If you've ever heard me speak, you'll know that I'm an advocate of
using cloud technology in your law firm. Why? Here are three good
reasons:
Cost Savings. In many instances, cloud technology obviates the need
for in-house servers and costly IT services to maintain them.
Rather than pay a hefty lump sum for server technology and
maintenance, cloud technology jives with law firm cash flow by
offering subscription services paid on a monthly or annual basis.
Maintenance and updates are woven into the subscription
price.
Increased Efficiency. Generally, access to your data remotely bodes
efficiency and productivity. Copying files to a USB drive before
traveling home from the office not only puts your client's data at
risk and is a recipe for malpractice because you now have multiple
copies of documents stored in different places, but it is just
plain time consuming and inefficient.
Enhanced Security. Yes, I said it. This is particularly true for
solo and small firms whose infrastructure could never match that of
a cloud technology provider whose entire business relies on their
ability to provide secure services. Reputable cloud providers have
teams dedicated to security and monitoring data 24/7, employ the
most up-to-date security measures, and have sophisticated protocols
for backups, service interruption, and breach response.
If you are not already using the cloud, it may be time to make the
leap. Indeed, nearly half of all the states, including
Massachusetts (Opinion 12-03), have opined on the ethical use of
the cloud. By in large, the opinions deem it ethical to store your
client's data in the cloud, but state that attorneys must use
"reasonable care or efforts" in doing so. To varying degrees, each
opinion provides that reasonable care standards require the lawyer
to vet the cloud service provider.
So, what exactly should you be looking for when you vet these cloud
service providers? It goes without saying that your first step
should be to review the Massachusetts Bar Association Ethics
Committee Opinion 12-03 which lays out five factors that constitute
"reasonable efforts". While these factors provide the overarching
concepts that you must consider, they don't provide the level of
detail you need to properly vet a provider.
Beyond our ethics opinions, we now have guidance from the legal
cloud computing providers themselves. In 2010, a small group of
legal cloud computing companies formed what is now the Legal Cloud
Computing Association (LCCA). The LCCA recently announced a formal
set of standards to help lawyers understand what "reasonable care"
entails. These standards should be used by lawyers as a guidepost
for vetting cloud providers. You can find the LCCA standards at
www.legalcloudcomputingassociation.org. Here are a few important
takeaways that you can implement in your vetting process:
Policies. Providers should convey clear policies that describe
their service obligations, data usage and privacy, breach response
and notification practices, and disaster recovery and continuity
plans.
Encryption. Data should be encrypted at rest, that is, when it is
stored at the data center; and it should be encrypted when it is
transmitted to and from the data center. Secure Sockets Layer (SSL)
encryption technology is the industry standard for securing
communications to and from a data center.
Location and Redundancies. Cloud providers should disclose the
locations of their data centers that store your information. Your
data should be backed up and redundantly stored at multiple centers
in the event of an outage in one location.
Data Availability and Usage. Providers should make the following
representations: only you own your data, data can be extracted in a
usable and non-proprietary format, data permanently deleted from
the cloud should be disposed of and no longer available to any
entity, and private information should be treated as confidential
and viewed only by the provider with your explicit consent.
You don't need to be an expert in cloud technology to review a
provider's policies and ensure that it meets the best practice
standards above. Not only do you have an ethical obligation to do
so, but doing your due diligence will reduce security risks and
enable you to get the most out of your cloud service. ■
Heidi S. Alexander, Esq. is the director of Practice Management
Services for Lawyers Concerned for Lawyers, where she advises
lawyers on practice management matters, provides guidance in
implementing new law office technologies, and helps lawyers develop
healthy and sustainable practices. She frequently makes
presentations to the legal community and contributes to
publications on law practice management and technology. She is the
author of the forthcoming publication by the ABA's Law Practice
Division, Evernote as a Law Practice Tool and serves on the
ABA's TECHSHOW Planning Board.If
you've ever heard me speak, you'll know that I'm an advocate of
using cloud technology in your law firm. Why? Here are three good
reasons:If you've ever heard me speak, you'll know that I'm an advocate of using cloud technology in your law firm. Why? Here are three good reasonsIf you:
If you've ever heard me speak, you'll know that I'm an advocate of using cloud technology in your law firm. Why? Here are three good reasons:
Cost Savings. In many instances, cloud
technology obviates the need for in-house servers and costly IT
services to maintain them. Rather than pay a hefty lump sum for
server technology and maintenance, cloud technology jives with law
firm cash flow by offering subscription services paid on a monthly
or annual basis. Maintenance and updates are woven into the
subscription price.
