If you've ever heard me speak, you'll know that I'm an advocate of using cloud technology in your law firm. Why? Here are three good reasons:
Cost Savings. In many instances, cloud
technology obviates the need for in-house servers and costly IT
services to maintain them. Rather than pay a hefty lump sum for
server technology and maintenance, cloud technology jives with law
firm cash flow by offering subscription services paid on a monthly
or annual basis. Maintenance and updates are woven into the
Increased Efficiency. Generally, access to your
data remotely bodes efficiency and productivity. Copying files to a
USB drive before traveling home from the office not only puts your
client's data at risk and is a recipe for malpractice because you
now have multiple copies of documents stored in different places,
but it is just plain time consuming and inefficient.
Enhanced Security. Yes, I said it. This is
particularly true for solo and small firms whose infrastructure
could never match that of a cloud technology provider whose entire
business relies on their ability to provide secure services.
Reputable cloud providers have teams dedicated to security and
monitoring data 24/7, employ the most up-to-date security measures,
and have sophisticated protocols for backups, service interruption,
and breach response.
If you are not already using the cloud, it may be time to make
the leap. Indeed, nearly half of all the states, including
Massachusetts (Opinion 12-03), have opined on the ethical use of
the cloud. By in large, the opinions deem it ethical to store your
client's data in the cloud, but state that attorneys must use
"reasonable care or efforts" in doing so. To varying degrees, each
opinion provides that reasonable care standards require the lawyer
to vet the cloud service provider.
So, what exactly should you be looking for when you vet these
cloud service providers? It goes without saying that your first
step should be to review the Massachusetts Bar Association Ethics
Committee Opinion 12-03 which lays out five factors that constitute
"reasonable efforts". While these factors provide the overarching
concepts that you must consider, they don't provide the level of
detail you need to properly vet a provider.
Beyond our ethics opinions, we now have guidance from the legal
cloud computing providers themselves. In 2010, a small group of
legal cloud computing companies formed what is now the Legal Cloud
Computing Association (LCCA). The LCCA recently announced a formal
set of standards to help lawyers understand what "reasonable care"
entails. These standards should be used by lawyers as a guidepost
for vetting cloud providers. You can find the LCCA standards at
www.legalcloudcomputingassociation.org. Here are a few important
takeaways that you can implement in your vetting process:
Policies. Providers should convey clear
policies that describe their service obligations, data usage and
privacy, breach response and notification practices, and disaster
recovery and continuity plans.
Encryption. Data should be encrypted at rest,
that is, when it is stored at the data center; and it should be
encrypted when it is transmitted to and from the data center.
Secure Sockets Layer (SSL) encryption technology is the industry
standard for securing communications to and from a data center.
Location and Redundancies. Cloud providers
should disclose the locations of their data centers that store your
information. Your data should be backed up and redundantly stored
at multiple centers in the event of an outage in one location.
Data Availability and Usage. Providers should
make the following representations: only you own your data, data
can be extracted in a usable and non-proprietary format, data
permanently deleted from the cloud should be disposed of and no
longer available to any entity, and private information should be
treated as confidential and viewed only by the provider with your
You don't need to be an expert in cloud technology to review a
provider's policies and ensure that it meets the best practice
standards above. Not only do you have an ethical obligation to do
so, but doing your due diligence will reduce security risks and
enable you to get the most out of your cloud service.
Heidi S. Alexander, Esq. is the director of Practice
Management Services for Lawyers Concerned for Lawyers, where she
advises lawyers on practice management matters, provides guidance
in implementing new law office technologies, and helps lawyers
develop healthy and sustainable practices. She frequently makes
presentations to the legal community and contributes to
publications on law practice management and technology. She is the
author of the forthcoming publication by the ABA's Law Practice
Division, Evernote as a Law Practice Tool and serves on the
ABA's TECHSHOW Planning Board.