How to protect your client data and yourself when storing files in the cloud

October 17, 2013

Back in March, I wrote a piece on how solo and small law firms could leverage technology to its fullest in their practices.

Most of these tips were ways to make the law practice more mobile: for example, having a mobile phone dedicated to business use, obtaining a high-performance scanner to make electronic backups of all of your documents, using a tablet, and subscribing to an Internet fax service.

In making a practice more mobile, however, most of these proposals require using the Internet to varying degrees – whether to simply communicate with clients or other attorneys, or to store all of your electronic document backups.

This can become a problem for attorneys because of ethical requirements mandating the exercise of due diligence to keep client information safe and confidential.  Releasing client information into the ether of the Internet invariably creates the possibility of a security breach.

Such a breach may be due to malicious actions by third parties, negligence on the part of the data storage service, or simple human error on the part of the user.

Clearly, the last of these causes is the easiest for the attorney to control.

“Human error” on the attorney’s end means that the attorney hasn’t taken proper measures to ensure that the client data is sufficiently secure.  This entails more than simple mistakes such as making cloud-stored client files publicly accessible or setting a password to “password.”  It can also be a failure to encrypt your client files before uploading them to the remote server.

There are plenty of encryption methods available that do the job, but the most cost-efficient means to encrypt your files is to password-protect a compressed file archive, such as a .ZIP or .RAR file.
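An added example, not part of the original article: the "password-protect" option in ZIP tools can mean either the older ZipCrypto scheme or AES, and ZipCrypto is considerably weaker; in both cases the file names stay readable without the password. This Python sketch reads a ZIP's central directory and reports the scheme used for each file; the sample archive and its file names are constructed for illustration.

```python
import io
import struct
import zipfile

AES_BITS = {1: 128, 2: 192, 3: 256}   # WinZip AES strength byte -> key size

def entry_scheme(info):
    """Classify one entry using only the (unencrypted) central-directory metadata."""
    if not info.flag_bits & 0x1:               # general-purpose bit 0: entry is encrypted
        return "unencrypted"
    if info.compress_type == 99:               # method 99: WinZip AES (AE-1/AE-2)
        pos, extra = 0, info.extra
        while pos + 4 <= len(extra):           # walk the extra-field records
            header_id, size = struct.unpack_from("<HH", extra, pos)
            if header_id == 0x9901 and size >= 7:
                return f"AES-{AES_BITS.get(extra[pos + 8], '?')}"
            pos += 4 + size
        return "AES-?"
    if info.flag_bits & 0x40:                  # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "legacy ZipCrypto"

def audit(data):
    """Return {file name: scheme} for a ZIP held in bytes; no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: entry_scheme(i) for i in zf.infolist()}

def constructed_sample():
    """Constructed input: a stored ZIP whose central-directory flags and methods
    are patched to mimic three kinds of entry (the payloads are dummy text)."""
    aes256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 0)
    plan = [("smith/retainer.pdf", 0x1, 99, aes256),   # AES-256
            ("smith/notes.txt", 0x1, 0, b""),          # legacy ZipCrypto
            ("smith/draft.docx", 0x0, 0, b"")]         # not encrypted at all
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, _, _, extra in plan:
            zi = zipfile.ZipInfo(name)
            zi.extra = extra
            zf.writestr(zi, b"dummy")
    raw, off = bytearray(buf.getvalue()), -1
    for _, flags, method, _ in plan:
        off = raw.index(b"PK\x01\x02", off + 1)        # next central-directory record
        struct.pack_into("<HH", raw, off + 8, flags, method)
    return bytes(raw)

if __name__ == "__main__":
    for name, scheme in audit(constructed_sample()).items():
        print(f"{scheme:18} {name}")
```

Running `audit()` on a real archive before uploading it shows whether every file was actually encrypted and whether the tool used AES.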

While I’m on passwords, though, there are a few points of which to be aware.  First, your passwords should be complex, containing a combination of upper- and lower-case letters, numbers, and symbols.

Notice how I stated password in the plural form in the previous sentence?  That’s because you should use a different password for each client’s data.  That may seem like a significant undertaking, but it’s necessary to ensure that anyone who has permissible access to one client’s files does not impermissibly gain access to another’s files.

Unless you only have one or two clients, you are going to need to write down the passwords to remember them.  And it probably isn’t a good idea to just write them on a piece of paper in your office or even to store them in a document on your computer (even if that document never leaves your computer).

Instead, use password management software of some kind.  Such programs are generally very easy to use and, if worth their salt, quite secure.  In addition, there are a variety of low-cost and free options available, so expense needn’t be a concern here.

Even if you take all reasonable steps on your end to ensure data security for your client files, though, the risk of breach is still present because of, as noted above, the actions or negligence of other parties involved.

Although there’s no way of guaranteeing to an absolute certainty that a remote server won’t get hacked, or that the service provider won’t drop the ball on its security, you can minimize these risks as much as reasonably possible by selecting a service provider that has a particularly high level of security.

Admittedly, I’m not an expert on network security – much like, I’m sure, the majority of other attorneys.  So how does an attorney recognize a cloud storage service provider with especially high security credentials?

Well, the service providers will very likely advertise this feature.  Security is a major concern of anyone using the cloud to store files, and thus it is a major selling point for any cloud-based data storage service.

Any provider that is confident in its data security capabilities will tell the world as much – and in as many specifics as possible.

A good example of what you should look for in cloud-based data security is on the Thomson Reuters Firm Central page describing the security measures in place protecting its hosted data. 

In addition to the technical security specs describing its different data encryption measures, it also touts nightly data backups and restricted employee access – the latter of which is especially important in light of how many data breaches are due to service provider employees.

There’s no question that data breaches can still occur, even with the best security available.  However, you limit your own liability by doing everything in your power to secure your client files as well as reasonably possible.