The NYSBA Ethics Opinions addressed use of the cloud in Opinion 842, on the topic: Using an outside online storage provider to store client confidential information.
Here is what they came up with:
“We conclude that a lawyer may use an online “cloud” computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained. “Reasonable care” to protect a client’s confidential information against unauthorized disclosure may include consideration of the following steps:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored”
The short story here, folks, is that there is some homework to do. Not all cloud providers are created equal.
Cloud computing offers law firms unparalleled scalability and computing power for data storage and manipulation. It CAN offer the highest level of security provisioning around that data. But lawyers have an obligation to do their homework and ensure THEIR CHOSEN cloud provider has institutionalized proper security provisions, and can offer contractual assurances of this data security.
Here is a list of questions to ask any cloud provider, to get you started:
- Cloud provider’s terms and conditions clear and airtight?
- Security protocols published and unequivocal?
- Intrusion testing and ethical hacking validation?
- Privacy and data protection (EU Safe Harbor) validation?
- Two-factor authentication for log-ins?
- Certified as SAS 70 compliant?
- Data encrypted at rest?
- High-grade SSL/TLS encryption for data in transit (e.g. AES-256, i.e. 256-bit keys)?
- Data export and deletion certification?
- Backup and disaster recovery procedures?
- Physical security provisioning?
- Geo-location and redundancy?