Technology

Cybersecurity And Best Practices For Lawyers

With cloud computing, solo and small-firm attorneys are able to increase efficiencies in their practices and compete with large firms in ways never before seen.

By Nicole Black on November 03, 2016 6:03 pm

privacy online privacy cyber privacy keyboard in chainsAs lawyers increasingly use cloud computing software in their practices, understanding best practices for cybersecurity is a must. Cloud-based legal software offers a host of benefits, whether it’s 24/7 access to law firm data, convenient data backup, mobility, or secure client communication. But with those benefits come risks that must be understood and evaluated. For many lawyers, the process of evaluating cybersecurity issues can seem daunting.

But it doesn’t need to be. As we discussed last week during the panel I moderated at Above the Law’s Academy for Private Practice, an annual conference for solo, small-firm, and boutique-firm lawyers, education, best practices, and common sense are all that’s required to keep law firm data safe in the digital age.

Panelists Jeff Bennion and Denver Edwards offered a host of tips and advice for lawyers to help them navigate cybersecurity and maintain confidentiality. They covered the basics, including the importance of firewalls, two-factor authentication, and the use of secure and varied passwords across all devices.

For example, one suggestion was to use password managers such as 1Password or LastPass (just yesterday it was announced that use of Lastpass across all devices is now free). Another tip offered was to use a tool such as Kroll’s Identity Monitoring Service to protect the online identity of both you and members of your law firm.

Moving on to ensuring the security of a firm’s data in the cloud, members of the panel emphasized that there’s no such thing as absolute security with client data. Paper documents are susceptible to destruction as are servers based in law firms, something that many larger law firms in New York City were rudely reminded of following Hurricane Sandy. And, importantly, lawyers have always outsourced confidential data to third parties. Using cloud computing to store client data is similar in many ways, since regardless of who is handling your firm’s data, you have an ethical obligation to thoroughly vet that third party.

Of course, as the panelists discussed, with cloud-computing providers, the questions that you ask the provider are different than what you might ask of other third-party providers. And, since some cloud-computing providers offer a slew of third-party integrations, you have to likewise vet each and every company that integrates with your primary cloud-computing software platform. In fact, some ethics opinions even suggest you have a continuing duty to re-visit each provider who hosts your client’s data on a regular basis to verify their responses to your questions.

That’s why many firm choose to limit the number of integrations with their primary cloud-computing platform. That way, the number of third parties that have access to your law firm’s data is reduced and it’s easier to maintain your ethical obligation to ensure that confidential client data remains secure.

Next, the panelists turned to the issues lawyers need to consider when choosing a cloud-computing service for their law firm. What follows is a list that includes of many of the questions that the panelists suggested should be asked of each and every cloud-computer provider that will have access to your law firm’s data.

The questions center around determining where your firm’s data will be stored, what security procedures are in place, how often the data is backed up, and who will have access to it.

  • How long has the company been around? Is it well-funded or has it been acquired by an established company?
  • What type of facility will host your law firm’s data?
  • Who else has access to the cloud facility, the servers, and the data? What mechanisms are in place to ensure that only authorized personnel will be able to access your data?
  • How does the vendor screen its employees? If the vendor doesn’t own the data center, how does the data center screen its employees?
  • Is the data accessible by the vendor’s employees limited to only those situations where you request assistance?
  • If there are integrations with the company’s product, how does the company screen the security processes of the other vendors and of the product that integrates with the software?
  • If there is a problem with a product that integrates with the vendor’s software, which company will be responsible for addressing the issue?
  • Does the contract with the vendor address confidentiality?
  • How often are backups performed? Is data backed up to more than one server?
  • Where are the servers located? Will all of your firm’s data always stay within the boundaries of the United States?
  • What type of security is used at the data centers where the servers are located?
  • What types of encryption methods are used? Is your data encrypted while in transit and while at rest?
  • Are there redundant power supplies for the servers where your data is stored?
  • If a natural disaster strikes one geographic region, would all data be lost or are there geo-redundant backups?
  • If there is a data breach, will you be notified? How are costs for remedying the breach allocated?
  • Does the contract include a guarantee regarding uptime?
  • What remedies does the contract provide?
  • Does the agreement with the provider contain a forum selection clause or a mandatory arbitration clause?
  • What rights do you have upon termination of the contract?
  • How do you retrieve a copy of your law firm’s data and in what format will it be provided?
  • What rights do you have in the event of a billing or similar dispute with the vendor?

Finally, the panel closed with Denver concluding that, especially for solo and small-firm attorneys, cloud computing is the great leveler. It provides them with affordable access to powerful software that was previously only available to large law firms with in-house IT staff and sizable IT budgets. But with cloud computing, solo and small-firm attorneys are able to increase efficiencies in their practices and compete in ways never before seen, and for that reason alone, any perceived risks are outweighed by the numerous benefits.

Niki BlackNicole Black is a Rochester, New York attorney and the Legal Technology Evangelist at MyCase, web-based law practice management software. She’s been blogging since 2005, has written a weekly column for the Daily Record since 2007, is the author of Cloud Computing for Lawyers, co-authors Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York. She’s easily distracted by the potential of bright and shiny tech gadgets, along with good food and wine. You can follow her on Twitter at@nikiblack and she can be reached at [email protected].