Ignorance is Not a Defense Using Cloud Software Securely, 0917 SCBJ, SC Lawyer, September 2017, #24
Author: Gerald Auger and Aaron Heath, J.
For years, there has been a steady increase in the integration of technology to support the modern law firm. Cloud software solutions, in particular, have seen increases in adoption due to their cost effectiveness, features, ease of use and low maintenance. In fact, law firms likely stand to improve data security when moving to the cloud.
Protecting attorney-client communications is foundational to the legal profession. In Upjohn Co. v. United States, the Supreme Court made a point of affirming the principle that "[Legal] assistance can only be safely and readily availed of when free from the consequences or the apprehension of disclosure."
The obligation to protect the confidentiality of client information is codified in Rule 1.6 of the South Carolina Rules of Professional Responsibility (SCRPR). Comments 19 and 20, in particular, discuss attorneys' obligation to implement reasonable and appropriate safeguards to prevent the unauthorized disclosure of sensitive client information. In addition, storing client data with a third party triggers SCRPR Rule 5.3, which requires attorneys to adequately supervise non-lawyer assistants, including a third party cloud vendor who is acting as a data custodian. Finally, many states' rules also include a requirement that bar members maintain technological competence, and courts are beginning to hear cases regarding the failure of attorneys to secure privileged information in the use of cloud services.[5]
The decision by a firm to employ cloud software means that highly sensitive information will be placed in the hands of a third party. Consequently, a firm should carefully consider which cloud vendors it chooses and diligently educate itself on secure use of the solution to ensure that client and firm interests are adequately protected.
While cloud software and services come in a few different categories, this article focuses on Software-as-a-Service (SaaS), also known as "cloud software." The ABA provides a fairly simple answer to the question, "What is SaaS?": SaaS is a subscription-based model where software and services are accessed via the internet, generally using a web browser (such as Chrome, Safari or Internet Explorer), rather than installed directly onto a user's computer.[6] In even simpler terms—your data, stored on someone else's computer, accessed via the internet.
The most appealing aspects of employing cloud software are:
• reasonable fees in exchange for up-to-date, feature-rich software
• easy, flexible access
• data security
• system reliability
Cloud software solutions range from iCloud, Dropbox and Google Docs for storage; Gmail, AOL and Office 365 for email; to Clio, Rocket Matter and MyCase, which are case management and billing products tailored to law firms.
Cloud software solutions offer a great deal of value, but they also introduce often-overlooked risks to law practices. While the vendor's security controls may be very good, firms must keep in mind that data security is ultimately their responsibility, especially with regard to securely using and configuring the solution. For example, Dropbox encrypts all files when they are retrieved over the internet and stored on their servers, but if an associate sets an entire client folder to be "public" (i.e., accessible by anyone), Dropbox's security controls would provide no protection against unauthorized access to the folder.