LexisNexis® Legal Newsroom

June 2013

Home – Cloud Storage: The Promise and Threat of Efficiency

Cloud Storage: The Promise and Threat of Efficiency

 As with many innovations, the allure of shiny new objects and the promise of a better life can be irresistible even for the wisest among us.  Sometimes those shiny new objects deliver all they promise and make you wonder how you lived without them.  Others will leave you wondering how you could have been so gullible.  Still others deliver all they promise but with unexpected downsides and risks. 

 

Aren’t cell phones incredible?  Does anyone remember waiting for a pay phone or searching for change to make a call?  Now you can call from anywhere without a dime in your pocket.  But some of you may not get a strong signal from your own backyard.  And some of you may forget that, while engaged in a passionate exchange about the NFL or Congress or your idiot co-worker, you’re driving a 4,000-pound sedan through Mrs. Kravitz’s living room.  Her Davenport will never be the same.

 

Today, one of those shiny objects is “the cloud.”  So, what’s it all about?  We asked EDRM co-founder and ED thought-leader George Socha to assemble and join four other experts in the field of e-discovery and virtual storage for a presentation at LegalTech New York in January 2013.  We were privileged to have Socha and these four attorneys on our panel, titled E-Discovery Demystified:  Getting Ahead of The Cloud:   Martin T. Tully., Chair of Katten Muchin Rosenman’s E-Discovery Practice Group, Litigation Partner of their Chicago Office and National Chair of E-Discovery Practice Group; Michael J. McGuire, Shareholder, Littler Mendelson Minneapolis Office, Exclusively Labor & Employment – Manager Side, one of six dedicated to e-discovery and Chief Info Security Officer;  Steven Berrent, Managing Director, Wilmer Hale Discovery Solutions, Document Review and Technology; and Christopher Wolf, Director, Hogan Lovells Privacy & Information Management Practice Group, Founder & Co-Chair of the Future in Privacy Forum, a Think Tank on Privacy.

 

Defining the Cloud.  The group started with the basics, explaining that -- despite the ethereal quality its name suggests -- the cloud simply is data storage provided by a third-party vendor on a remote server.  The server can be anywhere in the world.  The amount of data that can be stored is limited only by your storage needs and your budget.  Data can be in any format.  Documents, video, audio files, applications, and more.  Tully compared the cloud to a utility, like an electric company, which “stores” the electricity for you.  You use it as you need it.  Wolf described the cloud as “outsourcing on steroids.”  Berrent likened the cloud to a bank.  He noted how your money is in a big pot somewhere, shared with other savings account holders.   The bank does what it pleases with the money and, for your trouble, you get interest.  The savings account is like a huge shared server.  If you wish to store valuables apart from other customers, you can get a safety deposit box or, in cloud terms, your own personal server.  Just as a customer makes deposits and withdrawals from an account, information is uploaded to or downloaded from the cloud, be it shared or private, and information is transmitted two ways -- data in and data out. 

 

Safety, Security and Storage of Data.  Berrent said that whenever you trust your data to a third-party vendor there is always some element of risk.  That is true whether information is in hard copy storage or virtual storage.  (Of course, there is a risk of storing it yourself, too.)  Off-site virtual storage is beneficial because connectivity problems you experience at your office caused by loss of power, for example, the server should remain operational because it has not been compromised by whatever affected you. Since disaster can strike anywhere and anytime, McGuire said it is imperative that your cloud provider has a disaster recovery plan. 

 

Why should you care whether or not your data is stored in the United States? an audience member asked.  The clients care, Berrent said, and it is important that they are comfortable with where the data is physically located.  Wolf stressed the importance of having a discussion with your malpractice carrier as to whether there is a need for storage redundancy and whether you can get a break on your business interruption insurance premiums as a result.

 

Ethical Considerations.  According to model rules, Wolf said lawyers must take reasonable precautions to maintain client confidentiality and attorney-client privilege.  They must be assured, and assure clients, that no one can access information stored in the cloud.  Wolf shared his own experience with client communications over Gmail.  He noticed he began receiving advertisements for attorneys after he had an email exchange with a client.   He learned how Gmail uses a computer to “read” emails as a way of matching ads with email subjects. Is this a breach of confidentiality?  Wolf said the New York Bar held in this type of situation that because a “thing” is reading the information, it does not count as a breach of attorney/client privilege.  However, who is behind the computer?  Should there be concerns if there is a human pairing search ads with email content?   Wolf said attorneys must exercise due diligence in evaluating cloud provider practices as these new threats to attorney-client privilege evolve.

 

Note:  The Gmail ads Wolf described are meeting resistance from Google users around the country.  There are six proposed class actions pending which say Google’s email scanning practices violate state and federal wiretapping and interception laws.  According to LexisNexis’ Law 360, Google is trying to centralize these actions in California as a Multidistrict Litigation in U.S. District Court.

 

Intrusion Prevention & Detection.  McGuire suggested the use of managed security services.  The capability of a specialized cyber security company far surpasses a law firm’s technology in blocking nefarious activity, he said.  How does it work?  An appliance is placed on your network at each point of ingress and egress.  This appliance copies routing information (although usually not the substance of traffic), then collects and routes the information to the security company.

 

Tully said that when it comes to assessing your cloud provider’s capabilities to protect client confidentiality, state bar opinions concur that attorneys must understand how data is being handled, they must have reasonable assurance that confidentiality and security will be maintained, and they must stay abreast of best practices.  For more information about the state bar opinions, visit www.lawtechnology.org.  McGuire urges law firms to secure enforceable contracts with cloud vendors, and get in writing the confidentiality privilege protections and security you are promised.

 

Encryption.  McGuire went on to say that encryption can be an effective way of preventing prying eyes from reading confidential material.  You can choose whether your vendor encrypts or you encrypt before sending it off to the vendor for storage, he said.  However, it may be more important to encrypt the data before you upload it to prevent the vendor’s encryption from being hacked, he said.  “One of the big risks is that if you encrypt all the stuff and lose the key,” McGuire warned, “you’re not getting your stuff back.”  “If you encrypt,” Wolf added, “then you avoid having to have the negotiation over who’s responsible in the event of a data breach, which often is part of the negotiation with a cloud provider.”

 

Insolvency of Provider.  What happens if your cloud provider goes under?  How will you get your data back?  It bears repeating that you will want to make sure your cloud provider backs up data, McGuire said, adding, too, that there may be a problem with bandwidth if you need to retrieve your information quickly.  Also, make sure your data is no longer retrievable by others, regardless of the insolvency of company or if your relationship with the company ends, he said.  Make sure you own those tapes, CDs, and hard drives and that you can go to the storage facility to retrieve the hardware.  Berrent said it’s important that you know who owns the hardware.  Also, if it’s your hardware, how do you get back to work the next day?  Will you be able to drive a truck to the data center, load up the servers and drive away?   If you own the hardware, he said, there is no question of personal property ownership.  It all goes back to the agreement you sign with the provider. 


Key Takeaways

 

  • Understand how data is being handled.  Be skeptical.  Document your expectations and test them.
  • Be certain you understand how confidentiality is being secured and maintained, and make that protection requirement part of an enforceable contract with your vendor.
  • Stay abreast of best practices, as well as evolving uses and potential abuses of data held in cloud storage.
  • Make sure you own the data storage backups and can retrieve them in the event of natural or financial disasters.