January 2015 • Volume 103 • Number 1 • Page 20
Feeling Secure in the Cloud
You're probably already using the Internet to access remote servers - aka cloud computing - whether you know it or not. And you should. But make sure you understand and minimize the risks, lawyer technologists advise.
When the Rockford firm of Holmstrom & Kennedy migrated its cloud services to NetDocuments, partner Aaron Brooks traveled to the company's Arizona headquarters, toured its data center to satisfy himself it was physically secure, and questioned corporate leaders about business practices and data center staff about cybersecurity.
Then, Brooks and his firm negotiated a contract with NetDocuments in which the latter agreed to follow the standards for cloud security laid out by the National Institute of Standards and Technology (NIST), a federal government agency. "It's a matter of reasonable due diligence," Brooks says. "There's no turning back the clock now. There's no good choice other than to use this technology. We need to understand it and feel comfortable with it."
The cloud, which has grown as a file storage and software solution for individuals and businesses of all types over the past few years, is best understood as a linkage among networks of servers that operate as if they are a single entity. Rather than accessing a file server housed on location - at a law-firm office, for example - cloud users connect through their computer, tablet, phone, or other device onto the Internet and onward to one or more servers where their documents and other files are stored - and can be edited from afar. Additionally, cloud-based software providers house their product on these remote servers and license it to you. It's a concept known as software as a service, or SaaS.
"It isn't the traditional model where you're on a server, and you can picture where the server is - in a closet, or the basement, or whatever," Brooks says. "When we say 'cloud,' there are lots and lots of servers everywhere. You can access them as one through the Internet."
Attorneys are already using the cloud, whether they realize it or not, at least through Gmail, Yahoo, or another web-based e-mail service, says Bryan Sims, principal with Sims Law Firm Ltd. in Naperville. "That's cloud computing," he says. "That's somebody delivering software as a service to you."
Users access cloud storage services by signing up, creating a username and password, and either paying for server space or signing an agreement for a free account, the latter of which usually provides less storage space and security. The most common global services include Dropbox, iCloud, Google Drive, and Amazon Cloud Drive, Brooks says, while top legal-specific services include NetDocuments and Clio.
But despite the cloud's ubiquity and many advantages, some lawyers feel uneasy about storing their data - and more to the point, their clients' data - on third-party servers in remote locations. And Edward Snowden's revelations about NSA cyberspying have only heightened that concern.
What if the cloud servers are hacked? What if the government serves a subpoena on the service provider for your client's data? It's enough to give even the boldest technophile pause. Still, as Brooks notes, there's no turning away from the cloud now. And its benefits for lawyers and clients are many.
What the cloud can do for you
Remote access. Sims has migrated to a variety of cloud services during the past several years and conducts all of his business there currently, including document storage and time-and-billing. "I just remote into that computer from wherever I happen to be to access all of my documents and all of my programs," he says.
That's a key advantage of cloud computing - you aren't tethered to your office or any particular location. "I'm accessing [everything] from my computer, my iPad, whatever it is.… It just sits on a server in an office in Minnesota."
Easy collaboration. It's also a great way to share documents, Sims says. "If you're working with one or more people in other locations, it makes it easy to collaborate. You can create a folder that you all have equal access to, add documents to it, and share them that way, just by saving to that folder," he says. Cloud access enables Sims and his assistant to work on documents without having to proactively share them, much as they would on an in-office server.
And then there's the cloud's platform independence. "It doesn't matter how I access [documents or software] - Windows, iPad, or Chromebook with Google's operating system," Sims says.
Low-cost storage. The cloud provides a place to store documents and other materials at minimal expense. That's especially valuable for smaller firms, representing an improvement over what most have now, says Todd Flaming, of Chicago-based Kraus Flaming and a member of the ISBA's legal technology committee. "Most lawyers are in small shops," he says. "They can't afford to have the kind of high-level security that some of the larger firms have. It's not reasonable to expect that."
Sims agrees. "I'm not having to pay to buy and maintain a server to sit here," he says. "That's a not insignificant expense."
Entering the cloud doesn't necessarily have to mean moving your entire practice there, Sims says, noting that legal-specific practice management and time-and-billing solutions like Clio or Rocket Matter have become very popular. QuickBooks Online provides accounting in the cloud, while SpiderOak is another document-sharing service like Dropbox. If you choose to use Google Docs, get the paid version for about $50 per year, which gives you greater control over security, he says.
Sims suggests that those dipping their toes into the cloud start with the free version of Dropbox, which provides 2 GB of storage; he uses the paid account, 1 TB (terabyte) for $100 per year, which "is just ridiculous" in terms of storage. "It's a great deal when it comes to storage," he says. (But be mindful of security when you're using Dropbox and similar services - see "The importance of encryption" below.)
Security and the cloud
Security is another big plus for cloud computing. A reputable cloud service offers 24-7 security that's constantly focused on building firewalls to keep out hackers, as well as combating any physical threats through strong traditional security, Brooks says. Your data is automatically backed up, and it's available anywhere you can find an Internet connection.
On the other side of the coin, there is at least some danger that your data - and your clients' - could fall into the wrong hands, Brooks says. And protecting client information is more than an important business best practice for lawyers - it's an ethical obligation, the breach of which can lead to disciplinary action (see sidebar). The other common fear is that data could become inaccessible any time the Internet goes down in one's local area, he adds.
There is good reason to fear that hackers might be coming after your law firm, Brooks says. "The legal industry, in particular, is the target of a lot of hacker attacks right now," he says. "We're targets because we handle sensitive financial information and we're behind the curve in terms of security."
And that's exactly why cloud providers make sense for firms to consider, Brooks says. "You need to put your data in the hands of somebody who knows what they're doing, and that's what cloud providers are for," he says. "It's definitely much safer. There is no way we can secure our own data centers anymore."
Even larger firms should outsource their data functions, Brooks says. "They would have the resources to do this in-house," he says. "But when you look at the bottom line and the expenses [of what] you can do in-house versus what can be outsourced, this is an obvious one."
It's larger firms that face the most risk, Flaming says. That's "because (a) you go from having a few people to having thousands of people, each of whom has his own password, (b) they're much bigger targets, and (c) the data they hold is much more valuable to someone trying to hack in," he says.
For the most part, given the type of information a smaller firm would have, "the Chinese government is not going to try to hack that," Flaming adds. "If they do, they have too much time on their hands. A firm like Kirkland & Ellis that handles sophisticated cases, they're at much greater risk. They have to be more careful with their data."
"Don't be afraid of the cloud, but don't be ignorant, either," says Nerino Petro, chief information officer at Holmstrom & Kennedy. "Do some research. Do your homework. Pick a provider who has a track record. Figure out what extra steps you need to take, and you'll be fine. Don't forget to encrypt your document."
The importance of encryption
Former Chicago Legal Clinic staff attorney R. Andrew Smith, an associate at O'Brien & Wolf in Rochester, Minn., but still an ISBA member, cautions attorneys and firms against using Dropbox unless they purchase additional software to adequately encrypt the data. He suggests using products that provide client-side data encryption, such as SpiderOak or another product called Tresorit, which provides a bit more space in its free version than other providers. With client-side encryption, the provider doesn't even know your encryption password and thus couldn't reveal it if it wanted to - nor can it give you your password if you lose it.
Petro notes that several companies offer encryption software, some for all online providers and some just for one service, like Dropbox. He mentions Sookasa and Viivo as paid services and Boxcryptor and Cloudfogger as free ones, which as far as Petro can tell, work equally well in protecting data. "Using the cloud is not an overly complex process," he says. "You just need to use a little judgment and common sense."
Even if the data is encrypted, it's important to know who holds the encryption key, Petro says. If the provider holds the key - or even if you do - you need to make sure that it is stored on a different server from your data. "The reason for that is simple," he says. "They may be able to breach one [server], but they may not be able to breach the other. However, if both pieces are stored on the same server, all they have to do is breach one gate, and they've got all the information they need."
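The two points above (Smith's description of client-side encryption, and Petro's point about who holds the key) can be made concrete with a small program. This is an added example, not code from the article or from any of the products it names. It assumes a hypothetical storage provider (the `CloudProvider` class) that only ever receives the bytes the client uploads, and it builds the cipher from Python's standard library (PBKDF2 for passphrase stretching, HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC for integrity) so that it runs without extra packages; a production tool would use a vetted AEAD such as AES-GCM from a cryptography library instead. The passphrase never leaves the client, so a subpoena to the provider yields only ciphertext, and a forgotten passphrase means the file cannot be recovered by anyone.

```python
import hashlib
import hmac
import os

# Added example, not from the article. Demonstrates client-side encryption:
# the file is encrypted on the lawyer's machine with a passphrase-derived key
# that is never sent to the provider, so the provider stores ciphertext only.
# Cipher construction (standard library only): PBKDF2 -> HMAC-SHA256 counter-mode
# keystream -> encrypt-then-MAC. A real tool would use a vetted AEAD (AES-GCM).

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into separate encryption and authentication keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=32)
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(passphrase: str, plaintext: bytes) -> bytes:
    """Runs on the client. Output layout: salt | nonce | ciphertext | tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_file(passphrase: str, blob: bytes) -> bytes:
    """Runs on the client. Fails closed if the passphrase is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


class CloudProvider:
    """Hypothetical storage provider: it only ever sees the blobs it is given."""

    def __init__(self) -> None:
        self._files: dict[str, bytes] = {}

    def upload(self, name: str, blob: bytes) -> None:
        self._files[name] = blob

    def download(self, name: str) -> bytes:
        return self._files[name]

    def respond_to_subpoena(self, name: str) -> bytes:
        # All the provider can hand over is the ciphertext it holds.
        return self._files[name]


def demo() -> dict:
    """Round-trip a constructed client memo through the provider; returns facts for checking."""
    memo = b"CONSTRUCTED SAMPLE: privileged client memo, matter 12-345"
    passphrase = "correct horse battery staple"  # lives only on the client
    provider = CloudProvider()
    provider.upload("memo.txt", encrypt_file(passphrase, memo))

    handed_over = provider.respond_to_subpoena("memo.txt")
    recovered = decrypt_file(passphrase, provider.download("memo.txt"))

    try:  # a lost passphrase is unrecoverable, by the provider or anyone else
        decrypt_file("forgotten-passphrase", handed_over)
        wrong_passphrase_rejected = False
    except ValueError:
        wrong_passphrase_rejected = True

    tampered = bytearray(handed_over)  # a single flipped ciphertext byte is detected
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        decrypt_file(passphrase, bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return {
        "roundtrip_ok": recovered == memo,
        "plaintext_visible_to_provider": memo in handed_over,
        "wrong_passphrase_rejected": wrong_passphrase_rejected,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the provider-side view (ciphertext with no trace of the memo) next to the client-side round trip, and that both a wrong passphrase and a modified blob are refused rather than decrypted to garbage. The salt and nonce are stored with the file because they are not secret; only the passphrase is.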
Flaming is somewhat less concerned about who holds the key because "even though Dropbox has the key, my copy shop has the key," to its machines, which often store electronic versions of what's been copied, he says. If subpoenaed, "Federal Express could open up a document. Even the U.S. Postal Service has the key." But he does counsel encrypting files to make services like Dropbox more secure.
Illinois lawyers are subject to stricter client confidentiality standards than attorneys in some other states, Smith says. While Minnesota has adopted the American Bar Association's "far more permissive" rules that say lawyers "shall not knowingly release" client data, Illinois still uses an older version of the model rules that simply read: "Lawyers shall protect against disclosures of client confidentiality," he says.
"Under Minnesota's rule, I can put data in the cloud if it's been represented to me that it's secure" by the cloud provider, Smith says, without fear of breach of duty. "The same situation would not apply in Illinois," he says. "The rules are much more severe."
Ultimately, Smith says, the reality is that third-party data providers are "going to be the big thing for the next decade," and "there is no foolproof system. Data breaches are going to happen. It's a matter of, do you win the lottery. That's the risk.… It all comes back to, you have to take reasonable steps."
Encrypting data with an encryption key that you maintain is a key step toward that reasonable standard, Petro says. "The rules don't require that we be perfect," he says. "The rules don't require 100 percent certainty that you won't be breached. You're going to put it someplace where there's a locked door and ideally somewhere where there's an alarm. If you take those steps, you can use [the cloud]."
Requiring 100 percent certainty would be 100 percent certain to create major problems for the legal profession - and its clients, Flaming says. "The standard is not and cannot be that a lawyer has to provide absolute certainty that the client's information will never be hacked or leaked or taken," he says. "If that were the case, none of us could practice. Even highly sophisticated organizations get hacked. The question is, what's reasonable?"
What if there's a data breach?
The central legal obligation, if a firm experiences a data breach, is to provide notification to clients within a given time period, Brooks says. Tort law may impose some element of professional responsibility on top of that, he says, which is why firm laptops, mobile phones, and anything else that stores data should be encrypted at NIST standards.
"You had a duty, breached the duty, and were negligent in doing it," he explains. "If you don't encrypt your laptop, and you lose the laptop, you need to give notification [to clients], plus it might be viewed as a breach of obligations of client confidentiality."
Lawyers and firms need to start with the rules of professional conduct, which don't differentiate between electronic and paper records - or electronic and paper breaches, Petro says.
"As more and more states move to enforce data breach laws, you need to be aware of those, as well," he says. And then pay attention to ethics opinions that have come out "regarding what you should be looking for, what constitutes reasonable care in selecting a cloud provider. What are the terms of service? Who do the terms of service say owns the data? What procedures and policies are in place?"
Sims urges attorneys and firms to closely read the terms of service and do their due diligence to ensure that "people can't just run off with your information" and, as much as possible, use providers that specifically target lawyers and law firms.
"They understand a lot of the ethical issues we face," he says. "A lot of times, these are companies owned by what I call 'recovering attorneys.' They understand our confidentiality requirements and other things and have built their service with that in mind. It's something that's designed for attorneys. To the extent you can do that, it's probably a better model than a straight consumer-based model."
Paid versions of the consumer cloud are more favorable in their terms than the free versions, Sims adds, noting that, for example, the terms of service for Google Docs' free version "is very much one-sided toward Google. I'm not going to tell you the paid version is friendly to the consumer, but what I can tell you is that you have more rights with respect to the paid version."
Smith also stresses reading user license agreements very thoroughly. "Lawyers should read every single word in a user license agreement because that will say whether or not the company holding the data has access to it, and it will say whether they share the data with third parties," he says. "One of the reasons I'm telling people Dropbox is a bad idea is because they are very clear that if they get a third-party subpoena, they will respond to it. If the data they are holding is not encrypted from prying eyes, that data will be freely released."
And attorneys and firms will be open to ethical pitfalls that they otherwise could have avoided, Smith says. "It's 100 pages of dry boringness," he says of user license agreements. "But we should take the time. Everybody needs something to put themselves to sleep at night."
Ed Finkel is an Evanston-based freelance writer.
Cloud computing ethics opinions
While the ISBA has yet to issue a formal ethics opinion on the use of the cloud, 19 other state bar associations have. All reach the conclusion that lawyers may ethically use cloud computing, provided that they exercise reasonable care to ensure that client information and files remain confidential.
The vast majority of these opinions set out specific due diligence-related steps to take and issues to consider, which are clearly defined as non-binding recommendations. Also, some opinions go as far as suggesting that you obtain the informed consent of your client before placing confidential information in the cloud.
For quick summaries and links to the full opinions, go to http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html. A useful (though three-year-old) discussion of "Cloud computing and client confidentiality" that discusses these issues in more depth appears in a sidebar to Maria Kantzavelos's cover story in the April 2012 IBJ at http://www.isba.org/ibj/2012/04/takingyourpracticetothecloud.
FIND OUT MORE ›› EARN CLE CREDIT
Can Attorneys Work in the Cloud?
Learn the important issues you must consider when using cloud-based services like Dropbox and Google Drive to store business and client information. Presenters include Aaron Brooks and Bryan Sims; topics covered include -
Available free to ISBA members at http://isba.fastcle.com - you'll find it listed by title among the On-Demand Seminars.