Are you considering moving your data to the cloud?
The NC State Bar ethics opinion 2011 FEO 6 provides questions and factors (discussed in this article), but most resources stop short of listing minimum attributes that would meet your ethical obligations for security. The reasoning for this is that what was reasonable 5-10 years ago may not apply now, and what is reasonable as a minimum standard now may not be so in another 5-10 years.
The Main Issues to be Addressed
Encryption: The provider encrypts your data both at rest (while it is stored in the cloud) and in transit (while being accessed/uploaded/downloaded). With the current state of technology, 256-bit encryption will be the best option offered and should be used if available. 128-bit encryption was the standard previously and while it could be sufficient in some circumstances, many services have switched to 256-bit already and if given the option, 256-bit would be the preferred route. 512-bit encryption has begun to be available in some circumstances and is even better from a security standpoint, but it is not yet widely available. 512-bit significantly slows performance for a relatively small benefit given today’s state of technology, limiting its current practicality.
To explain this further: ###-bit refers to the length of the encryption key in bits, so a 256-bit key is twice as long as a 128-bit key, making it significantly harder for an unauthorized person to decrypt the data without your login credentials.
Physical security: The provider’s servers, storage facilities, and backup facilities should have physical security in place to protect against unauthorized access to those locations. This may include barriers, key-card access, biometrics, etc. Along with access security, they should implement protective measures against risks such as fire or flood that could destroy your data.
Cybersecurity: The provider will hopefully have systems in place to monitor cyber threats, denial of service attacks, etc. and be able to respond to those quickly. You may inquire about whether they have experienced any incidents or breaches, how they responded, and what has been done to reduce the risk of a future occurrence. Finally, inquire about whether they carry cyber insurance and what it covers.
Location: Where are the provider’s servers, storage facilities, and backup facilities physically located? You should ensure they are located in countries that have similar privacy and data protection regulations as we have in the United States. Ideally you would have a provider that keeps your data within the United States.
Also, the primary location and the backup locations should be in different disaster areas. For example, an earthquake in California may disrupt a facility, but their backup in North Dakota would be unaffected – contrast that with a facility in Florida and a backup in North Carolina that could be affected by the same hurricane.
Public v. Private Cloud: Most firms would be ok with a public cloud – which just means that the provider hosts multiple companies’ platforms on the same machines in their datacenter – but segmented off so data does not cross between the different clients/subscribers.
A private cloud would mean you have your own machines either in your own datacenter or your provider’s datacenter and they only contain your information. Usually that would be very expensive to do and would be over-kill for law firms. But again, times can change. So if you have the secret formula for Cheerwine, a private cloud may be the way to go. (Actually, in that case, it may not be wise to store such a formula on any electronic system.)
In either instance, verify with the provider that their processes, procedures, and access levels applicable to those machines and to your data are consistent with your obligations of client confidentiality.
Ownership and return of data: You should ensure that you own your data and that, upon request or upon the termination of your relationship with the provider, you are able to have all your data returned to you and the provider destroys any copies on its systems.
Your access to your cloud: I would strongly recommend that whatever platform you use, you include multi-factor authentication (MFA) for access to that platform. Strong passwords will help, but many times people will use things like “Winter2019!” or “P@ssw0rd” which are easy to break even though they meet the rules of 8 characters, upper case, lower case, number, and special character.
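The gap described above between a password that satisfies a complexity rule and one that is actually hard to guess can be made concrete. The following is an added example, not code from the article or from any vendor: it checks the usual "8 characters, upper, lower, number, special" rule and then screens the password against a small constructed denylist and two predictable patterns (season plus year, and common words with letter substitutions). The denylist, the substitution table and the sample passwords are all constructed for illustration.

```python
import re

# Constructed samples: the two from the article plus one that should pass.
SAMPLE_PASSWORDS = ["Winter2019!", "P@ssw0rd", "Tq7#vLp9!mRz2"]

# Constructed stand-in for a real breached/common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}

# Common letter substitutions people use to satisfy "number/special" rules.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "4": "a"})


def meets_complexity_rules(pw, min_len=8):
    """The classic rule set: length plus four character classes."""
    return all([
        len(pw) >= min_len,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


def normalize(pw):
    """Strip trailing digits/punctuation and undo substitutions so
    'P@ssw0rd' and 'Winter2019!' reduce to 'password' and 'winter'."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def is_predictable(pw):
    """True if the password is a known common word or a season+year pattern."""
    core = normalize(pw)
    if core in COMMON_WORDS:
        return True
    if core in SEASONS and re.search(r"(19|20)\d{2}", pw):
        return True
    return False


def evaluate(pw):
    """Accept only passwords that meet the rules AND are not predictable."""
    rules = meets_complexity_rules(pw)
    predictable = is_predictable(pw)
    return {"meets_rules": rules, "predictable": predictable,
            "accept": rules and not predictable}


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {evaluate(pw)}")
```

Both article examples pass the complexity rule and are rejected only by the predictability screen, which is why a denylist check against known-compromised passwords is a better control than rule complexity alone.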
MFA adds an extra step to the login process, be it a text (ok but not as secure as other methods), an email (also could be intercepted), an authenticator application (ex: Google Authenticator, MS Authenticator, Duo, Okta), an authenticator key (ex: YubiKey, Titan Key), or even biometrics (but some like facial recognition can be easily fooled – this will likely change as the technology advances). Thus, by requiring some extra item or step, MFA makes it more difficult for an unauthorized party to gain access to your system.
Regardless of whether your provider disclosed security incidents or breaches to you, take a moment to search the provider’s history online to see if there have been breaches or other issues in the past and verify that they effectively remediated the situation that led to them.
There is not an accepted “law firm” standard of security at this time. However, a good starting point would be to look for services that are HIPAA compliant as these will likely offer security measures and safeguards that would satisfy the tests the State Bar has put forth. It is worth emphasizing that the inquiry does not end upon verifying that a provider is HIPAA compliant. You should still run through the factors and inquiries to make sure you are satisfied that they meet all the requirements, but it is likely that such a provider will meet those tests as well.
While not directly related to the ethical inquiry in 2011 FEO 6, there are now a number of state and national/international privacy and data protection laws that may impose additional obligations if you possess any personal information for their citizens/residents/data subjects (ex: the European Union or California). Likewise, if you use a cloud provider that stores data in another country, you may need to comply with cross-border transmission regulations, and your provider should be able to explain how they handle those situations if they apply.
As a final note to circle back to the beginning of this article, what is acceptable now may not be secure enough in 5-10 years, so it is important to keep reviewing these issues and evaluating your vendors/providers. Preferably this would be done on an annual basis but could be longer or shorter depending on the technologies used, your particular risk factors, and any emerging risks or new vulnerabilities discovered. Or, to quote from Opinion #2 of 2011 FEO 6: “due diligence and frequent and regular education are required.”
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or firstname.lastname@example.org.