Cloud Computing: Security Issues for Lawyers
In prior posts I discussed basic cloud computing concepts and the ethical issues triggered by cloud computing. There are also security issues that lawyers must consider when deciding whether to use cloud computing products in their practice.
Two key steps lawyers can take to ensure that their data is secure are to:
- ask the right questions of cloud computing vendor and
- ensure that their contract with the vendor addresses important security issues.
- Still, the most important thing you can do is learn as much as possible about the way your data will be handled by the cloud computing provider. The security of your firm’s data is of paramount concern. Security issues to consider include:
- What type of facility will host the data?
- Who has access to the data?
- How frequently are back-ups performed?
- Is data backed up to more than one server?
- How secure are the data centers?
- What types of encryption methods are used and how are passwords stored?
- Are there redundant power supplies?
- Is there more than one server?
- Where are the servers located?
- If a natural disaster strikes one geographic region, would all data be lost?
This recent article from Law.com, A Check List for Cloud Computing Deals, is a good resource for your contract negotiations with a vendor. The article is targeted toward lawyers who negotiate cloud computing agreements on behalf of their clients, but is equally applicable to lawyers seeking to use cloud computing services in their own practice.
In the article, it is suggested that the agreement with your provider should address the following important issues:
- What's the Agreement?
- Where Does the Data Go?
- Does 'One Size Fits All' Work?
- How Reliable Is the Service?
- What Are Other Standards for the Services?
- When and How Can the Customer Get Its Data Back?
- How Safe Is the Customer's Data?
- What if There's a Data Breach?
- What if There's a Disaster?
- What if There's a Dispute?
- How Much Does the Service Cost?
- How Is Risk Allocated?
- What if the Agreement Terminates?
- Is It Really Your Vendor Holding the Data?
- How Can the Customer Review the Vendor's Performance?
Obviously, absolute security is impossible. However, lawyers have an ethical obligation to take reasonable steps to ensure that their client’s data is securely stored and remains confidential. The best way to do that is to educate yourself about your alternatives, ask the right questions, ensure that you are satisfied with your vendor’s responses, and negotiate an agreement that protects both your interests and your client’s data.