by Jonathan Baker
The issue of this article is this: What can a law office do to reduce the risks of improper access to its clients’ confidential information when that information is stored via cloud computing?
But first, what is cloud computing? Cloud computing is best described as connecting your home to the electricity of a power plant instead of using one’s own candles.1 Put another way, cloud computing is analogous to connecting a home to a city water supply when previously that home drew its water from a private, individual well.2 In cloud storage, a user receives a product by a common grid to which all the other users in the city (cloud) might have access.3 However, in cloud computing, a neighbor can effectively travel through the pipes and arrive in your kitchen. Such a person could be anyone with access to the Internet, from a person in a nearby coffee shop to an overseas criminal organization.
Technically speaking, cloud storage is the keeping of one’s information on another entity’s server. Of course, that server is located in a different physical location. In addition, such a system is designated a “cloud” because it consists of a lump of every customer’s information, whoever those customers may be. Yet there are no technical barriers separating the information of the various customers.4 Information can be placed on a particular cloud server from any computer with Internet access; the user does not need a computer equipped with a hard drive. Thus, when a lawyer wishes to access the information previously stored via cloud computing, he or she merely goes to the website of the cloud service provider with the proper username and password.
Similarly, cloud computing allows firms to equip their office computers with the bare minimum software because the server and database of the cloud service provider does the heavy lifting elsewhere. For example, Gmail, Google Docs, and Yahoo!Mail are some common examples of cloud computing. No hard drives are needed to access these applications.
The benefits of having another person bear the energy and space costs of digital storage are stupendous. Cloud technology allows many persons to work on the same document, saving their changes to a master copy, which is stored via cloud computing. This avoids the hassle of multiple copies being exchanged during the revision stage.
What are the risks of cloud computing? Simply put, they stem from breaches in a client’s confidential information entrusted to the attorney. Of course, the purest risk is that an unknown party may gain access to a lawyer’s digital information while that information is stored on a third party’s cloud servers, whoever or wherever that infiltrator may be. Such unauthorized access could be granted either by the negligent or intentional act of a cloud service provider’s employee. “Even if a user . . . knows that data is stored in the cloud, it might not be clear exactly where the data is stored.”5 This statement by Professor Felton of Princeton University expresses the first risk that a lawyer may face when using cloud computing: There is little traceability of the location at which one’s documents are stored. Specifically, cloud computing generates many backups of any document stored on the cloud system. This can be a blessing and a curse as we shall see. Therefore, one document might be stored in 16 different locations, some of which may be politically unstable nations.6 The international nature of security breaches is indeed real. Even a U.S. congressman recently noted that foreign governments such as China at times have breached the digital security of the House of Representatives.7
A further risk is that the license agreement may allow the cloud service provider to share a specific document with anyone who collaborated with your office to produce it.
In that case, why ever store information by cloud computing? Cost savings is the answer. The federal government projected that employing cloud computing could save 2 to 99 percent of its computing costs in 2010.8 Likewise, David Barratt, a digital media graduate from the University of Central Florida and head of the web development team at Relevant Media Group in Orlando states: “Cloud storage services are usually more reliable than . . . a server in your office[.] . . . Most offices do not keep off-site backups. This can lead to huge problems if an office hard drive fails. . . . Most cloud services keep off-site backups.”9
To attempt to answer our issue, the following ideas suggest technical and practical ways for a law office to reduce the chances that an intruder may access confidential cloud data. Some of these suggestions are novel, while some are merely extensions of current procedures.
First, firms should leverage market reputation. In other words, they should perform research on the various cloud computing service providers and choose the one with the best record of security. Cloud service providers are like law firms; they need good reputations to stay in business. Since a cloud service provider likely does not owe many contractual duties to a customer, one way to make providers change their standards might be to purchase their competitor’s product. A more unified approach to this suggestion would be for The Florida Bar to provide a list of the most proven and secure cloud service providers as confirmed by the law firms who use them. Even Barratt agrees when he says, “A secure cloud is possible if a company is willing to have the title of being the most secure. It is a free market economy that keeps our data private.”10 On top of this, a ranking officer of Salesforce.com stated before the U.S. House of Representatives that his organization hosts a website that daily expresses its cloud system’s performance along with the trust its users have grown to feel.11 Any positive business characteristics like these will likely motivate cloud service providers to create new security measures.
