Cloud-based technologies have quickly become the norm in the tech world of today. But how safe are cloud networks when it comes to protecting sensitive legal data? In this month’s roundtable, our panel of technology and legal experts discuss the risks law firms face when storing data in the cloud, and the steps firms can take to protect themselves and their clients.
Nicholas Gaffney (NG) is a veteran public relations practitioner in San Francisco and is a member of the Law Practice Today Editorial Board.
|Andy Wilson (AW) is chief executive officer and cofounder of Logikcull. He is the visionary behind Logikcull’s product and marketing strategy, which focuses on simplifying and democratizing the processes associated with revealing what’s in data to three simple steps: upload, search, download.|
|Anne P. Mitchell (APM) was one of the first Internet policy attorneys in the United States. A graduate of Stanford, she is the author of part of the U.S. federal anti-spam law, CAN-SPAM, and is a legislative consultant on Internet law and policy, with an emphasis on email law and policy. She is also CEO of the ISIPP SuretyMail email reputation certification service.|
|Doug Lane (DL) is the vice president of product strategy at Vaultive, a cloud data security company providing advanced cloud access security broker (CASB) solutions. He has more than 20 years of experience in technology, security and cloud networking.|
|Michael Gold (MG) is CEO of Intermedia, a one-stop shop provider of a broad and tightly integrated business applications suite. Mr. Gold joined Intermedia in May 2011 as president, and transitioned to CEO in May 2015.|
|Todd A. Spodek (TAS) is the managing partner of Spodek Law Group P.C., a boutique criminal defense and family/divorce law firm in New York City. In managing the firm’s three offices, Mr. Spodek relies on a number of cloud service providers to share the firm’s resources and data.|
|David Hansen (DH) leads NetDocuments’ Security Compliance department, including management of annual ISO 27001 certifications and Type 2 SOC 2 audits, development of policies, implementation of procedures, and auditing operational and security compliance. He has more than 25 years of experience in finance, HR, marketing, IT operations, and federal legislation.|
NG: Generally speaking, are law firms and legal departments more or less secure using cloud-based services than they are using traditional on-premises IT infrastructure?
AW: Well, it depends. If you’re the legal department of Google—to use a paradoxical example—and you prefer to use on-premises solutions, then you probably have the capacity and expertise to deploy those solutions in a manner that secures company data. If you’re a law firm whose primary focus is servicing its clients and delivering legal advice—not technology or data security—than you’re probably better off going with a cloud provider that has expertise in that area.
But, at the end of the day, it all boils down to the levels of security and access that are built into your system, whether it’s on premises or in the cloud. And beyond that, cloud platforms have inherent characteristics that are naturally more secure than those of on-prem alternatives. For one, cloud-based systems act as centralized repositories for data. As a rule of thumb, law firms should always be able to answer the question: where is my client’s data right now? If you’re relying on legacy systems and processes, the answer to that question might be, “on my servers, and on the laptops of three partners, and in a thumb drive I left in the back of a cab,” and so forth. If you’re using a cloud-based platform, the answer is, “It’s in the cloud.”
I’ll also point out that most cloud systems are secured with data tokenization: swapping out highly sensitive information with a non-sensitive stand-in value, aka a “token.” This configuration is far more secure than, say, logging a username and password against an on-premises database.
APM: That really depends (such a lawyer answer!)… a better question would be, “Generally speaking, does law firm and legal department data have the potential to be more or less secure using cloud-based services rather than using traditional on-premises IT infrastructure?” and the answer is unquestionably using on-premises IT infrastructure rather than cloud-based data, because “the cloud” is just another term for “someone else’s computer.” The only way to reduce risk and ensure that sensitive data is at least 98% secure is by having it local, and not stored anywhere else. I say 98%, because so long as people can access the data, even locally, there is still some small risk (such as someone copying it to a thumb drive and taking it off-premises).
