As the coronavirus pandemic continues to restrict our movements, attorneys across the United States have quickly learned how to adapt to the vagaries of remote work. What happens, though, to the day-to-day activities of a law firm when its employees can no longer visit their offices, archives or libraries?
Luckily, the proliferation of cloud computing technologies has lessened the effects of lockdown restrictions on our workflows. Access to the cloud frees users from tethering to their own local computers and hard drives. It is possible for us to work anywhere, at any time, with incredible ease. According to a survey conducted by MyCase, the use of cloud computing legal software has steadily increased since the start of the pandemic. In fact, 70% of the law firms surveyed attributed their financial stability to cloud-based technologies.
Is It Safe? Cloud Computing and Its Gatekeepers
The “cloud” is a vague term that can be used to describe any place where digital data is remotely created, stored or shared. To put it simply, cloud computing outsources computing functions to servers owned by cloud computing providers, making it possible for a geographically dispersed workforce to access applications and digital data via the internet, from any location.
You are probably already familiar with a number of cloud services. Many lawyers use public clouds like Google Drive and Amazon Simple Storage Service to create documents and store files. Others have adopted legal research tools like Westlaw, LexisNexis and Trellis (my company), which free law firms from the burden of having to independently collect, store and curate millions of court records in their own filing cabinets and computer systems.
When stored in a cloud, the usefulness of a document or a file no longer depends on access to the physical filing cabinet or law office in which it sits. For many, this is liberating. For others, it is concerning. These documents often contain confidential information, which may be put at risk if placed on web-based servers.
Such concerns, however, overlook the extent to which confidential information is always already at risk. There are risks to placing client documents within physical storage systems, whether those be inside the law firm itself or inside a third-party storage facility. Cloud computing may actually offer more extensive security than many law firms can provide on their own, as cloud databases lie within “intricate, multitiered security networks that are constantly being upgraded and tested for potential weaknesses,” notes Thomson Reuters.
How to Prepare for Cloudy Days: Terms of Service
Most state bar organizations have concluded that lawyers may entrust confidential documents to most cloud computing providers. These organizations recognize that the cloud is not necessarily a more (or less) safe place to store sensitive information than a physical repository. Cloud computing security concerns are simply different.
Perhaps the biggest difference is the loss of control. The terms of service agreements written by cloud computing providers often stipulate that your data may be stored or backed up in countries outside of the United States, that is, in a country with different privacy laws. It is important to remember that laws governing cloud computing are based on the physical location of the cloud provider’s servers, not the location of the company whose information is being stored. This is where things get complicated. Any data submitted to a cloud computing provider is often duplicated and stored in many different locations around the globe, a feature that ensures our data will remain safe and accessible in the event a data center goes offline.
Other agreements may clarify (with more or less ambiguity) what happens to your data after you store it in the cloud. Do you still maintain perpetual ownership over the data? Do you maintain control over who can use the data and for what purposes? In other words, is the cloud computing provider a data processing agent or a data controller? The former will only process data on your behalf while the latter has the right to use your data for its own purposes.
There is also the question of how data gets removed from the cloud. Is manually removing documents from the cloud’s user interface enough? How long does data linger in the cloud provider’s servers before it is permanently erased?
Protecting Clients in the Cloud
Law firms have always been concerned with questions about confidential information. How should it be stored? How should it be made available? How should it be destroyed? In the past, locked filing cabinets and shredders performed much of this work. What happens, though, when cloud computing becomes an accepted, trusted means for storing confidential data?
Normalizing the use of cloud services has the potential to make us a little too comfortable with everything these services afford us — a comfort that can lead us to overlook the legal terms to which we are agreeing. It should go without saying that it is important to read the details of any cloud provider’s terms of service agreements. Still, fewer than one-third of cloud-computing lawyers even bother to read these contracts. This might have something to do with the fact that the average attorney has little or no leverage to negotiate favorable terms of service with a cloud computing provider. Nonetheless, terms of service vary widely across providers, and it is our responsibility to know where our data is stored and how that data is accessed or used.
Remember that cloud computing providers are no different from any other third-party vendor. Our rush to access the cloud, especially in the time of corona, should not blind us to the risks of outsourcing the stewardship of confidential information to others.