Legal professionals are by their nature a skeptical and cautious lot, but the sharp rise in cloud-based applications being used by enterprises and law firms, as well as recent high-profile law firm security breaches, has many legal professionals reticent about entering cloud engagements.
"The buck stops with the lawyer," says Michael R. Overly, a partner and intellectual property lawyer focusing on technology at Foley & Lardner LLP in Los Angeles. "You're trusting the [cloud provider] with how they manage security," and yet their contract language excuses them from almost all responsibility if a security or confidentiality breach occurs, he says. "One can't simply go to clients or the state bar association and say the third party caused a breach, so it's really not our responsibility."
This year's high-profile breaches at Panamanian law firm Mossack Fonseca and New York-basedCravath Swaine & Moore have raised alert levels even higher. Law firms and legal departments have been warned by the Federal Bureau of Investigation that cyber thieves consider them low-hanging fruit from a risk perspective because of their potential treasure troves of trade secrets and undisclosed deal information that could be exploited.
"The balance that was struck even a year ago that would have been appropriate as to 'reasonable security' I think is no longer a reasonable balance," Overly says. "It has to be tilted a little more, further toward security than usability."
Many legal professionals share Overly's concern. Some 64 percent of legal technology professionals surveyed by Consilio, a global eDiscovery and document service, cited "inadvertent disclosure of sensitive data" as the biggest risk of using cloud-based applications. At the same time, more than half of respondents at law firms and in-house law departments revealed that workplace data stored on cloud applications is "often" or "almost always" considered in legal or investigatory matters, so knowing what information is in the cloud and how it's being secured is a real challenge.
Legal professionals surveyed also cited intellectual property theft (39 percent), regulatory compliance failures (26 percent) and inability to adequately identify relevant data for eDiscovery (25 percent) as concerns with cloud applications.
At the same time, cloud-use has outpaced the risk and compliance measures needed to adequately manage risks for the protection of intellectual property, compliance, data privacy, records retention, among others, according to Consilio.
A Ponemon Institute survey estimates that every 1 percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach. An organization using 100 cloud services, for instance, would need to add 25 more to increase the likelihood of a data breach by 75%.
Sign up for CIO Asia eNewsletters.