You and your law firm have finally made the decision. Most of your files, including those of your clients, will be migrated to the cloud for storage, safekeeping, and future use. Congratulations!
More and more lawyers are making this decision to migrate files and documents to the cloud. Technological advances have made it possible, convenient, and, in many cases, compelling for firms to turn to a secure storage vendor/facility that can exist within a cloud-based server. That can free up the firm’s proprietary server and mean multiple security measures formerly meant to secure files can be outsourced. It may no longer make sense for you and your firm to do this yourself anymore. A third-party vendor can offer scale and allow lawyers to work from anywhere, any time and with other lawyers from remote locations.
If you are experiencing some trepidation about moving your client data online, we know exactly how you feel. It’s neither an easy decision to make, nor a simple execution to undertake. You understand that the likelihood of a breach could put your law firm out of business. Just look at the recent cyber-hacking of the files of Panama City-based law firm Mossack Fonseca and the confidential client information that is slowly being revealed. How can you best protect yourself and your clients?
Before you jump in, ask yourself if you have fully considered both ethical and security issues relevant to that seemingly monumental move to a cloud-based server.
Here’s what you need to know.
Is it Ethical?
If you and your law firm are on the precipice and ready to make the leap to cloud storage, you will likely have been discussing whether storing files in the cloud is ethical. This is a very common concern. The key underlying issue is whether this change of venue impacts lawyers’ professional responsibilities. Lawyers know that those who aren’t following all of the rules could have their licenses suspended.
People often conflate control with security. The thought is that if my client data is sitting on a server in my office, then it is secure. But the reality is that control is not the same as security. Security is a far different matter than who’s in possession and control of the information. Lawyers are the owners of all of their firms’ and clients’ data, while cloud-based vendors are the day-to-day caretakers.
In 2009, the American Bar Association established the ABA Commission on Ethics 20/20 in recognition of the increasing advances of technology and the globalized legal marketplace. The goal was to review all rules and determine if/how the rules for lawyers needed to be changed in light of the new, technologically-enhanced landscape. Since then, the Commission has recommended and made evolutionary—rather then revolutionary—changes and tweaks to the ABA Model Rules for Professional Conduct, in consultation with the Commission’s Standing Committee on Ethics and Professional Responsibility.
While I encourage you to read through the many small but important changes made by the Commission, I will point you to two ABA rule updates that are of significance for this discussion of ethics and technology.
Competency Includes Technology Risks/Benefits
With regard to the all-important issue of lawyer competence, Rule 1.1 states the following: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” That reasonable representation means that the lawyer must know enough–but not necessarily everything—about a client. There is no laundry list, or checklist, stipulated by ABA rules. But this rule provides the general guidelines about how a lawyer must behave with the presumed understand that they stay far away from contrary, inappropriate or unethical actions.
Moreover, within that scope of competency, the ABA Commission’s revised rule for maintaining competence added technology into the mix. The rule as amended mandates, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
In a nutshell, that means that to be considered competent, practicing lawyers should understand the positive, negatives and risks associated with today’s relevant technology. Without much of a stretch to the imagination, that requirement can include storage, safekeeping and usage of client files, documents and privileged information that resides on an off-site, cloud-based server.
Following on from that, Rule 1.6 added a new twist in acknowledgement of the security of client data, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In essence, lawyers can be held accountable for actions, taken or not taken, toward safeguarding client information and protecting against unauthorized access by third-parties that do not meet the “reasonable” standard. That is an important responsibility that simply cannot be taken lightly.
Is it Safe?
So the real question becomes, how can lawyers reasonably ensure that clients’ info is safe, secure and accessible once it is residing in the cloud?
It’s important to understand that today’s cloud storage is done through a “Software as a Solution” (SaaS) platform that may very likely be new and perhaps not that well established. You can opt out of new and fancy and into old, reliable cloud storage. But it’s important to carefully do your homework.
Here are some smart tips to follow as you plan for your cloud storage transition:
- Vet multiple vendors: Talk with several vendors, and ask questions as to how they store client data, how breaches are prevented and what happens if one occurs, and how accessible those files are to you and your firm as needed. Also assess what happens if the data is secured but the vendor loses functionality
- Read all of the terms of a cloud-storage vendor’s agreement: Don’t let the fine print trip you—or your clients—up. Understand exactly what a vendor will do, won’t do, and how the responsibilities are divvied up between your firm and the vendor. Are there different levels of security? What are the vendor’s obligations for securing your data? Who “owns” the data? Also determine what your pricing is now and will be in the future given the scope of the services provided by a vendor.
- Understand a vendor’s multi-factor authentication and encryption processes: Both are typically employed for cloud-base security and can be complex. Identify someone at your firm who will learn the ins and outs. In addition, being able to decrypt—for purposes of access to data that has been encrypted—is important, so be sure that functionality is a standard practice.
- Plan for the unexpected: Be sure you and your chosen vendor have a coordinated back-up plan in place. Unexpected events, such as the bombings at the World Trade Center towers and the Pentagon, or the devastating hurricane in New Orleans, are just that—unexpected. Data can become insecure in a nanosecond. Have a step-by-step emergency plan in place from the very start to move, secure or otherwise duplicate all files at a far enough away location. Redundancy is critically important.
- Determine what data should be stored in the cloud: The reality is that no system is absolutely 100% guaranteed to protect against every single possible data breach from now until eternity. If your firm is the keeper of key trade secrets or the wildly confidential recipe for Coca-Cola, or Colonel Sanders’ secret recipe for Kentucky Fried Chicken’s 11 herbs and spices, consider where these one-of-a-kind documents should be stored and whether cloud-storage is the best option.
- Know who has access to data: Make it a priority to know your vendor and know exactly who has access to any/all data. Ensure you and those in your firm have appropriate levels of access. Also make sure you have a pre-determined exit plan should you choose to separate from that vendor at some future point.
- Make sure your clients know where data is: It just makes good business sense to let your clients know that their data will now be living in the cloud. You can reassure them and confidently explain how this will better protect their confidential information. Make sure you include all relevant technology information in your engagement letters.
Transitioning to cloud-based storage can be a significant commitment for you and your law firm. Taking the time to consider all related issues and what you need to know to choose a competent vendor is incredibly important. The worst thing you can do is put your head in the sand. Follow some practical tips and you can soon feel light as a cloud.