DL: While many law firms are reluctant to move sensitive data to the public cloud, most would be more secure in the cloud with the right precautions in place. Keeping on-premises servers up to date with the latest security patches is a major challenge for IT teams. For example, following the Panama Papers leak at Mossack Fonseca, security experts found that the firm’s servers were running software with known security vulnerabilities.
Generally speaking, cloud providers are in a better position to handle things like software updates and day-to-day intrusion prevention. The problem is that by moving to the cloud, law firms are opening themselves up to new risks like blind subpoenas to cloud providers and a general inability to demonstrate to clients that they have complete control over confidential data. However, this is solvable by layering third-party security controls and encryption techniques on top of the security features offered by the cloud provider.
MG: Law firms should expect higher security from cloud services because vendors can make much more significant investments in security teams and technology than most firms can reasonably afford for on-premises systems. For example, Intermedia has a dedicated security team with certified experts and real-time intrusion prevention systems, in addition to 24/7 physical security protecting access to our servers and network hardware. We regularly obtain independent reviews and testing of our security infrastructure and services, including penetration testing and annual SOC 2 audits, and we use SOC 2-audited data centers. On the product side, we offer comprehensive security features, including two-factor authentication, IP white listing, granular password policies, encryption, and remote wiping. This level of security and range of product features are generally not going to be available through an on-premises system—but cloud providers like Intermedia can offer them due to the deep expertise of our product and network architects and the regular security testing and monitoring that we perform across our cloud.
TAS: The online cloud-based services are in the business of providing this service to their clients. Their entire business model and/or reputation depends on it. The cloud providers are facing tougher standards; they have to build and/or use secure data centers that are independently audited and adhere to much tougher standards because they have a number of tenants rather than one standalone server. I believe that law firms and legal departments are much better suited using online service providers.
DH: Law firms and legal departments are definitely more secure using cloud-based services. The reasons for this include the focused effort cloud-based services put into keeping systems up-to-date with the latest patches and releases, deploying current security measures and controls, and the economies of scale in implementing and maintaining network-wide infrastructure to protect data. Case in point, according to NetDocuments’ 2016 customer CIO survey, 95% of firms agree that an enterprise-grade cloud platform is better equipped to provide comprehensive security and compliance measures than a typical firm could provide and maintain on its own.
NG: A number of high-profile cases have occurred of cloud email accounts being hacked and their contents leaked to the public—the most recent of which was John Podesta, Hillary Clinton’s campaign chairman. How do these types of hacks generally occur, and what basic steps can legal professionals and IT teams take to prevent them from happening?
AW: In the case of the Podesta email breach, and the recent DNC leak, hackers appear to have used a common attack called spear phishing to deliver malware. Spear phishing involves sending a communication that appears to be from a trusted source—for instance, a colleague or vendor partner with whom the recipient works. The sender then asks for sensitive information, which recipients are more likely to turn over because the sender appears to be a trusted source.
There are many steps professionals can take to guard against these attacks, but the most powerful and effective is educating your team to make them aware of the risks that exist and to alert them to telltale signs. Some organizations go so far as to conduct test drills where a fake email is sent out, and then learn from the autopsy—who clicked on it, why, how you can tell it is not legitimate, and so forth.
APM: There are a myriad of ways that these can happen, from brute force attacks to utilizing malware to social engineering. Again (yeah, I sound like a broken record), if you think of the cloud as just someone else’s computer, then asking “how these occur” is basically asking, “how does any computer system get hacked?” The best prevention is not using a cloud service. If you have to (but why would you?), be sure they have a good track record of security—but, realize that even that means that they may not have been hacked yet, but you can be pretty sure that they will be at some point in the future.
DL: When individual email accounts are hacked, it is commonly the result of the user’s login credentials being compromised. This type of breach can happen in many ways, but the two most common causes are phishing attacks and users sharing the same credentials across multiple services.
Phishing attacks use convincingly disguised emails to trick users into entering their credentials into a fraudulent site that puts them, and their data, into the hands of an attacker. The attacker then uses those credentials to log onto the user’s actual cloud service. This approach is how hackers compromised the Gmail account of John Podesta.
The issue with sharing passwords across multiple cloud accounts is that if any one of your cloud providers’ password databases is hacked, the first thing the attackers will do is try the same logins and passwords on other common sites looking for hits.
Two-factor authentication is a powerful tool to protect against compromised credentials. It augments your password with a one-time code that comes to the authorized user in a trusted manner—commonly either a text message or an authenticator app on the user’s phone or computer. This way, just accessing the user’s password isn’t enough for an attacker to compromise their account. Many cloud providers offer built-in two-factor authentication, or firms can subscribe to more sophisticated identity and access management tools.
MG: Certainly, the first thing you want to do is make sure that your cloud email provider maintains a strong security infrastructure designed to keep hackers out of the provider’s environment. However, when an email account is hacked, it is usually hacked from outside, not from within the cloud provider. In those cases, the attacker somehow obtains the victim’s password, and then logs into the victim’s email account, impersonating the victim. The attacker typically targets the victim with phishing emails, social engineering, or malware which compromises their computer and, ultimately, their password. Educating users on warning signs for these types of attacks is the most effective way to prevent anyone from clicking on a link or opening an email attachment containing malware, which ultimately leads to accounts being compromised. Use of paid-phishing services, which train users what to look for and prepares them by simulating attacks, can be an extremely effective way for companies to protect themselves.
TAS: I think the firm has to have a system in place to manage the firm’s devices and computers. At our firm, we require all staff to routinely change their passwords and require them to have unique passwords with a combination of letters and digits. Also, the firm’s phones and Chromebooks are managed in-house with the Google Suite so we can remotely wipe the devices.
DH: While we often do not know the specific way the accounts were compromised, what we do know is that the vast majority of these exploitation happened on the user-side of the equation. The service was not “compromised;” rather in some way the hackers were able to gain user credentials from the user or the user’s computer which then allowed them to access the account. Even the strongest security is only as secure as its weakest point, and often that weakest point is the individual user. This means basic steps to prevent these types of hacks include educating users regarding secure best practices, enforcing policies and procedures for regular password changes, two-factor authentication, and education and awareness training around how to identify phishing attacks or suspicious email that may contain malware.
NG: How important is encryption when uploading or downloading data to/from cloud-based services?
AW: There’s nothing more important. Your data needs to be encrypted at all times—both when it is in transit and when it is in rest—period. Encrypting data at rest is a security step, unfortunately, that very few organizations take, but which ensures data can’t be accessed by unauthorized parties even if they were to gain physical access to it.
In regards to data in transit, Transport Layer Security, or TLS, is the security mechanism by which data is secured when moving between applications. The TLS protocol limits unauthorized access to, and ensures the integrity of, the data.
APM: Very. Because it gives the hackers one more thing to have to hack before being able to read your data. But keep in mind that encryption can be broken.
DL: Encrypting data is critical, but it’s also not a black and white topic. All cloud providers perform baseline encryption of data in transit and at rest. The problem is that by default the cloud provider holds the encryption keys and can decrypt a firm’s data at will. It’s in the cloud provider’s interest to respect customer privacy, but malicious insiders and law enforcement demands are just a couple of examples of new possible points of exposure. The best practice is for firms to encrypt data independently of their cloud provider in a manner where they retain exclusive control of their encryption keys.
MG: It’s extremely important. Encrypted communication is essential for accessing cloud services securely. In fact, it’s now industry standard for cloud-based services to use secure transfer protocols (TLS, SSL) to encrypt data in transit. You should make sure that your cloud provider is employing complex encryption techniques whenever data is being uploaded or downloaded to its services, and we strongly recommend mobile device (laptop, phone) encryption as well.
TAS: I think encryption is critical since it is the next step in the breach. One is access, and two is the end result if the data is compromised. Strong encryption is crucial considering the sensitive data that law firms often house. All sensitive data should be encrypted both on the transmission, and when it’s stored to disk.
