Technologist - The FindLaw Legal Technology Blog

Is It Time for a Law Firm Cloud Computing Security Standard?

Cloud computing is becoming increasingly common in the legal world. A recent survey found that 68 percent of corporate legal departments are using cloud-based tools, with 80 percent open to adopting more in the next year. The cloud is becoming increasingly popular among private firms as well, with almost a third of attorneys turning to cloud services for law-related tasks.

But the "cloud" is just a convenient metaphor: your information is really being stored on someone else's computer, raising security and ethics risks for attorneys. To help mitigate those risks, a legal association is proposing new standards for cloud computing security.

Establishing a Reasonable Standard of Care

The new security doctrine is being advanced by the Legal Cloud Computing Association, "an organization whose purpose is to facilitate adoption of cloud computing technology within the legal profession, consistent with the highest standards of professionalism and ethical and legal obligations." Founded in 2010, the LCAA pushes for greater adoption of cloud computing in the legal industry and works to define industry standards and best practices.

Part of that means establishing a "reasonable standard of care." As Clio CEO Jack Newton notes in Legaltech News, that's the standard cited in pretty much every ethics opinion to address attorney cloud computing. But those opinions all leave it to the lawyer to determine what that standard is. LCCA's new security guidelines do much of the security work lawyers would otherwise have to figure out on their own.

21 New Standards for Your Cloud Security Needs

The 21 standards are broad in scope, covering everything from the location of data to user tracking to data recovery in case of natural disasters. For example, in terms of encryption, the LCCA standards state that LCCA SaaS providers should "maintain data encryption protocols" covering both data stored at the data center and data transmitted to and from the center. When it comes to data breaches, the standards require provider to notify users in accordance to a "clearly stated" policy covering time and notification method.

For lawyers turning to the cloud, the new guidelines should provide a bit of direct and reassurance.

Related Resources: