
Cloud Storage and Computing: What Must We Do To Utilize this Technology?

Written by: Cameron G. Shilling

Published in NH Bar News (12/16/2020)

Lawyers and law firms should no longer be asking if we can or should use cloud storage and computing. That technology is simply too ubiquitous and useful to ignore. Rather, we need to be asking how we ensure that the clouds we already use or would like to use provide appropriate information privacy and security controls for our privileged and sensitive client information.

It is ethically permissible to use cloud technology. See N.H. Ethics Committee Advisory Opinion #2012-13/4, The Use of Cloud Computing in the Practice of Law. That 2013 opinion contains a thorough analysis of the issue, and recites a lengthy list of factors that we should consider when using clouds, many of which remain relevant today.

As a result, lawyers and law firms are utilizing clouds for a wide variety of purposes, including email, record retention, specialized software applications, disaster recovery, etc. Despite our ethical obligations, many of us use clouds without ensuring that they incorporate safeguards that are appropriately up-to-date and comply with applicable laws, particularly newly emerging privacy laws. While not exhaustive, the following summarizes a few of the most important factors we need to consider when evaluating cloud technology.

1. Access Controls: Requiring a strong password (even if changed routinely) to access client information is no longer a sufficient security control. Multi-factor authentication (MFA) is the standard of care. While MFA in the past commonly required a user to carry a security token or retrieve a code from a mobile device, it can now be more easily accomplished without user involvement by embedding a certificate on the user’s computer or mobile device.

2. Encryption: Client information must be encrypted whenever transmitted to or from a cloud, which is called data ‘in motion.’ However, as technology advances, so does our standard of care. Some providers are incorporating encryption of data ‘at rest’ in the cloud. Doing so affords an additional safeguard because, if the cloud is accessed or data is exported through a sophisticated cyber attack (such attacks are unfortunately prevalent now), the information will not be compromised and a breach does not occur because the data was encrypted. Lawyers and law firms therefore need to determine whether the clouds we use incorporate encryption at rest.

3. Due Diligence and Agreements: Client information is only as secure as our weakest cloud. Before we can use a cloud, we need to conduct due diligence that is appropriate to the sensitivity of the information we will be storing in that cloud and the services that technology will be providing. Depending on the nature of the cloud, due diligence often requires either: (a) obtaining from the vendor a certificate of compliance with an industry standard, such as a Service Organization Control 2 (SOC 2) Report, International Organization for Standardization (ISO) 27001 certification, or statement of compliance with the National Institute of Standards and Technology (NIST) Cyber Security and Privacy Frameworks, or (b) if such a certificate is not available, obtaining and reviewing the vendor’s written information security policy and training program, and following up with appropriate inquiries for further information. In addition to due diligence, we must enter into data security agreements with clouds we use to handle client information, to contractually solidify those safeguards as well as impose appropriate obligations and liability in the event of a breach.

4. Access Limits and Logging: While we rely on clouds to have appropriate security and privacy controls in place, we remain responsible for managing the level of access we grant to employees and clients. Access should be limited to only the data that they need to perform their jobs and access their information. Administrator access should be strictly limited to only a few people, who should also use regular credentials whenever they are not performing administrator functions. Additionally, we need to configure the cloud’s logging functionality to ensure that the technology records access and a broad scope of user activities.

5. Privacy Restrictions and Policies: The privileged and sensitive client information we handle requires steadfast privacy protection. We would never use one client’s information to manage another client’s matter, harvest client information for marketing purposes, or disclose a client’s information without express permission from the client. However, these activities are common for many cloud providers, which often intend to use information for their own marketing and to sell certain information to data aggregators, and indeed base their pricing and economic model on doing so. We need to ensure that the clouds we use adhere to the same privacy rules we must follow, and that the privacy policies posted publicly on the clouds reflect that commitment.

Cloud storage and computing is so useful and prevalent that it has become unavoidable. Reliance on this technology is ethically permissible, as long as lawyers and law firms ensure that the clouds we use employ appropriate security and privacy controls. We all should commit to invest the time and resources necessary to do so.

Cam Shilling founded and chairs McLane Middleton’s Information Privacy and Security Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that arises.
