Storing data on remote servers in a vendor's data center and accessing it via the Internet through various forms of "cloud computing" or Software as a Service (SaaS) can be a cost-effective solution for companies that don't want to invest in their own technical infrastructure. A SaaS vendor owns and maintains the infrastructure while the customer pays a periodic fee for that use.
But critics concerned about the security of data stored in vendors' data centers have thrown a curve ball at the North Carolina Bar's attempt to establish an ethical roadmap for attorneys interested in employing SaaS solutions. The setback comes even as the popularity of cloud computing grows.
Cloud-based vendor Mimecast released a survey in July, revealing that 51 percent of U.S. and U.K. organizations surveyed are now using some form of cloud computing service. Of those businesses using these services, 74 percent say that cloud computing has alleviated internal resource pressures, and 72 percent report an improved end-user experience, according to the survey.
But security holes in some systems make them vulnerable to cyber attacks and well-publicized online data breaches continue to occur periodically. Security flaws have raised questions about the ethics of storing clients' information in the cloud, given a lawyer's obligation to protect confidential client information from disclosure.
Addressing questions on this point, the Ethics Committee of the North Carolina State Bar in April published for comment a proposed, first-of-its-kind ethical opinion that would give lawyers in that state the green light to employ cloud computing solutions, while suggesting the importance of due diligence in hiring a vendor. It also provides an extensive set of questions that corporate law departments nationwide can adopt to determine if they've exercised due diligence.Many legal technology experts heralded the proposed opinion for providing guidance on the evaluation of SaaS vendors while opening the door to using the cost saving technology. But after receiving comments questioning the security of SaaS-based solutions, the committee in July decided to re-evaluate its position.
In its proposed opinion, the Ethics Committee concludes that lawyers "may contract with a SaaS vendor, provided the risks that confidential client information may be disclosed or lost are effectively minimized."
An accompanying proposed opinion provides a roadmap for effectively protecting against the risk of a data breach when contracting with a SaaS vendor. It lists 23 questions that "a lawyer should be able to answer sufficiently to conclude that the risk has been minimized." The questions examine whether the SaaS vendor has satisfactorily addressed the security issues implicit in cloud computing and whether the lawyers have probed sufficiently into the security systems.
The questions include whether the agreement with the vendor addresses confidentiality, how the data is protected and who has access to the data.
After meeting again in July, the ethics committee sent the proposed opinion to a subcommittee to study based on some comments received about the security of SaaS, according to Alice Mine, assistant executive director and ethics counsel of the North Carolina Bar. "The subcommittee was instructed to obtain input from IT-savvy lawyers about the security of confidential client information when a law firm uses SaaS," Mine says.
Among the comments published on the state bar website is one from a South Carolina bank network/LAN administrator who wrote about problems with a large SaaS provider. "They were SAS 70 certified and had a major security breach. ... [We] had a lot of explaining to do to our customers. [Some] cloud lovers assume, 'Since they're big, they're safe.'"
The subcommittee will study not only the "best practices" part of the opinion but also whether there is such a substantial risk to confidential client info that the proposed opinion should be changed to prohibit use of SaaS. "I do not think that the bar should dictate a particular mode for handling client information," Mine says. The subcommittee will make a recommendation to the full ethics committee at a meeting in October.
Cloud vendors contacted said they support the proposed ethics opinion and already take extensive steps to secure customer data.
Such companies now commonly complete a SAS 70 Level II security certification, providing a security report to clients based on the accepted auditing standard. The North Carolina Ethics Committee recommendations go a bit further in suggesting that a potential SaaS customer obtain a copy of a vendor's security audits.
"Plainly, the better practice is to obtain the audit," says Wayne Matus, a partner at Pillsbury Winthrop Shaw Pittman. If the vendor will not release the audit, Matus recommends learning as much as you can, "such as who conducted the audit, what did it find specifically as to weaknesses, the methodology, and what was excluded and included in the scope."
The North Carolina proposal recommends additional evaluation including inquiring about firewalls, encryption techniques, socket security features and intrusion-detection systems. And some experts suggest that this level of diligent inquiry be an ongoing process.
"Ensuring data security doesn't end after the initial due diligence review," says Jeff Davis, a shareholder at Vedder Price. He recommends regular professional reviews of vendor data security procedures.
Several SaaS providers said they are aware of customer concerns and provide extensive security information to current and potential customers.
CT TyMetrix, for example, "provides details of its security program, system security and audit results to prospective and current customers signing a NDA [nondisclosure agreement]," according to David Gardner, chief technology officer.
Sarah Brown, communications manager for Exterro, says her company provides similar information to clients and prospects. Exterro also offers a training and implementation program to ensure users know how to get data into and out of the system securely, she says.
Not all legal technology companies use SaaS, however, and they contend they can, as a result, offer a higher level of security. For example, Rashad Porter, product strategy and services manager of DataCert, says his company, which maintains a non-SaaS hosting model, can offer a higher degree of data security by continuing to maintain individual firewalls for its customers rather than sharing databases, common with some SaaS solutions.
But George Tziahanas, vice president-compliance for cloud service provider Autonomy, says his company doesn't share customer databases. Autonomy provides specific data center locations for its customers as well as a backup data center for each client at least 500 miles away from its primary data center.
"Our clients don't have to think 'It's 5 o'clock. Where is my data?'" says Deborah Baron, vice president, legal and information governance for Autonomy.