Confidentiality and Consumer Cloud Services Used in the Practice of Law
The following was forwarded by John Denney from Bench & Bar, LLC (which has a very interesting Jury Selection App; we will be reviewing it). Thanks, John.
The term “Cloud” storage is not new; “cloud” is a re-branding of the Web to emphasize offsite storage of information. This re-branding of the Internet began approximately in 2006 when large companies such as Google and Amazon began using “cloud computing” and “cloud storage” to describe the technological environment in which people access software and files over the internet instead of on their desktops or company servers.
There are many options for lawyers and law firms to make use of the “cloud.” For example, several companies, including Clio, Amicus Attorney, and MyCase, offer “cloud-based” SaaS (software as a service) practice management solutions. Additionally, there are several popular “cloud” services, such as Dropbox, Box, Google Drive, and Microsoft SkyDrive, that store and synchronize files across multiple devices (smartphones, tablets, and computers) and across multiple platforms (iOS, Android, Windows, and Mac). The popularity of services such as Dropbox continues to grow with the proliferation of iPhones and iPads. Because iPhones and iPads have no USB connectivity to storage devices such as thumb drives, services such as Dropbox have become an indispensable means of transferring and accessing files on iDevices. Moreover, many popular apps allow the user to link the app to Dropbox and other “cloud” storage accounts.
State bar associations continue to weigh in on the ethics surrounding the “cloud.” The ABA has an excellent online overview/summary of these states which can be found here. Thus far, the general consensus appears to be that lawyers may make use of the cloud provided they take “reasonable care” to protect their clients’ confidences. So, are you exercising “reasonable care” if you use services such as Dropbox, Box, etc. to store confidential documents and files in the cloud? Assuming you do not encrypt your files before uploading them to the cloud, then the answer to this question is buried in the provider’s Terms of Service (a/k/a “The Fine Print”):
TERMS OF SERVICE FOR POPULAR CLOUD SERVICES
Terms of Service – According to Dropbox’s Terms of Service, Dropbox and certain “trusted third party companies and individuals” may access your information to “provide, analyze, and improve the Service . . . .”
Reasonable Care? – No. Dropbox and unidentified “trusted third party companies and individuals” can examine any file uploaded to Dropbox. Hence, there is a lack of “reasonable care” regarding the safeguarding of confidential information.
Terms of Service – “You hereby grant Box and its contractors the right, to use, modify, adapt, reproduce, distribute, display and disclose Content posted on the Service solely to the extent necessary to provide the Service or as otherwise permitted by these Terms.”
Reasonable Care? – No. Not only are users allowing Box unfettered access to confidential information, but users are permitting Box to “reproduce, distribute, display, and disclose” any confidential information stored with Box.
Terms of Service – “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
Reasonable Care? – No. Like Dropbox and Box, users give Google unfettered access to confidential information.
Terms of Service – “When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use.”
Reasonable Care? – No. Same problems as Dropbox, Box, and Google Drive.
EXERCISING REASONABLE CARE IN THE CLOUD
Before you completely give up on cloud storage and synchronization, here are a few apps/services that encrypt information stored in the cloud, thereby ensuring that you have exercised “reasonable care” in protecting your clients’ confidential information:
Spideroak – 2 GB free plus $100 per year for 100 GB increments. Spideroak is a cloud storage and synchronization service that has a “zero-knowledge” privacy environment. Essentially, Spideroak ensures that no one, including Spideroak, can see your data. Additionally, files uploaded to Spideroak are encrypted. Unfortunately, the pricing scheme described is for noncommercial use. Commercial users pay $600 per month for each TB of storage hosted on Spideroak’s servers. Spideroak also offers a “private cloud” service for $5 per month per user. However, this private service resides on the user’s own firewall-protected server.
Viivo – Free for personal or commercial use. Viivo is not a cloud-based storage service such as Dropbox. Instead, Viivo enhances Dropbox by adding seamless encryption to files stored on Dropbox. On your desktop (PC or Mac), Viivo encrypts any files placed in your Viivo folder and writes them to your Viivo Encrypted Dropbox Folder, which automatically syncs them to the cloud. Viivo only works with Dropbox.
Boxcryptor – Free for personal use, single fee of $99.99 for business use. Boxcryptor is designed to work with any cloud service such as Dropbox, SkyDrive, and Google Drive. Similar to Viivo, Boxcryptor offers client-side encryption in a special folder into which you can simply drag the files you want to encrypt and store securely on your Dropbox account. Like Viivo, Boxcryptor encrypts files on the fly and decrypts them in real time.
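The client-side pattern described for Viivo and Boxcryptor, encrypting locally so that only ciphertext reaches the synced folder, is illustrated by the added Python example below. It is not code from this article or from any of the products named; the container layout, the `CSE1` tag, the function names, the passphrase and the sample memo are constructed for illustration, and it assumes the third-party `cryptography` package is installed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # constructed tag for this example, not any product's file format
PW = "constructed passphrase"  # sample secret; never stored beside the ciphertext

def _key(passphrase: str, salt: bytes) -> bytes:
    # scrypt stretches the passphrase into a 256-bit AES key
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def encrypt_to_sync(src: Path, sync_dir: Path, passphrase: str) -> Path:
    """Encrypt src locally; only the ciphertext container lands in sync_dir."""
    salt, nonce = os.urandom(16), os.urandom(12)
    header = MAGIC + salt + nonce
    # The header is bound as associated data, so it cannot be altered unnoticed.
    ct = AESGCM(_key(passphrase, salt)).encrypt(nonce, src.read_bytes(), header)
    out = sync_dir / (src.name + ".enc")
    out.write_bytes(header + ct)
    return out

def decrypt_from_sync(blob: Path, passphrase: str) -> bytes:
    """Return the plaintext; raises InvalidTag on a wrong key or an altered file."""
    raw = blob.read_bytes()
    header, ct = raw[:32], raw[32:]
    if header[:4] != MAGIC:
        raise ValueError("not a container produced by this example")
    salt, nonce = header[4:20], header[20:32]
    return AESGCM(_key(passphrase, salt)).decrypt(nonce, ct, header)

def demo() -> dict:
    """Round trip in a temporary directory using a constructed sample memo."""
    with tempfile.TemporaryDirectory() as tmp:
        sync = Path(tmp, "sync")
        sync.mkdir()
        memo = Path(tmp, "memo.txt")
        memo.write_bytes(b"PRIVILEGED: constructed sample client memo")
        blob = encrypt_to_sync(memo, sync, PW)
        stored = blob.read_bytes()
        ok = decrypt_from_sync(blob, PW) == memo.read_bytes()
        blob.write_bytes(stored[:-1] + bytes([stored[-1] ^ 1]))  # simulate tampering
        try:
            decrypt_from_sync(blob, PW)
            rejected = False
        except InvalidTag:
            rejected = True
        return {"leak": b"PRIVILEGED" in stored, "roundtrip": ok,
                "tampered_rejected": rejected}
```

In this example the file name and approximate size remain visible to the storage provider; only the contents are protected.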
If you are using any of the popular cloud storage solutions such as Dropbox, Box, SkyDrive, or Google Drive without any encryption, then you are not likely using “reasonable care” to safeguard your clients’ confidential information. If you intend to store client information in the cloud, then Spideroak, Viivo, or Boxcryptor are all viable solutions. Out of these three, Spideroak is costly. Although the “private” cloud service is affordable, it requires you to set up a cloud using your own server, which seems counter-intuitive. Of all three services, Viivo’s stability exceeded Spideroak’s and Boxcryptor’s on both PCs and iPads. In other words, considering its price tag (free), ease of use, and stability, we chose Viivo overall.