Lets be honest, many people were completely shocked by the revelations from Edward Snowden’s release of classified NSA documents last year about the width and breadth of the NSA’s spying. Unless you had seen the Will Smith movie Enemy of the State. From 1997. Which basically was a movie about how the NSA did EXACTLY what Edward Snowden said they did. And that movie came out before things like the Patriot Act.
Amazingly, people were still shocked, shocked I say, to discover that the NSA was spying on, well… everyone.
Newsflash: electronic data is not totally secure. Never will be. If you are able to access the information, someone else can too. It’s pretty basic. That’s why I was so surprised to read this article from the Lawyerist, by one of my favorite legal bloggers, Sam Glover, discussing how he’s re-thinking his use of the cloud for his legal files. In other words, he’s “shocked, shocked I say” to learn that the cloud isn’t totally secure.
Sam talks at length about ways that attorneys can use various cloud-based systems to accomplish particular tasks, such as email communication, calendar and to-do list updates, and document storage, while maintaining some security. He also talks about which of these items are more or less appropriate for cloud-based systems. Yet, at the end, he still says that although he’s not abandoning the cloud for his law practice (that he decided would be his default storage only a year ago), but he’s only using it for things he absolutely needs to.
I want to be clear, I’m not criticizing Sam’s decision. What puzzles me is the logic behind first, his decision to put everything in the cloud, and second, to largely abandon the cloud based on security flaws exposed by the Snowden leaks. Like many people in our profession do, Sam innocently presumed use of cloud-based services to be considerably more secure than even their developers would suggest. Then, upon learning that cloud-based services are just as secure as other digital systems, he overreacts.
Cloud-based security is a balance between convenience and strength.
Just like everything else in the history of all things, the more convenient something is, the less secure it is. Why would this not be the case with cloud-based storage systems? Particularly systems that rely on the same single-factor authentication systems as your email or credit cards. I really don’t understand where this utopian vision of digital storage came from.
Despite his new revelation, Sam does an excellent job of identifying some excellent ways to keep your law firm as secure as possible when performing certain tasks. The trouble is, due to many attorneys’ ability to pretend everything they’re using is secure until it’s proven not to be, these tools should have been utilized in the first place! As I discuss in another article, seriously, why aren’t you encrypting everything?
The Snowden Revelations mean very little to your use of cloud-based systems.
As an attorney, one of your greatest ethical concerns is keeping your client’s confidential information protected. Every state has adopted some form of the ABA Model Rule that says attorneys must take reasonable steps to keep that information protected (California, which does not follow the Model Rules, still has a very similar one).
Does that mean that you have to make sure your client data is locked up tighter than Fort Knox? Of course not. Just as with everything else, attorneys need to balance the need for client information to be convenient enough for regular use while being secure. It’s unlikely that an attorney would be in ethical trouble if a client’s were stolen from the attorney’s office one night, unless the attorney had no door locks or other security measures.
The exact same logic needs to be utilized concerning the Snowden Revelations. While attorneys should be concerned that the NSA is so vastly overreaching their authority, it has little impact on the practice of law. No judge is going to admit privileged communications into evidence simply because the NSA’s hacking program allowed them access to the secure emails. It also seems unfathomable that an ethics charge would stick if Dropbox allowed the NSA access to an attorney’s files without disclosing the access (as may be happening).
More importantly, looking at the NSA may be taking your attention from the true threats. A recent survey of top IT professionals conducted by PC World found that only 5% considered government-initiated hacking as their top security threat. 56% listed external, non-government hackers, and just over 30% listed unintentional leaks by employees as the top threat.
Secure wisely, react proportionally
The best way to guard against an overreaction is to have a better understanding of the situation up-front. No attorney who was aware of the federal government’s spying capabilities (which should have been all of us, in case you missed my first paragraph) should have been surprised that it was being used. More importantly, no attorney should have been relying on cloud-based digital storage and email systems without understanding how secure they actually are.
I have a lot of respect for Sam Glover, and I absolutely love the Lawyerist. However, in this case, I’m genuinely shocked, shocked I say, that he really thought the cloud was totally secure.
Pingback: The Anthem Hack: 5 Critical Lessons for Your Law Firm()