Increased Efficiency. Generally, access to your
data remotely bodes efficiency and productivity. Copying files to a
USB drive before traveling home from the office not only puts your
client's data at risk and is a recipe for malpractice because you
now have multiple copies of documents stored in different places,
but it is just plain time consuming and inefficient.
Enhanced Security. Yes, I said it. This is
particularly true for solo and small firms whose infrastructure
could never match that of a cloud technology provider whose entire
business relies on their ability to provide secure services.
Reputable cloud providers have teams dedicated to security and
monitoring data 24/7, employ the most up-to-date security measures,
and have sophisticated protocols for backups, service interruption,
and breach response.
If you are not already using the cloud, it may be time to make
the leap. Indeed, nearly half of all the states, including
Massachusetts (Opinion 12-03), have opined on the ethical use of
the cloud. By in large, the opinions deem it ethical to store your
client's data in the cloud, but state that attorneys must use
"reasonable care or efforts" in doing so. To varying degrees, each
opinion provides that reasonable care standards require the lawyer
to vet the cloud service provider.
So, what exactly should you be looking for when you vet these
cloud service providers? It goes without saying that your first
step should be to review the Massachusetts Bar Association Ethics
Committee Opinion 12-03 which lays out five factors that constitute
"reasonable efforts". While these factors provide the overarching
concepts that you must consider, they don't provide the level of
detail you need to properly vet a provider.
Beyond our ethics opinions, we now have guidance from the legal
cloud computing providers themselves. In 2010, a small group of
legal cloud computing companies formed what is now the Legal Cloud
Computing Association (LCCA). The LCCA recently announced a formal
set of standards to help lawyers understand what "reasonable care"
entails. These standards should be used by lawyers as a guidepost
for vetting cloud providers. You can find the LCCA standards at
www.legalcloudcomputingassociation.org. Here are a few important
takeaways that you can implement in your vetting process:
Policies. Providers should convey clear
policies that describe their service obligations, data usage and
privacy, breach response and notification practices, and disaster
recovery and continuity plans.
Encryption. Data should be encrypted at rest,
that is, when it is stored at the data center; and it should be
encrypted when it is transmitted to and from the data center.
Secure Sockets Layer (SSL) encryption technology is the industry
standard for securing communications to and from a data center.
Location and Redundancies. Cloud providers
should disclose the locations of their data centers that store your
information. Your data should be backed up and redundantly stored
at multiple centers in the event of an outage in one location.
Data Availability and Usage. Providers should
make the following representations: only you own your data, data
can be extracted in a usable and non-proprietary format, data
permanently deleted from the cloud should be disposed of and no
longer available to any entity, and private information should be
treated as confidential and viewed only by the provider with your
explicit consent.
You don't need to be an expert in cloud technology to review a
provider's policies and ensure that it meets the best practice
standards above. Not only do you have an ethical obligation to do
so, but doing your due diligence will reduce security risks and
enable you to get the most out of your cloud service.
Heidi S. Alexander, Esq. is the director of Practice
Management Services for Lawyers Concerned for Lawyers, where she
advises lawyers on practice management matters, provides guidance
in implementing new law office technologies, and helps lawyers
develop healthy and sustainable practices. She frequently makes
presentations to the legal community and contributes to
publications on law practice management and technology. She is the
author of the forthcoming publication by the ABA's Law Practice
Division, Evernote as a Law Practice Tool and serves on the
ABA's TECHSHOW Planning Board.