You know the cloud. As Rachi Messing, senior program manager at Microsoft, says, “For most of the people in our industry, we've been dealing with the cloud for 15 years. It's nothing new.”

But does everyone know the cloud? Perhaps not. According to one recent American Bar Association survey cited by Doug Austin, vice president at CloudNine, only 38 percent said they use the cloud, likely not realizing that even legal research platforms such as LexisNexis and Thomson Reuters' Westlaw are cloud-based. Ari Kaplan of Ari Kaplan Advisors echoed those sentiments, quoting one law firm CIO as saying, “Many people are working in the cloud, and don't even know if they are.”

The “E-Discovery in the Cloud” panel on the second day of Relativity Fest 2017 aimed to clear up common cloud misconceptions. The panel featured Austin, Kaplan and Messing, alongside Kelly Twigger, principal at ESI Attorneys, and moderator David Horrigan, legal content director at Relativity.

The panel broke its cloud deep dive into a few categories: defining the cloud, using the cloud, and security in the cloud.

Defining the Cloud

According to the panel, common definitions of the cloud revolve around three different types: public, private and hybrid. The first two are easy to define—public clouds involve shared resources, where the company is kept separate but operates on a public infrastructure that many other companies also use. Think Microsoft Azure or Amazon Web Services. Private clouds involve keeping data within your environment, with your own hardware and design. These are often supplied by smaller companies, such as Austin's CloudNine.

The third category of “hybrid,” though, is harder to define. “Hybrid cloud is really a marketing term, and that's pretty much the agreement I found across the board. Hybrid cloud is for any other scenario where you're doing something on private, something on public,” Messing said.

Twigger agreed. “I don't know that people make these distinctions, the way that they define them,” she said. Twigger's law firm, ESI Attorneys, is virtual and uses 53 different cloud applications. Ultimately, what matters to many of her colleagues isn't necessarily how the data is stored, but rather that it's safe and works. “If you can think it is what it is you want to do, chances are someone's built something somewhere that you can plug into via an API,” she explained.

Messing echoed this point, adding that at Microsoft, scale, rather than distinction between public and private, has been the game changer. He explained, “We can now introduce things that were never possible with private clouds or on premise centers.”

Using the Cloud

It usually takes some sort of trigger to encourage cloud adoption. Kaplan said that his research indicated that for law firms, that driver is usually corporate clients. “The cloud is a funny discussion. If it's secure, all things being equal, they don't really care where they get the information. The clients are driving the discussion,” he explained.

Kaplan said that many CIOs have followed their clients' lead, especially recently. He noted that 74 percent of legal operations directors use cloud-based e-billing, 44 percent use cloud-based contract management, 51 percent rated their cloud use at a four or five out of five.

But this is a recent shift, Messing noted—he said that when he started with Microsoft just three years ago, “I'd talk to 10 clients, and maybe two of them were already in the cloud.”

“Like anything it comes down to costs,” Messing added. “They're looking at it, and the problem is, they're not looking at it from a legal and compliance standpoint initially.” Instead, IT is initially driving the discussion. And that can be an issue, especially when it comes to security.

Securing the Cloud

One of the main questions from the audience had to do with the IT/legal tug of war: Who is responsible for making sure the environment is up to the right security standards?

Messing said that ultimately IT and legal should work together, but in his experience, that's not typically how things play out.

“We still see that with IT security and legal compliance, even as far as it's come in the past couple years, when it comes to migration and planning out the cloud, legal is coming in late,” Messing said. Many attorneys don't realize that a move to the cloud gives them “an opportunity to re-evaluate the policies and procedures they have in place. … Generally there is a huge disconnect there, and we see the need for education.”

Austin noted that “whether you're a pubic or a private cloud provider, there are certain things you want to look for.” These include ISO 27001 and other security certifications, multifactor authentication, and industry-specific guidelines such as Health Insurance Portability and Accountability Act for health care. He also suggested perusing EDRM's security audit questionnaire as an additional guideline. These, taken in tandem, can help spur the IT/legal conversation.

Twigger also suggested a checklist of what needs to get done. “The thing that I find with most of my clients, if there is a good liaison relationship between IT and legal, those issues get addressed,” she explained. She added that “a lot of those [issues] will depend on the clients you have, the locations you are, if there is data overseas.”

And finally, Kaplan warned not to forget to not only vet third parties, but also the outside companies and individuals that those third parties work with. He said these so-called “fourth parties” are the biggest security issue facing legal organizations today.

“From a practical standpoint, are you doing enough due diligence? Nobody is making the step of asking that additional question,” Kaplan said. “Whether it's legal or IT, right now that distinction is blurred.”