Posted on: January 27, 2015in Blog
How to Ensure Data Security with a Third-Party Cloud Storage Provider
In August 2014 the NYSBA Committee on Professional Ethics issued Ethics Opinion 1019, which relates to confidentiality and remote access to a firm’s electronic files. The question posed to the committee was: “… (m)ay a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?”
The conclusion was “a law firm may use a system that allows its lawyers to access the firm's document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained.”
“Takes reasonable steps” sounds a bit subjective, so surely some clear lines must have been drawn by the committee to ensure attorneys follow the proper path. Think again. The committee stated that due to the fast-moving and evolving nature of technology, it cannot offer or “recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients.”
This may sound like punting to most, but had the opinion not been written this way, the committee would have had to revisit this opinion daily to ensure its recommendations still held true in the ever-evolving world of technology. However, additional guidance did exist in the form of go ask the client if you are not sure. “If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j).”
In the past, the committee has provided guidance on reasonableness related to technology and cloud storage, which certainly could be used to access a firm’s electronic files. If they can provide such guidance in that area, which is clearly related, then why not in this situation?
8 Tips to Secure Client Data Stored in the Cloud
Steps Recommended by the Committee
Below are some of the steps recommended by the committee to ensure “reasonable care” for sensitive client data stored at a third-party cloud storage provider:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
- Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.”
The above four suggestions are not only great guidelines for vetting a cloud storage provider such as “Dropbox,” but for electronic discovery vendors as well.
Data Security Steps from an eDiscovery Expert
If your client’s sensitive data will be handled and hosted by a vendor, you have an ethical obligation to vet that provider thoroughly. In addition to the above guidelines, here are a few more.
- Visit the vendor’s data center and ask to see the servers where your client’s data will reside. Will your data be stored in a commercial data center, or is it owned and operated by the vendor? What physical security measures exist within the facility?
- If the vendor hosts the data offsite it is still critical to visit the office where your client’s data will be handled and processed prior to hosting. Ask to see the security policies of the organization. Do they run background checks on employees who are handling your client’s data?
- Ask if the organization employs a certified security professional whose role is to ensure the company is adhering to, and employing, best practices for data security.
- Find out which application will be used to host the data and whether the vendor has conducted any penetration testing.
There are dozens of other examples of addressing the reasonableness of data security and measures that one should take to protect data. Again, just like in discovery, it comes down to that one magic word—reasonable.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted September 22, 2017
Why it's Crucial to Have a Corporate Mobile Device Policy
Posted September 13, 2017
Taking a Team Approach to eDiscovery Projects
Posted September 06, 2017
3 Document Review Tips from eDiscovery Project Management Experts
Posted August 31, 2017
China’s VPN Crackdown Weighs on Foreign Companies There
Posted August 30, 2017
A Simple Approach to Managing Healthcare Data and eDiscovery
Posted August 23, 2017
Why New Healthcare Technology Needs to Keep eDiscovery in Mind
Posted August 17, 2017
Healthcare and eDiscovery: Top Challenges for Providers, Counsel, and Litigation Support
Posted August 10, 2017
Webinar Q&A Featuring Panelists from Office 365 and X1
Posted August 02, 2017
PREX17 | 6th Annual Conference on Preservation Excellence
Posted August 02, 2017
ILTACON 2017 | D4 Booth #238 and Executive Roundtables