As is often the case with new technologies, the concept of storing legal data in the cloud battled its share of skeptics before it gained wide acceptance from vendors and law firms alike.
Let’s face it, the imagery it conjures up isn’t great (clouds seem pretty out in the open), and for the technophobic, there were concerns that data connected to the larger internet might be exposed to cyber-hacking threats. But, lawyers who once shivered at the thought of keeping privileged data any more than an arm’s length away are now seeing the cloud as the most secure solution.
An attorney’s ethical duty to protect client data is made clear in the American Bar Association’s Model Rule 1.6, which states:
“A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”
When Nextpoint first moved its clients’ data storage to the cloud in 2006, it was perceived as a risky business move by those uneducated in cybersecurity. We heard quite often that law firms—not known for being at the forefront of technology adoption—didn’t want to put their clients data “out there.”
A Turning Point for Legal Cloud Computing
In 2013, the winds began to shift after well-publicized breaches of some of the most allegedly secure on-site servers in the world—first by former U.S. Army Pfc. Chelsey Manning, and most notably by National Security Administration contractor Edward Snowden. These incidents made it clearer than ever that keeping sensitive data in on-site servers exposes it to a number of serious vulnerabilities not present in the cloud.
In a landmark move later that year, the Central Intelligence Agency finalized a $600 million deal with Amazon Web Services—the world’s leading private cloud computing service—to help the U.S. intelligence community discover and share information. Today, our government uses AWS as a secure workspace to handle and share classified information, just as Nextpoint uses AWS to store sensitive data belonging to users’ end clients.
So why did the CIA choose the same solution we did (albeit nine years later)?
Price of Storage
One huge consideration was surely cost. Amazon absorbs the costs of maintaining and physically protecting its cloud servers, charging AWS clients only for the data storage they use.
This same efficiency principle enables cloud eDiscovery providers who use AWS for hosting to offer much more competitive pricing than non-cloud products like Relativity and Concordance, which are designed to run on traditional infrastructure that must be paid for up-front—either directly by the user or through a third-party vendor.
But the CIA certainly wasn’t willing to compromise national security for mere cost savings—and they didn’t have to. A senior official interviewed by The Atlantic stated, “security in the IC cloud will be as safe as or safer than security on our current data centers.” Two years later, the system has suffered no significant known security breaches.
Don’t chalk it up to beginner’s luck, either. There are plenty of reasons why hosting data in the cloud is more secure than traditional storage.
Security of the Cloud
Well-designed cloud computing systems have fewer points of entry than on-site data storage systems, presenting fewer opportunities for unauthorized users to break in.
For starters, the physical and environmental controls employed at Amazon’s data storage centers are snagged right out of Mission: Impossible. These facilities can operate independently of the electrical grid and feature 24/7 surveillance, state of the art intrusion detection systems and military-grade defense barriers. Employees don’t know which data is stored where, and their system access is logged and regularly audited.
“…A far better question is whether it’s ethical to keep your client’s data at your office.”
Much of the fear surrounding the cloud has historically focused on perceived vulnerabilities in the connection between cloud data centers and the outside world. (This despite the fact that most in-house servers can also be accessed remotely.) However, good cloud software addresses these fears with simple, smart controls.
User Authentication & Audit Trails
First, it’s impossible to access Nextpoint data without using a profile that has been granted explicit permission from the administrator account. All other connection attempts are denied by default. This built-in “firewall” of sorts can’t be spoofed, and it grants users access only to documents the administrator allows them to see—not the entire system.
Nextpoint employs two-factor authentication, meaning both users and their specific device (laptop, tablet, etc.) must be verified with a unique password and PIN to log in. Even if someone obtains your password, they can’t access your user profile from an unauthenticated device.
The single-login setup of Amazon AWS makes it easy to track exactly when a user logs in and audits every action taken within the system, so if a breach does occur, the system administrator knows exactly what was compromised.
To use a real-world example, had the CIA used Amazon AWS instead of their local networks five years ago, Edward Snowden would not have had access to data he wasn’t cleared for. And had Snowden decided to leak data he was cleared to access, Amazon’s user audit trail would have shown the government precisely what he had in his possession. To this day, we still don’t know the extent of the Snowden breach.
Courts Have Ruled on Storing Legal Data in the Cloud
As of April 2016, all 20 U.S. states that have weighed in on storing legal data in the cloud have unanimously permitted it under the standard of reasonable care, according to the American Bar Association. The Alabama Disciplinary Commission even went out of its way to praise cloud computing in its opinion, citing “the lawyer’s increased access to client data” and its promise for granting clients easier access to their own files.
While exercising reasonable care with respect to complex security measures might seem daunting to an attorney, this problem is exactly what the Legal Cloud Computing Association was formed to address.
In March, the LCCA issued 21 security standards that cloud computing vendors should meet or exceed to satisfy an attorney’s ethical duty to safeguard client data. This provides a simple, consistent benchmark attorneys can use to establish reasonable care in selecting a technology vendor.
Today, the ethical implications cloud computing creates for law firms are no greater than the ethical implications of storing client data on-site. In fact, a far better question is whether it’s ethical to keep your client’s data at your office.
For a complete breakdown of the practical, ethical and technical aspects attorneys should consider when evaluating a legal software-as-a-service, download our free e-book, “Managing eDiscovery in the Cloud.”