The Firm: Vetting your cloud's security

By Sylvia Hsieh The Daily Record Newswire Cloud-computing has become so convenient for lawyers that security has almost become an after-thought. But the cloud recently rained down a flurry of concern about security and client confidentiality when users of the popular provider Dropbox learned that a security breach allowed access without a password for a period of four hours. When the company revised its security agreement to say that some employees had access, many lawyers began to question the level of security in transmitting and storing client information in the cloud. Several state bar associations have weighed in with ethics opinions on cloud computing, with most giving lawyers the green light as long as they take reasonable steps to maintain client confidentiality. At least one state, Arizona, has cautioned that lawyers should periodically review security measures to make sure they are still reasonable as technology advances. And the ABA Ethics Commission 20/20 is considering issuing its own set of recommendations to guide lawyers in using cloud services while complying with ethical standards. Choosing a provider While free services make it incredibly easy to transfer and store files, and you can't beat the price, some say you get what you pay for. William Latham, a partner at Nelson, Mullins, Riley & Scarborough in Columbia, S.C. who blogs about law technology at HyTechLawyer.com, summed it up as: "Buyer beware. If you didn't pay anything for it, then really beware." But Stephanie Kimbro, a Wilmington, N.C. attorney and leader in the virtual law practice movement, said there are free open source providers, like SpiderOak, that provide security, such as encryption, that lawyers can use without giving up user-friendliness. Eric Cooperstein, a Minneapolis ethics attorney, said the level of security needed will depend on the type of practice, size of the firm and the sensitivity of confidential information. "Some lawyers work on very confidential matters for clients, like trade secrets and patents, that might attract attention. [They] would want to take higher security precautions," he said. What to look for in service agreement While it's tempting to breeze through the terms of service and click "agree" without really reading, as an attorney you are ethically required to review the agreement, Latham said. Here are the key terms to look for: Encryption Make sure the provider encrypts your data and that you understand the extent of encryption. For example, is the data encrypted at all times, during transfer and at rest? Latham stopped using Dropbox in part because the data is only encrypted in transfer, but not while stored. "We recommend to our attorneys to use Dropbox only for transmission of data, then delete it so it's no longer resident on the cloud," said Latham, who is on his firm's technology committee. A lot of lawyers are using public providers that are not specifically geared toward lawyers, and their service agreements do not address these concerns, Kimbro said. "You also want some promise that the provider is not going to unencrypt your data," said Kimbro, who uses TrueCrypt, a free encryption service. Who has access? Another factor to consider in vetting your cloud provider is who has access to the data. Ideally, the service agreement will say that only you and your law firm have access to your data and no one else has the key. "Look for a confidentiality provision that restricts access," and applies to employees of the provider, said Kimbro. You want to see "an explicit provision that you and no one else have ownership of the data," said Brett Burney of Burney Consultants in Cleveland. Also find out what the company will do if it is hit with a subpoena. "The terms of service should say, 'We are not going to turn over the data absent compulsion by legal means and we will notify you if a subpoena is issued so you have the opportunity to fight it in court,'" said Latham. Location, location, location Find out where your data will live. Be aware that the vast majority of providers use other cloud service providers for storage and other services. "You want to know who those companies are and where they are geographically, because a lot of storage is going offshore," said Jeffrey Goens, who heads the International Legal Technical Standards Organization, which attempts to set standards for cloud computing. Goens also owns a cloud service company in Carmel, Ind. aimed at the legal market. Most lawyers would not want client information stored at a foreign location where laws, language and accessibility might stand in the way of getting to the data, he said. Getting data back Another provision to look for is the data return and retention policy. "It's a major red flag if you can't get data out in the same time and in the same format" as when you stored it, if you close your account, said Goens. "If something happens to the company and they go under, you need to be able to get the data back and when it's returned it needs to be compatible and transferable in a standard file format," Kimbro. Backup plans Find out where the second copy or "redundancy backup" of your data is located. "If they are backing up two times a day and a hurricane comes, you want to know they've still got it in another location," said Kimbro. In addition to online backup, consider backing up data yourself. Kimbro has a portable hard drive that is also encrypted where she backs up her data in-house. "I don't want to sound like a total curmudgeon. My husband is a security freak, so I'm covering myself just in case. My system is completely secure," she said. Published: Tue, Aug 16, 2011