The word “Cloud” can be a divisive word at law firms. Recently uttering the term during technology meetings with East Coast-based law firms with between 50 and 3,000 attorneys elicited starkly differing responses based on firm size and practice dominance.
Most of the midsized firms with whom I have met over the last year were favorable toward its use in most cases. One CIO declared it was firm negligence not to use the Cloud for data. He cited the inability for most firms to retain the expertise necessary to safeguard data inside the firm. Typically, larger law firms with clients in the financial industry explicitly forbid embracing such services outside of their network. Indeed, these clients underline this conservative firm posture by pushing for responses to 300-part questionnaires about how the law firm handles their data and outlining privacy and security practices related to the Cloud.
Despite this push from the financial industry, I would argue that we are in an interstitial period of Cloud adoption at law firms. In the not too distant future, I believe that many of the firms today which avoid or disallow its use will accept it. Law firms are risk-adverse institutions. While Cloud technology may appear laden with hazard, it might actually be the opposite. Initially when the Cloud — a rebranded name for a decades old concept — returned, early adopters encountered data breaches.
Years of security issues were thrust into the headlines, and those goaded reputable Cloud providers toward major investment around protecting their services. Now with far tighter rein of control, Cloud providers are much better positioned to court law firms of all sizes. Unless a firm has a solid technology budget and the ability to retain top-notch security experts, an argument could be made that housing data in a secure cloud would be more prudent than inside an internal firm network.
A recent New York Law Journal article by Ted Sabley on “Does Adoption of Cloud Computing Shift Cyber Liability Risk?” will give some readers pause for thought on greater adoption. Sabley mentions each of the largest Cloud providers have baked in new and surprising contract terms. They’ve shifted the liability in the End User License Agreements (EULA) to the customer. That is, if there is a breach of customer data hosted on the Cloud, the user bears the responsibility. This seems to be the case with Amazon Web Services (AWS), Google, Microsoft and Apple Cloud platforms.
Whether or not a customer shoulders the responsibility of a breach, the common practice for everyone dealing with Cloud providers should be the following:
- Understand the Cloud contract. Who is responsible when a breach happens? What happens to the data if the Cloud provider company goes under or is acquired?
- Realize which type of firm data is being placed into the Cloud. Is it loaded with Personally Identifiable Information (PII)? Is your client aware of where the data is being stored?
- Purchase Cybersecurity Insurance. Years ago this was a fairly nebulous insurance process, however, now it seems to be much more defined. Seek out expertise with all of the various components and nuances in this arena.
Currently firms of all sizes find themselves in two camps when it comes to the Cloud. Midsized firms have generally flown into the Cloud, while big firms hover between land and air, in a bit of a fog-like state. With increasing pressures of expense and the challenges of retaining network and cybersecurity expertise, the future for law firms is undoubtedly in the clouds.