Posted on: January 27, 2015in Blog
How to Ensure Data Security with a Third-Party Cloud Storage Provider
In August 2014 the NYSBA Committee on Professional Ethics issued Ethics Opinion 1019, which relates to confidentiality and remote access to a firm’s electronic files. The question posed to the committee was: “… (m)ay a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?”
The conclusion was “a law firm may use a system that allows its lawyers to access the firm's document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained.”
“Takes reasonable steps” sounds a bit subjective, so surely some clear lines must have been drawn by the committee to ensure attorneys follow the proper path. Think again. The committee stated that due to the fast-moving and evolving nature of technology, it cannot offer or “recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients.”
This may sound like punting to most, but had the opinion not been written this way, the committee would have had to revisit this opinion daily to ensure its recommendations still held true in the ever-evolving world of technology. However, additional guidance did exist in the form of go ask the client if you are not sure. “If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j).”
In the past, the committee has provided guidance on reasonableness related to technology and cloud storage, which certainly could be used to access a firm’s electronic files. If they can provide such guidance in that area, which is clearly related, then why not in this situation?
8 Tips to Secure Client Data Stored in the Cloud
Steps Recommended by the Committee
Below are some of the steps recommended by the committee to ensure “reasonable care” for sensitive client data stored at a third-party cloud storage provider:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
- Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.”
The above four suggestions are not only great guidelines for vetting a cloud storage provider such as “Dropbox,” but for electronic discovery vendors as well.
Data Security Steps from an eDiscovery Expert
If your client’s sensitive data will be handled and hosted by a vendor, you have an ethical obligation to vet that provider thoroughly. In addition to the above guidelines, here are a few more.
- Visit the vendor’s data center and ask to see the servers where your client’s data will reside. Will your data be stored in a commercial data center, or is it owned and operated by the vendor? What physical security measures exist within the facility?
- If the vendor hosts the data offsite it is still critical to visit the office where your client’s data will be handled and processed prior to hosting. Ask to see the security policies of the organization. Do they run background checks on employees who are handling your client’s data?
- Ask if the organization employs a certified security professional whose role is to ensure the company is adhering to, and employing, best practices for data security.
- Find out which application will be used to host the data and whether the vendor has conducted any penetration testing.
There are dozens of other examples of addressing the reasonableness of data security and measures that one should take to protect data. Again, just like in discovery, it comes down to that one magic word—reasonable.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted January 18, 2018
5 Expert Predictions for the eDiscovery Industry in 2018
Posted January 17, 2018
Get Your Passport to GDPR Success - LegalTech New York 2018
Posted January 11, 2018
Is Your Organization Vulnerable to a Cyber Attack? 3 Steps to Put Your Mind at Ease
Posted January 04, 2018
How the EU and China Plan to Deal with Multinational Data
Posted December 28, 2017
How to Navigate International Data Privacy Laws for eDiscovery
Posted December 21, 2017
Cross-Border eDiscovery: An Introduction to Cultural and Legal Obstacles
Posted December 14, 2017
Webinar Q&A Featuring Panelists from Special Counsel and Brainspace
Posted November 30, 2017
Help Your Employees Find the Information They Need with Machine Learning
Posted November 22, 2017
How to Use Managed and Prioritized Workflows to Reduce the Cost of Review [On-Demand Webinar]
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review