Ignorance is Not a Defense Using Cloud Software Securely, 0917 SCBJ, SC Lawyer, September 2017, #24

Author: Gerald Auger and Aaron Heath, J.
 

Vol. 29 Issue 2 Pg. 24

South Carolina BAR Journal

September, 2017


For years, there has been a steady increase in the integration of technology to support the modern law firm. Cloud software solutions, in particular, have seen increases in adoption due to their cost effectiveness, features, ease of use and low maintenance. In fact, law firms likely stand to improve data security when moving to the cloud.[1] However, firms face significant information security considerations that should be weighed when using these solutions. Without awareness of these risks and the ability to mitigate them effectively, firms may be exposing themselves to unnecessary and unacceptable risks, including reputational, financial, intellectual property and legal risks, among others. None of these risks garners more attention than the risk of compromising client trust.[2]

Protecting attorney-client communications is foundational to the legal profession. In Upjohn Co. v. United States, the Supreme Court made a point of affirming the principle that "[Legal] assistance can only be safely and readily availed of when free from the consequences or the apprehension of disclosure."[3] Effective legal assistance depends upon maintaining the confidence of communications between attorneys and their clients; if clients become reluctant to engage in full and frank communications out of fear that they may be disclosed to the public or the opposing party, the "professional mission" cannot be carried out.[4]

The obligation to protect the confidentiality of client information is codified in Rule 1.6 of the South Carolina Rules of Professional Responsibility (SCRPR). Comments 19 and 20, in particular, discuss attorneys' obligation to implement reasonable and appropriate safeguards to prevent the unauthorized disclosure of sensitive client information. In addition, storing client data with a third party triggers SCRPR Rule 5.3, which requires attorneys to adequately supervise non-lawyer assistants, including a third party cloud vendor who is acting as a data custodian. Finally, many states' rules also include a requirement that bar members maintain technological competence, and courts are beginning to hear cases regarding the failure of attorneys to secure privileged information in the use of cloud services.[5]

The decision by a firm to employ cloud software means that highly sensitive information will be placed in the hands of a third party. Consequently, a firm should carefully consider which cloud vendors it chooses and diligently educate itself on secure use of the solution to ensure that client and firm interests are adequately protected.

While cloud software and services come in a few different categories, this article focuses on Software-as-a-Service (SaaS), also known as "cloud software." The ABA provides a fairly simple answer to the question, "What is SaaS?": SaaS is a subscription-based model where software and services are accessed via the internet, generally using a web browser (such as Chrome, Safari or Internet Explorer), rather than installed directly onto a user's computer.[6] In even simpler terms—your data, stored on someone else's computer, accessed via the internet.

The most appealing aspects of employing cloud software are:

• reasonable fees in exchange for up-to-date, feature-rich software

• easy, flexible access

• data security

• system reliability

Cloud software solutions range from iCloud, Dropbox and Google Docs for storage; Gmail, AOL and Office 365 for email; to Clio, Rocket Matter and MyCase, which are case management and billing products tailored to law firms.

Cloud software solutions offer a great deal of value, but they also introduce often-overlooked risks to law practices. While the vendor's security controls may be very good, firms must keep in mind that data security is ultimately their responsibility, especially with regard to securely using and configuring the solution. For example, Dropbox encrypts all files when they are retrieved over the internet and stored on its servers, but if an associate sets an entire client folder to be "public" (i.e., accessible by anyone), Dropbox's security controls would provide no protection against unauthorized access to the folder.[7]

While information security risks cannot be fully avoided, there are several high value measures that can be taken by any law firm to lower the risks and evidence due diligence in its handling of client data and choice of cloud vendors. The recommendations in this article are intended to be practical and not generally technical in nature. These recommendations, while certainly non-exhaustive...
