Cloud computing is becoming more widely used than ever before by corporate legal departments and law firms, mainly because of the flexibility and lower cost such technology affords. But some haven't fully jumped on the bandwagon just yet, slowed by concerns over security and data access.

To be sure, most lawyers are using cloud computing platforms for their practice. Specifically, 55% of lawyer respondents to the American Bar Association's 2018 TechReport said they used cloud computing technology for work-related tasks, an increase from 52% the year before. Of those, 60% said they used file-sharing website Dropbox, with Google Docs (36%) and iCloud (22%) rounding out the top three programs.

But while the cloud is finding a home in legal, some lawyers are still hesitant to place sensitive client data on cloud-based programs. A lot of this apprehension stems from concerns over data access, specifically cloud providers' ability to hand over client data to government or law enforcement agencies upon request.

In response, big-name cloud computing service providers are moving to give users more control over their own data's encryption keys. But it's an open question whether this is enough, with some law firms calling for deeper changes.

The ability and willingness of cloud providers to address these concerns will likely be watched closely by many legal professionals. After all, the cloud, in one form or another, is an unavoidable piece of technology in many law firms' and legal departments' day-to-day operations.

"There's still a lot of holdouts that don't want to put their practice data or client data on the cloud," says Eric Buhrendorf, CEO of EverNet, an IT consultancy firm for legal and other industries. "But when I meet those people, my challenge is explaining to them they've been exposing their clients to the cloud since they've been using email."

Cloudy Skies

For some firms and corporate legal departments, cloud computing companies deliver services that their organization couldn't otherwise provide.

Susanna McDonald, vice president and chief legal officer of the Association of Corporate Counsel, says it makes sense for her organization to use third-party cloud vendors.

"I understand there are organizations [for whom] migration to the cloud has risks associated with it—it does—but if we had servers on premises we would have risk," she says. "We are not a big enough organization to support the type of personnel to maintain that system."

Still, some are limiting their exposure to cloud services. Kirkland & Ellis chief information officer Dan Nottke, whose firm placed its human resources and expense data on the cloud 10 years ago, hasn't stored any client data on the cloud because of two main privacy concerns.

"The first one is to get full functionality out of systems, [cloud providers] have to have full access" to your data stored on the cloud, he says.

This situation leads to the second concern, namely "the ability for a cloud vendor to have access to your data and take your data away without you knowing it," Nottke adds.

Nottke explains that to mitigate these concerns, law firms would need to work with vendors to run cloud systems through their firms' own on-premises servers. Other improvements include contingency plans if a cloud computing service provider is acquired or dissolves.

In a bid to better understand law firms' concerns with cloud services, a collection of GCs from the largest law firms convened in April to discuss the risks the cloud poses for them, Nottke says. During the meeting, the GCs created a framework to explain to the largest cloud providers' senior management the specific and unique challenges law firms face in adopting their solutions.

The group showed its framework to one cloud computing service provider in May and plans to show it to two others this summer. The framework is tentatively scheduled to be shared publicly in August during the International Legal Technology Association (ILTA) annual conference.

"My view is that [cloud providers] now understand the issues that are preventing law firms from generally going to their cloud. Now they are trying to figure out the business opportunity to put in this extra security," Nottke says.

Encryption Keys to the Rescue?

Some cloud providers are already trying to meet legal's needs by offering security controls around client data, but it may not be enough.

To be sure, law firms and corporate legal departments typically deploy cybersecurity measures routinely found in any organization, such as firewalls and access controls, says HBR Consulting chief technology officer Matt Coatney.

However, encryption keys, which can encrypt or decrypt data stored on the cloud, are "very top of mind for law firms," Coatney says.

"Keys are the 21st century equivalent of the locked door to the law office file room," he explains. "It requires the firm's knowledge and involvement to get to client data, which meets their stringent privacy and client confidentiality obligations."

For some law firms, such as Kelley Drye & Warren, the use of encryption keys is requested directly by clients.

"We have just recently implemented [NetDocuments'] client-customer encryption key capabilities to address the requirements of some of our financial institution clients," says Kelley Drye chief information officer Judith Flournoy. She adds that the firm is confident in NetDocuments' security policy and procedures.

To mitigate concerns over data access, some cloud providers are giving clients sole control over encryption keys. But could owning encryption keys be the answer to legal's privacy and security apprehensions? Not quite. Opinions vary on the hackability of encryption keys, with some saying they're nearly impenetrable and others suggesting their security could be bypassed.

Coatney thinks encryption keys are unhackable because of the lengthy time needed to undermine their security protections.

"The time it takes to break modern cryptography is in the tens or even hundreds of years for a single key, and standard practice is to regularly rotate keys once a quarter or year," he says.

But not all in legal are convinced that the ownership and security of encryption keys are all they're cracked up to be.

"Encryption keys by themselves—no matter who has them or manages them—won't prevent a cloud vendor who receives a silent government warrant or subpoena [from responding to] any entity that requests it," Nottke says. He notes that the cloud provider typically needs access to clients' encryption keys to provide services around the data, such as indexing.

Buhrendorf, the IT consultant, also insists that sophisticated hackers and significant government pressure pose a danger to data secured by encryption keys.

"While the sheer computational aspect of the highest level of encryption could take years of processing to brute force through it, it's much easier to simply attack—or compel through government action—the company or agents which invented the encryption standard," Buhrendorf says. He adds, "I always tell my clients, don't operate with any sense of false security that these tech companies won't reveal your data if they are under enough government pressure."

The Key to Government Access

To be sure, encryption keys can also be subject to a law enforcement warrant or subpoena. But trying to get access to an encryption key owned by a law firm isn't a straightforward process.

"If an organization decided to use a key, the government could serve them a search warrant to get the encryption key, and then the question would be whether anything prevents them [from providing the data]," says Aravind Swaminathan, an Orrick, Herrington & Sutcliffe partner and cyber, privacy and data innovation team co-chair. "[There are] no regulations that apply directly to that question."

Indeed, Alexander Southwell, a Gibson, Dunn & Crutcher partner and former assistant U.S. attorney in the Southern District of New York, notes that the U.S. Department of Justice's policy is to request cloud data from the data's owner. But he also says the DOJ has provided U.S. attorneys with a protocol for demanding encrypted data from law firms.

"There's a separate issue when data is encrypted and the government may seek to compel an owner to unencrypt data," Southwell says. While "the government on occasion can force disclosure of an encryption key in special circumstances, I don't think [that] would come up with a law firm because the Department of Justice is sensitive to, and cautious about, the potential effects on an attorney-client relationship from seeking evidence from lawyers."

He cited the U.S. Attorneys' Manual 9-13.410 as the DOJ's guidelines for issuing subpoenas to attorneys for information relating to the representation of clients. The guidance says, in part, "When determining whether to issue a subpoena to an attorney for information relating to the attorney's representation of a client, department personnel must strike a balance between an individual's right to the effective assistance of counsel and the public's interest in the fair administration of justice and effective law enforcement."

Where the law is clearer is with data stored overseas. In March 2018, Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, an amendment to the Stored Communications Act that compels U.S. providers of "electronic communication service or remote computing" to comply with a government agency's request to disclose information belonging to U.S. entities but stored outside of the country.

Such legislation will likely give law firms and legal departments some pause in placing critical data on cloud services that use servers in other countries. But, ultimately, lawyers say, legal departments and law firms will have to assess if the benefits of storing data on the cloud outweigh the risks for their organization.

"Everybody has to make a business decision over what type of system [they] gain the most protection from," McDonald, the ACC general counsel, says. "You have to balance the risk based on what type of company you are."