DH: From one perspective, it depends on what is being uploaded or downloaded. The more sensitive the information, the more critical it is for it to be encrypted. So there is a judgement call involved. From another perspective, all uploads and downloads should be encrypted to foil any attempts to gain information through intercepting transmissions. The argument is that even if a hacker gets something unimportant now, the process of obtaining it and the understanding it may give, regarding patterns and procedures, will increase the likelihood of future hacks. There is also the underlying principle of the right to privacy. Put together, these different perspectives build a strong case for always securing all upload and download transmissions.
NG: Yahoo! was in the news recently over a revelation that it cooperated with the U.S. government to provide a broad scale surveillance “backdoor” into its cloud infrastructure. How big of an issue is government access to cloud data, and what, if any, steps can law practices take to gain visibility and control over these types of requests?
AW: The answer to the first question is, “it depends”—on the cloud services law practices are using and how they’re using them. The bigger consideration for legal professionals is how surveillance impacts their legal obligation to clients to protect attorney-client confidentiality. Lawyers have a duty to protect privileged information from unauthorized parties, and that includes the government.
Many cloud providers make information about government requests and compelled disclosures publicly available. But, even so, law practices should be aware of their providers’ terms of service. Generally, those terms will include language about how the company will handle government requests, and should contain a clause stating that the provider must make “reasonable efforts” to provide the client with prior notice so that it can seek a protective order.
APM: It’s a pretty big issue. Data that is stored in the cloud can be accessed without a warrant if it has been there for more than 180 days.
The Electronics Communication Privacy Act (ECPA), says, specifically, that “a governmental entity may require the disclosure by a provider of electronic communications services of the contents of an electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days …with prior notice from the governmental entity to the subscriber or customer if the governmental entity … uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena…”
So, all the government agency needs is a subpoena, there is no warrant and so no notice of the type that would come with a request for a warrant.
The best way to control these types of requests? Don’t use cloud storage, which I refer to as the high-fructose corn syrup of the Internet: Everybody uses it, and it’s in everything, but that doesn’t mean it’s good for you.
DL: Government data access to cloud data is a bigger issue than many realize. Many cloud industry stakeholders are concerned that the United States Intelligence Surveillance Court or FISA Court that was created by the Foreign Intelligence Surveillance Act of 1978 has been broadening its interpretation of FISA to expand U.S. government surveillance powers. Just last month the ACLU and Yale Law School’s Media Freedom Clinic filed a motion with the FISA Court requesting that 23 of their secret legal opinions written be made public to shed more light on what powers the government has in this area.
There is substantial evidence that this is a major source of tension between the government and cloud providers. In addition to high-profile revelations like the Yahoo backdoor, Microsoft has two active lawsuits against the U.S. government concerning customer data privacy issues. In an April 2016 blog post, Microsoft Chief Legal Officer Brad Smith noted that during the preceding 18 months, the U.S. government required Microsoft to maintain secrecy regarding 2,576 legal demands. The data owners had no idea that their information was being turned over to the government. 68% of these secrecy orders had no end date.
These types of legal data access incidents are another positive proof point for creating clear segregation of duties between the encryption of data and the operation of cloud infrastructure. Law firms or their clients may still need to comply with government data requests, but control over the cloud data encryption process ensures visibility and control over the process in all cases rather than leaving it in the hands of the cloud provider.
MG: Government access to data is a significant issue in the cloud services industry. Law enforcement agencies in the United States, both federal and state, have broad legal rights to obtain subpoenas and search warrants that permit them to not only obtain access to data, but also to prohibit the service provider from notifying the customer of the request. Law firms should request that their cloud provider provide notification, whenever legally permissible, if their account data is the subject of a subpoena or search warrant. Ultimately, though, the cloud provider must abide by the law. So, perhaps the most important step a law firm can take is making sure that the cloud service provider they choose has a well-considered, customer-protective stance on how they handle government requests to access customer data.
