Posted on: January 27, 2015 in Blog
How to Ensure Data Security with a Third-Party Cloud Storage Provider
To ensure the confidentiality of sensitive data is maintained, follow these recommended steps from data experts and the NYSBA Committee on Professional Ethics.
In August 2014 the NYSBA Committee on Professional Ethics issued Ethics Opinion 1019, which relates to confidentiality and remote access to a firm’s electronic files.
The question posed to the committee was: “… (m)ay a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?”
The conclusion was “a law firm may use a system that allows its lawyers to access the firm's document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained.”
“Takes reasonable steps” sounds a bit subjective, so surely some clear lines must have been drawn by the committee to ensure attorneys follow the proper path. Think again. The committee stated that due to the fast-moving and evolving nature of technology, it cannot offer or “recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients.”
This may sound like punting to most, but had the opinion not been written this way, the committee would have had to revisit this opinion daily to ensure its recommendations still held true in the ever-evolving world of technology.
However, additional guidance did exist, in the form of "ask the client if you are not sure."
“If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j).”
In the past, the committee has provided guidance on reasonableness related to technology and cloud storage, which certainly could be used to access a firm’s electronic files. If they can provide such guidance in that area, which is clearly related, then why not in this situation?
Data Security Steps Recommended by the Committee
Below are some of the steps recommended by the committee to ensure “reasonable care” for sensitive client data stored at a third-party cloud storage provider:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
- Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.
The above four suggestions are not only great guidelines for vetting a cloud storage provider such as “Dropbox,” but for electronic discovery vendors as well.
Data Security Steps from an eDiscovery Expert
If your client’s sensitive data will be handled and hosted by a vendor, you have an ethical obligation to vet that provider thoroughly. In addition to the above guidelines, here are a few more.
- Visit the vendor’s data center and ask to see the servers where your client’s data will reside. Will your data be stored in a commercial data center, or is it owned and operated by the vendor? What physical security measures exist within the facility?
- If the vendor hosts the data offsite, it is still critical to visit the office where your client’s data will be handled and processed prior to hosting. Ask to see the security policies of the organization. Do they run background checks on employees who are handling your client’s data?
- Ask if the organization employs a certified security professional whose role is to ensure the company is adhering to, and employing, best practices for data security.
- Find out which application will be used to host the data and whether the vendor has conducted any penetration testing.
There are dozens of other examples of addressing the reasonableness of data security and measures that one should take to protect data. Again, just like in discovery, it comes down to that one magic word—reasonable.