
Weighing the Benefits & Risks of Using the Cloud for File Sharing

By John Roman posted 11-02-2015 14:23

  

Is the cloud safe? I haven’t taken a poll, but I suspect that question has been asked more than once lately. Since there are so many uses of the “cloud,” this blog post will focus on using cloud-based file sharing services such as GoogleDrive and Dropbox for storing and sharing electronic files in the “cloud.” Since these types of services have been introduced to the public, vulnerabilities have been found and exploited.

So what are users to do? The features of these file sharing services like Dropbox are their ease of use, convenience, and mobility capabilities. The good news is most cloud-based providers have tightened their data security in the wake of breaches. However, do the benefits of using the cloud outweigh the risks associated with client data potentially being compromised?

From a legal ethics perspective, New York Op. 842 concluded that a lawyer may store client data on a server controlled by a third party, provided that the lawyer “takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.” The opinion identified the following steps necessary to fulfill that duty:

  1. Make sure that the storage provider has enforceable obligations to preserve confidentiality and security, and to notify the lawyer if the production of client information is required;
  2. Investigate the storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
  3. Employ available technology to guard against attempts to infiltrate the stored data; and
  4. Investigate the storage provider’s ability to purge any copies of the data, and to move the data to a different host, if the lawyer decides to change storage providers.

Cloud-based applications and storing data in the cloud will always carry risk, but is it really a bad idea to use cloud-based services to store client files? The answer is: it depends. Before storing any data in the cloud, one needs to research the best, most secure offering.

First and foremost, nothing in life is free. One should never use the free versions of any cloud storage provider unless it doesn’t matter if the information you are storing gets compromised. Free versions of any application, cloud based or not, typically lack the full features and functionality of the paid versions. If you have an information technology (IT) department, use them as your internal consultant. Based on your requirements, their knowledge of cloud-based solutions, and any research they perform, they should be able to make a recommendation of a cloud storage provider.

If you work for a small firm or company with no IT department, then as New York ethical Opinion 842 identified, you will need to perform your own diligence. Either way, the “devil’s in the details” of your research and subsequent decision.

The following provides a few practices and recommendations to follow when deciding on a cloud-based file storage provider.  

  1. Receive client permission. If using the cloud to share files with a client make sure to receive written, informed consent from the client.
  2. Subscribe to the paid version of cloud storage. Ensure that a contract is provided that covers, among other things, service levels, where your data will be physically located, how passwords are stored, and how your data will be secured.
  3. Take extra care with regulated data. For example, HIPAA requires any third party with access to protected health information to sign a business associate agreement. In other instances, it is a good idea to have a vendor confidentiality agreement signed.
  4. Ensure that data in motion and at rest is encrypted. You will want to be 100% certain that as you are uploading and downloading data, as well as while being stored within the cloud provider’s data centers, data is being encrypted using the highest level of data encryption.
  5. Take an extra security step. Password-protect your documents. This will typically have an additional safeguard of also encrypting your data. For example, in the latest versions of Microsoft Office, you can protect your document by encrypting it with a password. Just don’t forget the password!
  6. Use the cloud for the temporary storage of data. If the primary reason for using the cloud is to upload and download documents to share with someone, create an automatic deletion policy after seven days.
  7. Implement a private cloud solution. In most cases, the safest place to store data is behind your firm or company’s firewall, in your datacenter. There are several private cloud data storage solutions that can be implemented within your datacenter that work identically to a Dropbox or GoogleDrive offering.
  8. Read and negotiate the terms of the agreement.  Be sure to include terms relating to the ownership of data, access to data, what happens if the vendor goes out of business and indemnification in the event of a data breach.
  9. Know where your data will be stored.  Make sure your data is not transmitted or stored outside of the U.S., where the federal government has no jurisdiction to help if there is a problem with the vendor.

At Nixon Peabody, we utilize both NetDocuments and Hightail to securely share files with clients and others outside the firm.   

According to a 2014 cloud survey of 1068 technical professionals conducted by RightScale, almost 90% of respondents have adopted some form of a public cloud solution.  The “cloud” is here to stay, at least until the next technological breakthrough is announced. The bottom line is everyone needs to use common sense related to what they place in the cloud.