TAS: From a criminal defense point of view the problem starts with the user. If you have sensitive information that you don’t want to risk ever getting leaked 1) don’t put it in writing, and 2) if you are going to use a cloud service, make sure it has end-to-end encryption. The first thing I tell my clients who are under investigation or indictment is that you need to act from this point on and assume that all communication outside of my office is being recorded and will be used against you. Outside of the lawyers and law firm staff, you cannot trust anyone.
From a security point of view on a global scale, I think managing partners need to stay abreast of the law as it develops. A good starting point is tracking the Apple case in the Central District of California and the friend of the court briefs that were filed in support of Apple. They are updated on Apple’s homepage here.
DH: Because these types of surveillance activities are done under gag orders, it is hard to know how big the issue is, but the recent revelations by Snowden and others suggest this type of activity is more prevalent than the public originally thought. If entities deal with information which is sensitive, then they need to work with their cloud providers to implement appropriate alerting and logging controls. Adding additional protocols such as separation of duties and dual access control (ensuring no single person or department has unmonitored access to data) will all add to more stringent and secure information governance practices. Law firms can also explore strong encryption solutions where law firms control some part of the encryption process, greatly reducing the risk of their data being compromised.
NG: In regards to cloud services, what are some factors that law firms should consider when operating in—or advising clients who operate in—international markets?
AW: Above all, they should be aware of the international patchwork of data laws and what the specific laws are in the countries in which they are dealing. The European Union, for example, has very strict policies around how their citizens’ personal information is collected and processed, and demands that “reasonable and appropriate” measures be taken to secure that data. For law firms using cloud services to handle client data, they must be familiar with what their obligations are in regards to foreign laws, but also know where the physical servers of their cloud providers reside and what implications this on how that data must be handled and who could potentially have access to it.
APM: In addition to all of the issues above, once you start operating in international markets you are then dealing with myriad—and often conflicting—laws. Privacy laws, in particular, vary from country to country, and generally speaking U.S. laws dealing with internet issues are among the laxest, meaning that you can be in compliance with U.S. law and easily breaching the laws of another country in which you are doing business.
DL: There are a growing number of international data privacy regulations that globally operating enterprises must consider. A notable example in the new EU General Data Protection Regulation (GDPR). The regulation takes effect in May 2018 and has penalties of up to greater than 20 million Euros or 4% of an organization’s annual revenue for non-compliance.
Numerous countries also have data residency laws that require certain types of data to be stored in-country. Using cloud services adds complexity to compliance with data residency laws, since the firm has limited, if any, visibility into where their data is being stored by the cloud provider. One step that some organizations take is to encrypt cloud-bound data with country-specific keys. This way, the organization can demonstrate that data cannot be accessed out of country regardless of where their cloud provider actually stores the data.
Going beyond the minimum requirements with encryption can provide other benefits as well. For example, under GDPR organizations employing strong encryption have less burden to notify customers in the case of a security breach.
MG: Data privacy and data residency are the two factors that immediately come to mind when you think about operating a cloud service in an international market. As most people are aware, data privacy laws vary widely from country to country, so a law firm will need to make sure that their cloud service provider is equipped to facilitate the firm’s compliance with local law. For example, privacy laws in the EU are generally more stringent than those of the U.S., so a service provider should be able to offer its customers a model contract, demonstrate compliance with the EU-US Privacy Shield or take other steps to show that they comply with those laws. Also, law firms may find that their clients have concerns regarding data residency, meaning that they want their data stored within a particular region or jurisdiction. Again, it’s important to understand where your service provider can store your data—and what options you’ll be able to provide to your clients.
TAS: All of the online cloud providers have a level of security, and it appears that more and more are matching each other both domestically and internationally. Also, outside of the servers being in a physical location that is vulnerable, there are no more borders. Sophisticated hackers can access data worldwide from anywhere.
