The “cloud” has been the topic of many conversation threads on the Solo and Small Practice Section’s listserv. The Section will certainly include it in our consideration of topics for both the next annual CLE and for our quarterly brown bag seminars. A frequent question on the listserv has been, “How secure is the cloud and how much security should I give my client’s documents in the cloud (or the Internet)?”
A little introduction to start: “the cloud” is a term for storing your electronic data over the Internet on somebody’s servers (hard drives). You could create your own cloud simply by setting up a computer in a remote location, connecting to it through the Internet — perhaps with a virtual private network (VPN) — and storing your data there. Cloud computing is the use of computing resources that are delivered over a network (typically the Internet).
It’s All About Security
Your concern is primarily a matter of security. What kind of security do you have for the paper files in your office? Do you keep your office locked? Do you store your files in locking file cabinets? Do you store your files in file safes, or your file cabinets in a room that is hardened against break-ins? (I use to do classified document security when I was in the Army — before computers.) I ask the question because you should apply a similar standard in your concern about your electronic data. My point is that someone who wanted your documents can break into your office and into your file cabinets physically without much effort. Your goal should be to keep the walk-by eyes off your clients’ material; you cannot prevent a direct attack on your files at your level of security.
For electronic security, do you password-protect your computer and your in-office network? Do you encrypt your files? Do you lock up your computer, or at least your hard drive, at night, or when your office is unattended? Where do you keep that backup external drive? A password-protected computer will keep those wandering eyes out, but would not prevent someone who deliberately sought your information. Encrypting your files would be a greater barrier to a deliberate attempt to steal your data. Physical security of your electronic data would protect it even more.
How do you communicate with your clients? Do you worry that someone can tap your landline phone calls or eavesdrop on your cell phone calls? Do you send documents by regular mail or certified and registered mail, by FedEx or UPS? Do you email your clients? Do you encrypt your communications with your clients? Do you encrypt attachments that you send with your emails? A post office employee can open and read your mail more easily than an employee at a cloud storage company can open and read your electronic data.
All of these questions are to make you think about the level of security you apply to your other practices of storing and communicating data. There is no reason to apply a greater level of security to your electronic use of the cloud than what you apply to the data in your office, or in your communications with your clients. With a large data storage company like Dropbox or Microsoft’s Skydrive, your data is stored along with hundreds of thousands or millions of others’ data, in byte storage so large I don’t know the name for it. So the likelihood of those wandering eyes looking at your document among the millions of other documents is extremely small. In fact, as far as a deliberate effort to find your document among the others, it would be easier to find that proverbial needle in the haystack.
My concerns with using the cloud are more about protection against the loss of my electronic data than theft. Is the company I am trusting with my data reliable? What kind of downtime protection do they offer? Do they use multiple sites to protect against natural disasters? Are they going to still be in business next month or next year? Do I store the folders both on my office computer and in the cloud? These are the same questions you would ask if you use an Internet backup for your computer. Since I am not capable of fully understanding all the processes and terms that might be used to describe the security of a particular program or data storage system, I have to rely upon reading the literature and the reviews and ratings of others (who, I hope, know more than I do). I do not believe the average attorney can determine if the security statements provided by a cloud company give “enough” security to their clients’ data (let alone the truth of the statements), so I think the only reasonable thing you can do is to deal with a major company that is highly rated by a number of reviewers in industry publications. On the opposite side, you may be able to determine if there are reasons not to use a particular company — either by poor ratings and reviews, or by a rejection in the business world.
The Solo and Small Practice Section helps solo and small practice attorneys to ethically conduct a profitable, satisfying business by acting as a clearinghouse for qualified law practice management and technology information.