Staying Secure in the Cloud Age

Ten things your law firm must do to stay secure in the cloud.

Cloud computing is rapidly transforming the way we do business, and law firms are no exception. The cloud brings a plethora of benefits to law firms, including better system reliability, fewer IT headaches, better mobility, better accessibility across multiple locations, and (in most cases) a more predictable cost structure.

But what about security?

Data security is (obviously) important to every kind of business or organization. But law firms, perhaps more than any other industry, have a significant obligation to keep their firm data and their client data safe. Safe from bad actors (hackers) and safe from software threats (such as viruses and ransomware).

Ostensibly, the cloud is a positive change for law firms, many of which kept highly-sensitive client data on an on-premise server, sitting unmonitored and unmanaged in a coat closet. By contrast, a (capable) cloud provider, whether it be a Software-as-a-Service (SaaS) provider or a private cloud, is in the business of building and maintaining secure cloud environments, and spends considerable resources keeping data secure.

But there’s a catch.

Not all clouds are created equal.

Many cloud providers do a very good job of providing a secure computing environment for your applications and data. Many, however, do not. Some providers cut corners to offer a lower price. Others simply are new to cloud computing, and haven’t learned the intricate nuances of cybersecurity (this tends to be small, local IT firms that make a run at developing their own cloud offering).

When it comes to law firm cloud solutions, it's still a bit of the Wild West. There is a shocking range of cloud providers, from fly-by-night riffraff to world-class, capable cloud platforms.

To help you separate the former from the latter, in this article we’ll cover the ten most important things to ensure that your client data remains secure in the cloud.

Let’s get started.


One: Use a Well-Recognized Provider

Unfortunately, many cloud service providers are upstarts, new side ventures for existing companies, or otherwise fly-by-night. Law firms simply cannot afford to gamble with their data on an untested, lesser-known provider.

Sometimes the allure of these fly-by-night operations is a lower price than their gold-standard counterparts. Other times it’s the comfort of your incumbent, local IT provider (who may say, “Hey, we do cloud now too!”) Keep these folks around to handle local IT issues (cabling, desktop support, etc.) if you must, but don’t automatically assume that because they’ve been capable, friendly IT support that they’re up to the task of building and managing a sophisticated cloud infrastructure.

In general, make sure you ultimately go with a cloud provider that is well-recognized, including:

  • Recognized by the American Bar Association and various state bars.
  • Recognized within the business community, such as the Inc. 5000 list.
  • Recognized (and friendly) with the publisher of your chosen legal software.

Two: Read the Contract, Ensure Your Data is Yours, Forever

It may seem like a reasonable assumption that data you store in the cloud is yours, but don't assume this is the case, even if the provider is well-known and reputable. Several years ago, Google came under fire for terms-of-service language that appeared to grant it broad, perpetual rights to anything a user uploaded to Google Drive.

Other than this notable exception, cloud providers rarely state that the data you upload becomes their property. However, if you read the fine print in many cloud services (cloud-based software, storage and private cloud services), you may be surprised by how ambiguous the subject of data ownership is.

  • Who truly owns the data once it’s stored in the cloud?
  • How will you get it back should you decide to change services?
  • Who, within the cloud provider’s company, will have access to your data?

These are important questions not only to ask, but to make sure are clearly answered in the provider's service agreement.

If you are using or plan to use a cloud provider make sure that the fine print includes unambiguous, perpetual ownership of any data you store on their cloud. For best results we recommend using a legal-centric cloud service provider that is familiar with lawyers’ ethical obligations and the legal issues around data confidentiality and disclosure.

Three: Demand Bank-Grade Security

The legal industry doesn’t have an official regulatory body like the financial and healthcare industries. The nearest thing would be your local state bar, which offers (sometimes vague) guidance on your obligations regarding client data.

Ultimately, the onus is on each practitioner to ensure the IT systems they use, whether they're on-premise or in the cloud, are secure and make every effort to protect their clients' sensitive data. Any business, including and especially a law firm, should require that their cloud service provider employ the following security standards.

  • Own and control their own server equipment (or, if they build on another provider's infrastructure, be able to show you that provider's audit reports and controls) – the point is that security standards are verified, not assumed.
  • Have and maintain enterprise-grade firewalls that perform application-layer intrusion prevention.
  • Use 24 x 7 x 365 security monitoring, watching for threats including:
    • Failed login attempts
    • Potential virus activity
    • Attempted ransomware attacks
    • Potential Trojan and other malware attacks
  • Have strict, documented physical access requirements to their data center.
  • Offer an encrypted/secure email service.
  • Have remote-wipe capabilities for all end-user mobile devices.
  • Pass annual SOC audits (SSAE 16, superseded by SSAE 18 in 2017) and make the current report available to customers on request. (Audit reports are usually shared under NDA rather than posted publicly; a provider that cannot produce one at all is the red flag.)
  • Employ strong, standards-based encryption such as AES-256 (not a vague "military-grade" label) – more on this below.
  • Support Two-Factor Authentication – more on this below.

Four: Absolutely Confirm Your Data Will be Stored in the US

State bar guidance on cloud computing consistently expects you to know where client and confidential data is stored, and in practice firms keep it within the United States so that it stays under US legal jurisdiction. This applies to cloud-based backups of your on-premise server as well, an area often overlooked by small law firms.

Surprisingly, where your data will be stored is ambiguous or simply not defined by many cloud service providers. At the time of writing, Microsoft's own Office 365 terms state that your data may be stored or backed up in countries outside the US. (Just one reason of many to use a cloud service provider that is legal-centric, and only services the legal industry.) If your firm's data is stored or backed up in a country outside US legal jurisdiction, it creates a whole host of potential ethical issues.

For many types of businesses, data sovereignty just isn't a big issue. For law firms: It's vital. Which is just one of the reasons we always advise that law firms who are moving to the cloud go with a law-firm-centric provider; a company that (preferably: exclusively) works with law firms, and understands the obligations and ramifications facing law firms.

Five: Clearly Understand What the Provider Will Do if Served a Subpoena

Read the contract carefully and question the process that occurs in the event of a subpoena of data and records. Check to make sure your service provider will provide you with adequate notice if records have been requested, or if they receive any request for information pertaining to your firm.

Many cloud service providers, especially those without legal savvy, are woefully unprepared and have no formal process for dealing with a subpoena. Small companies, such as local IT companies, may panic when served with a subpoena, and promptly hand over your data without informing you.

By way of example: What does Uptime Legal do if served with a subpoena to provide client data to a third party?

Within our terms and conditions you’ll find language that outlines our obligations to you in the unlikely event we are served with a subpoena regarding your data. We will immediately notify you of such service, giving you ample time to respond. We will not answer the subpoena until its imposed deadline, providing you maximum time to respond.

Six: Employ Two-Factor Authentication (2FA)

Most security standards, including NIST's digital identity guidelines, require or strongly recommend Two-Factor Authentication (2FA, also called multi-factor authentication). With 2FA, users are required to authenticate by a second means before they can log into your firm's cloud environment.

How it works:

  • You log in to an account using your regular username and password;
  • To confirm that it’s you, your mobile phone requests confirmation.

This makes a stolen password far less useful: an attacker would need not only your username/password combination but your mobile phone as well. It is not a silver bullet, though; a convincing real-time phishing site or a burst of push-approval prompts can still trick a user into completing the second step, so train staff never to approve a prompt they did not initiate.

Compromised passwords are one of the top causes of data breaches worldwide. 2FA largely thwarts this threat, because a would-be attacker needs more than just your password to log into your account.

A security-conscious private cloud provider will offer 2FA, and will accomplish it painlessly with a smartphone app that verifies the authenticity of each user logging into your private cloud.

2FA can be thought of as low-hanging fruit when it comes to boosting your cybersecurity. It's relatively easy to implement, and significantly increases your firm's data security. It's a quick and easy win, so we recommend every law firm require this of their cloud-based software or private cloud providers.

Seven: Implement Secure (Encrypted) Email

Email is not encrypted end to end by default.

SMTP, the protocol that carries email between servers, was designed without encryption. Modern servers can add TLS to each hop (STARTTLS), but that protection is opportunistic and hop-by-hop: a sender cannot guarantee that every server on the path will use it, and each intermediate mail server still sees the message in the clear. End-to-end schemes such as S/MIME and PGP exist but require keys on both ends, which is rarely workable with clients and opposing counsel. In practice, then, a message can be read in transit or on any mail server it passes through, a serious problem for the privacy and security of email sent and received by law firm personnel.

Think of the kinds of email you send to clients, law clerks, colleagues, and other parties: full of sensitive information, in the email body and in attachments. As normally sent, that email is not protected and is ripe for a security incident.

Email Encryption is a system where sensitive email sent by the law firm is encrypted before being sent to the recipient.

But if the transport can't be trusted, how does an encrypted message get through?

It doesn't have to: Email Encryption solutions keep the sensitive content off regular email transit altogether.

When the law firm sends a sensitive email, the Email Encryption system intercepts the message before it leaves the firm's mail system and, in its place, sends the recipient a notification telling him that a secure message is waiting and that he must follow a link to read it. The link opens a web page over HTTPS (which is encrypted), and the message is shown only after the recipient authenticates, typically with a password or a one-time code sent to him. (A CAPTCHA alone is not authentication: it proves a human is present, not which one.)

Email Encryption systems are typically policy-based, which means the system determines which emails should be considered sensitive based on their content: credit card numbers, social security numbers, healthcare/HIPAA-related information, and so forth. Most also let the sender force encryption of a specific message, for content the rules would not catch.

This kind of policy-based email encryption is required or strongly recommended by regulators in industries such as finance and healthcare. We believe that law firms, regardless of a regulatory mandate, have the obligation to implement legal-grade email, with encryption, across the board.
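As an added illustration of the policy-based classification described above (this is example code written for this edit, not Uptime Legal's product or any vendor's rule set), the following Python scans an outgoing message for the kinds of content such policies look for. The patterns are assumptions: a US SSN pattern, a Luhn-checked payment-card pattern, a small health-information keyword list, and a manual "[SECURE]" subject tag. Real products carry far larger rule libraries, but the shape is the same.

```python
import re

# US Social Security number: NNN-NN-NNNN, excluding area 000/666/9xx and
# all-zero groups, which are never issued (assumed pattern for this example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits optionally separated by spaces or hyphens. The Luhn check
# below weeds out docket numbers, tracking numbers and other digit runs.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative health-information keywords (assumed; a real policy is longer).
PHI_KEYWORDS = ("diagnosis", "medical record", "patient", "prescription")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(subject: str, body: str) -> dict:
    """Return whether the message must go via the encrypted channel, and why."""
    reasons = []
    text = subject + "\n" + body
    if "[secure]" in subject.lower():       # sender forced encryption
        reasons.append("sender tagged [SECURE]")
    if SSN_RE.search(text):
        reasons.append("US Social Security number")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append("payment card number (Luhn-valid)")
            break
    hits = [kw for kw in PHI_KEYWORDS if kw in text.lower()]
    if hits:
        reasons.append("possible health information: " + ", ".join(hits))
    return {"encrypt": bool(reasons), "reasons": reasons}


# Constructed sample messages for the demo (not real client data).
SAMPLES = [
    ("Retainer", "Card on file: 4111 1111 1111 1111, exp 12/26"),
    ("Docket", "Docket number 1234567890123456 has been assigned."),
    ("Intake", "Client SSN 123-45-6789 for the W-2."),
    ("[SECURE] Draft", "See attached."),
    ("Lunch", "Meet at noon?"),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        result = classify(subj, body)
        print(f"{subj!r:18} encrypt={result['encrypt']!s:5} {result['reasons']}")
```

The docket-number sample is the point of the Luhn check: it is sixteen digits like a card number, but fails the checksum and so is not flagged. Content rules will still miss sensitive material that matches no pattern (a settlement amount, a client's name next to a medical condition), which is why the manual "[SECURE]" tag matters and why we recommend encrypted email across the board rather than relying on detection alone.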

Eight: Implement Real Security & Password Policies

Let's not overlook the basics. As prescribed in the NIST Cybersecurity Framework, it's important to have some basic computer security settings applied across your firm, from your firm's servers, to its private cloud, to its desktops and laptops.

These aren’t rocket science, but are unfortunately often overlooked, or not put into practice.

We recommend the following settings be applied universally and consistently across your entire firm. These simple settings can be centrally defined, applied and administered with a tool built in to Microsoft Windows Server, something called Group Policy.

Group Policy is where you (or your IT professional) can define universal settings, from password requirements to what the user's desktop looks like, in one place that will be uniformly applied to all computers within the law firm.

These settings enforce basic security measures: minimum password length, automatic locking of unattended computers, lockout after repeated failed logins, and whether users must change passwords on a schedule. (Note that current NIST guidance, SP 800-63B, recommends against forced periodic password changes unless there is evidence of compromise, favouring longer passphrases and screening against known-breached passwords instead.) They're easy to implement but go a long way toward securing your law firm. (More low-hanging fruit of cybersecurity.)

Have your IT consultant or manager configure, apply and document these settings for your computer network. Or—if your firm uses a private cloud instead of owning and managing servers—have your cloud service provider put these settings into place. (A security-competent cloud service provider will already have done this by default.)

Nine: Setup Restricted Access

One of the primary benefits of cloud computing is the ability to work from anywhere. But what if you don’t want everyone in your firm being able to log into your cloud from outside of your office?

Setting up Restricted Access (not an official term) means limiting who or where people can log into your system and access your firm’s data. For instance, you may want to allow access to your private cloud service, but only from your main (physical) office location. And you may want to permit people logging in from outside the office (that is, after all, one of the benefits of the cloud), but only after passing an additional security measure, such as passing through Two-Factor Authentication or establishing a secure VPN connection.

Make sure your chosen Cloud Service Provider has an option for Restricted Access, where you can limit or restrict which staff members can work from home (or elsewhere), and which can only log into your cloud and access your data from within your office.
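To show what a Restricted Access rule looks like when written down, here is an added example (code written for this edit, not Uptime Legal's or any provider's implementation) that decides whether a login attempt is allowed from its source address, the user's role and whether a second factor was passed. The office and VPN address ranges are documentation and private ranges chosen for the example, and the two user roles are assumptions; a real provider would pull these from its identity system and firewall.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address ranges for the example: the office's public egress range
# (a TEST-NET block, not a real firm) and the pool the firm VPN hands out.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]


@dataclass(frozen=True)
class User:
    name: str
    remote_allowed: bool   # False = may only log in from the office


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def decide(user: User, source_ip: str, mfa_passed: bool) -> tuple:
    """Return (allowed, reason). Office logins are trusted on network
    location; remote logins need the firm VPN or a second factor, and only
    for users whose role permits remote work at all."""
    ip = ipaddress.ip_address(source_ip)
    if _in_any(ip, OFFICE_NETWORKS):
        return True, "office network"
    if not user.remote_allowed:
        return False, "user is office-only"
    if _in_any(ip, VPN_NETWORKS):
        return True, "firm VPN"          # the VPN already enforced its own auth
    if mfa_passed:
        return True, "remote with 2FA"
    return False, "remote login requires VPN or 2FA"


def audit(events) -> list:
    """Run login events through the policy and return the denials: the lines
    a monitoring team would want to see, since repeated denials for one
    account are the early sign of a stolen password being tried."""
    denied = []
    for user, ip, mfa in events:
        allowed, reason = decide(user, ip, mfa)
        if not allowed:
            denied.append((user.name, ip, reason))
    return denied


# Constructed login events: (user, source address, second factor passed?)
EVENTS = [
    (User("paralegal", False), "203.0.113.17", False),  # at the office
    (User("paralegal", False), "198.51.100.5", True),   # from home, even with 2FA
    (User("partner", True), "198.51.100.5", False),     # hotel wifi, no 2FA
    (User("partner", True), "198.51.100.5", True),      # hotel wifi, 2FA ok
    (User("partner", True), "10.8.0.23", False),        # over the firm VPN
]

if __name__ == "__main__":
    for user, ip, mfa in EVENTS:
        print(f"{user.name:10} {ip:15} 2FA={mfa!s:5} ->", decide(user, ip, mfa))
    print("denied:", audit(EVENTS))
```

One caveat on the office rule: trusting a source address assumes the office's public address is stable and not shared. A firm behind a coworking space's NAT, or one whose ISP changes its address, will find the rule either too loose or locked out, so treat network location as a complement to 2FA, not a substitute for it.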

Ten: Encrypt Data In Transit and At-Rest

Data encryption is an important factor when it comes to your firm and client data. If you’re using any cloud service, including web-based software, cloud-based storage or a private cloud: Make sure your data is, and stays, encrypted. Encryption happens at two different levels: Data in-transit and data at-rest.

Here’s what that means.

Encryption In-Transit means that your data will be encrypted while traversing the public Internet. Picture using a web-based application such as QuickBooks Online or LegalWorks. As you move from screen to screen, entering and viewing data, all of that data (your data) is moving across the public Internet, where it could be intercepted and compromised. Encryption in-transit does what it sounds like: it encrypts the data while it's on the Internet, only decrypting it at each secure end.

If you're using web-based software, for instance, seeing the lock icon or HTTPS:// in your address bar means the connection uses TLS (the successor to SSL) and the data is encrypted in-transit. Make sure the provider has disabled the obsolete SSL and early TLS versions rather than just "supporting HTTPS."

Encryption At-Rest refers to the state of your data while it's "at-rest," that is, as it's stored on the servers where it ultimately resides. Some large financial institutions, including insurance carriers, require that they, and all of their key business partners (including law firms), keep all data encrypted at-rest.

The Verdict

As with an on-premise server environment, security in the cloud is of critical importance. This is especially true for law firms, who have an ethical obligation to keep their clients' data secure. By moving all or part of your practice to the cloud, your firm is shifting much of this responsibility to your cloud provider, but not all of it: your users, their devices, their passwords and the access settings you choose remain yours to secure.

Make sure they are up to the task.