I think the real issue is, and the point of focus should be, what happens when there is a breach? What systems are in place at the off-site provider to protect the law firm clients? Is there a cyber insurance policy in place? Who bears the cost? How do the clients get notified? Who deals with these issues? What about identify theft monitoring post-breach?
DH: Look for vendors with international experience. Evaluate vendors to see if they keep current with national and international security and compliance standards. For example, many global law firms must navigate international data regulation and requirements around data sovereignty where data must remain in-country. Global service providers will need to have data storage and hybrid software delivery options which allow the firm to leverage cloud services while addressing specific data storage requirements.
NG: Large firms are the most at risk for a cyberattack, and, because of this, often equip themselves with the resources to prevent them. How can smaller firms, with fewer resources, make sure they are also protected?
AW: First, it’s worth noting that the risks large law firms face, such as those arising from state-funded actors, are very different from those smaller firms face. While larger law firms are generally targeted for the client data they possess—such as valuable IP or information about private business dealings—small law firms are at risk simply because they have what every hacker wants: money, including credit card information, bank account numbers, run-of-the-mill information that all businesses handle.
Firms can do many things to protect themselves, but at a minimum, they should make sure that sensitive data is encrypted in transit and at rest. There are a number of free or affordable tools available that do this. Firms should also practice sound password hygiene, where passwords are complex and changed appropriately. And finally, all firms, regardless of their size, should invest in a cyber-liability policy, paying special attention to coverage for business interruption loss and ransomware payments.
APM: I disagree that large firms are at most risk—any organization with anything controversial going on is at risk. Heck, smart lightbulbs and baby monitors are at risk.
Happily, the smaller the firm, the easier it is to get the managers to see reason (fewer partners, maybe no board, etc.), and the easier it is to not use cloud storage. And that is the best way to make sure they are protected.
DL: Assuming that a breach will eventually happen, having a clearly defined incident response plan is the best step smaller firms can take it to prepare for or prevent a cyberattack. Numerous third-party security firms have rapid response teams that can be engaged to augment in-house staff in the case of a breach. However, the model works better with a pre-existing relationship, where the service provider has some existing familiarity with the firm’s IT environment.
MG: There can be a big advantage for smaller firms in using cloud services because the infrastructure and security services that support them are much more robust and secure than even most large-sized firms can afford. For example, Intermedia’s infrastructure is designed to provide 99.999% uptime through redundancy. This level of availability, with 24/7 security, is not affordable for most firms to provide for themselves. Paired with the talent employed by the cloud provider such as a dedicated security team and certified experts that deal in the intricacies of cybersecurity and cloud environments every day, smaller firms can still protect themselves like larger ones.
TAS: I think carefully screening any cloud provider you are considering using and joining in the local and state-level bar association cybersecurity teams will allow you to stay abreast of developments and issues.
As far as the practical small law firm solutions, I would implement the following:
- Passwords must be changed regularly.
- All access must require two-factor authentication.
- All USB drives must be encrypted.
- All cell phone and tablets must be managed in house with the ability to wipe and lock externally in the case the device is stolen or lost.
- Use email and chat programs that allow for end-to-end encryption.
- All laptops should be encrypted.
- Use laptop-tracking technology.
- Institute intrusion-detection tools.
- Institute intrusion-prevention tools.
- Have a cyber insurance plan.
- Have a breach plan in place, in case there is an issue.
DH: Cloud service providers leverage a multi-tenant software delivery model. This levels the playing field for small firms who can benefit from enterprise technology, but don’t have the capital to invest in a heavy IT infrastructure. All firms access the same ‘technology stack’ which is typically updated several times per year, so there is never the risk of being on an outdated version. This”single global instance” of software has been the great equalizer when it comes to small business being able to compete from a technology standpoint with the large firms.
NG: How important is it to regularly change account passwords, especially for cloud services? How can you ensure an effective password?
