Moving to the Cloud, But Which One?

By Michael D Bach
According to ABA Model Rule 1.6(c), “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[1] A comment to the rule gives some “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts [which] include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”[2] Without specifically defining “reasonable efforts”, attorneys and law firms are left to decide the best practices for storing confidential information and data. Recent data breaches of companies and law firms should have firms of all sizes reconsidering the way they store their data.[3] According to a 2017 ABA TechReport, more than half of firms have begun to transition to using a primarily cloud based storage system.[4] Despite rising popularity, there are still security concerns firms need to consider depending on the cloud based system they opt for. Firms have the option of choosing a public cloud, a private cloud, or a hybrid cloud.[5]
The most commonly used cloud service by firms is the public cloud, with 59% of respondents noting they used Dropbox in the ABA Legal Technology Survey Report of 2017.[6] Public clouds, such as Dropbox, Google Apps, and iCloud, are owned and operated by a third-party cloud service provider and delivered over the internet.[7] Firms opting for a public cloud reap benefits such as lower costs, no maintenance, near-unlimited scalability, and high reliability.[8] While these features are enticing, the documents circulating a law firm can contain a wide array of confidential client information that requires heightened security. “Breaches involving health information, trade secrets and intellectual property are typically the most devastating.”[9] Another thing to consider when operating with a public cloud is that the firm’s information is stored in a cloud not within the organization’s control.[10] This creates the issue that a firm runs the risk of their confidential information being transmitted over the open internet to the cloud provider.[11]
Due to the variety and amount of confidential information law firms deal with, firms “should consider a cloud-based provider that focuses on the legal industry and offers private servers with enhanced security measures, such as enterprise-grade firewalls, intrusion detection/prevention systems, and dual-factor authentication.”[12] A private cloud mainly differs from a public cloud because the cloud that is being used by the firm is dedicated solely to that firm, instead of sharing a cloud infrastructure with multiple users.[13] Private clouds offer more flexibility for a firm to customize it’s cloud to meet their specific needs, allocate their resources accordingly, and provide enhanced security and privacy.[14] Heightened security and privacy come with the implementation of a private cloud because its resources are isolated to the firm who owns the cloud.[15] Further, a private cloud provides the firm with more control over where the data actually resides. Firms have the option between storing their private cloud infrastructure in-house, or to entrust their private cloud with a third-party.[16] Unlike a public cloud, when a firm outsources their private cloud to a third-party, the cloud is solely used by the firm it belongs too, not shared with other users.[17] Not sharing a third-party’s hardware with other users allows firms to maintain confidentiality and privilege when handling their sensitive data.[18] Private clouds are optimal for firms where security and control of information are highly important, and where the highest performance of applications is desired.[19] There are some disadvantages to using a private cloud, such as being primarily responsible for security and data breaches because the firm has more control of who can access the servers.[20] However, there are several private clouds and applications available solely to benefit law firms.[21] This helps make it easier for firms to transition to a private cloud and select which applications are the most useful for the services they provide.
Combining both public and private clouds, the hybrid cloud gives a firm the benefits from both while maintaining a desirable level of security. “In a hybrid cloud, data and applications can move between private and public clouds for greater flexibility and more deployment options.”[22] With a hybrid cloud, firms have the ability to store less sensitive information on a public cloud, while keeping highly confidential information on the firm’s private cloud.[23]
