January 8, 2016
Editor’s Note: This series, Firm Resolutions, is written by small law firm consultant Jared Correia. For a jumpstart on your resolutions, request a free trial of Firm Central, Thomson Reuters’ practice management software.
Law firms have, perhaps unsurprisingly, taken a very lawyerly view of data security. For years, the typical response of a law firm respecting email security has been to combat unauthorized disclosure after the fact, by publishing a very stern disclaimer — sometimes even ahead of the text of the email.
Of course, this is backwards. The main thrust of a data security program should be to prevent the unauthorized breach before it occurs. Law firms’ generic concern over the end result of a data breach dangerously removes the focus from the continuing protection of the underlying data. Rather than reacting with heavily-worded disclaimers, lawyers should spend more of their time proactively engaging solutions to secure their data — in the case of email, that may mean applying an email encryption program.
Recently, the American Bar Association’s Model Rules of Professional Conduct were revised, in large part to reflect certain of the changes that modern technology has wrought in the legal field. To this point, 20 states have issued ethics opinions on the use of cloud-based technologies; all of those states have concluded that law firms may use cloud-based technology, so long as the law firms exercise reasonable care in doing so. Reasonable care does not mean that every breach must be prevented; in fact, most businesses will experience a data breach. Reasonableness is judged by the effort taken to prevent a breach and by the effort made to reduce the negative effects if a breach occurs. In most jurisdictions, reasonable care includes appropriate vetting of specific cloud-based solutions.
Narrowing down vendors is often a significant-enough challenge for lawyers; figuring out how to vet selected vendors at an appropriate depth can be seen as a further complication. The trick is knowing the right questions to ask. Three major points of inquiry:
- Server location and security. Recall that ‘the cloud’ is not some ephemeral notion; when you access the cloud, you’re still relying on physical servers — they’re just somebody else’s. So, it makes sense to ask vendors about their server locations, to determine that geographic redundancy exists (are both coasts covered, just in case the Eastern seaboard gets taken out) and that appropriate security measures are in place to guard the physical drives that your vendor relies upon.
- Encryption practices. Perhaps the most relevant question for a cloud vendor concerns its encryption practices: when is data encrypted, where, and at what level? (Fun fact: Thomson Reuters’ Firm Central is the only case management system carrying an SOC 2 security certification.) The repository for your clients’ data should not rest on a shaky encryption solution; if your potential provider does not resemble a virtual Fort Knox, you can move along.
- Data backup. Naturally, if you’re going to go through all of that trouble to secure your data, you’ll want to make sure that the security extends to recovery. Vetting a cloud provider means exploring that provider’s data backup protocols. If you don’t believe they’ll get it back for you… back up, don’t sign up.
For a comprehensive list of security features to look for in your next cloud provider, download this security checklist!