Law Firms Transitioning to The Cloud: Answering Concerns About Security and Compliance

Everlaw understands how essential it is for law firms to keep data and documents secure. We’re often asked about the security of working with an ediscovery vendor in the cloud. We make the discovery process more efficient, and we want our customers to feel confident in the cloud.

Here are answers to the 5 most frequent concerns:

1. Why use the cloud when our internal infrastructure is more secure?

As the saying goes, control doesn’t imply security. In fact, contrary to common belief, the cloud is generally more secure than internal IT. Securing IT requires budget, bandwidth, and experience that few firms possess—a point driven home by a recent cluster of breaches at Am Law 100 firms. Instead of diverting energy away from pursuing cases and serving clients, consider auditing vendor systems against your own security standards. Web applications are often hosted on public cloud service providers with dedicated security resources that are hard, if not impossible, to match in-house.

2. Isn’t a firewall the most secure option against external threats?

A firewall is just one part of a strong security posture. The best firewall can be compromised by new exploits and human error from within. According to IBM’s 2017 X-Force Threat Intelligence Index, 60% of all attacks on the finance industry and 71% of those on the healthcare industry were carried out by insiders—most maliciously, but many inadvertently. The reality is that internal security measures may be far less secure than those of dedicated third-party cloud services.

3. Is it risky to expose client data on devices that are not owned by our company?

Keeping data in the cloud is actually one of the best ways to minimize risk. On a true cloud platform, once you log out, nothing is left on your device to get stolen. The trouble comes with ediscovery technology that claims to run in the cloud but in practice encourages you to download data to get around compatibility issues, view documents in native format, or just get easier access to your work. The important thing to look for is a platform that makes data securely accessible anywhere, that provides in-platform viewers for all kinds of data types, including Excel, audio and video (so you don’t have to download files), and that makes controls and access rights easy to manage. It should also provide two-factor authentication to ensure thieves can’t log in with stored credentials. Mobile device management software, like Google Mobile Management Security, and BYOD policies requiring screen locks can provide an extra layer of security.

4. Given the sensitivity of data exposed in litigation, how can we safely share that data with a third party?

When reviewing platform options for your litigation team, you may refer to one of the national and/or international certifying bodies whose standards are accepted for information and data security. Two industry-leading options are a SOC 2 Type II certification and an ISO 27001 certification from an accredited provider. These demonstrate that an independent party has reviewed the security infrastructure and determined that it complies with the selected framework. These certifications are voluntary, which means the vendor has opted in and exposed its security practices and procedures to third-party review. You should also verify that the certification applies to the vendor itself, not just its cloud provider. Many vendors point to their providers’ certifications as evidence of strong security without addressing the security of their own IT systems, where sensitive information like NDAs and contracts may be stored.

It is also important to determine whether the vendor complies with the regulations that govern any regulated information in the matter, such as protected health information (PHI) under HIPAA. If you are dealing with PHI, you will need to execute a Business Associate Agreement (BAA) with the vendor, and you should obtain its assurance that it complies with the HIPAA Security and Privacy Rules. While there is no HIPAA certification recognized by the U.S. Department of Health & Human Services (HHS), security-savvy vendors complete either a HIPAA self-evaluation or invite a third party to complete a HIPAA compliance evaluation.

5. What questions should we be asking to determine whether a cloud provider is secure?

Ask these questions of any outside vendor:

  • What are the vendor’s policies and procedures on information security? Does the vendor perform security risk assessments to identify and measure risks, and if so, how often?
  • Does the vendor have a dedicated team responsible for information security and compliance?
  • Does the vendor enforce use of strong multifactor authentication (MFA/2FA) for all elevated or privileged administrator accounts?
  • What are the vendor’s practices for third-party auditing, vulnerability scanning, and penetration testing?
  • How does the vendor encrypt data at rest and in transit, and what kinds of controls and processes does it have in place for intrusion detection, monitoring, and threat detection?
  • How does the vendor delete client data?
  • How does the vendor respond to security incidents, and how does it work with clients if an incident occurs?