Should lawyers be wary of cloud computing and SaaS?

Your article is great except for a crux one-liner in the middle: “In my opinion, the data security and confidentiality concerns regarding cloud computing are exaggerated and overblown.”

Woah.

Data security and confidentiality concerns are not exaggerated and aren’t overblown. They are exactly what they are – CONCERNS. Putting your data into the cloud and not keeping it locally adds a layer of complexity and an extra amount of opportunity for someone to have access to, and take, that data.

If, however, you pay attention to those concerns and have proper contract language in your agreements to mitigate those concerns, then they will simply stay concerns. On the other hand, if you ignore them, treat them as non-important, or dismiss them as exaggerated or overblown, they will eventually be forgotten (it breeds complacency) – which is EXACTLY when you end up with a data security or confidentiality problem.

I’m biased because I’ve seen too many large companies leak hundreds of thousands of people’s data dozens and dozens of times… with almost nothing other than an “oops… sorry” among them. I’m also biased because I read thousands of contracts every year for these types of services where there is very little by way of “industry standard”, and almost nothing of “conventional privacy policies” such as you suggest. Rather, most vendors put in as much liability limiting language as they possibly can, knowing full well that merely the transmission of the data from the client to their facility, unless encrypted (which is almost never the case), is open to exploit.

So please, don’t down-play the importance of data security and confidentiality in a cloud computing environment. Play it UP. Make it continuously important. It is manageable – but you can’t ignore it hoping that everyone’s playing by the same rules.

Security of information is a critical component to cloud computing which is why making this decision to go this route should be equally as great as the credibility of the firm offering it.
Accessibility, reliability and cost effectiveness are three things that come to mind when I think of this offering. A good provider will offer a complete package of software that will help law firms “run a business” and account for all that is involved. This is of great importance for start-ups and small firms that primarily focus more on their area of expertise which is practicing law rather than the business end of it.
There are countless statistics related to money lost in hours that have not been account for. There is also a component to inefficient use of time related to managing your in-house system. Hosted solutions with integrated software packages that work seamlessly together can be a great option for firms looking to better manage time, information and cash flow.

Hi Niki:

This is an extremely important topic and one that a lot of folks are trying to get their heads around. As a SaaS provider and engineer myself, I’m only too aware that not all SaaS providers are created equal.

SaaS, in my opinion, is inevitable. It’s hard for me to imagine that in 10 or 20 years desktop versions of software will be the norm. So I think it’s very important for lawyers to know some of the basics about security and what this all means.

I recommend that anyone considering a SaaS solution understand many factors, including but not limited to 1) physical security of the actual servers and data 2) code security and protection against attacks 3) confidentiality policy of the SaaS provider 3) encryption used to protect traffic (128 bit or greater and coverage of sensitive traffic).

I also encourage people to stop by eff.org, the electronic frontier foundation, to see an in-depth exploration of some of the issues to think about as we move to an increasingly online world.

Niki:

My real concern isn’t with the lawyers, it’s with the vendors.

I would challenge your supposition that this is “emerging technology” – in fact, it’s decades-old technology. It’s been repackaged, rebranded and redesigned for the 21st century obviously… but the core is the same: Your data on “somebody else’s drive (to quote Tom Smith).

And the confidentiality issues are similar, too… only this time, it’s not just giving them your financials or customer information that you WANT to keep secret… it’s giving them client information you have to keep secret as a matter of law.

Having reviewed and negotiated literally thousands of contracts with confidentiality, data use/disclosure policies, HIPAA documents regarding private health information, etc provisions… yet still finding violations, unexpected leaks, etc… I’m simply not convinced that many SaaS vendors have geared up sufficiently to handle information of this type of sensitivity.

Additionally, I would even argue that while asking your vendors where they’re keeping their data is nice from a due-diligence perspective, few customers know how to engage a contracts professional to adequately modify the contract to prevent future migration of that data to somewhere else. That’s also not even addressing the issue of your data in your home country, with technical support people somewhere else with virtual access to that data.

All in all, for lawyers (and healthcare providers) to be truly comfortable with using SaaS vendors where client information is involved, I believe we’re still several years away from the lawsuits and/or legislation that will have to happen in order to make those professions able to fully enjoy the benefits of a SaaS environment. Until then, I advocate for EXTREMELY strong contract negotiations to appropriately allocate risk based on data access.

