Safe in the Cloud? Online Service Risks Need Care and Coverage
Document security, always a law practice issue, has come to the forefront as law firms and their clients consider using online-based software for business uses. Most often called cloud computing or software as a service, the process involves using the Internet to access useful applications. Rather than purchasing and installing the necessary software for a firm’s private computer system, users upload information onto the Internet—“the cloud”—where it is stored with a software service.
“Certain levels of security will depend on the company you are dealing with and on the underlying cloud provider,” says Arlen Tanner, an attorney at Shook, Hardy & Bacon in Kansas City, Mo., who specializes in business records management. “Most cloud-based services are small startup companies leasing space on a large cloud, such as from Google, Amazon, Microsoft or IBM. Cloud service providers like Dropbox, for example, store your data on storage they lease from a major cloud provider.”
Dropbox, an online document-sharing service growing popular with law firms, suffered a problem this year. In June, a “programmer’s error had enabled any password to access any Dropbox site,” Tanner says. “While Dropbox stated it fixed the problem, if an internal programmer’s error could create that vulnerability, a disgruntled insider or one with an agenda could do similar damage to data stored for a law firm using a service like Dropbox.”
SUIT DANGER
Lawyers whose security measures prove inadequate for protecting client confidences are vulnerable to malpractice lawsuits. Liability depends on whether a lawyer has reasonable practices in place to protect against a breach of client confidences.
A firm’s current malpractice insurance coverage for “errors and omission could cover some aspects of damages arising from a data breach depending on the factual circumstances, but it most likely doesn’t cover the type of expenses that can arise in the aftermath,” says Brant Weidner, a claims manager for Beazley Group in Chicago, a Lloyd’s of London syndicate offering lawyers’ professional liability insurance, including specialty lines for cyber- and data-related losses. “The fixes that clients demand or the law requires when a breach occurs are very specific and expensive.”
Weidner advises asking insurers what losses are covered for cyberattacks. “Lawyers should have coverage specifically designed to deal with the losses that can arise in the event of a data breach: That means notifying clients that data has been disclosed, credit monitoring if necessary, and hiring a computer security expert to figure out why there was a breach. There is also the possibility of civil fines for violations. All of these costs can have not only financial but also professional consequences,” he says.
“Beyond the costs,” Weidner says, “firms also need to consider whether they have exercised reasonable care, and they need to know what reasonable care looks like.”
Weidner recommends that law firms ensure that their IT person works closely with a firm lawyer who understands the ethical guidance on what constitutes reasonable care in this arena. If the lawyer doubles as the IT person, carefully review the firm’s professional liability coverage contract and the jurisdiction’s reasonable standards. If no such standards exist for a given jurisdiction, firms would be prudent to follow the guidance of jurisdictions that have adopted standards.
“Delegation of responsibility for this analysis to a vendor or an IT person isn’t best practice,” Weidner says.
CHANGE MAY COME
Tanner expects that other insurers will watch to see what happens. “If firms and other companies start buying policies with few big claims filed, then more insurers will offer coverage.”
For best “in the cloud” practices, Tanner suggests researching both the service provider and the company leasing the space to determine whether the underlying cloud is stable. “Then encrypt your own data,” he says. “Adding your own encryption to data gives another layer of security, especially from internal risks. … The service’s on-site encryption is intended to prevent outsiders from getting to your data, but the internal IT staffers have access to the site’s encryption key files. By adding your second layer of encryption, you have more control over who can access your data.”
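An added illustration of the layering Tanner describes (example code, not from the article or any cloud provider): the firm encrypts with a key it alone holds before upload, so a staffer holding the service's key recovers only ciphertext. The key names and the sample memo are constructed, and the service's own at-rest encryption is modelled here with the same AES-256-GCM routine.

```javascript
const crypto = require("crypto");

// AES-256-GCM seal: returns nonce || tag || ciphertext as one Buffer.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverse of seal(); throws if the key is wrong or the blob was altered.
function open(key, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Constructed sample keys and data (hypothetical names, assumptions of this example).
const firmKey = crypto.randomBytes(32);     // generated and kept by the firm, never uploaded
const providerKey = crypto.randomBytes(32); // held by the service; its IT staff can read it
const memo = Buffer.from("Privileged: settlement strategy memo (constructed sample)");

// What ends up on the service's disks after an upload.
function storeInCloud(doc) {
  const uploaded = seal(firmKey, doc);   // firm's layer, applied before upload
  return seal(providerKey, uploaded);    // service's own at-rest layer
}

// An insider with the provider key can peel off only the service's layer.
function insiderView(atRest) {
  return open(providerKey, atRest);
}

// The firm removes its own layer after download to recover the document.
function firmDownload(atRest) {
  return open(firmKey, insiderView(atRest));
}

// Can the holder of `key` read the document once the service's layer is removed?
function canReadWith(key, atRest) {
  try { open(key, insiderView(atRest)); return true; } catch { return false; }
}
```

The added protection lasts only as long as the firm's key stays off the service, so the key should not be stored alongside the uploaded files.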
But amending contracts so liability is solely borne by the service provider brings difficulties.
“Most big cloud providers are limited as to how much they will change contractually because law firms are small potatoes for them,” says Tanner. “Even if the cloud company is willing to change the contract … the underlying provider may not be willing to make contractual adjustments unless you are a huge customer.”
While cloud computing involves a real risk, it may be a risk that’s unavoidable.
“Cloud computing is here now, and is the future; we just have to learn how to manage risks,” Tanner says.
Susan A. Berson is a partner with the Banking & Tax Law Group of Leawood, Kan. An author of several finance books for lawyers, she may be reached at [email protected].