The importance of data privacy is becoming increasingly understood across several industries, and the data breaches that occur and grab headlines serve as an ongoing reminder of how critical it is to protect all data.
In the legal industry, there is no room for risk or vulnerabilities — the consequences are too great. Benjamin Franklin once said there were only two things certain in life: death and taxes. If you are a legal firm considering cloud storage technology, you can add two more certainties to your list: i) lots of sensitive case and client data being created; and ii) this data being stored in the cloud, eventually.
The legal profession sees data disclosure and privacy as a very important part of the discovery process, attorney-client privilege and protecting clients. There are many processes in place at law firms to protect such data and information, and this protection and privacy are critical to many aspects of a law firm, including the outcomes of litigation and relationships with clients. This historic value of data may explain why legal firms have shown hesitation to embrace cloud computing.
According to the 2016 Legal Technology Survey Report (available for purchase only) by the American Bar Association, 42% of firms planned to hold off on cloud usage this year. The hesitation identified in the survey may come from concerns with the law and regulations and also from concerns about data security and the risk of a breach or disclosure. However, with the tremendous cost savings and operational advantages that arise from cloud adoption, it is increasingly difficult for firms not to consider these benefits.
The good news is that law firms can rest assured that risk regarding compliance and regulatory issues and the risk of their data being breached or stolen could both be addressed with encryption and policies for data access.
When data is encrypted and controls are placed on how and where that data is accessed, many regulatory concerns can be resolved.
While it is true that laws and regulations regarding handling data may vary state to state and even vary country to country, many of the regulations place constraints on the location of the data or the protection required (or notification of a lack of protection in the case of breach disclosure laws). Firms pursuing cloud providers can require encryption and ask providers to disclose and limit where their data in the cloud is being stored geographically and be able to restrict its movement so that it remains within a particular country.
When data is encrypted and controls are placed on how and where that data is accessed, many regulatory concerns can be resolved. For example, when data is stored in the cloud, it is also possible to ensure that not only is it fully encrypted, but that access policies are in place to control which users can actually access the encryption keys that protect the data. This way, a policy can be enforced to ensure that the data that “Joe” has access to read, can only be read when “Joe” is in the United States. If “Joe” moves the virtual machine and its data out of the cloud data center in the United States and tries to access it in on servers in Germany, for example, the virtual machine and data are inaccessible to Joe because even though he is an authorized user, he is in an unauthorized location.
When data encryption is combined with geo-fencing or boundary-based policy enforcement, not only is data protected with encryption but its movements can also be controlled.
The availability of strong encryption, key management and access policy for data residing in cloud services makes it possible for law firms to embrace cloud services while at the same time pursuing advanced data security strategies. All of which would likely be a tremendous relief to clients who count on law firms protecting their sensitive data in the strongest, most efficient and cost-effective way possible.