Technology is one of the greatest equalizers for solo and small firms competing with large law firms. Unfortunately, it is not the greatest equalizer when it comes to negotiating with technology companies. Techies will often recommend you look for cloud service providers with negotiable terms to meet needs specific to your firm. At the end of the day, however, technology companies do not want to make their terms of service so adaptable. It is burdensome and un-economical, and solos and small firms do not have great leverage individually and no organized collective bargaining power to persuade technology companies to offer such flexibility. So we are left with identifying those software as a service (SaaS) providers that have terms of service in place that are sufficient to put lawyers moving to the cloud at ease.
The authors have contributed several articles on cloud security over the years. Given the rapidly adaptive nature of the field, it seems like a good time to reexamine the guidelines for utilizing cloud services and some best practices for those with their heads (or at least their practices) in the cloud.
What Is the “Cloud”?
Cloud computing is the process of storing and accessing your data (documents, images, spreadsheets, etc.) and sometimes your program applications over the Internet instead of solely on your computer’s hard drive. The cloud is simply another way of saying the Internet. The term “cloud computing” dates back as early as 1996 when marketing executives at Compaq computers in Houston, Texas, were visualizing business software moving to the Internet (for more on this history, see tinyurl.com/ooj7v8y). It gained momentum around 2006 when Google and Amazon began using the term to describe the growing trend of people accessing software and files over the Internet.
What Are My Ethical Obligations in the Cloud?
Just as the American Bar Association’s Model Rules of Professional Conduct require lawyers to keep current on changes in the law, they also require us to keep current on changes to technology that affect the practice of law. In 2012 the ABA adopted changes to the model rules, which add this to the list of a lawyer’s duty to the client. In Model Rule 1.1, concerning Competence, comment  now reads:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
In other words, you need a working understanding of technology and the various ways that technology can help or hinder your clients. Model Rule 1.6, concerning the confidentiality of client information, also got an update in 2012. Model Rule 1.6(c) now reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
All state bar governing bodies, along with the American Bar Association’s Model Rules, require attorneys to take appropriate precautions to protect their clients’ privileged and confidential information. Ironically, people have become much more concerned about data security now that we store so much information electronically. Historically, protecting data meant securing physical files in locked cabinets and file rooms and monitoring paperwork closely when out of the office. Very few law firms had backup copies of their files (physical redundancy) or stored duplicates in secondary locations (geographic redundancy). Today, most of us store some or all of our clients’ most privileged information in a pocket-sized smartphone or on a tablet, laptop, or portable hard disk. The cloud represents the latest evolution of that practice. We can put data into the cloud, where it will wait for us to reach for it with any of our Internet-capable devices. If we take appropriate precautions, storing data in the cloud can provide considerable convenience and likely better protection for our data than it ever had when we relied exclusively on physical storage. Because we do not have to carry it with us, we do not have to risk losing the device on which we carry it either through inadvertence or theft. On the other hand, leaving unprotected data in cyberspace makes it almost as accessible to the bad guys as leaving your briefcase unattended with client files in it, and that poses additional risks with which we must concern ourselves.
Several states have issued ethics opinions recognizing that attorneys have a continuing obligation to stay abreast of changes in technology respecting appropriate safeguards that the lawyer and the provider should use. (See Alabama Ethics Opinion 2010-02; California Formal Opinion No. 2010-179; Vermont Advisory Ethics Opinion 2010-6; and Washington Advisory Opinion 2215.)
How Do I Vet Prospective Providers?
Safely moving your practice into the cloud requires that you take the time to vet potential providers. As yet, we remain somewhat in an ethical quagmire: We understand that attorneys have the ethical obligation of due diligence respecting the use of cloud technology and prospective providers, but we do not have generally accepted standards to use in evaluating providers. Nevertheless, it remains the attorney’s responsibility to evaluate the security and confidentiality of any cloud product in light of applicable rules respecting the state that issued that attorney’s license to practice law. Attorneys licensed in more than one state need to comply with the requirements in each state that has licensed them. The best practice for multi-state licensed attorneys would be to follow the most restrictive of the requirements imposed by those jurisdictions to ensure compliance with all of them. Although we have no official status respecting the establishment of such standards, we wrote this article to, among other things, shed some light on the topic and help you find the light at the end of the tunnel.
In vetting a provider, you should expect the provider to clearly state its privacy policies in writing. Not all do, and you will want to seek out a provider that does. Look into how the provider protects, shares, manipulates, and disposes of data placed on its servers. Ideally, your potential provider will make this information easily available for you to access and review before you decide to use the provider’s services. If a provider does not make such information available to you on its website, you should contact the provider and ask for it. If a provider will not provide this information to you, be wary of the provider. You might wish to exclude from your consideration any provider that will not provide this information to you.
