Cloudy Skies: Cloud Providers Step up to Relieve Legal's Apprehensions
Cloud computing is becoming more widely used than ever before by corporate legal departments and law firms, mainly because of the flexibility and lower cost such technology affords. Yet some haven't fully jumped on the bandwagon just yet, slowed by concerns over security and data access.
June 28, 2019 at 08:00 AM
9 minute read
This article first appeared in the July print editions of Corporate Counsel and The American Lawyer magazines.
Cloud computing is becoming more widely used than ever before by corporate legal departments and law firms, mainly because of the flexibility and lower cost such technology affords. Yet some haven't fully jumped on the bandwagon just yet, slowed by concerns over security and data access.
To be sure, most lawyers are using cloud computing platforms for their practice. Specifically, 55% of lawyer respondents to the American Bar Association's 2018 TechReport said they used cloud computing technology for work-related tasks, an increase from 2017's 52%. Of those, 60% said they used file-sharing website Dropbox, with Google Docs (36%) and iCloud (22%) rounding out the top three programs.
But while the cloud is finding a home in legal, some lawyers are still hesitant to place sensitive client data on cloud-based programs. A lot of this apprehension stems from concerns over data access, specifically cloud providers' ability to hand over client data to government or law enforcement agencies upon request.
In response, big-name cloud computing service providers are moving to give users more control over their own data's encryption keys. But it's an open question whether this is enough, with some law firms calling for deeper changes.
The ability and willingness of cloud providers to address these concerns will likely be watched closely by many legal professionals. After all, the cloud, in one form or another, is an unavoidable piece of technology in many law firms' and legal departments' day-to-day operations.
“There's still a lot of holdouts that don't want to put their practice data or client data on the cloud,” says Eric Buhrendorf, CEO of EverNet, an IT consultancy firm for legal and other industries. “But when I meet those people, my challenge is explaining to them they've been exposing their clients to the cloud since they've been using email.”
|Give and Take
For some firms and corporate legal departments, cloud computing companies deliver services that their organization couldn't otherwise provide.
Susanna McDonald, vice president and chief legal officer of the Association of Corporate Counsel, says it makes sense for her organization to use third-party cloud vendors. “I understand there are organizations [for whom] migration to the cloud has risks associated with it—it does—but, if we had servers on premises, we would have risk,” she says. “We are not a big enough organization to support that type of personnel to maintain that system.”
Still, some are limiting their exposure to cloud services. Kirkland & Ellis Chief Information Officer Dan Nottke, whose firm placed its HR and expense data on the cloud 10 years ago, hasn't stored any client data on the cloud because of two main privacy concerns.
“The first one is, to get full functionality out of systems, [cloud providers] have to have full access” to your data stored on the cloud, he says.
This situation leads to the second concern, namely “the ability for a cloud vendor to have access to your data and take your data away without you knowing it,” Nottke adds.
Nottke explains that to mitigate these concerns, law firms would need to work with vendors to run cloud systems through their own on-premises servers. Other improvements include contingency plans if a cloud computing service provider is acquired or dissolves.
In a bid to better understand law firms' concerns with cloud services, a collection of GCs from the largest law firms convened in April to discuss the risks the cloud poses for them, Nottke says. During the meeting, the GCs also created a framework to explain to the largest cloud providers' senior management the specific and unique challenges law firms face in adopting their solutions.
The group showed its framework to one cloud computing service provider in May and planned to show it to two others over the summer. The framework is tentatively scheduled to be shared publicly in August during the International Legal Technology Association annual conference. “My view is that [cloud providers] now understand the issues that are preventing law firms from generally going to their cloud. Now they are trying to figure out the business opportunity to put in this extra security,” Nottke says.
|Encryption Keys to the Rescue?
Some cloud providers are already trying to meet legal's needs by offering security controls around client data, but it may not be enough.
To be sure, law firms and corporate legal departments typically deploy cybersecurity measures routinely found in any organization, such as firewalls and access controls, says HBR Consulting Chief Technology Officer Matt Coatney.
However, encryption keys, which can encrypt or decrypt data stored on the cloud, are “very top-of-mind for law firms,” Coatney says.
“Keys are the 21st-century equivalent of the locked door to the law office file room,” he explains. “It requires the firm's knowledge and involvement to get to client data, which meets their stringent privacy and client confidentiality obligations.”
