What lawyers and partners need to know about cloud-based legal software before implementing it in their practices.
The term “cloud” can be confusing. The notion of cloud computing might conjure up a sense of some nebulous entity out in the ether, accessible by anyone at any time. Or it might be conflated with peer-to-peer filesharing networks and hacking.
But the truth of what the cloud is and how it works isn’t anywhere near as exotic, mysterious, or controversial as some might think. Cloud computing and cloud-based data storage is a longstanding practice in businesses of all kinds; it’s so ubiquitous that your law firm might even be using cloud solutions right now and not even know it.
So what exactly is “the cloud”? What do law firms need to know about how it works? And is “the cloud” actually secure enough to store your law firm’s most sensitive documents?
Let’s explore these questions in a common-sense, plain-language way that takes into consideration the legal industry’s unique privacy and data security needs.
At its core, “cloud storage” is just another term for off-site data storage. And unless your law firm has its own on-site data server in your office, then you’re probably already using off-site data storage.
Unless you’ve changed some fairly advanced settings, every email you send is probably stored off-site at your Internet service provider’s office. If your law firm has a website, that website and all of the data associated with it is stored on an off-site server as well. And if you’ve ever done case research in LexisNexis, you’ve used cloud-based software. Your law firm is already using “the cloud”; you just may not have known it.
“The cloud” isn’t some murky, shapeless void in the sky hanging just out of reach. The term “cloud” refers to any kind of data files or pieces of software that are hosted on an off-site server and accessed through an Internet browser or computer program.
Cloud-based software consists of three major components:
When you register for cloud-based software, your computer receives a key (in the form of a username and password) that you use to unlock the connection to the host computer and access the software and/or data. Logging out of the software locks the connection to the host computer again.
The host computer that stores your data is usually located in a data center — a warehouse full of computers — operated or leased by the software provider.
The only significant technical difference between cloud computing and local computing is the location of the data you are accessing.
The term “cloud” is often used colloquially in a way that can imply all cloud-based software lives in the same place. But this isn’t an accurate description of how cloud-based software works. Instead, software providers lease server space at data centers operated by cloud services providers like Microsoft, Amazon, Google, and IBM. The data you send through these cloud-based services is then hosted by these companies.
Appara, for instance, is built on the Microsoft Azure platform and securely hosts data at two of Microsoft’s Canadian data centers. When you access Appara through your web browser, your data is transmitted from your computer to Microsoft’s data servers. The platform we use, Microsoft Azure, has been independently certified to meet several data security standards, including the SOC 1, SOC 2, PCI-DSS, and EU-US Privacy Shield standards.
Canadian law firms have unique data security needs. In provinces like Ontario, where the Law Society has been granted the authority to regulate law firms as well as individual legal professionals; lawyers and paralegals owe clients a duty of care regarding sensitive client information. In Ontario, Rule 3.3 of the Rules of Professional Conduct states that lawyers and paralegals must maintain the confidentiality of client information regardless of where that information is stored.
In other industries, a security breach is a PR scandal or fuel for a lawsuit; in law, a security breach is both of these things and possible grounds for regulatory action.
So: Is the cloud secure enough for law firms?
The short answer is, “yes, if certain conditions are met.”
The slightly longer answer is that no two cloud software solutions are exactly the same, and it’s important to understand how different providers treat your data.
Some cloud software is secure enough for government use (the Government of Canada began laying the groundwork for a cloud-first software strategy in 2014), while other cloud software is unsuitable even for consumers.
All software has potential vulnerabilities, cloud-based or not; but that isn’t a reason to not use any software whatsoever. What determines whether or not cloud software is secure are the security protocols your software provider has put in place.
That’s why all cloud-based software cannot be painted with the same brush; every software provider is going to have slightly different security features and protocols, and each different piece of software will have its own strategy for addressing potential or actual vulnerabilities.
If your law firm has thoroughly vetted your software vendors and verified their security credentials and certifications, then the cloud is plenty secure. The best and most reputable providers will freely volunteer information about their security protocols and certifications.
