Legal professionals have grown increasingly reliant on external partners and vendors to support their practice. Whether it is an e-Discovery firm, an LPO firm, or the most recent craze, a legal cloud services firm, lawyers are finding cost-effective and readily available partners to help them improve efficiency and increase value. Cloud computing’s quickly rising popularity should come as no surprise as it offers a number of clearly compelling value propositions which can both reduce cost and increase productivity.
But cloud computing, just like any type of computing platform, can introduce serious security risks when not appropriately designed and managed. The efficiency benefits of cloud computing do not eliminate the need for high security and confidentiality. Lawyers must avoid exposing client data to unacceptable risk or inadvertent disclosure, and to do so, lawyers must select their vendors carefully.
The ABA and many state bars have agreed, providing opinions stating that lawyers can generally use cloud services as long as they perform the appropriate security due diligence (an exception is the consent recommendation in Mass. Bar Opinion 12-03). However, the guidance on what constitutes the appropriate level of diligence is often still vague. The detailed guidance that is provided calls for a level of security knowledge not typically held by legal professionals. As a result, many lawyers are not able to perform an accurate assessment of the risk posed by many cloud services.
To help lawyers meet their ethical obligations, here are three questions people without technical backgrounds can use to evaluate a vendor’s attitude towards security. These questions aren’t a substitute for a more thorough evaluation, but the quality and completeness of a vendor’s answers will often shed light on the extent to which they have invested in security.
How do the security features of your service offering demonstrate an understanding of a lawyer’s professional responsibility to preserve the confidentiality of client information?
What a bad answer might look like: If, when questioned about the security of a product, a vendor’s response includes “Yes, we use SSL” or anything else centered on SSL, you are most likely talking to a salesperson who knows less about security than you do. Citing SSL in response to a general question about security is like asking about the advanced anti-theft features a luxury sedan offers and being told that its windows can be rolled up and its doors locked. Every legal service should have SSL on its website; it only protects data while it travels between your browser and the vendor, not while the vendor stores or processes it. The more telling question to ask is what additional security measures the vendor takes beyond SSL. If they can’t provide any more specifics, be wary: there may not be much investment in protecting data.
What you hope to hear: You want to hear from the vendor that they understand the stringent confidentiality requirements lawyers face and have dedicated resources to implementing security as a core feature of their service at every layer. A representative should be able to provide details that demonstrate a substantial investment in security (or put you in contact with someone who can). Some examples might include dedicated security personnel on staff, compliance with a security standard such as PCI-DSS or HIPAA, or a third-party security assessment report which evaluated the vendor’s overall security and validated it against a respected external standard. If all they can provide are detailed technical descriptions that you are unable to understand, ask for something in writing and then find a technical resource who can help evaluate the strength of the vendor’s security claims.
Who is responsible for security in your organization?
Assigning responsibility and authority will help ensure there is accountability and motivation to implement security. A vendor claiming to have a strong commitment to security should be able to explain how security is managed in its organization and what group or individual is responsible. A related question is to ask how security is budgeted within the organization, as IT is often unable to implement desired security controls due to lack of funding.
What a bad answer might sound like: If you are told “everyone is responsible for security” then that probably really means that no one is responsible or accountable within the organization. As a result, you will most likely receive “personality based security” where each employee’s attitude and aptitude will determine the security of his/her part of a product. For example, the software developer may have a strong security background but the systems administrator may not, meaning part of the application could be very secure while other portions are less secure. If no one is advocating to budget for necessary security investments, you may also receive “whatever-comes-free security” which is often inadequate to meet the confidentiality requirements of lawyers storing client data.
What you hope to hear: You hope to hear that they have assigned security responsibilities to someone who understands security and has budget authority within the organization. This will ensure that standard best practices are implemented and that security problems are raised to an appropriate level within the organization. Not every available security investment needs to be made, but you want to ensure that security issues are evaluated in a risk-based manner and that unacceptable risks will be addressed through investment.
Can you provide a complete list of all individuals and entities that will have the ability to view my data?
A growing challenge in validating vendor security stems from increased use of subcontractors. One vendor may outsource aspects of its services to several other vendors, each of which in turn uses another set of vendors. The chain of vendors involved in any given service can quickly grow quite long and may be largely opaque to the customer purchasing the service. Unfortunately, each company in the chain may have the ability to review your data. As we saw in our Dropbox analysis, you often consent to the use of subcontractors as part of the terms of service or privacy policy.
A Veracode security expert cited this as the problem in a recent McDonald's customer data breach: “In McDonald's case, they outsourced the management of their customer data to a service provider who, in turn, outsourced it to another provider. It is unlikely that McDonald's did their security due diligence for the first provider, let alone the second.”
There is nothing inherently wrong with a vendor choosing to use partners and subcontract out aspects of the service provided the vendor has also done its due diligence on everyone with access to your data. To prove that this diligence has been performed, the vendor should be able to justify their choice of partners and explain how those partners were validated. Ultimately, we agree with the advice from Veracode: "It is important that businesses make sure their service providers have at least as good security protections around customer data as [the businesses themselves would have] and disallow further outsourcing unless the secondary outsourcer is vetted to the same degree."
What a bad answer might sound like: If they cannot tell you who will have access to your data, they may not know themselves. They may also know who has access to the data but not be able to describe how they validated the security of those vendors.
What you hope to hear: The vendor should ensure that any access to your data is necessary for service operations and minimized both internally and within any third party entities involved. All reasons for access should be clearly set out in the privacy policy. Access to customer data should be recorded in a manner that provides accountability in the event any one individual disregards policy. The vendor should also be confident in the security of every partner who will have access to your data and be able to explain how they validated that security and demonstrate that the partner has a legally enforceable obligation to provide such security.
Security decisions are rarely black and white, and just because a vendor can’t answer each of the questions above perfectly does not mean that you should immediately look elsewhere. The most important thing is to start a dialogue with the vendor and make sure they understand your security requirements and accept responsibility for meeting them. If law firms insist on a common set of security requirements, interested vendors will have every incentive to invest in and implement the appropriate level of security. I would prefer that all vendors maintain a high level of security and compete only on other items like functionality and user experience. We aren’t there yet. For now, lawyers and their law firms must ask questions and refuse to engage with vendors whose “high security” consists only of claims about military-grade SSL and secure datacenters.
[Editor's note: Minor language improvements made 9/13/2012]