Oh, and I think that the NY State Bar Opinion 820-2/08/08 is a little premature in terms of understanding the technology at hand (an obvious discussion of Gmail’s system and Google’s auto-generated content-related advertising mechanisms). The issue isn’t just whether a person has access to the e-mails themselves, but whether the content is determinable by review of the advertising presented to the end-user. I think it’s incredibly short-sighted to think that just because Google promises that (today) no one is reading the text of each message to: 1) believe that they’ll continue not reading tomorrow; and 2) believe that you can’t discern both the client and the subject matter simply by review of the associated advertising.

I suppose it comes down to trust (as I’ve been discussing on <a href="http://www.licensinghandbook.com/2009/08/25/more-on-trust/"my blog today). The truth is that SaaS vendors should have to go above and beyond to prove trustworthiness for this type of data. And they don’t (some would even say won’t).

Thanks, Leigh, for saying better and more succinctly than I was able to do in many paragraphs. You conveyed what I was trying to point out quite well.

Wes: Sorry for the length of my responses – these aren’t easy topics and require some depth of explanation.

SaaS is repackaged distributed computing (around since the 1960s). Centralized apps and storage. The difference is distance and bandwidth. Now we can have these things centralized on one continent and used on another with 100% GUI. So, it’s not new, it’s just the flavor-du-jour of application availability. Of course vendors like this model – they always have – it gives them absolute control over the app AND the data. So I don’t doubt that it will be the delivery method for a long time to come.

Notwithstanding, and respectfully, my issue is that I do not believe that the security and privacy issues have been worked out sufficiently. Let’s go for a period of a few years without a data breach (I’ll even forgive ones due to hackers and only go with those that are due to stupidity). After that, I’ll feel a lot better. I mean really, when was the last time that you heard about some lawyer’s office being ransacked with client files taken? It doesn’t happen that often because it’s hard on multiple levels:

1. Buildings are difficult to locate to know where the data is stored.
2. Files are even harder to find and are usually in additionally-locked cabinets/rooms/etc (or stored off-site completely).
3. PC’s not connected to the internet are a little harder to hack simply from an availability perspective.
4. Online databases are complete representations of ALL of the data. Maybe someone needs to come up with a way to secure individual records inside each database, so even if all of the data is stolen, each record is sealed individually?

SaaS is in many ways analogous to a VAX mainframe, and those have been around longer than I have. I think the debate between SaaS, distributed computing and ASPs is a red herring.

For me, the more critical issues center around the inherent paradox in what we’re trying to achieve with cloud computing solutions – ubiquitous access to centralized data, all with super strict access control. We want to get to our data from anywhere – our desks, cars, vacation spots – and we want it to be protected by military-grade security.

That’s a tall order, but not impossible.

I struggle with imagining (and affording) a workable solution to our demands.

I’m very excited to see what develops in the coming months/years to meet our requirements.

As for portability via XML, I agree that it is cumbersome, but at least I can make sense of it with a plain text reader, which is more than I can say for formats like DOC, XLS, PPT or PST. And most apps can import XML files.

Hello to Niki and all others,

First let me congratulate this great and needed article. In my opinion, the comments are all pertinent also, despite some aparent blurring here and there.

All concerns are understandable and lawyers should not take for granted their concerns are being taken care of by all software vendors.
Lawyers must do their homework and read carefully the Terms of Service, Security Policy and Privacy Policy of the vendor at hand, in order to be sure it’s a company worth their trust – which should never be a blind trust, even then.

The move to web-based software is completely inevitable, and today the security can be as military-grade as ever before, in the “analog world” – or more so.
When the company does apply a high-level of security (servers in datacenters with military-grade protection and bank-grade communication encryption), the main source of insecurity still lays elsewhere, like the use of an uncrypted web-based e-mail service like Hotmail, the password written in a piece of paper in an unlocked drawer or the computer logged on during a coffee break.

As for local copies of all data, they’re a must. But I too believe to have XML is far more critical than other formats, just because it’s an open standard. From Wikipedia: “XML (Extensible Markup Language) is a set of rules for encoding documents electronically”; link: http://en.wikipedia.org/wiki/Xml.

Ah, my xml snippets were eliminated in my post. Alas. If you wanna follow up with me, just send me an email and I’ll explain there.

Great comments folks:

As both a SaaS and traditional secure email vendor myself, I’ve seen both sides of the arguments…and the major stumbling blocks I find (especially with the legal industry), is the lack of education around security (or lack thereof) of email, and the natural struggle between convenience and security.

But agreeing with most comments made so far, we also have to be congizent of the fact that State Privacy laws may dictate what lawyers will have to do. For those of you that are not aware yet, both Nevada and Mass have new Privacy laws that forces business users to encrypt their emails should they contain any Private Identifiable Information (PII). This includes even if the client happens to be in either of those States.

And folks,…the other States are following closely behind.

Nice topic!