Legal professionals are by their nature a skeptical and cautious lot, but the sharp rise in cloud-based applications being used by enterprises and law firms, as well as recent high-profile law firm security breaches, has many legal professionals reticent about entering cloud engagements.
“The buck stops with the lawyer,” says Michael R. Overly, a partner and intellectual property lawyer focusing on technology at Foley & Lardner LLP in Los Angeles. “You’re trusting the [cloud provider] with how they manage security,” and yet their contract language excuses them from almost all responsibility if a security or confidentiality breach occurs, he says. “One can’t simply go to clients or the state bar association and say the third party caused a breach, so it’s really not our responsibility.”
This year’s high-profile breaches at Panamanian law firm Mossack Fonseca and New York-based Cravath Swaine & Moore have raised alert levels even higher. Law firms and legal departments have been warned by the Federal Bureau of Investigation that cyber thieves consider them low-hanging fruit from a risk perspective because of their potential treasure troves of trade secrets and undisclosed deal information that could be exploited.
[ ALSO ON CSO: 10 ways law firms can make life difficult for hackers ]
“The balance that was struck even a year ago that would have been appropriate as to ‘reasonable security’ I think is no longer a reasonable balance,” Overly says. “It has to be tilted a little more, further toward security than usability.”
Many legal professionals share Overly’s concern. Some 64 percent of legal technology professionals surveyed by Consilio, a global eDiscovery and document service, cited “inadvertent disclosure of sensitive data” as the biggest risk of using cloud-based applications. At the same time, more than half of respondents at law firms and in-house law departments revealed that workplace data stored on cloud applications is “often” or “almost always” considered in legal or investigatory matters, so knowing what information is in the cloud and how it’s being secured is a real challenge.
Legal professionals surveyed also cited intellectual property theft (39 percent), regulatory compliance failures (26 percent) and inability to adequately identify relevant data for eDiscovery (25 percent) as concerns with cloud applications.
At the same time, cloud-use has outpaced the risk and compliance measures needed to adequately manage risks for the protection of intellectual property, compliance, data privacy, records retention, among others, according to Consilio.
A Ponemon Institute survey estimates that every 1 percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach. An organization using 100 cloud services, for instance, would need to add 25 more to increase the likelihood of a data breach by 75%.
That may sound like a lot of cloud use, but in fact, many law firms and legal departments don’t even know how many cloud apps are being used. New cloud apps, such as file-sharing tools show up almost monthly even daily, creating a whack-a-mole mentality where IT security staff must shut down unauthorized apps when they pop up.
The average organization uses 1,154 cloud services to upload 5.6 terabytes of data each month, according to cloud-access security broker Skyhigh Networks.
“It’s happening too fast,” says technologist-turned-attorney David Ray, director of information governance at Consilio, where he leads the privacy and protection consulting practice. Some 20 percent of survey respondents say they "rarely or never address" rogue cloud apps because they don’t even know it’s there, he adds.
Third-party cloud providers can also slow down incident response planning during data breach investigations, says David Navetta, partner and co-chair of data protection, privacy and cybersecurity at Norton Rose Fulbright US LLP. “You can’t do what you would do in your own environment, such as take images of machines and get logs and react quickly. A cloud provider may worry about their own liability or may not want you to take an image of a virtualized machine that could expose all their clients’ data.”
Then there are the compliance and regulatory requirements that legal counsel must adhere to while employees are sending information to unauthorized cloud apps.
Making a case for the cloud
Cloud apps and services can offer many benefits to legal departments and law firms, Overly says. “You may end up with better security, lower costs and greater accessibility for your attorneys” through mobile apps, he adds. Legal professionals and cloud services can peacefully co-exist if they can find the right balance.
Build a data roadmap
Start by understanding what data you have across the enterprise and how people are using it, Ray says. It can be a costly process to build out that type of data road map, but it will uncover most of the rogue cloud use. Next, let employees know where they can and can’t put data – and which cloud services are approved.
Strip identifiers or keep data grounded
Navetta works with clients on de-identification and data minimization strategies in the cloud.
“Can we strip certain identifiers from data and still have it be useful, so if data was breached it wouldn’t cause as much of concern or trigger obligations or litigation? We also ask, does something really need to be in the cloud? Can we get the benefits of the cloud while minimizing our risk significantly without undermining [the benefits]?”
Encrypt data before it hits the cloud
Cloud service providers use load balancing to make sure servers are constantly available, which means a company’s data could be anywhere in the world at any point in time, and the provider often has no obligation (or knowledge) to tell you where it is. Middleware applications are available for some cloud services that can encrypt data before it hits the cloud provider, and the provider has no access to the key. But it will likely slow the process and add costs, Overly says.
Determine your ‘real’ host
A third-party provider is often not the data transacting party, Navetta says. A startup SaaS provider, for instance, may actually be hosted on Amazon Web Services, he says. “You may be asking for them to have these obligations and getting all these rights in the contract – but who are you really going to be dealing with if there’s a breach?” Navetta says. “You may decide you’re not going to go with a provider unless the provider itself is controlling its own data and infrastructure and is able to fulfill the obligations in the contract.”
Consider higher-security cloud services
For highly sensitive data, many enterprises are gravitating toward services with higher-security options. AWS GovCloud, for instance, allows US federal, state and local government agencies, along with contractors, educational institutions and other US customers to run sensitive workloads in the cloud by addressing their specific regulatory and compliance requirements.
But higher security cloud services can get pricey, Ray says – 50 percent to 200 percent higher than traditional cloud services, depending on the vendor, size of application and the amount of data.