AW: There is a common assumption that regularly changing passwords is a best practice, but, in fact, requiring frequent changes can weaken your security because it can lead to cutting corners—like writing your password on a sticky note—and because, when passwords must be routinely changed, people are less likely to use good, complex passwords to begin with. Users who also must regularly change passwords are likely to simply make small tweaks to existing passwords, for example, by putting an exclamation point at the beginning and end. These are not hard things for hackers to figure out.
That said, you absolutely should require passwords to be changed in certain instances, like when a password is shared or stolen, or if you have reason to believe an account has been compromised. People should also consider investing in a password management program, such as LastPass, which securely stores, remembers and updates passwords.
APM: How often to change passwords really depends on each use case. The best thing to do, if you simply can’t avoid using a cloud service, is to be sure to use only ones that offer two-factor authentication (you can find a list here). For those unfamiliar, two-factor authentication (also known as 2FA) is basically having two passwords, the second one of which is randomly generated, and is good for only a few minutes, and is delivered to you through a device, an app, or an SMS text message.
As for effective passwords, we like to use this random password generator.
DL: Changing passwords regularly is always a good practice, but many of the phishing attacks compromise user credentials, so that they will work regardless of the strength of the user’s password. This is why it’s so important to enable two-factor authentication wherever possible.
If two-factor authentication isn’t an option, another possible approach is to use password management tools. There is always some inherent risk in storing passwords anywhere besides in the user’s head. However, password tools offer a number of benefits. They allow for the creation of very lengthy and cryptic passwords that the user doesn’t need to remember. They also provide basic protection against accidentally entering credentials into a phishing site by validating the URL.
MG: We recommend using “strong passwords” for cloud services, which are the maximum length supported by the application, and unique for each service. These passwords should also be changed at least every three months. Secure password managers make it easy to use strong passwords so users don’t have to remember them. They also should be backed up with two-factor authentication so that an additional known device must be used to verify the login. Lastly, and just as important as the points above, it is strongly recommended that people use a unique password for each cloud service and that they not re-use passwords between applications or services. Unique passwords mean that, even if a hacker successfully steals a user’s password for one service, the hacker’s access will be limited to that one application.
TAS: I think this is imperative, and the easiest solution to start with. Have a policy in place where everyone has unique passwords that are changed on a monthly basis. No one should share a password even if it’s a shared inbox like an electronic fax account or general inbox. Having unique passwords can assist with accountability and access. You can go back to the data to see when an issue arose. Also, by knowing whose account was hacked, you can immediately close off any other access points.
DH: Since passwords are often the primary protection for access and resources, ensuring that the passwords are secure and regularly rotated greatly improves security. Ensuring an effective password generally means following the well-established password guidelines offered by Microsoft and other entities such as 1) using both upper and lower case characters, 2) using numbers, 3) using special characters, 4) not using words or repeating characters, and 5) having longer passwords—longer is almost always better.
NG: How tight are the cyber insurance policies of cloud service providers? Is there room for improvement?
AW: It’s hard to generalize. But the reality is, for most cloud providers, if they suffer a breach, it’s game over regardless of whether they have cyber insurance or not. The reputation hit alone is usually too much to withstand. That’s why securing customer data is a top priority for every cloud provider, because it is prerequisite to staying in business.
APM: I am unable to comment on cyber insurance policies; once the data is hacked, insurance doesn’t really make the aggrieved parties whole.
DL: Firms should be reluctant to rely solely on any cyber insurance policies carried by cloud service provider unless the protections are clearly spelled out in their service level agreements. Otherwise, it’s difficult to know whether the provider’s coverage is there to protect them, their customers, or both. A better approach is for firms to manage as much risk as they can internally by purchasing their own coverage and implementing their own security controls for cloud data that limits their exposure in the case of a service provider breach.