For some law firms, such as Kelley Drye & Warren, the use of encryption keys is requested directly by clients.
“We have just recently implemented [NetDocuments'] client-customer encryption key capabilities to address the requirements of some of our financial institution clients,” says Kelley Drye CIO Judith Flournoy. She adds the firm is confident in NetDocuments' security policy and procedures.
To mitigate concerns over data access, some cloud providers are giving clients sole control over encryption keys. But could owning encryption keys be the answer to legal's privacy and security apprehensions? Not quite. Opinions vary on the hackability of encryption keys, with some saying they're nearly impenetrable, while others suggest their security could be bypassed. Coatney, for instance, sees encryption keys as unhackable because of the lengthy time needed to undermine their security protections.
“The time it takes to break modern cryptography is in the tens or even hundreds of years for a single key, and standard practice is to regularly rotates keys once a quarter or year,” he says. Yet not all in legal are convinced that the ownership and security of encryption keys are all it's cracked up to be.
“Encryption keys by themselves—no matter who has them or manages them—won't prevent a cloud vendor who receives a silent government warrant or subpoena [from responding to] any entity that requests it,” CIO Nottke says. He notes the cloud provider typically needs access to clients encryption keys to provide services around the data, such as indexing.
EverNet's Buhrendorf also insists sophisticated hackers and significant government pressure pose a danger to data secured by encryption keys.
“While the sheer computational aspect of the highest level of encryption could take years of processing to brute force through it, it's much easier to simply attack—or compel through government action—the company or agents which invented the encryption standard,” Buhrendorf says. He adds, “I always tell my clients, don't operate with any sense of false security that these tech companies won't reveal your data if they are under enough government pressure.”
|The Key to Government Access
To be sure, encryption keys can also be privy to a law enforcement warrant or subpoena. But trying to get access to encryption key owned by law firm isn't a straightforward process. “If an organization decided to use a key, the government could serve them a search warrant to get the encryption key, and then the question would be whether anything prevents them [from providing the data],” says Aravind Swaminathan, an Orrick Herrington & Sutcliffe partner and cyber, privacy and data innovation team co-chair. “[There are] no regulations that apply directly to that question.”
Indeed, Alexander Southwell, a Gibson, Dunn & Crutcher partner and former assistant attorney for the U.S. Attorney's Office for the Southern District of New York, notes the U.S. Department of Justice's policy is to request cloud data from the data's owner. But he also notes the DOJ has provided U.S. attorneys with a protocol for demanding encrypted data specifically from law firms, Southwell explains.
“There's a separate issue when data is encrypted, and the government may seek to compel an owner to unencrypt data,” he says. “[While] the government on occasion can force disclosure of an encryption key in special circumstances, I don't think [that] would come up with a law firm because the Department of Justice is sensitive to, and cautious about, the potential effects on an attorney-client relationship from seeking evidence from lawyers.”
He cited the U.S. Attorneys' Manual 9-13.410 as the DOJ's guidelines for issuing subpoenas to attorneys for information relating to the representation of clients. The guidance reads in part, “When determining whether to issue a subpoena to an attorney for information relating to the attorney's representation of a client, department personnel must strike a balance between an individual's right to the effective assistance of counsel and the public's interest in the fair administration of justice and effective law enforcement.”
Where the law is clearer is with data stored overseas. In March 2018, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act, an amendment to the Stored Communications Act that compels U.S. providers of “electronic communication service or remote computing” to comply with a government agency's request to disclose information belonging to U.S. entities but stored outside of the country.
Such legislation will likely give law firms and legal departments some pause in placing critical data on cloud services that use servers in other countries. But ultimately, lawyers say, legal departments and law firms will have to assess if the benefits of storing data on the cloud outweigh the risks for their organization.
“Everybody has to make a business decision over what type of system [they] gain the most protection from,” ACC general counsel McDonald says. “You have to balance the risk based on what type of company you are.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHow Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
Aggressive FTC May Force Merging Companies to Bolster Legal Defenses
4 minute readBest Legal Departments: How Blackstone's Legal and Compliance Team Got the All-Clear to Grow Business
CEOs Want Data-Based Risk Management; GCs Lack the Tech to Do So.
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250