February 24, 2020
Clouded Judgment - Lawyers and the Cloud

In the early days of network design, engineers would spend a lot of effort mapping and visualising the networks of the devices they were developing. Some of these networks, however, were connected to a larger network known as the internet. This network was unknown terrain, outside their domain of knowledge, since it consisted of an undefined number of nodes. So how do you visualise that? You draw a cloud, obviously.
A cloud requires very little skill to draw and it works as the perfect symbol for something intangible and ethereal. At least, that is how the story goes of how the cloud became the dominant metaphor for the internet.
On the surface, the cloud is the perfect metaphor for the internet - denoting a global system of great power and energy, something impossible to grasp. Something we experience all the time without really understanding what it is or how it works. Something weightless, amorphous and invisible.
The problem is that the internet is, in fact, no such thing. It is a very physical network of wires and computers that could and should be understood and governed. A consequence of this misunderstanding might even be a counterproductive skepticism around the cloud concept. Because, if it is not the cloudy metaphor, why else is the legal profession so reluctant to use it? Why are we continuing to have discussions about the use of cloud technologies in the legal profession? Like this one. Or this? And even this?
What is the cloud?
The cloud is a very physical infrastructure consisting of phone lines, fibre optics, satellites, cables on the ocean floor and vast warehouses filled with computers, which reside within national and legal jurisdictions. It is a collection of external computers, servers and databases that can be accessed by users to utilize their combined power.
By using the cloud, legal professionals can take advantage of this highly specialised and complex infrastructure that cloud service providers invest in, along with the IT staff that maintain it. In reality, lawyers are regularly using the cloud in their practices, whether they are cognisant of it or not. Lawyers commonly use email services such as Gmail or Outlook, both cloud-based services. And legal research tools such as WestLaw, LexisNexis and FastCase are also cloud-based services.
The advantages of cloud computing for law firms are numerous. It means lawyers are able to access documents from anywhere, anytime; they need not worry about network crashes; they gain real-time data storage that prevents document loss; and achieve more effective team collaboration, including with remote members.
And lawyers need pay only for the services they use, which makes it easy to scale. They get the expertise, specialisation and cutting-edge technology from the cloud provider, while remaining competitive without the prohibitive investment of capital to buy new local servers, switch data centres and retain in-house staff. In other words, it saves a great deal of cost.
Furthermore, cloud computing provides improved disaster-preparedness and increased adaptability. For example, cloud services were credited with helping expedite government and business recovery after Japan was hit with three consecutive, severe natural disasters in 2011.

The ethics of the thing
Certainly, the idea of storing data and software on servers owned and maintained by third parties is never going to sit comfortably with lawyers. Ethical duties to maintain the confidentiality and security of client information, often subject to legal professional privilege, inform all legal practice.
But many ethical committees around the world have wrestled with this ethical dilemma and concluded it does not make sense that lawyers cannot make use of the cloud. In the U.S., for example, the American Bar Association and 19 state ethics committees have given cloud computing their blessing, so long as lawyers take reasonable steps to ensure their confidential data is protected from unauthorised third-party access and exercise due diligence in vetting their cloud computing provider of choice.
So, if the various codes of ethics and conduct are sanctioning use of the cloud, why are lawyers still hesitant in transitioning to it? Is it because they don't understand the cloud and are therefore fearful of it?
The misconception: the cloud is insecure
Central to the lawyer's reluctance to move to the cloud is its perceived insecurity. But this myth ought to be debunked because today the cloud could actually be safer than some of its on-premises counterparts.
This is simply because providers who regularly work in storing sensitive information have invested significant money and resources in security. Microsoft and Amazon, for example, spend over $1 billion a year on security research and development and have huge teams dedicated to ensuring network security.
On top of this investment, providers protect their data centres at a military-style level. They employ sophisticated alarms, biometric entry systems, security guards, video surveillance, shatter-proof walls, concrete barriers, fire and leak detection, redundant power supply and redundant cooling. The most security-focused law firm cannot hope to match that investment or level of protection.
Further still, many cloud systems are secured with data tokenisation, a configuration more secure than logging in with a username and password against on-site systems. They also now include single sign-on (SSO) with two-factor authentication.
Finally, cloud providers offer encryption services in which the law firm can retain exclusive control of its encryption keys. This security architecture can include separate encryption keys for each data file and allows the legal practice to hold and control specific encryption keys, and to control user permissions and access levels internally. And if any firm is concerned that its cloud provider might become the recipient of a blind subpoena, it can use third-party security controls and end-to-end encryption techniques on top of the security features offered by the cloud provider.
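To make the key-control arrangement above concrete, here is an added example (not from the original article or any provider's code) of envelope encryption in Ruby with the standard OpenSSL bindings: each file gets its own random AES-256-GCM key, which is wrapped under a key that never leaves the firm. The function names, record layout and sample file names are assumptions made for illustration.

```ruby
require 'openssl'

NONCE_LEN = 12 # 96-bit GCM nonce
TAG_LEN = 16   # 128-bit authentication tag

# AES-256-GCM encrypt; returns nonce || tag || ciphertext as one binary blob.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh random nonce for every call
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def unseal(key, blob, aad)
  raise ArgumentError, 'blob too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = aad
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Runs at the firm: a new random key per file, wrapped under the firm-held key.
# The returned hash is all the provider stores (hypothetical record layout).
# The file name is bound in as associated data, so records cannot be swapped.
def encrypt_for_upload(firm_key, name, data)
  file_key = OpenSSL::Random.random_bytes(32)
  { name: name,
    wrapped_key: seal(firm_key, file_key, name),
    ciphertext: seal(file_key, data, name) }
end

# Runs at the firm after download: unwrap the file key, then decrypt the file.
def decrypt_download(firm_key, record)
  file_key = unseal(firm_key, record[:wrapped_key], record[:name])
  unseal(file_key, record[:ciphertext], record[:name])
end

# Constructed sample data: the key stays with the firm, the records go to the cloud.
firm_key = OpenSSL::Random.random_bytes(32)
a = encrypt_for_upload(firm_key, 'matter-001/engagement.txt', 'Privileged: draft terms')
b = encrypt_for_upload(firm_key, 'matter-002/memo.txt', 'Privileged: draft terms')
puts decrypt_download(firm_key, a)
puts a[:ciphertext] == b[:ciphertext] # same text, different per-file keys
```

The provider stores only the records, so anything it is compelled to hand over is ciphertext plus wrapped keys that cannot be opened without the firm-held key.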
Let's not forget, cloud-based services are in the business of providing a safe, encrypted and secure service to their clients. Their entire business model and reputation depend on safeguarding security and confidentiality.
What is the alternative anyway?
The question legal practices need to ask themselves is how secure their in-house IT programmes, data storage and firewalls are anyway.
Certainly, they have failed to prevent some substantial security breaches. Take the two merger-advising New York law firms that were hacked to obtain information about deals in the works. In both cases, three men entered the law firms’ servers after unlawfully obtaining employee credentials and were able to install malware on the servers to obtain information about the deals. Or the ransomware that paralysed Danish shipping giant, Mærsk. It had to install over 4,000 new servers, 45,000 new PCs and 2,500 applications as a result, and incurred damages estimated at $250-$300 million.
In practice, lawyers entrust confidential data to third parties all the time, whether it's process servers, court employees, building cleaning staff, summer interns, document processing companies, external copy centres, legal document delivery services or letters in the post. Yet these customary legal services have never required absolute security - probably because absolute security is impossible. What has been required is due diligence: lawyers taking reasonable steps to ensure that confidential client data remains safe and secure. The management of digital data is no different.
So while the cloud might seem... clouded, it is not some metaphysical force that cannot be handled or governed. If lawyers apply common sense and proper due diligence procedures to using it, there is no reason to hold back from the cloud because the advantages are massive.
Chances are lawyers are already using the cloud anyway... They just have not done their due diligence.