Got Rogue Clouds? Yes, It Does Really Matter

Photo by Eve Livesey

Photo by Eve Livesey

January 22, 2013

Rogue Clouds: the myriad of Dropbox accounts, Salesforce.com implementations, media sharing apps, etc. that various parts of your business signup for without thinking twice and definitely without consulting IT or Legal. They happen everywhere, more often in large enterprises (83%) but also in small to medium size companies (70%) according to a recent global survey of over 3000 companies commissioned by Symantec.

Should you care? Only if you are concerned about maintaining the confidentiality of your sensitive data or worry about theft and the integrity of your websites. 40% of the companies surveyed reported disclosure of confidential information through rogue clouds. Over 25% reported account takeover issues, defacement of their web properties and other stolen property and services – all through the use of rogue clouds.

The cloud hype is relentless. It’s secure, it’s cheap, it’s the best way to store data. Even when the clouds weren’t rogue (meaning they were part of the companies’ IT strategies), the survey debunked many of those claims as well. 43% of the companies reported that they had lost data in the cloud. And what’s worse, 68% said that their data recovery operations failed. Of those that did recover their data, 22% said it took over 3 days. Hope you can operate without your data for that long – or forever.

Next, the survey showed that companies didn’t take advantage of the savings they might have gotten from their cloud storage. Companies typically pay for 6 times as much storage as they need. Plus, organizations must use additional solutions to backup their cloud data, which adds cost and inefficiencies to IT operations – and apparently doesn’t work very well.

And then there are the other risks related to how and where data is stored.

One challenge for cloud data storage is eDiscovery, pulling out the required information when a company is in litigation. 34% of the surveyed companies had eDiscovery requests for cloud data in the last 12 months, so this is why lawyers ask a few specific questions. They want to know about whether data is comingled (is your data easy to separate from other customers’ data or in other ways easy to search and retrieve only specific types of data); where the servers are located (jurisdictional issues when dealing with clouds in multi-national data centers are a nightmare); and data retention (data destruction schedules for litigation related data must be suspended until the case is resolved). The vast majority (2/3) of the companies missed their court ordered deadlines to deliver the information. 41% were never able to find or deliver the requested information. Companies reported paying fines and lost advantage in their cases as a result.

Finally, the survey also asked about privacy concerns. In the last 12 months, 23% of the respondents had been fined for privacy violations related to data stored in the cloud and over half of the companies were worried about their ability to prove they meet their privacy obligations when their data was in the cloud.

So, the potential risks that IT and the lawyers bring up about the cloud are real (isn’t it nice to know we aren’t just paranoid?). On the other hand, except for a few risk areas, about half of the cloud services worked well. So doing due diligence and choosing a good vendor are still very important.

Cindy Wolf is a Colorado lawyer with more than 25 years experience representing large and small domestic and multinational companies. Her expertise is in corporate law and commercial contracting, with an emphasis on international issues,  technology licensing and the Internet. She can be reached at cindy@cindywolf.com.

This publication is provided for informational purposes only. It does not constitute legal advice. There is no implicit guarantee that this information is correct, complete, or up to date. This publication is not intended to and does not create an attorney-client relationship between you and the author.

The Cloud, Security and Legal Ethics – Whom Can I Trust?

April 12, 2012

As I’ve been looking into the issues around lawyers putting client data in the cloud, I’ve run into a fair amount of (quasi?) scholarly work on the issue. There are several organizations that have published advice on the subject, including  ILTSO, ILTA and ISACA. The primary source materials come from the ABA and various state bar Ethics Committees. So far, case law is very limited, dealing more with maintaining the attorney-client privilege with email and the discoverability of client data that someone else put in the cloud. Your malpractice insurance provider may have something to say about it. And then law practice management vendors publish “White Papers” that describe why their product is a great solution for your practice.

It’s a lot of fairly complex data and it doesn’t all agree. I’ve written a couple of articles for local Colorado legal publications on how the Ethics Committees are approaching the issue. But, so far their advice has been vague and unrealistic. Clearly the users of the many law practice management systems out there (not to mention gmail, Dropbox or Docs to Go users) haven’t been paying attention to them. And until one of them has a big security breach and clients start grieving, no one will – which doesn’t mean lawyers shouldn’t care what the Ethics Committees think. It’s just that the committees aren’t very helpful for lawyers trying to make an educated decision, or use “reasonable precautions” as the opinions require.

I’ve found that some of the organizations give more practical advice. But, the reader still needs to appreciate who is involved in giving that advice. ILTA, the International Legal Technology Association, has some informative publications. It’s important to know, however, that they are provided or sponsored by the vendors of the services they are evaluating. It’s a trade organization, or as it describes itself, a ‘networking organization’.

