“Are you in the cloud yet?” “What do you think of the cloud?” “Does your firm have cloud storage?” These questions, and more like them, have been flying around (no pun intended) for quite some time now. But do you truly know what “the cloud” is, and do you know how it impacts your law firm’s online security?
According to a January 2013 Google Consumer Survey, 60% of people thought that Dropbox, iTunes, Gmail and hosting weren’t cloud services even though they all are. In the U.S., less than 25% of people claimed to have a clear understanding of what ‘the cloud’ means, and 60% don’t have a clue what the cloud is.
Chances are that you are already in the cloud. LexisNexis, Google, WestLaw, Skype, Verizon, Google Talk, Citrix, T-Mobile–if you use any of these company’s services, you have a cloud presence. Even your phone’s voicemail is in the cloud!
What Does Being In The Cloud Mean?
Apparently, even search engines are not clear in their understanding of the cloud! A basic Google search shows the definition of cloud to be: “a visible mass of condensed water vapor floating in the atmosphere, typically high above the ground.” Or, “a state or cause of gloom, suspicion, trouble, or worry.” In reality, “the cloud” is not usually clearly defined because it has widely different usage in the tech community.
An easy way to think about the cloud is that it is the opposite of historical computing. Instead of local servers or personal computers, data is stored remotely (on Internet servers, usually) and accessed using a network (usually the World Wide Web).
How Should my Law Firm Use the Cloud?
Since your firm is likely already using the cloud for much of its operations, I will bypass discussing whether to utilize cloud storage or not. Instead, let’s address how it can be used effectively and securely.
Security and the Cloud
According to the ABA’s model rule of professional conduct on the client-lawyer relationship, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In this day and age, that is difficult to do.
Recent revelations about how communication is unsecure have troubled many people. Even U.S. Intelligence Agencies announced their unauthorized collection of emails. In this environment, many lawyers are wondering how to respond. Recently, I received an email thread from several concerned attorneys.
The debate-sparking question was from Craig Stokes, a Miami agriculture attorney: “If we have an ethical duty to take steps to protect client data from hacking, then don’t we have a duty to not use email which we know, at least in the case of Google, is not confidential?”
The responses were varied and spanned the spectrum from nonplussed to suspicious.
“My simplistic understanding is that the only really secure email is one using public key encryption (a la Edward Snowden). I anticipate a real problem getting clients to use that system.” – Jon van Horne, Government Contract Attorney
“…Even if I’m perfectly secure on MY end, what about the clients end? All sorts of people [have] Gmail, or Yahoo, or whatever; am I going to refuse to send them information via email?” – Ronald A. Jones, Estate Planning Attorney, Summerfield, FL
“I want to hope that Google might rethink its arrogance if a few state bars and other state level professional regulatory bodies say that it is an ethics violation to use Gmail because they are flat out saying they do not consider their own service to be confidential. .. But I doubt that will happen.” – Craig Stokes, Agriculture Attorney, Miami, FL
“…secure email is practically a delusion. In my mind, the last thing we need is some high and mighty ethics opinion, probably written by academics and tall building lawyers who are misinformed by their very, very expensive internet service providers, saying all email must be totally secure. Because that is a fiction.” — Amy Clark Kleinpeter, Consumer Law Attorney, Austin, TX
“If you have the type of practice where you are concerned about the government snooping into emails between you and your clients, then you shouldn’t be emailing at all. If you are just concerned about “random” people picking your emails out of the billions of emails sent each day, I wouldn’t be too concerned.” – David A. Shulman, Estate Planning Attorney, Fort Lauderdale, FL
“Our jobs [as] attorneys are not to ENSURE security, but to take reasonable steps to protect security. The fact that an email may be intercepted at ANY stage from your server storing it, in route, receiving server storing it, is and always has been general practice of email. We are not under a duty to avoid things that are not 100% secure. We can rely on the fact that, well this is just how it works.” – Erin M. Schmidt, Social Security Disability Attorney, Hudson, OH
In the end, Darrell Stewart provided us with his thoughts on the issue, bringing the email thread to a close eloquently:
“In person meetings can be insecure. Lasers on windows can pick up vibrations. Bugs can be planted. Unless criminal issues are in play (probably for the attorney also) or unless high-stakes corporate intelligence is involved, most of the time the in person communication is “good enough.
…One has to do a risk assessment, and determine what is “good enough” and the bar is not always going to be current on technology or on evaluating the level of risk.
Security of anything is not a light switch with an on and off button, where one position is secure and a second is insecure. Instead one deals with a large gradient range.” – Darrell G. Stewart, Attorney, San Antonio, TX
What Should I Do?
To be sure, security is increasingly just a false perception. If someone wants to intercept your client communications, they will find a way. Instead, the focus should be on taking “reasonable efforts” to protect your clients’ information and privacy.
Meet Face-to-Face
Even in our digital world, sometimes we need to go offline to ensure privacy. For certain types of meetings, in person is always the best format. This is not always convenient, but if you need particularly heavy security precautions, meeting face-to-face may be worth it.
Host Your Server Safely
At Consultwebs, our servers are kept in such a safe place that even if there was a nuclear war, your website would be available to anyone accessing the Internet. As Vice President Magnus Simonarson puts it, “When the world ends, our servers will still be running!”
Communicate About Privacy in Your Marketing
If you decide to have a particular emphasis on keeping your client’s data lock-tight, or even just to reassure your firm’s prospects of their security, be sure to include those messages in your marketing.
While your instincts may encourage you to not publicly comment on issues of privacy, your prospective clients will likely be just as concerned or more so.
Ask Your Vendors What Steps They Take To Protect You
Whether you outsource your firm management or marketing, it is always wise to ask how your information will be protected. Are your firm’s metrics shared publicly without permission? Does your marketing vendor share the strategies that have worked for you with competitors in your market area? (If they work with unlimited firms in one area this can be a heightened concern.) Do they have login permissions to protect your information?
Sometimes the best defense against privacy issues is common sense. If you think through the potential issues associated with a mode of communication and the costs outweigh the benefits, you need to change your strategy.