It is now generally accepted that lawyers may use cloud-computing platforms without violating legal ethics rules. Even so, however, many states say that lawyers who use the cloud have a duty to make reasonable efforts to ensure that the cloud services are provided in a manner that is compatible with the professional obligations of the lawyer. First and foremost, that means ensuring that the security and confidentiality of client matters will be protected.
But how is a lawyer to know whether a cloud provider meets acceptable standards of security and adheres to best practices for handling client data?
Hoping to provide a sort-of industry seal of approval, the Legal Cloud Computing Association (LCCA), a consortium of companies that sell cloud-computing products to the legal profession, has published a draft set of standards designed to help legal vendors work together to implement best practices for cloud security.
The LCCA plans to solicit feedback on the draft security standards from bar associations, law
societies, legal professionals and others over the coming weeks, with the goal of publishing the final standards at ABA Techshow, which takes place March 16-19 in Chicago.
Companies that belong to LCCA will commit to using the standards within their own companies and in the cloud services they provide. LCCA hopes that this will serve as a signal to lawyers that these companies meet legal-industry standards.
“The legal profession has unique security and confidentiality requirements that differ from
many other businesses,” LCCA President Jack Newton, CEO of Clio, said in a statement. “The LCCA’s
security standards give the legal profession certainty as to the specific steps taken by their technology vendors in keeping their data private and, we hope, provide the basis for a common set of standards that bar associations and law societies will support.”
The draft guidelines incorporate industry best practices, data privacy guidance from North
American and European governments, and legal‐specific requirements recommended by bar
associations and courts. The guidelines address:
- Geographic data residency location and disclosure requirements.
- Encryption and data integrity best practices.
- Restricting access to cloud‐stored data by third parties.
- Data loss prevention measures.
- Terms of service and other contractual obligations.
Many of the guidelines would be considered standard data-security protocols for any industry. But the guidelines also cover issues uniquely important to lawyers, including requiring providers to:
- Preserve users’ confidentiality and security of user data.
- Explicitly recognize the user’s ownership of the data.
- Notify users of demands for their information by third parties as soon as possible.
- Notify users of a data breach.
- Ensure that when data is deleted from the cloud provider’s environment, it is no longer available to anyone.
- Enable users to retrieve data in a usable non-proprietary format, and restore data inadvertently deleted within a reasonable period of time.