All 17 of the states that have issued advisory opinions on cloud computing agree that lawyers must do their due diligence on the cloud services they want to use. They use different words, and some include more requirements (Massachusetts lawyers have to get clients to sign off on their software choices, for example), but the thread is clear.
You need only be reasonable, not paranoid.
So what do you need to know about the services you use? At the Clio Cloud Conference, Bob Ambrogi presented a 10-step checklist. It is not comprehensive, but it is a good start
Full disclosure: Clio wanted me to come to its conference so badly that it flew me to Chicago, put me up in a nice hotel with a tin of popcorn and a bottle of wine, and invited me to a Cubs game.
Here is what Bob thinks you need to know about your cloud software providers:
1. Do your due diligence on the company
Why do you think this company is trustworthy, when it comes to your clients’ information? Why do you think it will be around five or ten years from now?
You cannot ethically — and should not, anyway — hand over your clients’ information to a company you know nothing about. This should be obvious. Sure, you won’t find many cloud software providers who have been around for five years, much less fifteen, but you must learn what you can. If you can at least articulate a non-laughable reason why you are willing to use a certain provider, that’s a good start.
Reading the terms seems like it should be obvious, but apparently it’s not:
Only 41% of firms who use cloud computing have read the Terms of Service. Really? #cliocloud9
— Pegeen Turner (@pegeenturner) September 23, 2013
That is from the ABA Technology Survey, and it should probably read “claim to have read,” since I assume respondents were on their honor.
2. Ensure you will have unrestricted access to your data
In other words, can you get to your data when you need to? If the main server goes down or is compromised, is there a backup to keep the system up? What if something goes wrong at the service provider’s end?
Clio’s Data Escrow service is one solution worth mentioning. If you sign up for it, Clio will push all your information to an Amazon S3 bucket that you — not Clio — control. It’s all in csv or ics format so you can access it as a spreadsheet or calendar, even if Clio disappears. (Of course, you’ll want to do a bit of due diligence on Amazon S3 before you set this up.)
3. What happens when the relationship is terminated?
Let’s say the company declares bankruptcy, or you stop paying. What happens to your data and your access to it? Companies employ a variety of approaches, here, from a downloadable export to read-only access to no access at all.
Here’s my bottom line: you need to be able to get your data out of the service in a format you can use. It doesn’t have to be pretty, but it does have to be usable, by you, without special software. That usually means CSV (comma-separated values) and ICS (iCalendar) files, but some software may offer to let you download less-useful but more-readable PDFs.
4. Password protection
At a minimum, the service had better be protected by a password. Multi-factor authentication (your password plus a text message sent to your phone) is becoming standard.
Some services offer the ability to automatically log you out after a given time, and some will even monitor for suspicious activity. These are nice options to have.
5. Protecting your data’s confidentiality
Will the company actively protect the confidentiality of your information? Will it inform you if it is served with process that targets your information? How can you enforce this obligation?
This is a big one for lawyers, especially now that we know government agencies are actively and passively gathering information, and not just about illegal activities. You should at least know what to expect from your provider, so you can make an informed decision about what to store in the cloud under its care.
You need to understand encryption. When and how is your data encrypted? On your computer? In transit? SSL/TLS, or is the data itself scrambled? In the cloud? Who has access to the encryption keys for your data?
7. Data backups
How often is your data backed up? To multiple locations (it better be)? How do you get access to the backups?
8. Network security
How does the provider protect its own network, and the network on which your data will be stored? This means both network and physical security.
Security information should not be hard to find. If it is, you can probably assume the security is not good enough.
9. Physical security at data centers
Amazon has a 48-page white paper (pdf) on its security features, including a description of the physical security at its data centers:
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two?factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to presentidentification and are signed in and continually escorted by authorized staff.
In other words, Amazon isn’t screwing around. Neither should any company you do business with (hint: most are probably using Amazon for their service).
As a shortcut, you can look for an SSAE 16 (or SAS 70, type II) certification, which means the American Institute of CPAs says the service is good enough for them.
10. Get extra security
Encrypt your hard drive. Your email, too, if you can. Use better passwords. Turn on multi-factor authentication everywhere you can. No matter what service you use, it cannot save you from yourself.
Is this enough? Well, it’s a start. Your duty of competence includes knowing when it might not enough. But in the end, Bob says, “You need only be reasonable, not paranoid.” This is a reasonably-good start on due diligence.