Firms are committing to cloud storage big time. What are the dangers?
With tech innovations such as digital document management increasingly the choice for firms keen to improve efficiency and flexibility, it might seem we have at last arrived in the future. Hover-boards, spacesuits and weekend trips on lunar stations remain a distant dream – but there was a time when the phrase ‘paperless office’ seemed almost as remote and fantastic a possibility.
These days, we take it for granted that we carry in our pockets little shining screens that can bear whole shelves of books, or that briefs which would once have made the heart of any court porter sink can be conveyed at the touch of a button.
But with great power, as they say, comes great responsibility – and the digital age is not without considerable risk. Law firms revelling in the ease and efficiency of digital document management, 24-hour access document storage, eDisclosure and eDiscovery must ensure their risk management processes are every bit as up-to-date as their IT.
There are a number of innovations in IT which more and more lawyers are embracing as part of the daily grind, perhaps most importantly the Cloud. Not, of course, the cumulonimbus of our GCSE textbooks, but the outsourcing of data to be stored in an off-site system managed by a third party, and accessed via the internet.
The off-site storage ‘units’ may be fairly small, or run to the size of a warehouse. Importantly, data will be stored on more than one server and on more than one power supply, to create reliability and guaranteed 24-hour access. This is particularly crucial since some industry experts suggest that loss of access is a greater risk than security breaches.
Used effectively, use of the Cloud circumvents delay and duplication, cuts costs, and improves security. In November 2013 the SRA issued guidance to assist firms using Cloud technology, emphasising its potential for improved security: “The biggest data risk comes from lost or stolen laptops or USB drives. Cloud systems remove the need for USB drives and mean that data need not be kept on individual laptops.”
This is the greatest benefit of Cloud usage – you can slip a stolen USB drive into your pocket, but in the immortal words of the Mother Superior: how do you catch a cloud and pin it down?
Most Cloud storage providers will use a number of tools to create secure storage, including:
- Encryption, using algorithms to encode information, with users needing encryption keys to decode
- Authentication, requiring usernames and passwords, and
- Authorisation, with an approved list of those authorised to access data.
Even so, the risks are plainly apparent: one estimate puts the number of reported cases of server breaches in 2012 at over 200, resulting in the loss of about 9 million data records.
The SRA may acknowledge the Cloud’s potential for improved security, but in the same report cautioned against showing “a lack of due diligence… on their outsourcing arrangements.” It’s important for firms to ensure their digital document management practices meet the obligations set out in the Solicitors’ Code of Practice (the Law Society’s Practice Note on Information Security sets out the requirements in full).
But it’s not simply for firms to put risk management mechanisms in place. Lawyers themselves can help keep storm-clouds at bay by being alert to some of the key risks in using the Cloud. These might include:
- Individuals attempting to search for confidential information
- ‘Hacktivists’ making ideologically-motivated cyber attacks
- Consultants or sub-contracted staff working in the firm without adequate security checks, and
- Data surveillance by government agencies such as the National Security Agency.
Not, sadly, a cute name for a law-bot, but the acronym for the ‘Bring Your Own Device’ trend. In an age when the dividing line between work and personal life grows ever more slender, most will have mobile phones, laptops and tablet computers used for emailing clients one moment, and arranging social events the next.
The trend is now so firmly embedded in working life that most firms implement a BYOD policy, accepting that it’s integral both to efficient working and a good work/life balance.
As with their use of the Cloud, it’s important for lawyers to adhere to a BYOD policy that places the client at the centre of security measures – while protecting their own professional interests. See our recent piece Devices of Gloom on the benefits and risks of using your own devices at work.
Check your duties
When it comes to digital document management, the SRA – like Nate Dogg and Warren G – is going to regulate. Your firm should be well aware of its regulatory duties, and should ensure you and your fellow lawyers are equipped to balance the privileges of using IT innovations with the rights of you and your client to a safe, secure working environment.
We must continue to live in hope that robot companions might yet be a feature of office life. In the meantime, we inhabit a present beyond the wildest imaginings of our legal predecessors –and with careful risk management, can enjoy its benefits without the sci-fi dream becoming a sci-fi nightmare. SP