You also will want to examine the provider’s backup strategy. A provider should have a reasonable plan to address server failure and data protection. A provider should have redundant backup capabilities that keep duplicates available on other servers so that if one goes down, another can still supply your documents to you. Recognizing that a power failure or a disaster can affect a large geographic region, the provider ideally will have the replacement servers located in more than one region. Properly operated, a switchover should occur almost immediately on the failure of the first server.
What Are Public Clouds, Private Clouds, and Hybrids?
In a perfectly secure world, you would run your document management, practice management, communications, and financial software on private cloud systems, giving you and your staff virtual access to everything, anytime, anywhere. Unfortunately, setting up and maintaining such an infrastructure at this stage of cloud development is still cost prohibitive for most solo and small law firms. However, you can run portions of your practice on private clouds. Developing a hybrid system of private and public clouds offers the best of both worlds.
What are public clouds? A public cloud is a set of network resources that a service provider makes available to the general public for running applications and/or file storage. Examples of public clouds include Amazon Elastic Compute Cloud (Amazon EC2; aws.amazon.com/ec2), Microsoft Azure (azure.microsoft.com), and Google App Engine (cloud.google.com/products/app-engine). These engines form the platform on which your cloud applications and file storage can be run, but they are limited in terms of how they can be configured, their security, and service-level agreement specificity. These limitations make purely public clouds a danger zone for users concerned with ethical compliance and privileged information. More familiar examples (many of which were built from the above-referenced engines) include Google Docs (docs.google.com), Dropbox (dropbox.com), Office 365 (office.com), iCloud (icloud.com), and Box (box.com). Some of the public clouds offer better security than others. Some offer a less public environment (think of them as semi-private) than others. One hopes that those built for law firms will pay more attention to privacy and security than others, but do not rely on that. It is important to check out the provider and the structure that they use to ensure that you have done your due diligence respecting privacy and security.
What are private clouds? One of the drawbacks of popular services such as Google Docs, Dropbox, and iCloud is that they act like a storage building where millions of people are storing their files and data. You may be the only one with a key to your stall, but all of those files you are trying to protect are housed in the same location as the people you may be trying to protect them from. Contrast that to a private cloud. A private cloud is basically a portion of the Internet solely under your control. You (or your IT staff) control it, and only you and the people you authorize have access to it. (Note that, as with public clouds, private clouds sometimes get hacked. If you have a private cloud and plan to store confidential data in it, you need to take appropriate security precautions.) Some computing aspects, such as file storage, can easily be set up on a private cloud. Running applications through a private cloud can get trickier and more cumbersome in a solo or small firm setting. As a practical matter, solo and small firm attorneys will most likely want to limit use of a private cloud to data storage.
Setting up a private cloud has become increasingly easy in the last year or so. A number of vendors have reasonably priced hardware that will connect directly to a router, allowing you to access it through the Internet. Others, such as Transporter (filetransporter.com), have intermediate hardware that connects other hardware to a router enabling Internet access. One of the nice things about the Transporter system is that, if you get two, you can put them in different locations and they will continuously update each other to ensure that you have the data in each location, providing the potential for both physical and geographic redundancy (backup), essential for good cloud practice.
Remember, however, that if you choose to use a private cloud, you function as the service provider and need to explore the issues of data availability, physical security, etc. Before rushing off to set yourself up with a private cloud for your client’s confidential information, examine what you propose to do just as you would vet a commercial provider. If you would not accept from a third party what you will provide, you should not accept it from yourself. One downside of having your own system is that you have to be able to access the drives if something goes wrong and they require repair. This can make geographic redundancy a problem if the drives are too far away from you. Also consider that, if they are too close to each other, they may not give you the protection you seek from geographic redundancy (avoiding susceptibility to a common disaster). The physical security of the server poses yet another issue. You will want a safe and secure place to keep your server where it has reasonable protection from the elements, natural disasters, man-made disasters, and the bad guys.
What are hybrid clouds? Hybrid clouds are the peace treaty when you get public and private clouds together. They incorporate a public cloud element for data that you want to access anytime, and a private cloud element for data that needs to remain protected in-house. A few examples of public cloud elements in this scenario would include Thomson Reuters’ Firm Central (thomsonreuters.com/firm-central), Clio (goclio.com), Amicus Cloud (amicus-cloud.com), and Rocket Matter (rocketmatter.com).
Now I’m Confused by These Options—What Should I Do?
The authors recommend that if you are going to use a public cloud, use it to run applications and store non-privileged data or non-protected health information if applicable. Use a semi-private cloud that you have properly vetted from a well-established and reliable provider familiar with the needs of law firms and/or a properly protected private cloud for files with your personal, privileged, or protected information. By way of example, Firm Central employs several layers of security to protect your data, including:
- AES 256-bit encryption to encrypt the data that they store on your servers;
- 2048-bit SSL certificates for data in transit;
- Secured data centers with physical and geographic redundancy;
- Nightly backups of data stored on their servers;
- Highly restricted internal employee access to customer-stored data; and
- A viable procedure for switching from one server to another in the event of a problem with the primary server.
