Concerned About Confidentiality in the Cloud? You Can Make it Safe!
If you use cloud-based services and storage and deal with confidential information, such as attorney-client and doctor-patient information, then you should know whether you are storing that information securely in the Cloud.
What Do I Mean By the Cloud?
The term “Cloud” storage isn't new; “cloud” is a re-branding of the Web to emphasize offsite storage of information. This re-branding of the Internet began approximately in 2006 when large companies such as Google and Amazon began using “cloud computing” and “cloud storage” to describe an environment where people access software and files over the internet instead of on their desktops or company servers.
There are many options for lawyers and law firms to make use of the “cloud.” For example, several companies, including Clio, Amicus Attorney, and Rocket Matter, offer “cloud-based” SaaS (software as a service) practice management solutions.
Additionally, there are several popular “cloud” services, such as Dropbox, Box, Google Drive, and Microsoft SkyDrive, that store and synchronize files across multiple devices (smartphones, tablets, and computers) and across multiple platforms (iOS, Android, Windows, and Mac).
Reasonable Care is the Litmus Test
State bar associations continue to weigh in on the ethics surrounding the “cloud.” So far, the general consensus appears to be that lawyers may make use of the cloud provided they take “reasonable care” to protect their clients’ confidences. So, are you exercising “reasonable care” if you use services such as Dropbox, Box, etc. to store confidential documents and files in the cloud? Assuming you do not encrypt your files before uploading them to the cloud, then the answer to this question is buried in the provider’s Terms of Service (a/k/a “The Fine Print”):
Terms of Service for Popular Cloud Services
Terms of Service – According to Dropbox’s Terms of Service, Dropbox and certain “trusted third party companies and individuals” may access your information to “provide, analyze, and improve the Service . . . .”
Reasonable Care? – That's questionable. Dropbox and unidentified “trusted third party companies and individuals” can examine any file uploaded to Dropbox. Hence, there is a lack of “reasonable care” regarding the safeguarding of confidential information. Additionally, Dropbox has suffered from some fairly significant lapses in security over the past few years (Google It!).
Terms of Service – “You hereby grant Box and its contractors the right, to use, modify, adapt, reproduce, distribute, display and disclose Content posted on the Service solely to the extent necessary to provide the Service or as otherwise permitted by these Terms.”
Reasonable Care? – Not exactly. Not only are users allowing Box unfettered access to confidential information, but users are permitting Box to “reproduce, distribute, display, and disclose” any confidential information stored with Box.
Terms of Service – “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
Reasonable Care? – Probably not. Like Dropbox and Box, users give Google unfettered access to confidential information.
Terms of Service – “When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use.”
Reasonable Care? – Same problems as Dropbox, Box, and Google Drive.
Exercising Reasonable Care in the Cloud
Before you completely give up on cloud storage and synchronization, here are a few apps/services that encrypt information stored in the cloud, thereby ensuring that you have exercised “reasonable care” in protecting your clients’ confidential information:
Spideroak – 2 GB free plus $100 per year for 100 GB increments. Spideroak is a cloud storage and synchronization service that has a “zero-knowledge” privacy environment. Essentially, Spideroak ensures that no one, including Spideroak, can see your data. Additionally, files uploaded to Spideroak are encrypted. Unfortunately, the pricing scheme described is for noncommercial use. Commercial users pay $600 per month for each TB of storage hosted on Spideroak’s servers. Spideroak also offers a “private cloud” service for $5 per month per user. However, this private service resides on the user’s own firewall-protected server.
Viivo – Free for personal or commercial use (although they are now rolling out a paid service). Viivo is not a cloud-based storage service such as Dropbox. Instead, Viivo enhances Dropbox by adding seamless encryption to files stored on Dropbox. On your desktop (PC or Mac), Viivo encrypts any files placed in your Viivo folder into your Viivo Encrypted Dropbox Folder, from which they are automatically synced to the cloud. Viivo only works with Dropbox.
Boxcryptor – Free for personal use, single fee of $99.99 for business use. Boxcryptor is designed to work with any cloud service such as Dropbox, SkyDrive, and Google Drive. Similar to Viivo, Boxcryptor offers client-side encryption in a special folder into which you simply drag the files you want to encrypt and store securely on your Dropbox account. Like Viivo, Boxcryptor encrypts files on the fly and decrypts them in real time.
Wrap Up
If you are using any of the popular cloud storage solutions such as Dropbox, Box, SkyDrive, or Google Drive without any encryption, then you may not be using “reasonable care” to safeguard your clients’ confidential information. If you intend to store client information in the cloud, then Spideroak, Viivo, or Boxcryptor are all viable solutions. Out of these three, Spideroak is costly.
Without using additional services such as Viivo, here is a simple solution to whatever concerns you have about privacy. Encrypt your documents, such as Word docs and PDFs, with a password. When creating the password, make sure to use a combination of alphanumerics, special characters, and upper- and lower-case letters.
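The client-side encryption described for Viivo and Boxcryptor, and the password-based encryption suggested above, can also be done with a general-purpose tool before a file ever reaches the synced folder. This is an added example, not from the original post or from any of the products named; it uses the OpenSSL command line, and the `VAULT_PASS` variable, function names, and folder paths are assumptions.

```shell
#!/bin/sh
# Added example: encrypt locally, then place only the ciphertext in the
# folder that the cloud client syncs. The provider stores bytes it cannot read.

PBKDF2_ITER=600000   # key-stretching rounds applied to the password

# encrypt_for_sync <plaintext-file> <sync-dir>
# The password is read from the environment variable VAULT_PASS (hypothetical
# name) so that it is not passed as a command-line argument.
# Note: `openssl enc` has no authenticated modes, so this protects
# confidentiality only; tampering with the stored file is not detected.
encrypt_for_sync() {
    src=$1
    dest_dir=$2
    out="$dest_dir/$(basename "$src").enc"
    openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 -salt \
        -pass env:VAULT_PASS -in "$src" -out "$out" || return 1
    printf '%s\n' "$out"   # report where the ciphertext was written
}

# decrypt_from_sync <ciphertext-file> <output-file>
# Must use the same cipher, digest and iteration count as encryption.
decrypt_from_sync() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
        -pass env:VAULT_PASS -in "$1" -out "$2"
}

# Script usage: VAULT_PASS=... sh encrypt.sh <file> <sync-dir>
if [ "$#" -eq 2 ]; then
    encrypt_for_sync "$1" "$2"
fi
```

Keep the unencrypted original outside the synced folder; only the `.enc` file belongs there.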