Should Responsible Law Firms Use Cloud Storage?

Protecting privilege is one reason law firms have been hesitant to adopt using the cloud for document storage and sharing. Fears of hacking or inadvertently providing access to privileged documents have kept many firms from embracing technology that could save them time and money.

Most tech-savvy law firms have taken precautions and put protocols in place to secure client documents and communications as they’ve upgraded to cloud sharing. However, some firms have been lax in their safeguarding procedures — which means their clients were left unprotected.

Unprotected file-sharing

 You’ve likely heard of file-sharing options such as Box, Google Docs, OneDrive or Dropbox. Free cloud storage options like these allow users to access documents from any device and to share files by creating custom URLs. They’re convenient, and — when used properly — can be a secure way to share information.

A problem arises when users take shortcuts or don’t take advantage of all of the security features available in cloud storage and sharing systems. That’s what happened with Harleysville Insurance Co. v. Holding Funeral Home. Harleysville’s counsel shared privileged information via Box, using its feature that creates direct links — and they didn’t password-protect the links. That meant that anyone who had access to the link could see the files. As a result, the defendant’s counsel was able to access this information.

A Virginia magistrate recently ruled that the plaintiff’s law firm’s actions “were the cyber-world equivalent of leaving its claims files on a bench in the public square and telling its counsel where they could find it.” In other words, its failure to password-protect and otherwise secure those files waived privilege.

Use the cloud safely

 This ruling doesn’t mean that law firms should discontinue cloud usage. Rather, it emphasizes the importance of putting security measures in place to block access and uphold attorney-client privilege.

Here are some ways to keep your data in the cloud secure:

1. Require log-ins (on both sides of the fence—attorneys and clients) to gain access to shared information.

2. Keep access contained. Only permit a select few team leads to share information with additional parties.

3. Some programs have a “notify when accessed” feature. Using this feature tells the content owners how and when the information has been accessed — so if there is unauthorized access, you’ll know about it right away.

4. Put an expiration date on the shared information. It’s better to re-share the information than to let it dwell on the internet in perpetuity.

Legal Workspace recommends that law firms use document management and file-sharing programs created specifically for law firms such as iManage, NetDocs, Citrix Sharefile and Egnyte. That way, you know the technology was created with attorney-client privilege in mind.

Legal Workspace provides a base package with its cloud environment service and encourages clients to customize their environments to incorporate legal applications to formalize their processes and take extra steps toward protecting attorney-client privilege.

The cloud can be a safe place. Document sharing over the cloud can be secure. Law firms simply need to understand how breaches can occur and take precautions to protect all parties using the cloud.

If you have any questions about safe cloud sharing, feel free to reach out to our legal app experts here.

 

Owning Your Data in the Cloud

As many law firms are discovering, the cloud can be a wonderful business tool. With cloud services, lawyers on the go can access their data wherever they are, on their preferred devices. They aren’t tethered to the office or cumbersome physical servers.

Some sites even offer free storage, which may be conveniently tied to email or smartphones. Yet as tempting as iCloud, Google Drive, Dropbox, or other sites may be, lawyers need to do their research first before uploading their important, confidential, or privileged information to these types of free and low-cost services.

Many of these sites are geared toward consumers, not law firms. Such sites may lack key security provisions, and it may not be clear where the data resides or whether users surrender their ownership rights to information in that particular cloud.

When weighing whether to use a cloud provider for any type of information storage, lawyers have a responsibility to know where their data is, feel confident that it won’t be lost or stolen, and understand who truly owns it.

Who Owns the Data?

With free and low-cost services, lawyers might not even own their intellectual property after they upload it. Terms of ownership can vary across sites such as Google Drive, Dropbox, Apple’s iCloud, and Microsoft’s SkyDrive. Clicking “agree” to extremely long-winded service agreements and uploading data often means that users automatically abide by the provider’s terms. As Microsoft says on its Services Agreement page, “By using or accessing the Services, or by agreeing to these terms where the option is made available to you in the user interface, you agree to abide by this Agreement without modification by you. If you don’t agree, you may not use the Services.”

These “free” services may not cost money, but that doesn’t mean they are truly free. Consider that Google sells ads based on the data it collects, which means someone at the company is looking at the data.

Many of these sites also retain the right to determine whether data is offensive or violates copyright or intellectual property law. For example, Apple reserves the right to delete any information in iCloud that it finds objectionable.

According to Apple’s service terms: “However, Apple reserves the right at all times to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time, without prior notice and in its sole discretion, if such Content is found to be in violation of this Agreement or is otherwise objectionable.”

How Secure is the Data?

Data breaches are becoming a distressingly common occurrence. When hackers can penetrate the online defenses of highly sophisticated companies and publicize their most sensitive business information, lawyers should rightfully worry about the security of consumer-grade storage. If users have questions about security features and approaches, it may be difficult to even find someone at the provider’s organization who can answer questions thoroughly and knowledgeably.

These types of storage approaches are often associated with emails that require few log-in steps. If a user has her Gmail account stored on her smartphone and accidently loses it, whoever finds the phone may have an easy time accessing all the files connected to the cloud through that email address.

Where is the Data?

With something called the “cloud,” users should not be surprised that data can be located anywhere. Google alone operates data centers in South Carolina, Iowa, Georgia, Oklahoma, North Carolina, Oregon, Chile, Taiwan, Singapore, Finland, Belgium, Ireland, and the Netherlands. If lawyers need to find their data quickly, it may be far more time-consuming than they initially expect. If the information resides in countries with different privacy laws than the United States, lawyers may also find themselves with cross-border jurisdictional headaches.

Finding the Right Cloud Provider

While free or cheap cloud providers may seem like a bargain in the short term, they can be very costly in the long run if data is left vulnerable or lawyers have unwittingly surrendered their ownership rights to their own information. Law firms would be better off paying a little more for legal-specific cloud providers to get the security and peace of mind they need.

When looking at different cloud providers, there are several things to consider.

Thorough Security Protocols. While free and low-cost services certainly try to keep data secure, it may be difficult for lawyers, or any user, to find out exactly what protocols, firewalls, and operating systems are in place to protect information. When weighing whether to use a cloud provider for any type of information storage, lawyers have a responsibility to know where their data is, feel confident that it won’t be lost or stolen, and understand who truly owns it.

It may also be difficult for users to find out which employees have physical and virtual access to their data and what background checks have been performed on those employees.

Legal-specific Software and Infrastructure. While many of these cloud services are easy to use, they may not integrate well with the other tools and software the firm uses. This means that data may be difficult to access and merge with the other technology.

Trained and Vetted Staff. When lawyers using free cloud storage have questions, they may not know who to contact for information. It may also be difficult to determine the level of training and expertise of those they do speak with. If a lawyer has trouble getting data in the cloud, finding someone who can help could be a serious issue. There may also be little recourse if the data cannot be recovered.

Conclusion

“Free” doesn’t always equate to inexpensive. Lawyers looking for cloud storage options should be willing to pay a little more for enterprise-grade, legal-specific data storage. Otherwise, they may find out too late that they don’t truly own their data or that someone else has taken it.