Moore’s Law suggests that computer technology, through transistors and integrated circuits, along with digital electronic devices, will double every 18 months to two years. It’s a steep curve that began in the 1960s and is expected to continue until about 2020. It is anticipated that in the coming years there will be more than one trillion cloud-ready devices, allowing users to work more quickly, conveniently, and sometimes at a lower cost.
There will continue to be more ways through which we can work on the go. But for those dealing with sensitive information, it means treading carefully. Questions that arise include what methods are available and how that information can remain secure to ensure client protection and confidentiality.
While criminal lawyers, for instance, might benefit a great deal from the services available through cloud computing in between court appearances, protecting their client information might well trump the convenience of accessing those files if they can’t be satisfied the information can remain secure.
David Whelan has explored many of the options and issues surrounding them, from the technical perspective. Whelan is the manager of legal information with the Law Society of Upper Canada and author of Practice Law in the Cloud. He points out there are a variety of ways for lawyers to work remotely while having access to their office files. “A law firm using a virtual private network, a virtual desktop tool like GoToMyPC, or even a personal cloud tool like Tonido, could leave their files and data on their internal computers and access them from outside their office,” he says. “Cloud computing shifts the responsibilities. If a law firm is enabling remote access to internal computers and files, then they bear the responsibility of ensuring that the technology is implemented to limit unauthorized access. If they put it in the cloud, that technology obligation shifts to the cloud provider. In either case, the lawyer needs strong passwords, needs to understand what those implementing the technology/security are doing, and, of course, continues to have his professional obligations.”
A number of professional organizations have explored these issues. The Florida Bar Board of Governors’ professional ethics committee is the latest, having released its opinion in late January. The concern there is the use of a third party as a provider of services involving the storage and use of data at a remote location that is also used by others. The primary worry is confidentiality.
Cloud computing involves the use of an outside service provider accessed through the Internet. Lawyers are ethically bound to ensure client confidentiality is maintained and the Florida committee believes lawyers ought to be up to date with the technology that could affect their practice. “Lawyers who use cloud computing therefore have an ethical obligation to understand the technology they are using and how it potentially impacts confidentiality of information relating to client matters, so that the lawyers may take appropriate steps to comply with their ethical obligations,” the committee states.
It observes that a number of jurisdictions, including Alabama, Arizona, Iowa, Nevada, New York, and Pennsylvania, have concluded cloud computing is fine for lawyers if they take reasonable, precautionary steps. Florida is following suit as long as lawyers address the potential risks.
The Canadian Bar Association pointed out in its Guidelines for Practising Ethically with New Information Technologies in September 2008 that “lawyers must be able to recognize when the use of a technology may be necessary to perform a legal service on the client’s behalf, and must use the technology responsibly and ethically.” They must, therefore, be aware of and have an understanding of the technology that exists. It is also their responsibility to ensure electronic communications are secure and confidentiality can be maintained, and to assess the situation from different perspectives to minimize risks.
For firms exploring cloud computing, the service provider is key, says Martin Kratz, who heads up the intellectual property group with Bennett Jones LLP in Calgary and chairs the non-profit Canadian Cloud Council. “It requires trust and confidence. So you don’t just use anyone,” he says. “Like choosing a babysitter…. You no longer have physical control over the data itself.”
Lawyers must do their due diligence for service providers working with law firms. Kratz suggests a lawyer or firm shopping for cloud computing services explore the following issues with a service provider:
• Audits: Many cloud vendors have audit reports available, offering a great deal of detail.
• Physical security: Security needs to be continuous and access to data should be limited to authorized personnel.
• Network security: Firewalls that are continually monitored and updated.
• Software security audits: Updates and patches should be installed promptly and encryption needs to be in place to protect data during transmission.
• Back-up arrangements: The provider should have a data back-up site, in a location distant from the original centre, so the information is always accessible, even in the event of a blackout.
• Service level agreements: Ensure the agreement includes penalties for failure to meet the agreed level of service.
• Data: The information is the property of the lawyer, is portable, and should be available continuously.
The issue of privilege also needs to be explored. What happens when police show up asking for information? The jurisdiction the data is being kept in and the rules governing that jurisdiction are important. “Can government agencies get access to information that is privileged?” asks Kratz. Encryption provides that extra level of security.
Cloud computing, however, is not necessarily a one-size-fits-all proposition, says Stephen Perciballi, director of security for Softchoice Corp., an IT solutions provider. “More and more organizations are moving toward cloud-centric service,” he says. “That kind of facility might not be up to speed for all needs.”
He points to software-as-a-service as a popular platform because there’s not a lot of configuration required beyond the user’s data. But there are other options. The desire is to have ubiquitous data so no matter how it’s accessed, through the laptop, tablet, or phone to a prescribed number of users, it’s available and updated. Therein lies the problem. Access through multiple devices by multiple users adds up to increased risk. Authentication and authorization therefore become important so there’s a level of control and not everyone has access to all files.
A common form of abuse occurs through stolen credentials and passwords that could lead to “drive-by downloads” and the theft of data. The infiltration might occur when users are online or visiting social media sites. Web filtering at the end point then becomes mandatory. The final key, adds Perciballi, is protecting the data through tools like data-loss-protection software, “which works like an information firewall.”
But there’s an additional complication for law firms, which are typically already equipped with firewalls, intrusion protection, and malware protection. What happens with that investment if you then go to a service provider? Leverage it, suggests Perciballi. It isn’t necessary to abandon what you’ve already built. Instead, it can be used in the development of an off-site service.
The bottom line, says Whelan, is having strong passwords and using encryption to secure files, whether they are stored internally at a firm or in the cloud. For information stored in the cloud, users will need to trust the provider to enable the necessary level of encryption. “Beyond that, lawyers should be concentrating on access control (which staff have access to which files), where their information can be moved to (uploaded/downloaded to other computers, sent as e-mail attachments, placed on USB keys) all of which move them outside the password-protected, encrypted environment.”
He does warn, however, there are situations when cloud computing should not be used, including jurisdictional restrictions. The sensitivity of the information itself may call for specific restrictions.