Managing your own passwords is a challenge. When you add hundreds of users into the mix it seems like an insurmountable task. Password managers are the answer.
By Lawton Brown
As an attorney, there are 11 things that you must, at a minimum, do if you are going to implement, or have already implemented, any part of a cloud-based solution for your law firm. These items are mandated by your state bar association rules, industry standards and best practices, some insurance policies, and other guidelines. They are items you should be doing regarding cloud computing even if nobody else mandated them. Let’s get started.
1. Make sure your cloud is private
The first rule of every state bar that has issued an opinion on cloud computing is that a lawyer must use reasonable care to safeguard confidential client information. There is a lot packed into that statement. Let’s start with the confidential part. The questions you need to be asking your vendor are:
- Is my data private?
- Is any part of my information shared with anyone else?
- Do I have the ability to share my information with anyone else?
- Do I have the ability to audit my data to see if it has been shared with anyone?
- Am I on a shared server?
Just because you’re on a shared server doesn’t mean that your data is being shared with anyone else. But it’s a good question to ask, because you need to hear the answer to weigh the risks. Many cloud providers offer several options and will likely be able to segregate your data from everyone else’s.
2. Use document management software
We use Microsoft Office 365 SharePoint, and we love it. First, if you’re using Microsoft Word (and you should be), it fully integrates with Microsoft Office 365 SharePoint. SharePoint handles versioning. Every time a document is saved, SharePoint creates a new version of it under the same name. This allows you to compare with previous versions, or recover files that have been overwritten, without having to have your IT company intervene. Anything that is deleted from SharePoint goes into a recycle bin from which it can be recovered within 90 days without IT help. Where SharePoint really excels is searching documents. It’s like Google (actually more like Bing) for all your documents. If you know a word inside a document, SharePoint can find it, usually in a fraction of a second.
Sharing documents is another huge benefit. Instead of sending around an actual file that has to go back and forth over email, a link to the file can be sent so the document being worked on stays in the same location. You can even give someone outside of your organization a link to a read-only version of the file for their review. If you do utilize that feature, you should occasionally review your member directory and remove sharing from older documents on a regular basis.
3. Do not use the free version
Many cloud providers offer a free version of their software to entice users to sign up, then offer a premium version with all the features for a monthly subscription fee. Don’t get me wrong, I love the free version, as long as I’m willing to lose all the data. Many of the providers that offer a free version have different terms and conditions for the free version than for the premium version. The free version usually offers no support and, more importantly, no responsibility if they lose all of your data. Some even state in their terms and conditions that the free version does not include any data redundancy. The premium versions, however, usually have a service level agreement (SLA) that includes data redundancy, credits for downtime, and a statement about the provider using their best effort. Nobody wants to read the terms and conditions, but they are important. If you don’t want to read them, at least make someone else read them.
4. Have a security strategy
It can be one page, or an entire manual, but you need some sort of security strategy. Password expirations, regular security audits, and minimum password standards should be requirements of your security strategy. You must write it down. Everybody in your organization needs to know that they will have to change their password every 90 days. It’s not negotiable. If you use a Mac, you have a great built-in tool called Keychain. You can store all your passwords in an encrypted vault, and it can even recommend safe passwords for you to use on websites. The PC has similar tools. If your users have trouble remembering passwords, consider implementing similar software. Your users also need to know that they cannot use the same password for every website or service. Just recently, almost every user name and password for the MySpace service was published to the Internet. So if your password was the same for all websites, the entire Internet would have access to everything you own, and you'd spend days trying to update passwords. Don’t let it happen to your firm.
5. Make sure your data stays in the U.S.
If you think it’s difficult dealing with an entity in another state, try filing your claim in another country. First, the rules that apply to providers in the United States may be different from those that apply in other countries. And you have to ask yourself, “Am I really safeguarding my client’s information if it resides in another country?” Another good question to ask is whether the data is in more than one location. If there were ever a natural disaster in another state, or country, you want to make sure that your data will still be accessible.
6. Implement an encrypted email solution
It’s 2017. By now you should understand that the NSA is reading your email. If your email is not encrypted, reading it is incredibly easy, and not just for the NSA. Most cloud email providers offer encrypted email as a premium feature. Use it.
7. Read the terms and conditions
I know you don’t want to. They are terrible. And they read like Dostoyevsky in the original Russian. I’ve had to write several of them, so I can sympathize. You need to read them, however, because whether you like it or not, they will apply to you. So you need to make sure that you’re okay bringing your lawsuit in the Northern District of Maine, or using the law of Guam. Almost every set of terms and conditions will include venue and choice of law provisions. If you’re not okay with those choices, then don’t sign up. I have yet to meet a provider that allows those provisions to be changed. Know the risks.
8. Know who owns your data
Most of the popular cloud providers have provisions that state that the data you’re hosting with them is your data. Most of them also state, however, that while the data is yours, it is your responsibility to maintain and retrieve that data prior to terminating your agreement. That means that if you haven’t exported your data to another service, or back onto your own server prior to terminating your agreement, your data could be deleted by the provider. Some other services also state that by using their service you’re granting them a perpetual license for your data. Be careful!
9. Read the rules
Many cloud providers also have rules and behavioral standards. Some do not. Some providers may also require that communication between you and the provider remain confidential. While most providers are fairly reasonable about their rules and standards, it’s easy to get into trouble if you don’t know about certain provisions.
10. Always have another way
By far the most important thing to know when setting up a cloud strategy, or making sure that your existing strategy meets state bar requirements, is making sure that you can always access your data. Almost every provider offers 24/7 uptime for their services. That’s great, but that’s not enough. Most of the states that have written rules require you to have another method of getting to your client data. The idea behind this is that if a provider goes out of business, or you don’t pay your bill, the result is the same - you lose access to your clients’ data, and therefore violate bar rules. There are several services that back up data hosted in SharePoint Online, and other SaaS software, to another provider. They are, for the most part, cost-effective. Some SaaS software also allows you to escrow your data with a third-party provider. You can usually contact them to find out how all that works. If they can’t escrow your data, or there's no way to have a secondary backup, you should probably keep looking.
11. You Need to Know
Lastly, you need to know how your provider is handling the security of your data. If you don’t feel comfortable with the level of security, then keep looking. Many firms that need tighter security end up using infrastructure as a service (IaaS) rather than SaaS, since it can be locked down as tightly as required.
This is only meant to be a primer, and is not a full guide to cloud services. Check your local state bar association for more information about the specific requirements that apply to your firm. A link to the ABA website regarding cloud computing can be found here.
Hopefully you found this helpful. If you have any questions, or have a suggestion, please reply in the comments section, or email me directly. Good luck!
About the Author
Lawton Brown is a graduate of Georgia Institute of Technology and Atlanta's John Marshall Law School. He is licensed to practice law in TX and GA. Lawton is the current president of XOGENT and has been in the software development and IT service industry for over 24 years.