For example, Appara’s software has been independently audited by a third party for compliance with the International Organization for Standardization’s ISO/IEC 27001:2013 Information Security Management Standards and ISO/IEC 27018:2014 Code of Practice for Protecting Personal Data in the Cloud. (ISO is a global independent non-governmental organization that was founded in 1947 and publishes technical standards for over 24,000 products and services). Our product undergoes annual security audits to maintain our ISO security certification; Appara is the only legal records management software on the market with ISO security accreditation.
But it isn’t just enough to consider digital security. Physical security breaches can cause as much trouble as digital ones, if not more so. Hackers don’t always use Internet connections to access systems remotely; sometimes, they use physical infiltration methods to gain in-person access to a server.
If your law firm were to have an on-site server in your office, you and your team would be responsible for ensuring its physical security and monitoring for unauthorized access. That means installing video cameras. It means hiring security personnel to sit outside your server room 24 hours a day, 7 days a week. It means buying highly specialized and expensive security equipment, like a Faraday cage — a cage made of electroconductive metal that blocks incoming and outgoing signals. If your organization isn’t prepared to spend time and money procuring these and other solutions, then your on-site server will never be as secure as a professionally-operated data center.
One of the strengths of cloud computing is that providers’ on-site physical security measures are among the most stringent anywhere. Large technology companies like Microsoft and Amazon have the resources and the know-how to police their data centers 24/7 and to implement a wide array of security protocols that a law firm can only dream of.
The bottom line? Unless your firm can match Microsoft or Amazon’s security budget, cloud computing will always be more secure than storing sensitive data on-site.
Most reputable cloud-based software already have a full suite of robust, enterprise-level security safeguards in place to prevent unauthorized access. You can greatly increase your firm’s data security by understanding which security measures to look for in a provider.
First, always look for a provider with ISO security accreditation.
Second, always investigate what other security credentials your software provider has gone to the effort of obtaining — and what security practices they use to keep your data secure. Appara, for instance, works with leading cybersecurity experts to conduct regular penetration testing.
(In layman’s terms: We hire white-hat “good guy” hackers to identify and then fix the weak points in our armor, before the black-hat “bad guy” hackers ever have the chance to attack.)
Finally, ask your provider what kind of Internet security training and security-oriented HR policies their employees are subject to. At Appara, company-wide personal electronic device policies, office access policies, criminal background checks, and an ongoing Security Awareness Training program are in place to reduce the likelihood of a human-caused security breach.
There are also several steps your firm can take as a software user that will increase cloud security even further. We discussed some of these steps in a previous article on the Appara blog, but as a brief refresher, you should ensure your team knows to:
Cloud-based software offers several key advantages for law firms:
It enables your team to work remotely, which makes you a more attractive employer to new job applicants. The 2021 labour shortage means today’s firms are struggling to attract new hires. This is a reversal of fortunes from the 2007 recession; today, it’s job applicants who hold the power. It’s job applicants who are calling the shots. Implementing a cloud-based records management and collaboration solution can enable your firm to offer remote working arrangements, which might be the key to landing talented new hires before your competitors do.
Cloud software also enables you to instantly create automatic off-site backups of all of your important data, with little to no effort on your part. With a cloud-based records management solution, your records are kept safe and secure in a remote data center. That means they cannot be damaged, stolen, or lost in the event of a break-in at your office, a fire or flood, or a catastrophic computer failure (i.e. “Blue Screen of Death”).
Cloud-based software solutions can seem intimidating if you’ve never used them before. But “the cloud” is much more secure than most people think, and it offers several key advantages for law firms that want to stay competitive. With a cloud-based records management system, your firm can enjoy a variety of benefits like the ability to offer remote work arrangements to your team, instant data backups, and more effective communication and collaboration with clients and other stakeholders.
Want to know how Appara’s cloud-based record-keeping software can save your firm time and money? Check out our case studies to learn more.
Engaging insights and the latest news, designed for legal professionals.