Who’s Afraid of the Big Bad Cloud?

Photo by Klearchos Kapoutis (Flickr/ Creative Commons)

No one doubts the benefits of cloud computing, but considering the unique ethical obligations of law practice, and the frightening cyber-security headlines, a firm might wonder whether a client’s information should be anywhere but locked up in a warehouse.

The state bar ethics committees that have taken up the issue of cloud computing have certainly been cautious. Although all 19 committees that have issued formal opinions on cloud computing have given the green light, they have done so with, in some cases, a laundry list of qualifications.

Nerino Petro, chief information officer at Holmstrom & Kennedy in Illinois, and a lecturer on data security for the American Bar Association, thinks that while there are legitimate risks, the legal community is, at times, unjustifiably afraid of the cloud.

“Attorneys have this innate fear of cloud,” Petro said, “but it isn’t justifiable anymore. Things have changed.”

The ethics opinion issued by the Pennsylvania State Bar, for example, includes no less than 33 factors for deciding whether an attorney’s use of the cloud meets ethical standards. The opinion suggests implementing basic security measures, like encrypting and backing up data, but also requires an attorney to negotiate favorable terms of service with a cloud provider.

Daniel Siegel, the principal author of the Pennsylvania opinion, acknowledged that firms don’t always have leverage to negotiate terms of use with cloud service provider, but rejected the notion that the ethical requirements were too onerous, or that requirements like these show an undue nervousness.

“While the cloud is in many ways safer than it used to be, you still need to take appropriate measures,” Siegel said. “Data encryption, strong passwords—these are reasonable requirements for storing client data in the cloud. Otherwise, you don’t have to use the cloud.”

Merri Baldwin, vice-chair of the California State Bar’s ethics committee, agreed with Siegel. “Attorney fears aren’t overblown,” Baldwin said. “There are some real concerns. We’re talking about protecting the confidentiality of a client’s information.”

But if you ask Petro, cloud security comes down to only two things: multi-factor authentication and retention of the encryption key that allows access to encrypted files.

Petro said that although it’s standard practice for a lot of cloud providers to keep the encryption key, there are likewise a number of services, like Spideroak and Sookasa, that can provide the user with such a key.

“Here’s the reality,” Petro said. “Who’s going do a better job of securing your data? A small firm, or somebody like Google or Dropbox who’s doing business with major companies? The reality is, from a security perspective, they’ll do a better job than most firms can afford to do.”

Of course, for firms that were already nervous about cyber-security, 2014 probably didn’t help. The year saw one of the biggest data security breaches in history, the private photos of multiple celebrities posted online, and an attack on a movie studio that sparked a diplomatic dispute.

“Look,” Petro said. “If I were Coca-Cola I wouldn’t put the recipe for Coke in the cloud. But if you have two-factor authentication, and you hold the encryption key, your data is safe.”