Six Reasons Lawyers Should Store Data In The Cloud

Lawyers are traditionally slow to adapt to new technology.  Right now one of the biggest innovations in technology is the mass use of cloud storage.  In layman’s terms, cloud storage is a giant online data warehouse[1] or a virtual hard drive.  Data that is stored in the cloud is not in a physical location under the control of the user.  The users program interacts with the data warehouse to access the information. 

Cloud storage can be difficult to grasp for some people because it is not a tangible object that can be held.  People are often worried that they won’t be able to find what they need or their information will disappear.  Below are six advantages to using the cloud for data storage.   

(1)       Convenience

Data that is stored in the cloud is accessible anywhere with internet access.  This may be at the user’s home, office, a coffee shop, the airport, or countless other places.  A user does not have to carry around a device (or devices) to access information.  The internet, and thus the information stored in the cloud, is available anywhere with WiFi or cellular service. 

A user with information stored in the cloud will have access to literally all of the information they have stored, regardless of size.  One of the main benefits of the cloud storage is that it’s scalable.  The amount of cloud storage available is unlimited and can be increased to accommodate the changing needs of a company as it grows.  A person with hard copies of information is limited to the amount of paper they can carry.  A user with information stored on a device is limited to the size of the storage on the device.  For example, a user with a flash drive is limited to the capacity of the flash drive, which may be the equivalent of a dozen boxes of information.  One drawback to using a device such as a USB stick is that the user needs to decide before traveling what information they will need and move a copy to the USB stick.  If some data is forgotten or something unexpected is needed, once the user is traveling, that information is inaccessble.  A user with information stored in the cloud does not have to deal with these limitations. 

(2)       Cost

Users pay only for the amount of storage space they need.  The capacity grows only as the user's storage needs grow.  This is a major advantage for a small law firm.  With local (non-cloud) storage, a user must buy large capacity storage devices up front even if they don’t need all the space.  With cloud storage, the user only pays for what they use, and it grows and shrinks according to their changing needs. 

(3)       Safety

Data that is stored in the cloud cannot be lost by losing a device.  Any data that is stored on a device is lost when the device is lost.  A USB stick (a.k.a. “flash drive”) can be lost[2].  Laptops are stolen.  Often a user’s solution is to save multiple copies of the information on different devices.  For example, a user may save one copy on the laptop and another copy on a USB stick.  The problem is that this often causes confusion when copies are edited separately and different versions of the same work product have been saved.  This method also doubles the chance that a device with the information is lost.

Anyone keeping personal information on a USB stick, such as a lawyer working on a real estate transaction, must be aware that a lost USB drive or laptop is a data breach.  Files for real estate transactions contain personal information, the loss of which constitutes a data breach.  Most data breaches are the result of lost paper files or a lost device[3].  Many states have laws regarding the loss of confidential information.  In Massachusetts, for example, a data breach has occurred when the owner of the data has lost control of the data, not when it is used.  When a party has a data breach 201 C.M.R. 17.00 requires, among other things, notification to Office of Consumer Affairs and Business Regulation and the Attorney General’s Office. 

(4)       Transmitting information

A link to a secure, shared file is the most secure of the three common methods of sharing information.  The majority of information is sent typed into the body of an email, as an attachment in an email, or a link to a shared file.  Often, email exchanges are plain text, open and readable by anyone snooping on the network (e.g. public WiFi).  Cloud storage providers transmit file data in encrypted form, which is not easily intercepted and difficult to decrypt without the encryption key, which is not transmitted.  Dropbox, for example (https://www.dropbox.com/security), uses a multi-layered approach to security that involves passwords, data encryption, and file storage encryption within their own data center. 

To share information using a cloud storage provider, a storage location is set up in the cloud by a user.  The user determines who has access to the location and creates an access password.  In this sharing method, the data is never sent to the recipient.  The only information that is sent is the location of the data and the access password.  The weak link in this method is the password.  All normal password complexity rules apply[4].

Another common problem with sending information directly is the file size.  Many times large files take too long to transmit or end up in the "junk mail" folder of the recipient.  In these cases, often the recipient will never see the file.  This is not a problem when the information is stored in the cloud because the only information being sent is the location and access code to retrieve the information.

(5)       Ransomware

The principle of ransomware is that the cyber criminal locks up data and ransoms it back to the owner.  One way to negate the effect of ransomware, and eliminate the need to pay the ransom, is too have a multi-faceted back-up strategy and to store information to more than one location.  Ransomware affects your computer’s operating system.  The cloud is not part of your computer’s operating system.  Data that is stored in the cloud cannot be locked up by a ransomware attach against your operating system. 

A back up of all of your computers and mobile devices regularly to cloud-based backup services and/or external hard drives, with snapshots kept off site is an excellent way to avoid the possibility of ransomware crippling your business.  A user that has some local files (e.g. on their laptop hard drive) locked up by ransomware will be able to restore locked files from backups in the cloud without needing to pay a ransom.

(6)       You’re Probably Already Using Cloud Storage

At this point it is difficult to imagine that any practicing lawyer hasn’t been sent a link to files stored in the cloud.  You may not have set it up, but you have accessed information stored in the cloud.

[1] For a more technical definition see:  https://www.techopedia.com/definition/26535/cloud-storage “Cloud storage works through data center virtualization, providing end users and applications with a virtual storage architecture that is scalable according to application requirements.  In general, cloud storage operates through a web-based API that is remotely implemented through its interaction with the client application's in-house cloud storage infrastructure for input/output (I/O) and read/write (R/W) operations.

When delivered through a public service provider, cloud storage is known as utility storage. Private cloud storage provides the same scalability, flexibility and storage mechanism with restricted or non-public access.”

[2] See e.g.  http://www.cnn.com/2017/10/29/europe/heathrow-airport-security-usb-stick/index.html

[3] Approximately 65% of data breaches reported are the result of lost paper files and devices like laptop computers and USB sticks.  See e.g. http://www.crn.com/news/security/240164674/lost-flash-drive-at-core-of-kaiser-permanente-data-breach.htm

[4] e.g. don’t use 1234, qwert, the docket number, or file number as a password.  Obviously, the storage location and password should never be sent in the same email.  To be even more secure, they should be sent by different methods, such as the link by email and the password by telephone.

A Few Thoughts for Cyber Security Awareness Month

A few thoughts at the end of cyber security awareness month:

(1) Check with your insurance carrier about a policy for cyber fraud.  Many times a standard malpractice policy will not cover a loss from a cyber fraud scam.  Some reasons that coverage may be declined in a standard policy are: (a) wiring funds is a ministerial task; (b) wiring funds is not the practice of law; (c) it is not an act of negligence if you (or your employee) intentionally submit the wiring instructions; and (d) the lawyer did not have proper cyber security in place (e.g. outdated firewalls).  

(2) A little paranoia is healthy.  Humans are the weakest link in cyber security.

(3) Complex passwords, changed regularly, is a necessity, not an inconvenience.

(4) If you are a title insurance agent, check with your title insurance company for guidelines.  All major companies have been dealing with cyber fraud.  All major companies have procedures in place intended to prevent common errors and training events to raise awareness.

(5) Do not EVER click on a link unless you're positive that it's safe.  Most malware and ransomware is downloaded by the user.

(6) Check back here weekly for cyber security updates, tips, and reminders.  

(7) At the bottom of this blog post is a link to the FBI website.  Check in periodically for information on current scams.  You can also follow the FBI on Twitter.