Attorneys Should Do Homework About Cloud Security

Attorneys who do their due diligence need not be overly concerned about the security of storing their firm and client information in the online “cloud,” the network of servers that operate as a single entity, to which users connect through their computer, tablet, phone or other device.

That due diligence includes researching the various providers, asking questions about their business practices, choosing one with a track record, and potentially negotiating for specific standards and practices, such as those promulgated by the National Institute of Standards and Technology (NIST), a federal government agency.

Larger cloud providers are less likely to negotiate such details, but they are more likely to publish what they do provide, and they might be more reliable overall. Lawyers and firms should ask smaller companies detailed questions about security certifications, risk management programs and adherence to industry standards.

Attorneys and firms that do not yet have a dedicated cloud provider typically store most of their information on a local server in a utility room or closet, but even they are often using the cloud through Gmail, Yahoo or another web-based e-mail service.

Still others are using free services (at least, their basic versions are free) like Dropbox, Google Drive and Amazon Cloud Drive. Free services don’t typically provide the same level of security, though, so be sure to encrypt files before you upload them.
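The advice above is to encrypt files yourself before they reach a free sync service, so the provider only ever holds ciphertext. The following is an added example, not code from the article or from any provider named in it: it uses the openssl command-line tool's password-based AES-256-CBC mode with PBKDF2 key derivation, reads the passphrase from an environment variable called CLIENT_FILE_PASSPHRASE (a name chosen here for the example), and includes a round-trip check on a constructed sample memo.

```shell
#!/bin/sh
# Added example (not from the article): encrypt a document locally before it
# is copied into a consumer sync folder, then confirm it decrypts correctly.
# Assumes the openssl CLI (1.1.0 or newer, for -pbkdf2/-iter) is installed.

# Encrypt $1 (plaintext) to $2 (ciphertext) using the passphrase in
# CLIENT_FILE_PASSPHRASE. -salt and -pbkdf2 with a high iteration count make
# offline guessing of the passphrase substantially slower.
encrypt_for_upload() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:CLIENT_FILE_PASSPHRASE
}

# Reverse of encrypt_for_upload: $1 is the downloaded ciphertext, $2 the
# recovered plaintext. Parameters must match those used for encryption.
decrypt_from_download() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:CLIENT_FILE_PASSPHRASE
}

# Round-trip check on a constructed sample file. Returns 0 only if the
# ciphertext does not expose the plaintext and decryption restores the
# original byte for byte.
roundtrip_check() {
    workdir=$(mktemp -d) || return 1
    printf 'Constructed sample: privileged client memo\n' > "$workdir/memo.txt"
    export CLIENT_FILE_PASSPHRASE='constructed-demo-passphrase'

    encrypt_for_upload "$workdir/memo.txt" "$workdir/memo.txt.enc" || return 1

    # The file that leaves the office must not contain the plaintext.
    if grep -q 'privileged' "$workdir/memo.txt.enc"; then
        rm -rf "$workdir"
        return 1
    fi

    decrypt_from_download "$workdir/memo.txt.enc" "$workdir/memo.dec" || return 1
    cmp -s "$workdir/memo.txt" "$workdir/memo.dec"
    status=$?
    rm -rf "$workdir"
    return $status
}

roundtrip_check && echo "encrypt/decrypt round trip OK"
```

Only the .enc file should be placed in the sync folder; the plaintext and the passphrase stay on the local machine. Note that openssl enc in this mode protects confidentiality but does not authenticate the ciphertext, so it will not detect tampering with a stored file; a tool that uses authenticated encryption (for example, gpg or age) is the stronger choice where integrity also matters.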

Firms and attorneys that don’t want to dive in all the way might consider upgrading to a paid version of Dropbox, which provides 1 terabyte of storage for $100 per year, or a legal-specific service such as NetDocuments. Some legal-specific services provide only certain discrete functions; Clio and RocketMatter handle practice management and time-and-billing, for example.

Storage with cloud providers is relatively inexpensive compared with other line items in a law firm budget, and the providers are probably more sophisticated than all but the largest law firms at keeping data secure, which matters as hackers continue to become more sophisticated.

But even larger firms might want to consider outsourcing, given their large number of staff (and thus greater exposure to compromised passwords), their sheer size, and the correspondingly greater value of the data they hold. Attorneys and law firms have become targets not so much for their own information as for that of their clients, especially in industries like financial services or healthcare.

If your firm experiences a client data breach, whether on your own servers or a cloud provider’s, you are legally obligated to notify clients promptly, although that doesn’t necessarily protect you from negligence or breach-of-confidentiality claims if your data was not properly encrypted.

The Rules of Professional Conduct do not differentiate between theft of electronic and paper files, and state bar ethics opinions have begun to delineate what constitutes a reasonable standard of care in choosing a provider, based on its terms of service and its policies and procedures.

While some states follow the relatively permissive American Bar Association rules, which say lawyers “shall not knowingly release” client data, Illinois continues to use an older version of the model rules that simply states: “Lawyers shall protect against disclosures of client confidentiality.”

The Illinois State Bar Association has issued an ethics opinion (ISBA Professional Conduct Advisory Opinion No. 16-06) affirming that it is ethical to store client information in the cloud so long as specific steps are taken.

Among those is the stipulation in Illinois Rule of Professional Conduct 1.1 mandating that attorneys stay abreast of modern security standards, and be conscious of whether their cloud provider uses them.

Another point of reference should be Illinois Rule 1.6(e), which says attorneys must undertake “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” confidential information.

Bottom line: As long as attorneys or firms act reasonably or competently to protect client data, they are not likely to be found to have acted unethically if a hacker steals confidential information.

Which means: do your homework.