Posted on: January 27, 2015in Blog
How to Ensure Data Security with a Third-Party Cloud Storage Provider
In August 2014 the NYSBA Committee on Professional Ethics issued Ethics Opinion 1019, which relates to confidentiality and remote access to a firm’s electronic files. The question posed to the committee was: “… (m)ay a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?”
The conclusion was “a law firm may use a system that allows its lawyers to access the firm's document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained.”
“Takes reasonable steps” sounds a bit subjective, so surely some clear lines must have been drawn by the committee to ensure attorneys follow the proper path. Think again. The committee stated that due to the fast-moving and evolving nature of technology, it cannot offer or “recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients.”
This may sound like punting to most, but had the opinion not been written this way, the committee would have had to revisit this opinion daily to ensure its recommendations still held true in the ever-evolving world of technology. However, additional guidance did exist in the form of go ask the client if you are not sure. “If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j).”
In the past, the committee has provided guidance on reasonableness related to technology and cloud storage, which certainly could be used to access a firm’s electronic files. If they can provide such guidance in that area, which is clearly related, then why not in this situation?
8 Tips to Secure Client Data Stored in the Cloud
Steps Recommended by the Committee
Below are some of the steps recommended by the committee to ensure “reasonable care” for sensitive client data stored at a third-party cloud storage provider:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
- Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.”
The above four suggestions are not only great guidelines for vetting a cloud storage provider such as “Dropbox,” but for electronic discovery vendors as well.
Data Security Steps from an eDiscovery Expert
If your client’s sensitive data will be handled and hosted by a vendor, you have an ethical obligation to vet that provider thoroughly. In addition to the above guidelines, here are a few more.
- Visit the vendor’s data center and ask to see the servers where your client’s data will reside. Will your data be stored in a commercial data center, or is it owned and operated by the vendor? What physical security measures exist within the facility?
- If the vendor hosts the data offsite it is still critical to visit the office where your client’s data will be handled and processed prior to hosting. Ask to see the security policies of the organization. Do they run background checks on employees who are handling your client’s data?
- Ask if the organization employs a certified security professional whose role is to ensure the company is adhering to, and employing, best practices for data security.
- Find out which application will be used to host the data and whether the vendor has conducted any penetration testing.
There are dozens of other examples of addressing the reasonableness of data security and measures that one should take to protect data. Again, just like in discovery, it comes down to that one magic word—reasonable.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review
Posted November 10, 2017
What You Need to Know About Managed Review and the eDiscovery Process
Posted November 02, 2017
7 Steps to Help You Defensibly Migrate eDiscovery Data
Posted October 27, 2017
CLE Webinar with Lewis Brisbois: How to Do Social Media Collection and Presentation Right
Posted October 26, 2017
Despite Clawback, Defendant’s Reckless Abandon of Rule 502 Bites Back
Posted October 20, 2017
How to Use the eDiscovery PST Export Tool in Office 365 E3
Posted October 12, 2017
Recent eDiscovery Cases for Mobile Phones and Social Media
Posted October 05, 2017
Raising Objections to the Format of ESI Productions: Do it Early and Do it Clearly
Posted September 27, 2017
5 Reasons eDiscovery Alternative Fee Models Make Sense for You
Posted September 22, 2017
Why it's Crucial to Have a Corporate Mobile Device Policy