That may sound like a lot of cloud use, but in fact, many law firms and legal departments don't even know how many cloud apps are being used. New cloud apps, such as file-sharing tools, show up almost monthly, even daily, creating a whack-a-mole mentality where IT security staff must shut down unauthorized apps when they pop up.
The average organization uses 1,154 cloud services to upload 5.6 terabytes of data each month, according to cloud-access security broker Skyhigh Networks.
"It's happening too fast," says technologist-turned-attorney David Ray, director of information governance at Consilio, where he leads the privacy and protection consulting practice. Some 20 percent of survey respondents say they "rarely or never address" rogue cloud apps because they don't even know they're there, he adds.
Third-party cloud providers can also slow down incident response planning during data breach investigations, says David Navetta, partner and co-chair of data protection, privacy and cybersecurity at Norton Rose Fulbright US LLP. "You can't do what you would do in your own environment, such as take images of machines and get logs and react quickly. A cloud provider may worry about their own liability or may not want you to take an image of a virtualized machine that could expose all their clients' data."
Then there are the compliance and regulatory requirements that legal counsel must adhere to while employees are sending information to unauthorized cloud apps.
Making a case for the cloud
Cloud apps and services can offer many benefits to legal departments and law firms, Overly says. "You may end up with better security, lower costs and greater accessibility for your attorneys" through mobile apps, he adds. Legal professionals and cloud services can peacefully co-exist if they can find the right balance.
Build a data roadmap
Start by understanding what data you have across the enterprise and how people are using it, Ray says. It can be a costly process to build out that type of data road map, but it will uncover most of the rogue cloud use. Next, let employees know where they can and can't put data - and which cloud services are approved.
Strip identifiers or keep data grounded
Navetta works with clients on de-identification and data minimization strategies in the cloud.
"Can we strip certain identifiers from data and still have it be useful, so if data was breached it wouldn't cause as much of a concern or trigger obligations or litigation? We also ask, does something really need to be in the cloud? Can we get the benefits of the cloud while minimizing our risk significantly without undermining [the benefits]?"
Encrypt data before it hits the cloud