In contrast, ILTSO, the International Legal Technical Standards Organization, has some of the same membership as the ILTA, but is focused on providing lawyers with standards that they can use to self assess their security compliance. Their standards for client data security are specific and clear, if perhaps beyond what most lawyers are doing today.

ISACA, the Information Systems Audit and Control Association, has a broader audience than just the legal profession. And think about it, other types of businesses, including health care and financial services, have many more technical security requirements to follow than lawyers. It is an independent organization that provides certification in auditing and security. ISACA has issued guidelines on adopting cloud use that lawyers can apply to the business of practicing law which shed light on the risks and rewards of this advanced technology.

Finally, a few words about white papers. The purpose of a white paper is to help you make a decision, so the author is important. They are rarely impartial. A commercial white paper is written to persuade you to choose that vendor’s product. They aren’t false, or they would be prohibited by the FTC rules on false advertising. But they are marketing materials. Think of it like a brief. It may cite cases and ethics opinions. It may also conveniently ignore various issues. Trade associations and standards organizations also have agendas. To the extent their white papers help prod vendors and users towards better practices, I trust them more. If ethics committees considered the advice of the standards organizations when they issue their opinions (and maybe they did, but it’s not apparent), they would be more practical and helpful.

Working and Playing in the Cloud – A Review of What’s Cool, Useful and Scary Up There

March 28, 2012

Tech Issues for  Lawyers, Non-Techies and Others Who Like Their Privacy

Have you soared into the cloud? Chances are you have tried this advanced technology, whether for work or personal use. The cloud, as the term is used today, has been around for general consumption since the mid 90s – were you an early yahoo or hotmail email account user? Today, the cloud refers to anything that involves delivering hosted service over the Internet. This can include a myriad of common computer services, like email, document and photo storage, computer backup and also more specialized, work-based systems for financials, sales, law practice management, employee performance management, expense management and customer service. If you need an Internet connection to get to it, it’s most likely in the cloud.

I’m a lawyer. Many of my colleagues have barely gotten to the email age, while others have virtual practices taking advantage of many of these services. The purpose of this blog is to help lawyers and other privacy-minded individuals without technical backgrounds understand what it means to put their documents, their business, their personal lives and their trust in the cloud.

While email has been a part of life for long enough now that most people understand it, the other cloud based systems are new enough that many people don’t know anything about how they work.  One type of cloud service that is appealing to lawyers is free – or cheap – document storage. Introduced only in the last few years, there’s Google Docs (2010), iCloud (2011), Dropbox (2007), Amazon Cloud Drive (2011), SugarSync (2006), SkyDrive (2007) and Mozy (2006), just to name a few.  They all provide a certain amount of storage for free and allow access to your documents anywhere you can catch a WiFi connection. They are very attractive for solo practitioners of any profession, small businesses trying to avoid building their own network, students, travelers, you name it. They all work pretty well too, although some have more features than others. But are they a good solution for you?

As lawyers, we have ethical requirements to keep our clients’ information confidential and to preserve the attorney-client privilege. Our governing bodies are struggling with giving guidance on whether any cloud based service satisfies ethical requirements. In contrast, the medical and financial fields are way ahead of us in dictating appropriate use of electronic media. HIPAA and HITECH proscribe many rules regarding storage and security of protected patient information. Financial services are subject to a complex array of legal, regulatory, interchange and payment processing rules governing electronic financial data. Somehow lawyers have resisted regulation here – but is that a blessing or a curse?

The guidance from the ABA and various state Ethics Committees is vague and impractical. They give an initial thumbs up to the cloud but then expect a relationship with a vendor that doesn’t exist (like unlimited liability and guaranteed confidentiality). There are some practical issues too. A simple review of the terms for these omnipresent document storage offerings reveals some flaws. The providers:

  • don’t promise to keep your data confidential;
  • don’t promise reliability;
  • can shut you off at any time;
  • can discontinue the service at any time;
  • can change their terms of service at any time;
  • may send your data anywhere in the world they have a server; and
  • may disclose your data without your knowledge to third parties because they deem it necessary

If you were my client, would you want your confidential information there?

But not all cloud offerings are alike. There are other cloud offerings that meet higher security standards and which can be used by even medical and financial professions. Lawyers have more targeted cloud offerings too, including Clio, Citrix, Law Loop, Livia, Lextranet, MyCase, Nextpoint, and Rocket Matter. Their websites will tell you not to be afraid of the cloud, but will they guarantee it? That’s a topic for future posts.