.
- Ensure that the attorney’s ownership of and access to the data are not hindered.
- Cloud vendor must have an enforceable obligation to preserve confidentiality and security.
- Provide reasonable supervision of cloud vendor.
- Ensure adequate backup.
- Store in native format.
To build on the last bullet, storing legal data in its native format is critical to ensure the data is not converted, potentially changing or destroying metadata or calling into question its “authoritative copy” status. Some proprietary cloud vendors will convert your data to make it easier for them to store and manage. This conversion also means that when you want to extract your data for whatever reason, it must be reconverted – calling into question its authenticity. This re-conversion also sets up the cloud provider to charge you additional fees for the re-conversion.
The bottom line is that for the states with a published cloud opinion, utilizing cloud resources does not violate the state ABA Model Rules of Professional Conduct, if care is taken when choosing the technology and vendors. This is not to say that those states without an opinion about cloud storage prohibit its use by default. Rather, those state ABA organizations have not yet needed to publish an opinion.
Resting Your Case for the Public Cloud
In addressing legal professionals’ anxiety over security in the cloud, it comes down to their responsibility to take reasonable care in choosing public cloud technology and service providers.
The first and most important consideration when choosing a cloud vendor is that the client data you store is yours with no ownership rights to the vendor. This can be controlled by the contract. However, several years ago a major public cloud storage provider changed their T&Cs to state that anything stored in their cloud was theirs and they could use it as they saw fit. The uproar was instantaneous and that decision was reversed quickly. Another major cloud provider has a history of accessing client email accounts and scanning the email for advertising purposes – a clear deal-breaker for legal data.
An obvious solution to this issue is to contract with a cloud provider that directly agrees that ownership of client data is the client’s alone and that client data will never be accessed and used without the client’s express permission. An additional safeguard would be to work with a cloud vendor that provides the ability to encrypt your data with only your organization having the encryption key.
More Than Storage in The Cloud
Microsoft Azure is a cloud platform service that provides a collection of integrated services which include, but are not limited to, state-of-the-art security infrastructure that’s continuously updated, Azure Search, Key Vault, and several performance tiers of storage. With Azure storage, your organization is the sole subscriber and can add additional outside services to customize your capabilities.
In addition to providing much higher security for your legal data in the cloud, Azure also offers the potential of adding additional services to lower your storage cost and speed the eDiscovery process. For example, what if your Azure cloud account could provide you with built-in case management, automatic translation, the ability to index and search audio and video files, review and tagging, litigation hold, and export? These additional features would be a huge time saver as well as a way to move more of the discovery process in-house to reduce overall litigation costs. (And, as mentioned above, simply moving your huge data stores from in-house resources to the public cloud could save your organization tens of thousands to millions in capital and operational expense.)
Enhancing Your Microsoft Azure
Layering innovative third-party solutions on top of your public cloud (in this case Azure) can further extend your capabilities, provide deeper levels of security and protection, and save you even more time and money (that is billable hours we are talking about). Look for a cloud-managed solution for compliance and long-term data management built on Azure Cloud Services (such as Archive360’s Archive2Azure) that creates a highly secure, low-cost, legally compliant enterprise storage repository and archive perfect for the storage and management of legal data sets. Equally important, make sure your solution eliminates the need to hand your data over to someone else. And last but absolutely not least, your organization’s sensitive client data should be held in your Azure subscription, using your encryption key(s), in its native format, so you never have to worry about security or access again.
Greater security, easier to manage, ensured DR, faster and more accurate seek and retrieval, more time to dedicate to activities that more directly impact client outcomes, and tens of thousands – even millions of dollars in savings… I rest my case.