MG: This is a newer area for cloud providers, and many of them are not thinking much about what is covered in their policies, because they’ve never had to make a claim. The challenge with cyber policies right now is that they are so new. Unlike other types of insurance policies that have been around for decades, there isn’t standard policy language yet for cyber policies, so policies are highly customized—and there’s not much guidance as to what the terminology means if it were to ever be disputed in litigation. The coverage of some policies is worded extremely narrowly, and other policies have extremely low sublimits for things like cost of investigation. As the insurance companies get more comfortable with these policies, I expect that cyber policy language and structure will start to get standardized across providers, which will eliminate a lot of the ambiguity that surrounds those policies today.
TAS: This I believe is the one area that is overlooked in law firm security issues. The policies need to factor in a number of issues that one may not consider. If there is a data breach, it would be very difficult for the law firm to recover the goodwill they developed, and the trust their clients had with the firm. If you can’t be trusted to keep your clients’ data safe, how can they trust you to keep their secrets safe? Remember Ashley Madison? There needs to be a deductible that is manageable and a policy that will cover not only fixing the breach, but also instituting identity in their management tools, credit repair, etc.
DH: No comment.
NG: What are some of the hidden “gotchas” that might not be obvious to law firm partners and IT teams reviewing their use of cloud services?
AW: Pay close attention to how storage size is calculated if your subscription is based on amount of data used. Just because you upload, for example, 50 GB of data into the service doesn’t mean that the storage size will actually be 50 GB. It might actually be larger due to the fact that some data “explodes” when it is processed. For example, a 1 GB .zip file might contain data that is much larger when it is removed from that container. This is an issue that users of cloud-based eDiscovery services should understand.
Legal professionals should also make sure it’s clear how, when and in what format data will be returned upon the termination of service, or whether it should be destroyed. The last thing you want is to skim over some crucial language that allows your data to be held hostage, though ethical providers don’t do this.
APM: I think that the ability of agencies to gain warrantless access to any data stored in the cloud for more than 180 days is a huge hidden “gotcha,” and one that, while the average lay person doesn’t quite understand, should be a strong cautionary tale for any lawyer.
DL: One mistake that many organizations make is limiting their thinking and security planning to company-sanctioned applications. In the age of readily available consumer cloud services that are free or very low cost, many IT teams are shocked to discover how much shadow IT activity is occurring. Even if corporate policies exist that prohibit the use of consumer cloud services, users are not always mindful of these policies. In fact, as more devices and applications communicate with cloud behind the scenes to synchronize data between devices, users may not be aware that they are unwittingly transmitting sensitive data to the cloud.
MG: Cloud service providers are generally not trying to pull one over on their customers. However, there are some things that customers should carefully consider when deciding what types of solutions are right for their business. For example, many cloud providers offer high-quality services, but do the law firm and its IT team want to deal with a collection of independently administered cloud services, where each service has a separate administrator control panel? Some providers, like Intermedia, offer an assortment of essential cloud services, all controlled through a single control panel. Another important consideration is the degree of risk the law firm is willing to take with regard to security. Given the sensitivity of client data, law firms should compare the security offerings of the various cloud providers and make sure to demand the highest levels of security for their services, such as two factor authentication. If customers don’t specifically ask about security features, they won’t necessarily know what their providers are capable of offering.
TAS: What happens if you want to switch the current provider to a competitor? Will they help with the transition? How long will that process take? Is there a cost associated with it? A lot of these companies are banking on inertia and the same thing that plagued the cellular and cable TV industry: that you will get so comfortable you will be reluctant to switch.
DH: Some entities claim to be cloud providers but in reality are only offering off-site hosting of dedicated resources. Ensure potential vendors are certified against recognized standards; ensure the scope of certifications is sufficiently broad to cover all key elements of the service being considered. Ensure key infrastructure of the vendor is validated and certified (such as the use of certified co-location data centers). Additionally, there are often associations and certifications that exist to help firms navigate and validate that a cloud vendor is in fact doing everything they say they are. In the United States, successfully completing annual Type 2 SOC 2 audits demonstrates deployment of infrastructure to support availability and implementation of comprehensive security controls. Internationally, current ISO 27001 certification provides similar validation.