How do you know whether your cloud software is sufficiently secure to meet your obligation to protect your clients’ information? Right now, there is no easy answer. You just have to educate yourself and then make up your own mind.

That could change as a result of the draft security standards that the Legal Cloud Computing Association released today at LegalTech. The standards are basically a sensible checklist of things you should expect to know about the software you use, like:

  1. How is your data stored, and where?
  2. When and how is it encrypted?
  3. Who can access your data?
  4. Can you control who has access to your data?
  5. Who owns your data?
  6. Can you get your data out?
  7. What happens if something breaks?

Plus, the standards set the expectation that you should be told all of these things, up front, by any cloud software provider that wants your business. The standards themselves make it clear that a company shouldn’t be able to earn your trust just by advertising that they comply. Compliance, in this case, would have to mean providing clear disclosures.

It’s possible to be cynical about this since all the members of the LCCA (Clio, DirectLaw, Rocket Matter, NetDocuments, CalendarRules, NextPoint, and Onit) sell cloud software to lawyers. But lawyers make their own rules, so why not cloud software providers? Besides, the LCCA has reached out to bar associations and hopes to work with them to help clarify what reasonable care looks like in the cloud.

The LCCA draft security standards for cloud computing are a pretty important step in setting expectations among lawyers, cloud software providers, attorney regulators, and clients.


  1. Ric Gruder says:

    As a solo I would appreciate such standards. While I understand that each attorney must make his/her/its own assessment for his/her/its own practice, it does seem to me that there are some base line standards that apply to all. I am particularly concerned about cloud storage in general-dropbox vs box vs onedrive vs whomever.

  2. Rodney A. Hampton says:

    While this LCCA standard is not bad, a lot more heavy lifting has been done by the Cloud Security Alliance. I understand the desire to craft standards to address the particular perspective on client confidentiality, but it seems like vendor self interest has overshadowed progress.

Leave a Reply