The authors have toured the data facility utilized by Thomson Reuters for its Firm Central operation and took due notice of the restrictive access and impressive backup measures employed at that facility. Several semi-private cloud providers employ similar measures, and you will want to check out your prospective provider in that regard. The bulleted list above offers a good basic set of standards to go by in evaluating potential providers.
How Would It Work?
If you find yourself out of the office often, you will want easy access to client files, your calendar, and your research. The public cloud systems designed specifically for law firms (e.g., Firm Central, Clio, Amicus Cloud, and Rocket Matter) are excellent choices for your practice management and time and billing applications. Firm Central, for example, is a law practice management system designed ideally for law firms of ten attorneys or fewer. It excels at integrating your client files with your research and your time and billing module so you can conduct your business in the moment, saving you time and the headache of assembling the research or entering your billing later. All these modules are accessible anywhere you have Internet access. Firm Central integrates with Westlaw Next, and if that is your research tool of choice, then Firm Central may prove an excellent fit for your practice.
We could give a detailed overview of what is in each of these programs, but by the time you read this article these features may have changed—these services generally present a moving target. Most of them now offer some form of time and billing and calendaring. Some, like Clio, have recently added e-mail and document storage and retrieval; others, like Firm Central, have also recently added rules-based calendaring, document processing, and research connectivity. Most of these systems continue to evolve and will add new and better features as time goes on. For example, we recently saw a demonstration of the new rules-based calendaring features in Firm Central, and while it is fairly full-featured now, we are advised that they plan to add further enhancements over the next several months.
We often get asked whether people should adopt new technology today or wait for further evolution. We consistently answer that question by responding that the only certainty about technology is that there will almost always be a better system or improvements to a system in the future. If you wait for the “ultimate” system, you will never get anything. In reality, currently available systems offer many helpful features, and you will likely benefit from having them in your practice. If you find a system that provides benefits to your practice now, there is no reason not to employ it, provided that you check it out and it offers appropriate security and stability.
You need to evaluate your own practice to determine how big a commitment you want to make to the cloud and what portions of your practice make sense to move to the cloud. Not all attorneys and law firms will answer these questions identically. The factors that will bear on the decision include the size of the firm, the nature of the practice, the age of the attorneys, and the technical know-how the attorneys have and/or will spend the time (and resources) to acquire.
Do I Really Need to Get My Practice in the Cloud?
In a word, “no.” But, then again, nobody told the dinosaurs that they needed to evolve. Bear two factors in mind. First, having your practice in the cloud makes it more easily available to you in a variety of locations, enhancing your flexibility and efficiency. Second, law practices have definitely started a migration to the cloud. If you are a year or two from retirement, you may be able to keep your feet on the ground and your head in the sand until you retire. If you are five or ten or 30 years from retirement, the cloud is here to stay. Deal with it. Failing to do so puts you at a competitive disadvantage, just as relying on hard copies of law books instead of using online legal research capabilities already does because you can get more current information about cases and decisions online than you can from physical volumes.
What about Encryption?
Encryption is the process of converting data into an unreadable (or at least exceptionally difficult to read) format that is reversible with the application of the user’s security key or password. It is the digital equival
ent of securely locking your office at the end of the day. You have the key, and those you trust may have a key, but the rest of the world cannot get to your data. The difference in the digital world of encryption is that even if violators get access to your data, what they see in the file is gibberish unless they have your key. One thing you need to understand is that while you can generally encrypt your own data before storing it
in the cloud, if you use a cloud-based document management or practice management setup, you will not be able to do that and get the organizational and productivity benefits you expect from
the program because your pre-loading encryption will prevent the software from reading the file and enabling the program to interact with it successfully. When you use that type of program, you need to ensure that the provider will impose its own encryption to protect the data and that the encryption it uses offers adequ
ate security for your data.
Securely encrypting your data is a best practice. Storing unencrypted confidential information in the cloud or on your computer unnecessarily and unreasonably exposes it to risk. Although many states do not have specific requirements respecting the storage of data by atto
rneys, those that do have gravitated toward a reasonable conduct standard that requires attorneys to familiarize themselves with the nature of the data they have, the technology available to protect it, a
nd the means of implementing that technology. Further, the standard requires that lawyers implement those processes sufficiently to reasonably protect the confidential information they hold for their clie
Maybe encryption seems like an extra and unnecessary step
. Your computer sits in your office, which you lock at the end of the day, so it is secured . . . right? Wrong. You may have your data duplicated on your laptop stored “securely” in your locked car. It takes
about 20 seconds for a thief to do a smash-and-grab. You may have your laptop at home. People’s homes get broken into all the time. For that matter, criminals have broken into offices to steal compute
rs and other items of value with regularity. Some of us store information on portable hard drives or on flash memory devices (such as U
SB sticks). Portable memory storage devices can be lost or stolen. If you store your data in the cloud, someone who has your computer and your passwords can access your data in the cloud as well. In fact, if they have the information (account and password), the bad guys don’t need your computer; they can access the data from any computer, just like you can.
