How do you know whether your cloud software is sufficiently secure to meet your obligation to protect your clients’ information? Right now, there is no easy answer. You just have to educate yourself and then make up your own mind.
That could change as a result of the draft security standards that the Legal Cloud Computing Association released today at LegalTech. The standards are basically a sensible checklist of things you should expect to know about the software you use, like:
- How is your data stored, and where?
- When and how is it encrypted?
- Who can access your data?
- Can you control who has access to your data?
- Who owns your data?
- Can you get your data out?
- What happens if something breaks?
Plus, the standards set the expectation that you should be told all of these things, up front, by any cloud software provider that wants your business. The standards themselves make it clear that a company shouldn’t be able to earn your trust just by advertising that it complies. Compliance, in this case, would have to mean providing clear disclosures.
It’s possible to be cynical about this since all the members of the LCCA (Clio, DirectLaw, Rocket Matter, NetDocuments, CalendarRules, NextPoint, and Onit) sell cloud software to lawyers. But lawyers make their own rules, so why not cloud software providers? Besides, the LCCA has reached out to bar associations and hopes to work with them to help clarify what reasonable care looks like in the cloud.
The LCCA draft security standards for cloud computing are a pretty important step in setting expectations among lawyers, cloud software providers, attorney regulators, and clients.