With the advent of DropBox and other cloud-storage possibilities, cloud computing has become a way to increase productivity and mobility while decreasing information technology costs. But, as with most technological advances, firms must address ethical and business risks before floating their practices to the cloud.
Despite the popularity of cloud computing, many attorneys are unfamiliar with how cloud computing works. A basic understanding of the technology can prepare lawyers to address potential pitfalls before they arise.
Traditionally, most firms have kept software and data on their own on-site servers. That meant buying servers and software to manage those servers. The firm was responsible for server security and maintenance. This was a costly model with high set-up costs and ongoing expenses for security, maintenance and upgrades.
Cloud computing, however, allows users to access software and data over the Internet via a third-party server. Firms contract for use of off-site, secure third-party servers to store their data and software. This arrangement lets a firm establish a complete network in its office without physically installing servers and manually setting up a network, eliminating up-front, maintenance and security costs. All the firm and its lawyers need is Internet access to create the network. Although this concept may seem abstract and unfamiliar, most lawyers use cloud computing every day, when accessing email accounts via the Internet.
What to Consider?
Before lawyers decide to switch part or all of a firm’s data to cloud computing, then start choosing a provider, they need to ponder three key issues.
• Security:Data security is of paramount concern. Data must be encrypted, and the physical servers must be protected. These are key areas of questioning for any potential cloud-computing vendors.
Unencrypted data is vulnerable to access by savvy third parties. Encryption secures the communication, transfer and storage of data to and from the third-party servers.
Most cloud-computing providers provide encryption through authentication, secure transfer and true encryption.
The first line of defense against unauthorized access is authentication — requiring a username and password to access, edit or transfer files.
The second defense against unwanted access of files is a secure transfer of files. The hallmark of this security is a web address of "HTTPS:." Most websites utilize a "HTTP:" web address; the addition of the "S" indicates that the communication between a computer and a server is secured.
The third, and arguably most important, defense is true encryption. Encrypting data ensures its security even when it’s not being transferred, i.e. when it is sitting on the third-party servers.
Assuming that the files remain encrypted on the third-party server, it’s also important to ask cloud-computing vendors how they would handle a law enforcement request to decrypt firm data.
The security of the third-party servers differs from the issue of data encryption. Server security blocks a hacker from accessing the servers that hold not only firm information but all of the cloud-computing provider’s client information.
Server security has two aspects: physical and cyber.
Physical security means the servers are stored in a location reasonably protected from burglary, unauthorized access and fire. It’s wise to ask how many people are authorized to access the servers.
Cyber-security is protection from unauthorized access by a sophisticated hacker. It generally will involve appropriate software and regular scans conducted by the cloud-computing provider. Server security is the complete responsibility of the cloud-computing provider; however, attorneys are required to do their due diligence. At the end of the day, lawyers are responsible for any breach of client information.
• Reliability: As with all IT matters, reliability is key. If the cloud-computing provider experiences a service outage, lawyers could be unable to access their files. A number of things can cause outages, such as regular server maintenance, a large and unexpected volume of users on the server, and a breach of server security.
Lawyers should pose questions to vendors and knowledgeable third parties about how much downtime a given cloud-computing provider experiences. When inquiring about website downtime, ask the cloud-computing provider for the amount of time the servers were inaccessible. Do not settle for a time percentage. For example, "Our severs had downtime of only 2 percent" does not reveal the length of time the severs were down, i.e. one hour, three hours, etc.
However, it’s often difficult to gather information on a website’s reliability. Lawyers should scrutinize the service agreement for terms concerning downtime of the cloud, possible proration of bills, etc.
• Ethical considerations: Attorneys must perform due diligence before entrusting a third party with client information. Proration of bills after a cloud outage is nice, but it can pale in comparison to the fallout resulting from file inaccessibility or exposure of confidential client information.
Cloud computing is an excellent way for attorneys and staff to access files and data anywhere there is an Internet connection. This is helpful when lawyers and staff travel or work remotely. It also can help a firm go paperless. However, lawyers making the decision must do their research, carefully examining the company for security and reliability, and reflecting on the ethical issues that could arrive in such a move.