Published in NH Bar News (12/16/2020)
Lawyers and law firms should no longer be asking if we can or should use cloud storage and computing. That technology is simply too ubiquitous and useful to ignore. Rather, we need to be asking how we ensure that the clouds we already use or would like to use provide appropriate information privacy and security controls for our privileged and sensitive client information.
It is ethically permissible to use cloud technology. See N.H. Ethics Committee Advisory Opinion #2012-13/4, The Use of Cloud Computing in the Practice of Law. That 2013 opinion contains a thorough analysis of the issue, and recites a lengthy list of factors that we should consider when using clouds, many of which remain relevant today.
As a result, lawyers and law firms are utilizing clouds for a wide variety of purposes, including email, record retention, specialized software applications, disaster recovery, etc. Despite our ethical obligations, many of us use clouds without ensuring that they incorporate safeguards that are appropriately up-to-date and comply with applicable laws, particularly newly emerging privacy laws. While not exhaustive, the following summarizes a few of the most important factors we need to consider when evaluating cloud technology.
1. Access Controls: Requiring a strong password (even if changed routinely) to access client information is no longer a sufficient security control. Multi-factor authentication (MFA) is the standard of care. While MFA previously commonly required a user to carry a security token or retrieve a code from a mobile device, it can now be more easily accomplished without user involvement by embedding a certificate on the user’s computer or mobile device.
2. Encryption: Client information must be encrypted whenever transmitted to or from a cloud, which is called data ‘in motion.’ However, as technology advances, so does our standard of care. Some providers are incorporating encryption of data ‘at rest’ in the cloud. Doing so affords an additional safeguard because, if the cloud is accessed or data is exported through a sophisticated cyber attack (which are unfortunately prevalent now), the information will not be compromised and a breach does not occur because the data was encrypted. Lawyers and law firms therefore need to determine whether the clouds we use incorporate encryption at rest.
3. Due Diligence and Agreements: Client information is only as secure as our weakest cloud. Before we can use a cloud, we need to conduct due diligence that is appropriate to the sensitivity of the information we will be storing in that cloud and the services that technology will be providing. Depending on the nature of the cloud, due diligence often requires either: (a) obtaining from the vendor a certificate of compliance with an industry standard, such as a Service Organization Control 2 (SOC 2) Report, International Organization for Standardization (ISO) 27001 certification, or statement of compliance with the National Institute of Standards and Technology (NIST) Cyber Security and Privacy Frameworks, or (b) if such a certificate is not available, obtaining and reviewing the vendor’s written information security policy and training program, and following up with appropriate inquires for further information. In addition to due diligence, we must enter into data security agreements with clouds we use to handle client information, to contractually solidify those safeguards as well as impose appropriate obligations and liability in the event of a breach.
4. Access Limits and Logging: While we rely on clouds to have appropriate security and privacy controls in place, we remain responsible for managing the level of access we grant to employees and clients. Access should be limited to only the data that they need to perform their jobs and access their information. Administrator access should be strictly limited to only a few people, who should also use regular credentials whenever they are not performing administrator functions. Additionally, we need to configure the cloud’s logging functionality to ensure that the technology records access and a broad scope of user activities.
5. Privacy Restrictions and Policies: The privileged and sensitive client information we handle requires steadfast privacy protection. We would never use one client’s information to manage another client’s matter, harvest client information for marketing purposes, or disclose a client’s information without express permission from the client. However, these activities are common for many cloud providers, which often intend (indeed, base their pricing and economic model) on using information for their own marketing and selling certain information to data aggregators. We need to ensure that the clouds we use adhere to the same privacy rules we must follow, and that the privacy policies posted publicly on the clouds reflect that commitment.
Cloud storage and computing is so useful and prevalent that it has become unavoidable. Reliance on this technology is ethically permissible, as long as lawyers and law firms ensure that the clouds we use employ appropriate security and privacy controls. We all should commit to invest the time and resources necessary to do so.
Cam Shilling founded and chairs McLane Middleton’s Information Privacy and Security Group. The group assists businesses and private clients to improve their information privacy and security compliance, and address any security incident or breach that arises.