As legal professionals, we must keep our clients’ information confidential. At the same time, cloud storage of client files is starting to become popular. The benefits of cloud services are significant, not only for the end user but also from a security perspective.
All our clients, whether professionally or individually, and indeed many of us, use one form or another of a cloud service. The Wall Street Journal reports that from July 2011 to February 2014, the number of people using online storage provider Dropbox went up to 11.4 million from 1.6 million.
Moving computing online saves a tremendous amount of ongoing maintenance. It is also far more efficient to work with users’ devices, most notably mobile devices such as tablets and smartphones, but also remote desktop computers, which practically every lawyer has (or ought to have) to enable work from a home office. Ease of remote and mobile access also promotes better access for clients and third-party users to files, be it opposing counsel, experts, or even triers of fact.
Many lawyers have concerns about using the cloud for storing client files. Much has been written about ways of dealing with cloud services, such as terms of the service agreement, encryption, access, backup, and ensuring your cloud service does not “mine” your data like Google does. This article does not purport to deal with these issues. Rather, I will focus here on practical security concerns, advantages, and disadvantages.
There are legitimate concerns about cloud security services; there is indeed an inherent risk in putting files on the cloud. But there is inherent risk in everything we do on Earth, including driving (and, for those few of us lucky enough, walking or cycling) to work.
The Law Society of Upper Canada does not have a particular rule or regulation with respect to cloud storage, other than, of course, the lawyer’s general duty to maintain confidentiality over client information (for lawyers, see rule 2.03 of the Rules of Professional Conduct; for paralegals, see rule 3.03 of their rules).
At issue is the degree of risk, weighing it against the user and security benefits, and deciding whether the decision to use the cloud is a reasonable and competent one in light of these circumstances.
Putting client files on the cloud naturally makes the information vulnerable to cyber-attacks. But the same may be said of e-mail: it is far from being the most secure means of communication (in addition to further risks associated with your clients’ cloud-based e-mails). Yet, virtually every lawyer’s daily communications rely heavily on e-mail.
What good is it to maintain files in a locally fortified hard drive, when the firm routinely exposes key aspects of a file strategy, privileged information, or confidential or otherwise sensitive communications through e-mail?
Is e-mail, then, not the weak link in most modern legal practices? And should the overall security of a firm not focus at least in part on its weakest link? A chain is only as strong as its weakest link.
Let us not kid ourselves about office security. Let us put ourselves for a moment in the shoes or the mindset of a criminal, malicious, opposing party. What would be the more efficient and practical means of gaining access to an opponent’s files: trying to hack into the electronic files of the law firm or paying off the building’s evening cleaning crew or a disgruntled staff employee to enter the office after midnight?
If you are in a small or mid-sized firm, how many times have you noticed (if you haven’t noticed, you may want to look into this) the main reception glass or wooden doors open or unlocked while the evening cleaning crew is cleaning the office? During this time, is anyone guarding the reception doors? Would any of the cleaning persons know that a lawyerly looking person, dressed in a suit and walking confidently through the office premises, is really a thief? How about dressing up as maintenance crew who are after some property belonging to the firm? Do you think this has not happened before, even to the best and largest law firms? Think again.
Once inside the office premises, it never ceases to amaze me how most or all files are in plain view, sometimes in the staff cubicle typically right across from the lawyer’s office.
In larger firms, more doors are locked and require access cards. How genuinely difficult would it be to gain access to one of those access cards from the hundreds of staff?
On the other hand, gaining access to a firm’s electronic systems is a far more complex and sophisticated operation. Why would a criminally minded party even bother with that complexity when it is far easier to get into your office?
Even in terms of security, do your law firm’s capabilities compare with those of a reasonably sized and sophisticated cloud storage system? For instance, a 2013 survey by McAfee found that 200 new malware samples are unleashed every minute. It is far more likely your cloud host will do a significantly better job in maintaining, regularly upgrading, and monitoring the security of a law firm’s files — including upgrading hardware, updating software, regularly improving security, and migrating information to new formats or versions — than what most law firms do on their own.
What about maliciously minded governments, like the government of China or indeed many other governments with questionable ethics, wanting to gain access to your firm’s files? First, I doubt either the government of China or President Vladimir Putin’s oligarch cronies would want to access my firm’s files, or indeed those of the vast majority of Canadian law firms.
For those firms that do business or otherwise have matters involving governments, do you think these maliciously minded entities have not already hacked into their opposing parties’ relevant file systems, particularly those locally maintained, rather than cloud-based? Think again. Very recently, the Obama administration made public what has already been publicly known for a long time: some governments do engage in the electronic theft of North American companies’ intellectual property. More often than not, this is done to companies’ local systems, not cloud-based systems.
Overall, it may very well be that hosting files on the cloud, with appropriate encryption and other measures, is more secure than storing them in the office premises.
Lawyers should evaluate all these factors, utilize the various tips available in CLE materials with respect to using a cloud service, and arrive at an overall decision with which they are comfortable about balancing technological advances, promoting ease of access, and putting in place the most efficient and realistically safe security of client data.