Software as a service (SaaS), cloud servers, security, encryption, oh my! It’s a lexicon jungle out there, and what’s a solo or small law firm to do when they’re navigating terrain using an outsourced IT department, boot-strapped budget, or knowledge earned from blood, sweat, and tears?
Let’s clarify some of the many terms used in computing and security so attorneys can become as familiar as possible with the language spoken in the cloud. The intent is to remove the deer-in-the-headlights feeling and ease anxiety enough to be conversant with confidence.
Knowing the Basics
Is “the cloud” the same as the “ethernet?” These terms are pretty darn close: an ethernet is a family of computer networks that communicate together, while the cloud hosts, stores, and transmits data from a variety of servers in unknown sites. Simply put, the ethernet is a network of computers you hook up to enable intra-network communication; while the cloud is a network of servers you can’t physically see.
Your firm is already in the cloud with SaaS subscriptions and software, social media and data storage, for example. Your data could be stored in repositories offered by cloud storage providers like DropBox, Apple, Google Drive, Hightail, Resilio, and many more. Your files are uploaded and downloaded at will in an account you maintain that has space for rent in highly secure cloud servers.
Many small law firms fully rely on SaaS to run their law practices. Do you have a sense of where the servers reside and whether they are redundant? Before signing on to buy practice management software like Firm Central, ask about redundancy. If a bank of servers is damaged in a hurricane in Texas, is your data duplicated on a server in Illinois to ensure its safety and security?
Physical Security Critical to Data Safety
Don’t forget to inquire about the physical security of these data centers that store and transmit your firm’s goldmine. Are these servers protected by multilevel access controls and monitors? How about by third-party security firms that monitor the server banks day in and day out?
Some terms you might watch for include N+1 redundancy design to ensure an uninterruptible power supply (UPS). Think about that hurricane in Texas again: what happens to your data in the cloud when power fluctuates? A generator may be described as “2-MW diesel,” meaning a diesel engine producing two megawatts of power. This may be getting into the weeds a bit, but when your office blacks out due to Mother Nature’s storms, your first question should not be, “Is my data safe?”
Data Security Begins with Encryption
Did you know that encryption stems from the ancient form of cryptography? World War II saw cryptographers tasked with manually breaking the Nazi Enigma code, and technology has advanced at breakneck speed ever since. Today, your data needs to be encrypted with algorithms that scramble sensitive information as it travels to a secure server and sits in storage until pulled out or appropriately managed.
The encryption key is a collection of algorithms that scramble and unscramble data. Someone in charge of your encryption key can share it with others at your firm who can then unlock the key and deliver access to your legal team. You’re likely to see a term like 256-bit encryption. This encryption technique uses 256 binary combinations of zero and one to scramble and unscramble data. If you have an affinity for math, think of the complexity of this number as 2 to the 256th power (2^256).
Encryption is a highly fascinating topic, and too much for this article to detail. If you’d like to learn more, take a look at this TechWorld.com article on how encryption works.
When you engage with data in the cloud, whether it’s software, online data storage and even purchases you make from a third-party site, take note of the URL with which you’re transacting business. You should see https at the very front of the domain name, which stands for hypertext transfer protocol encryption.
Even your own firm website should have this SSL certificate. The https protocol activates a padlock to allow secure connections between a web server at GoDaddy and a browser like Firefox. All Internet sites will eventually be required to have this designation; yet, many sites are still catching up.
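The padlock is more than the letters “https”: the browser also checks that the site’s certificate was issued by an authority it trusts. This added example (my own code, not the article’s or Firm Central’s) starts a local stand-in for a firm website with a self-signed certificate and shows that the connection succeeds only when the client trusts that certificate; the handler text and function names are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// CheckScheme reports whether the address a user is about to transact on
// starts with https, the first thing to look for in the URL bar.
func CheckScheme(rawURL string) bool {
	u, err := url.Parse(rawURL)
	return err == nil && u.Scheme == "https"
}

// Fetch performs a GET trusting only the given root certificates. The
// browser "padlock" is exactly this step: the server's certificate must
// chain to a trusted root, or the connection is refused before any data moves.
func Fetch(addr string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(addr)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return errors.New(resp.Status)
	}
	return nil
}

// NewFirmSite starts a local TLS server standing in for a firm website
// (constructed by httptest with a self-signed certificate; not a real domain).
// It returns the server and a pool that trusts that certificate.
func NewFirmSite() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("client portal")) // constructed sample response
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}
```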
Certification is a Stamp of Approval
It’s definitely hard to know whether a software provider legitimately offers data security. That’s why certification by industry authorities is an important data security measure. Understanding the basics about certification will help you confirm whether a software provider is qualified to earn your business.
The American Institute of Certified Public Accountants (AICPA) offers three tiers of SOC privacy compliance standards. This designation, which could be SOC, SOC 2, or SOC 3, is based on the AICPA’s trust services criteria for service organizations and covers the security, availability, processing integrity, confidentiality, and privacy of the user data they process. Often, organizations use these controls internally to ensure compliance with governance and risk management processes.
You’ve probably seen the ISO 9001 mark and perhaps the ISO 27001 certification on software. These are issued by the International Organization for Standardization. Not to get too technical here, but when you see ISO 27001, that’s a positive. This specifies information security management systems consisting of a framework of policies and procedures oriented to risk management and a six-part security planning process.
Also, ISO 9000 refers to a family of standards; however, ISO 9001 is the only standard requiring certification. This standard evaluates whether a quality management system is appropriate and effective while forcing implementation of improvements to the system.
In a Thomson Reuters survey, “2017 State of U.S. Small Law Firms: Foresight to Drive your Firm Forward,” law firms with up to 29 attorneys report concerns about keeping up with the increasing complexity of technology and staff management. It goes without saying that the larger a firm, the more technology is required to secure data, along with the expertise that goes with it. All segments of small law firms, regardless of attorney headcount, indicated in the survey that technology/infrastructure is an area targeted for investment in the next 12 months. One three-attorney law firm indicated it would move its files to the cloud to give attorneys 24-hour access so they can work outside the office.
As more firms look at ways to streamline productivity with cloud computing and mobile offices, it’s important to heed the American Bar Association’s Formal Opinion 477. This requires law firms to protect information with a variety of security controls. Understanding much of the complex vernacular surrounding information security, cloud computing, and your data is the first step in mitigating the risk of a data breach for your clients’ confidential information.
About the Author
Firm Central is a secure, user-friendly, cloud-based practice management tool that helps lawyers and staff manage the business side of a law firm to be able to dedicate more time to client needs. Learn more about Firm Central and how we keep your valuable data safe with industry leading security standards here.