Is Cloud Storage Safe Enough for Legal Data?
There's a compelling business case for attorneys utilizing cloud storage, including cost, ease of access, and security, but can lawyers ethically use it?
I still have attorneys argue with me about the appropriateness of storing client-related data, client notes, case notes, and eDiscovery results sets in the cloud. Because cloud storage involves storing data on remote servers/storage outside of the lawyer's direct control, it continues to generate concerns regarding its acceptability under applicable professional ethics rules.
“I hear the cloud is still not secure”
The two arguments I usually hear are: it’s not secure enough, and because of that I will be violating the ABA Model Rules of Professional Conduct by potentially putting the client's information at risk. Many attorneys mention the various publicized hacks over the last several years to prove their point that cloud computing/storage is not secure, but they do not understand the facts of these hacks. In most/all cases, these hacks were not initiated against a cloud storage facility but rather through other methods, such as through the payment system or through employee error.
Another argument highlighting cloud security concerns comes from the FBI where, in 2013, they stated “the vulnerability of American law firms to online attacks is a particular concern to law enforcement agencies because the firms are a rich repository of corporate secrets, business strategies and intellectual property.” Law firms and corporate legal departments have been relatively slow to acknowledge the new cyber risk. They continue to store huge amounts of sensitive client data with sometimes inadequate security processes and technology.
The ABA Model Rules of Professional Conduct state that “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Rule 1.6(a) goes further and states “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.”
However, Model Rule 1.1 was amended to include the following comment on an attorney’s responsibility around technology (comment 8): “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
Many State ABA organizations have addressed this question about the ethics of utilizing cloud storage by publishing specific opinions. The opinions from the twenty or so states that have published an opinion for utilizing cloud resources can be found here. All of the state ABA opinions incorporate the “Reasonable Care” standard when cloud resources are chosen. A sampling of the specific recommendations or requirements includes:
- Know how provider handles storage/security of data.
- Reasonably ensure confidentiality agreement is followed.
- Stay abreast of best practices regarding data safeguards.
- Ensure "reasonable security precautions," including password protection, encryption, etc.
- Consult an expert if lawyer's technology expertise is lacking in online computer security.
- Periodically review cloud security measures.
- Consult with the client about their preferences - follow clients' express instructions regarding use of cloud technology to store or transmit data.
- Ensure that the attorney’s ownership of and access to the data are not hindered.
- Cloud vendor must have an enforceable obligation to preserve confidentiality and security.
- Provide reasonable supervision of cloud vendor.
- Ensure adequate backup.
- Store in native format.
To expand on the last bullet, storing legal data in its native format is important to ensure the data is not converted, potentially changing or destroying metadata or calling into question its “authoritative copy” status. Some proprietary cloud vendors will convert your data to make it easier for them to store and manage. This conversion also means that when you want to pull your data for whatever reason, it must be reconverted – calling into question its authenticity. This re-conversion also sets up the cloud provider to charge you additional fees for the re-conversion.
The bottom line is that for the states with a published cloud opinion, utilizing cloud resources does not violate the state ABA Model Rules of Professional Conduct if care is taken when choosing the technology and vendors. This is not to say that those states without an opinion about cloud storage prohibit its use by default; rather, those state ABA organizations have not yet needed to publish an opinion.
Cloud security and access
In addressing attorney (and law firm) anxiety over security in the cloud, it comes down to their responsibility to take reasonable care in choosing cloud technology and vendors.
The first and most important point to consider when choosing a cloud vendor is that the client data you store is yours, with no ownership rights to the vendor. This can be controlled by the contract; however, several years ago a major public cloud storage provider changed their T&Cs to state that anything stored in their cloud was theirs and they could use it as they saw fit. The uproar was instantaneous and that decision was reversed quickly. Another major cloud provider has a history of accessing client email accounts and scanning the email for advertising purposes – an obvious non-starter for legal data.
An obvious solution to this issue is to contract with a cloud provider that directly agrees that ownership of client data is the client’s alone and that client data will never be accessed and used without the client’s express permission. An additional safeguard would be to work with a cloud vendor that provides the ability to encrypt your data with only your organization having the encryption key. Moving legal data storage requirements to the cloud also potentially provides huge cost savings over on-premises enterprise storage.
Microsoft Azure is a cloud platform service that provides a collection of integrated services, including, but not limited to, state-of-the-art security infrastructure that’s continuously updated, Azure Search, Key Vault, and several performance tiers of storage. With Azure storage, your organization is the sole subscriber and can add additional outside services to customize your capabilities.
More than storage in the cloud
Besides providing much higher security for your legal data in the cloud, you are also provided the potential of adding additional services to lower your storage cost and speed the eDiscovery process. For example, what if your Azure cloud account could provide you with built-in case management, automatic translation, the ability to index and search audio and video files, review and tagging, litigation hold, and export? These additional features would be a huge time saver as well as a way to move more of the discovery process in-house to reduce overall litigation costs.
Archive2Azure plus Microsoft Azure
Archive2Azure is the first cloud-managed solution for compliance and long-term data management built on Azure Cloud Services that creates a highly secure, low-cost, legally compliant enterprise storage repository and archive perfect for the storage and management of legal data sets. And the best thing about Archive2Azure is that you don’t need to hand over your data to someone else. Your organization’s sensitive client data is held in your Azure subscription, in its native format and using your encryption keys, so you never have to worry about security or access again.