What Happens after a Breach or Theft?
In terms of recovery of your information, you can bounce back quickly from any loss of data or hardware failure, provided you have a decent backup and recovery system. In some cases (e.g., the bad guys accessing your data in the cloud), you have not even lost your own access to your data. Under any circumstances, the loss of the data or the bad guys’ getting access to it presents the real problem as that can expose you to a world of headaches and possibly some hefty fines. Worse yet, if you have not taken appropriate precautions to protect your data, you could find yourself the subject of state bar disciplinary proceedings for violation of your ethical responsibilities to your clients.
Any lawyer who works with protected health information likely understands that he or she can be classified as a “business associate” of covered entities, and consequently can be subject to some of the same regulatory requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One of those requirements, the Breach Notification Rule, embodies notice and mitigation requirements in the event that unsecured protected health information is acquired, accessed, used, or disclosed in violation of the HIPAA Privacy or Security Rules. The simple solution here? Encrypt the hardware on which you plan to access and store protected health information. This encompasses all hardware: desktops, laptops, and mobile devices.
A press release dated April 22, 2014, from the U.S. Department of Health and Human Services reveals that two entities paid the department’s Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential HIPAA violations owing to unencrypted laptop computers and mobile devices (tinyurl.com/lr7832u). In February 2012, the OCR was notified of a breach from QCA Health Plan, Inc., of Arkansas after an unencrypted laptop computer containing electronic protected health information had been stolen from a worker’s car, triggering an investigation that revealed multiple HIPAA Privacy and Security violations. Susan McAndrew, the deputy director of health information privacy at the OCR, commented, “Our message to these organizations is simple: encryption is your best defense against these incidents.”
What Type of Encryption Should I Use?
Data encryption comes in many forms using various technologies. Encryption’s current gold standard requires the use of AES (Advanced Encryption Standard) 256-bit encryption. The Advanced Encryption Standard refers to an encryption algorithm used to secure sensitive material by many U.S. government agencies that is in the process of becoming the accepted standard for private-sector encryption. Whatever encryption software you employ (or the provider uses), you will want to ensure that it provides AES 256-bit encryption. The original data should be “shredded” (rendered unreadable) after you have encrypted it, requiring the use of the password to decrypt and read it. You will also want to do some testing during the vetting process to ensure that after encryption and decryption, you end up with the same data in the same condition as when you started.
What about Passwords?
Remember, however, that you can use the best possible encryption and not provide adequate security for the data if you do not use a strong password to protect it. As with all security measures, encryption defaults to its weakest link. Often the password used to unlock and decrypt the file proves the weakest link in the chain respecting encryption. For that reason, you always want to use a strong password (i.e., a combination of letters, numbers, and non-alphanumeric characters) and store the password safely and securely. Using and safely storing strong passwords represents a best practice.
Unfortunately, as a general rule, the stronger the password, the more difficult you will find it to remember. A completely random combination of characters is ideal, but if you cannot remember your password, you cannot access your own data. Many people try to solve the problem by writing the password down. The rest of that story is that if you write the password down and tape it to your computer monitor, anyone can read it and use it. Using a secure password storage system such as 1Password (agilebits.com/onepassword) or LastPass (lastpass.com) can help you generate secure passwords (that you will not be able to remember) and then remember them for you, so that you have them available to you. That being the case, you will only need to remember two passwords, one to get into the device you use to store the passwords and the other to get into the program. It will remember all your other passwords.
If you do not wish to employ one of these services, consider using a “pass phrase,” which can be complex but still memorable. As with passwords, the strongest pass phrases include a combination of alphabetic, numeric, and symbolic characters; alphabetic characters should use both lower- and uppercase (assuming that the system you work with recognizes lower- and uppercase as different). The algorithms used by most password-cracking software make longer passwords more difficult and time consuming to crack. For that reason you might want to use a longer pass phrase. Generally your hardware and the providers you choose will each have parameters for passwords/phrases with which you must comply when setting your password/phrase. Whatever password/phrase you choose, store it in a safe place—don’t write it on a sticky note and put it on your monitor.
This article represents the opinions of the authors and should not be construed to be those of either the American Bar Association or of the Solo, Small Firm and General Practice Division. All comments that appear are solely those of the individuals, and do not reflect ABA positions or policy. The ABA endorses no comments made herein.