Yet, the market is never perfect. If an office learns its confidential data was breached, the firm should lock its computers so that they cannot be further used to store data on the cloud servers.12 After confirming that security is regained, the firm can reauthorize its computers to store data in the cloud.13 During this lockdown, office workers can use hard drives or flash drives for storage.14 This suggestion is feasible because cloud service providers record the time at which a document is accessed from the cloud server. In parallel to the free market concept, cloud service providers are likely to tell the consumer when its document is infiltrated because keeping a watchful eye on a customer’s data is likely a coveted market characteristic. Incidentally, this lockdown procedure is based on a template of the U.S. government’s system of digital security, which is known as the Federal Risk and Authorization Management Program (FedRAMP).15
Another such FedRAMP procedure consists of password protection.16 FedRAMP recommends a specific document be password-protected and made known to only certain employees based on their positions within the office.17 In our case, this may include roles such as partner or primary case worker. In addition, all the data stored on the cloud should be encrypted as a security measure.18 According to Barratt, even the connection between the firm’s computers and the cloud service should be encrypted; this should be done with a 128-bit secure socket layer.19
An extended feature of password protection includes password difficulty. An employee who has access to cloud computing, like any other sensitive matter, should have a rock-solid password.20 It is recommended that passwords be changed monthly and that they include numbers, symbols, and capital and lower case letters.21
The more complexity, the better the security. Recently, the U.S. chief information officer suggested by its endorsement of FedRAMP that an employee be required to input specific characteristics of the machine that he or she uses in order to access a document.22 For example, these input requirements could include the machine’s name, owner, serial number, manufacturer, geographic location, software license, network address, or model.23
Obviously, the more often cloud activities are monitored, the more secure they are. Barratt suggested based on the current practice of some banks, namely whenever a user from an outside location attempts to access the office’s cloud account, the owner of the account is sent a text message.24 Then the owner must respond with a text message containing a code or password in order for the requesting user to even access the cloud account. In this way, a person in Venezuela cannot access confidential documents without confirmation from home base in Florida.25
On the bright side, redundancy may be a firm’s friend. Sometimes in an office, security clearances can overlap. For example, Department A creates a spreadsheet and imposes one form of general security in order to view the document while Department B of the same office later inserts a specific authorization requirement in order to view a certain cell of that document. Whereas usually the more security procedures an office employs, the less efficient it becomes, when authorization requests are compounded in the same document, cloud computing security can increase. For this reason, the U.S. Office of Citizen Services and Innovative Technology considers prior authorizations imposed into a document to be positive leverage for cloud security.26 In this way, security can be increased when many departments contribute to the same document, each imposing its own form of authorization for the section that it contributed.
Beyond the technicalities, the practical suggestion is this: An office should train its staff to securely navigate within the cloud. Once an office has formed a cloud-savvy staff, regular audits are a wise way to ensure the office’s internal compliance.27 Likewise, office security would be more efficient if a cloud computing specialist were appointed within the firm’s department of office management, given that the office possesses this level of sophistication. For instance, a cloud computing specialist could recognize the potential security issues posed by the habits of employees. A specialist on staff could also be the innovator on behalf of the office who saves the partners the time of having to read articles such as these.
On top of this, all members of an office must act in unison regarding the policy on cloud security. In assessing cloud computing risks, the U.S. General Services Administration stresses that an office should act as a unit when handling issues of cloud security.28 Of course, teamwork itself is not novel. Yet, because an office is one body made of several parts, it is advisable to express to employees the expectation that they communicate together by encouraging each other to avoid the risks. The good news is that many new employees may also be young and technologically astute and, therefore, already attentive to the risks of cloud computing. If so, the costs of implementing a policy through a specific cloud computing division will likely be absorbed more quickly.
The point of these practical suggestions — appointing a specialist, auditing, and actively encouraging teamwork — is simply to say that the risks of cloud computing are best vaccinated when they are met deliberately. Consider it as valuable as the proper accounting of taxes, trust accounts, and other risk management in the practice of law.
In conclusion, your office may find that cloud computing presents benefits that are too large to forego simply because of the risks. Thus, the risks can and should be addressed by a law firm via an information technology expert. That person would do well to employ a progressive strategy that includes some of the suggestions mentioned here, both technical and practical. The progressive nature of technology, as well as the economic impulse of persons who would breach the security of cloud computing, compels a proactive approach. Surely a sophisticated wrongdoer does not have his head in the clouds, and neither should a contemporary law office.
