Where's My Data? 5 Important Places to Look for Starters
Even when data is being handled by well-regarded service providers, poor planning or a lack of user awareness can lead to serious breaches from seemingly secure systems.
May 01, 2018 at 08:00 AM
If your law firm is thinking about adopting cloud-based workflows, one of the first questions you are probably asking is, “How will I get my documents into the cloud quickly and securely?” That's a good start, and we've worked with many Am Law 100 firms and managed service providers in the legal industry to help make sure that even huge amounts of document and video data get where they need to go quickly and securely.
But in doing so we have seen another key question that is often overlooked: “Where is my data?” This question does not just apply to cloud workflows. Even if your firm is not officially using any cloud services, the odds are very good that sensitive client documents are in cloud storage right now. Figuring out where your data is, and how to keep it from going places it shouldn't, is critical to maintaining client security and confidence regardless of your cloud plans.
The legal industry, in particular, tends to involve a lot of ad-hoc data movement and personal devices. Documents frequently move between attorneys, assistants, clients, and all their various devices with little or no formal control over methods or services. This can lead to unintentional data leaks which can be difficult to predict and impossible to track. Even when data is being handled by well-regarded service providers, poor planning or a lack of user awareness can lead to serious breaches from seemingly secure systems.
Here are a few areas where data leaks can hide:
Email: Email is the most popular way to exchange legal documents, especially between attorneys and clients. Obviously, there are concerns about the security of the email servers and systems themselves. Every time an email passes through a server or device, a copy is left behind at least temporarily. But a much more common source of email leaks is user error. One wrong keystroke can instantly turn a sensitive document into a public document. Worse, email tends to be persistent and accessed from multiple devices, meaning that a leak can easily occur months or years after a document was last handled.
Automated Backups: Everyone knows they should frequently back up every computing device they own. Many of these backups occur automatically, sometimes within minutes of new data appearing on a device. Most find their way into cloud computing systems. If, for example, an attorney views a document on their desktop, phone, and laptop, then not only are there copies on those devices, but also copies on all of those devices' backup systems. Backups from personal devices may place sensitive data on insecure or poorly regulated systems.
Legacy Backups: Once a document has been backed up, it may be nearly impossible to delete it. Depending on the service or media, snapshots of a system may persist for years. Cloud systems have their own internal backups and redundancies, creating further copies. Deleting a file may remove the most immediate version from some backups, but earlier versions may persist without a concerted effort to purge them. Even then, the best backups are kept offline where they may persist indefinitely. Once a document moves into a consumer cloud service like Google Docs or iCloud, you can never really be sure you've deleted it.
Geographic Redundancy: Whether as a backup or part of an information service, once a document leaves your device it could be going anywhere in the world. This can create jurisdictional problems, since the data may end up being stored in regions that are subject to governmental intrusion or simply lax controls. As a direct customer of a cloud service vendor, you are likely to have disclosure of, and control over, where the data you explicitly store is located. But data that leaks into other systems may propagate around the world, making it impossible for you to certify which jurisdictions actually have access to any given document.
Hardware Disposal or Theft: A stolen laptop is an obvious problem, but what happens when a service provider simply upgrades their equipment? Are those hard drives securely wiped, or do they end up in a used-equipment sale on eBay with your sensitive documents included? Here again, the good practices and intentions of reputable providers may be defeated by unintentional leaks through personal devices and media. For example, whatever happened to that USB thumb drive that your assistant used to carry scanned documents between the office copier and your desktop?
Each time a document is stored somewhere, even briefly, it may be subject to all these forms of replication. For example, a temporary copy of an email copy might be backed up to a sub-contracted cloud provider and then replicated to a foreign jurisdiction where a decommissioned hard drive could be resold to anyone in the world. None of those steps should happen, even in a well-controlled environment, but there is nothing to prevent any or all of them from happening.
If you are getting the idea that you might as well assume any data that leaves your physical control could end up anywhere in the world, you are absolutely correct. Awareness of these problems, strong user education, and clear policies for document handling can help. But information systems exist to make communicating data easy, and that means policies alone can't keep your documents under control.
Fortunately, there is one way to keep sensitive data safe: encryption. Storage encryption is often overlooked or poorly considered. It is not like transport encryption, which is mostly just on or off thanks to standards like TLS and IPsec. Encryption of documents at rest requires careful key management and a solid document tracking and management system. Combined with knowledge of the leak vectors above, such a system can ensure that even if data leaks, it remains secure: the data itself is worthless without the keys, which are much simpler to control than the documents themselves.
Most cloud vendors offer a variety of encryption options, but keep in mind that if the vendor is managing your keys, then you are only protected against compromise of their physical storage media, not against compromise of the account credentials or applications. For comprehensive security, seek out document management systems capable of addressing the entire list of potential data leaks. For help getting your data quickly and securely into those systems, the cloud, or anywhere else, seek out data transport acceleration software that is capable of working within document management workflows.
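To make the two paragraphs above concrete, here is an added example (not from the original article or any product it mentions) in Go, using only the standard library: each document is encrypted under its own key before it leaves the firm, so replicas can spread through email, backups and foreign data centers while the key stays in one place, and destroying that key makes every replica unreadable. The KeyStore type, the document ID and the sample text are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore (hypothetical) maps a document ID to the AES-256-GCM cipher keyed
// for it, standing in for a key service that only the firm controls.
type KeyStore map[string]cipher.AEAD

// Seal encrypts doc under a fresh per-document key and returns nonce || ciphertext.
func (ks KeyStore) Seal(id string, doc []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ks[id] = g // the key never travels with the blob
	// The ID is authenticated too, so a blob cannot be relabeled as another document.
	return g.Seal(buf[32:], buf[32:], doc, []byte(id)), nil
}

// Open decrypts any replica of a sealed blob, but only while its key exists.
func (ks KeyStore) Open(id string, blob []byte) ([]byte, error) {
	g, ok := ks[id]
	if !ok || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("%s: key destroyed or blob truncated", id)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(id))
}

func main() {
	ks, id := KeyStore{}, "matter-001/brief.pdf" // constructed sample document
	replica, _ := ks.Seal(id, []byte("privileged draft")) // this blob is what leaks
	pt, _ := ks.Open(id, replica)
	delete(ks, id) // destroy the one key instead of chasing every copy
	_, err := ks.Open(id, replica)
	fmt.Printf("with key: %q\nkey destroyed: %v\n", pt, err)
}
```

If the cloud vendor held this key store instead, anyone with the account credentials could call Open, which is the limitation of vendor-managed keys noted above.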
Seth Noble, PhD, is Founder and President of Data Expedition, Inc. and the creator of the patented Multipurpose Transaction Protocol (MTP) technology. He has a dual BS-MS degree from Caltech, and a doctorate in computer science from the University of Oklahoma for work developing MTP.
© 2025 ALM Global, LLC, All Rights Reserved.