Firms have a few options to choose from when deciding to move to a cloud. Each firm operates differently and deals with a variety of confidential information so each firm needs to conduct their own internal analysis to determine which type best serves their purposes. Although a private cloud has its downsides, it seems the heightened levels of things like control, access, and privacy would be the go-to option for firms who are genuinely concerned about applying the best possible “reasonable efforts”. Regardless of the type of data storage a firm decides to use, they must conduct their own research in order to assure they are in compliance with the ABA Model Rule 1.6(c), despite there being no clear definition of what a reasonable effort consists of.
  1. Christopher T. Anderson and Dan Barahona, When “secure enough” isn’t enough: A Law Firm Guide to Protecting the Confidentiality of Shared Client Files, American Bar Association, https://www.americanbar.org/content/dam/aba/events/professional_responsibility/2015/May/Conference/Materials/4_byod_lexisnexis_document_security_whitepaper.authcheckdam.pdf.
  2. Model Rules of Prof’l Conduct r. 1.6(c) cmt. 18 (Am. Bar Ass’n 2016).
  3. See Jeff John Roberts, Law Firm DLA Piper Reels Under Cyber Attack, Fate of Files Unclear, Fortune (June 29, 2017), http://fortune.com/2017/06/29/dla-piper-cyber-attack/; See also, Jeff John Roberts, Exclusive: China Stole Data From Major U.S. Law Firms, Fortune (Dec. 7, 2016), http://fortune.com/2016/12/07/china-law-firms/; See also, Staci Zaretsky, Global Biglaw Firm ‘Paralyzed’ By New Ransomware Attack, Above the Law (Jun. 27, 2017, 11:44 AM), https://abovethelaw.com/2017/06/global-biglaw-firm-paralyzed-by-new-ransomware-attack/?rf=1.
  4. Dennis Kennedy, Cloud Computing, American Bar Association, https://www.americanbar.org/groups/law_practice/publications/techreport/2017/cloud_computing.html.
  5. See What are public, private, and hybrid clouds?, Microsoft Azure, https://azure.microsoft.com/en-us/overview/what-are-private-public-hybrid-clouds/.
  6. Techreport Series: Cloud Computing, Law Technology Today (Mar. 22, 2018), https://www.lawtechnologytoday.org/2018/03/techreport-series-cloud-computing/.
  7. What are public, private, and hybrid clouds?, Microsoft Azure, https://azure.microsoft.com/en-us/overview/what-are-private-public-hybrid-clouds/.
  8. Id.
  9. Alex Bennett, 8 Public Cloud Security Threats to Enterprise in 2018, Compare the Cloud (Apr. 10, 2018), https://www.comparethecloud.net/articles/8-public-cloud-security-threats-to-enterprises-in-2017/.
  10. Id.
  11. David Gewirtz, Security Implications of Public vs. Private Clouds, ZDNet (Apr. 22, 2013, 7:20 AM), https://www.zdnet.com/article/security-implications-of-public-vs-private-clouds/.
  12. Joe Kelly, In-House or in the Cloud: Choosing the Right IT for Your Law Firm, Legal Workspace (Aug. 1, 2016), https://legal-workspace.com/house-cloud-choosing-right-law-firm/.
  13. See Tim Pat Dufficy, What is Private Cloud? Advantages and Disadvantages, Server Space (Oct. 22, 2014), http://www.serverspace.co.uk/blog/what-is-private-cloud-plus-advantages-disadvantages.
  14. See id.
  15. See id.
  16. See id.
  17. See What are public, private, and hybrid clouds?, Microsoft Azure, https://azure.microsoft.com/en-us/overview/what-are-private-public-hybrid-clouds/.
  18. Joe Kelly, In-House or in the Cloud: Choosing the Right IT for Your Law Firm, Legal Workspace (Aug. 1, 2016), https://legal-workspace.com/house-cloud-choosing-right-law-firm/.
  19. See Single-Tenant Security For Your Cloud, Rackspace, https://www.rackspace.com/cloud/private.
  20. David Gewirtz, Security Implications of Public vs. Private Clouds, ZDNet (Apr. 22, 2013, 7:20 AM), https://www.zdnet.com/article/security-implications-of-public-vs-private-clouds/.
  21. See Stephanie L. Kimbro and Tom Mighell, Popular Cloud Computing Services for Lawyers: Practice Management Online, American Bar Association, https://www.americanbar.org/publications/law_practice_magazine/2011/september_october/popular_cloud_computing_services_for_lawyers.html.
  22. See What are public, private, and hybrid clouds?, Microsoft Azure.
  23. See id.

Leave a Reply

Your email address will not be published. Required fields are marked *