1 Cloud Computing: Benefits and Risks of Moving Federal IT Into the Cloud: Hearing Before the Subcomm. on Government Management, Organization, and Procurement of the H. Comm. on Oversight and Government Reform, 111th Cong. 11 (2010) (statement of Vivek Kundra, Fed. Chief Information Officer for E-Government and Information Technology, Office of Management and Budget).
4 Telephone interview with David Barratt, head of web development team, Relevant Media Group (May 29, 2011).
5 ECPA Reform and the Revolution in Cloud Computing: Hearing Before the Subcomm. on the Constitution, Civil Rights, and Civil Liberties of the H. Comm. on the Judiciary, 111th Cong. 15 (2010) (statement of Edward W. Felten, professor of computer science and public affairs, Princeton University).
6 Jonathan Strickland, How Cloud Computing Works, http://computer.howstuffworks.com/cloud-computing.htm (play audio file “The Dark Side of Cloud Computing”).
7 Cloud Computing: Benefits and Risks of Moving Federal IT Into the Cloud: Hearing Before the Subcomm. on Government Management, Organization, and Procurement of the H. Comm. on Oversight and Government Reform, 111th Cong. 6 (2010) (statement of Rep. Darrell Issa, member, H. Comm. on Oversight and Government Reform).
8 Cloud Computing: Benefits and Risks of Moving Federal IT Into the Cloud: Hearing Before the Subcomm. on Government Management, Organization, and Procurement of the H. Comm. on Oversight and Government Reform, 111th Cong. 5 (2010) (statement of Rep. Edolphus Towns, chair, H. Comm. on Oversight and Government Reform).
9 Email from David Barratt, head of web development team, Relevant Media Group to author (May 18, 2011) (on file with author).
11 ECPA Reform and the Revolution in Cloud Computing: Hearing Before the Subcomm. on the Constitution, Civil Rights, and Civil Liberties of the H. Comm. on the Judiciary, 111th Cong. 39 (statement of David Schellhase, executive vice president and general counsel, Salesforce.com).
12 FedRAMP: Control Tailoring Workbook, 1-4 (Oct. 18, 2010) (FedRAMP_Control_Tailoring_Workbook_Template.pdf available within https://info.apps.gov/sites/default/files/FedRAMP-Templates.zip).
15 CIO.GOV — Federal Risk and Authorization Management Program (FedRamp): Introduction, http://www.cio.gov/pages-nonnews.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP.
16 FedRAMP: Control Tailoring Workbook, 4 (Oct. 18, 2010) (FedRAMP_Control_Tailoring_Workbook_Template.pdf available within https://info.apps.gov/sites/default/files/FedRAMP-Templates.zip).
18 See email from David Barratt to author, note 9.
22 FedRAMP: Control Tailoring Workbook, 10 (Oct. 18, 2010) (FedRAMP_Control_Tailoring_Workbook_Template.pdf available within https://info.apps.gov/sites/default/files/FedRAMP-Templates.zip).
24 See email from David Barratt to author, note 9.
25 See telephone interview with David Barratt, note 4.
26 Cloud Computing: Benefits and Risks of Moving Federal IT Into the Cloud: Hearing Before the Subcomm. on Government Management, Organization, and Procurement of the H. Comm. on Oversight and Government Reform, 111th Cong. 32 (2010) (statement of David McClure, associate administrator, Office of Citizen Services and Innovative Technologies, U.S. General Services Administration).
27 FedRAMP: Control Tailoring Workbook, 10 (Oct. 18, 2010) (FedRAMP_Control_Tailoring_Workbook_Template.pdf available within https://info.apps.gov/sites/default/files/FedRAMP-Templates.zip).
28 Cloud Computing: Benefits and Risks of Moving Federal IT Into the Cloud: Hearing Before the Subcomm. on Government Management, Organization, and Procurement of the H. Comm. on Oversight and Government Reform, 111th Cong. 24 (2010) (statement of David McClure, associate administrator, Office of Citizen Services and Innovative Technologies, U.S. General Services Administration).
Jonathan Baker is a third-year law student at the Florida State University College of Law. He is the winner of the 2011 essay writing contest for Florida law students sponsored by Florida Lawyers Mutual Insurance Company and the Young Lawyers Division of The Florida Bar. The contest topic was “best practices for a law office in the age of cloud computing.”
This article was originally printed in the Florida Lawyers Mutual Insurance Company’s newletter, Advisor, and is reprinted with permission.
This column is submitted on behalf of the Young Lawyers Division, Sean Timothy Desmond, president. William E. Loucks, president of FLMIC, Judge Bob LeBlanc, and Renee E. Thompson were judges of the contest.