Deciding to use cloud technology in your law practice is only the first step. It’s a great first step – but you still need to vet those cloud technology providers!
If you’ve ever heard me speak, you’ll know that I advocate for the use of cloud technology in today’s law firms. There are at least three rock solid reasons why I do that:
- Cost Savings. In many instances, cloud technology obviates the need for in-house servers and costly IT services to maintain them. Rather than pay a hefty lump sum for server technology and maintenance, cloud technology jives with law firm cash flow by offering subscription services paid on a monthly or annual basis. Maintenance and updates are woven into the subscription price.
- Increased Efficiency. Generally, access to your data remotely bodes efficiency and productivity. Copying files to a USB drive before traveling home from the office not only puts your client’s data at risk and is a recipe for malpractice because you now have multiple copies of documents stored in different places, but it is just plain time consuming and inefficient.
- Enhanced Security. Yes, I said it. This is particularly true for solo and small firms whose infrastructure could never match that of a cloud technology provider whose entire business relies on their ability to provide secure services. Reputable cloud providers have teams dedicated to security and monitoring data 24/7, employ the most up-to-date security measures, and have sophisticated protocols for backups, service interruption, and breach response.
If you are not already using the cloud, it may be time to make the leap. Indeed, nearly half of all the states, including Massachusetts (Opinion 12-03), have opined on the ethical use of the cloud. On the whole, the opinions deem it ethical to store your client’s data in the cloud, but state that attorneys must use “reasonable care or efforts” in doing so. To varying degrees, each opinion provides that reasonable care standards require the lawyer to vet the cloud service provider.
So, what exactly should you be looking for when you vet these cloud service providers? It goes without saying that your first step should be to review the Massachusetts Bar Association Ethics Committee Opinion 12-03 which lays out five factors that constitute “reasonable efforts”. While these factors provide the overarching concepts that you must consider, they don’t provide the level of detail you need to properly vet a provider.
Beyond our ethics opinions, we now have guidance from the legal cloud computing providers themselves. In 2010, a small group of legal cloud computing companies formed what is now the Legal Cloud Computing Association (LCCA).
The LCCA recently announced a formal set of standards to help lawyers understand what “reasonable care” entails. These standards should be used by lawyers as a guidepost for vetting cloud providers. You can find the LCCA standards at www.legalcloudcomputingassociation.org. Here are a few important takeaways that you can implement in your vetting process:
Policies. Providers should convey clear policies that describe their service obligations, data usage and privacy, breach response and notification practices, and disaster recovery and continuity plans.
Encryption. Data should be encrypted at rest, that is, when it is stored at the data center; and it should be encrypted when it is transmitted to and from the data center. Secure Sockets Layer (SSL) encryption technology is the industry standard for securing communications to and from a data center. More on encryption, here.
Location and Redundancies. Cloud providers should disclose the locations of their data centers that store your information. Your data should be backed up and redundantly stored at multiple centers in the event of an outage in one location.
Data Availability and Usage. Providers should make the following representations: only you own your data, data can be extracted in a usable and non-proprietary format, data permanently deleted from the cloud should be disposed of and no longer available to any entity, and private information should be treated as confidential and viewed only by the provider with your explicit consent.
You don’t need to be an expert in cloud technology to review a provider’s policies and ensure that it meets the best practice standards above. Not only do you have an ethical obligation to do so, but doing your due diligence will reduce security risks and enable you to get the most out of your cloud service.