Peer to Peer Magazine

September 2013

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/163881


• The attorney's obligation to ensure any work product is filed correctly back into the document or records management system
• The attorney's obligation to prevent unauthorized personnel from using the device
• The consent of the attorney to allow the firm to configure the device securely, including shutting off synchronization to the cloud
• The attorney's obligation to keep the device up to date with all the latest patches
• The attorney's obligation to use only firm-approved cloud services

This last point raises the question: how should a firm vet and approve cloud services?

CLOUD CONTRACT TERMS

The firm should have a well-planned approval process for cloud services. The process must include asking the obvious questions about physical security, data security, user access control, confidentiality, encryption and similar issues. However, many risks inherent in a cloud service can best, and in some cases only, be mitigated via contract terms. While the firm might not get all the terms it desires, negotiating them ensures awareness of the potential risk exposure. The most common issues to be aware of include:

• Unilateral Agreements: Many cloud providers offer agreements with no opportunity to negotiate terms. Often, these agreements allow the cloud provider to change the terms whenever it likes, with the firm's only recourse being to stop using the service. Avoid any provider that insists on the right to unilaterally change the agreement.

• Incident Response and Breach Notification: If potentially sensitive documents could be held in the cloud, then the cloud provider becomes an important link in the incident response chain. Various regulations require timely notice to individuals if a breach occurs, and the firm may have agreed to notify clients of a suspected breach within a specific time frame. Therefore, it is important that the cloud provider give timely notification when a breach may have occurred. In addition, the firm may want the option to be involved in the breach investigation.

• Litigation Holds: Work product held outside the firm could be subject to a litigation hold. It is important that your cloud provider specify what preservation services it offers and at what cost. For example, if a breach occurs, how long does it keep firewall and server logs? If a litigation hold requires preservation of backup media, what is its backup retention? What is the fee for such services?

• Third-Party Access: If the cloud provider employs third parties with access to sensitive information, those third parties should be bound by the same confidentiality obligations as the provider. For some clients, access by foreign nationals will be prohibited. If your firm has specific policies about how third parties may access data (for example, prohibiting the storage of sensitive documents on unencrypted media), you should obtain an agreement that both the cloud provider and its third parties will honor the same policies.

• Insurance: Most firms will want some form of indemnification against potential damages. To ensure the cloud provider has the money to cover such damages, require that it carry cyberinsurance with limits sufficient to cover a potential loss.

• Testing/Auditing: The cloud provider should engage in regular third-party audits, including policy audits, vulnerability scanning, and social engineering and penetration testing. The results of these audits should be available for the firm's inspection, and the provider should have a defined, limited time to correct critical audit findings.

• Data Ownership, Retrieval and Destruction: Find out whether information stored with the cloud provider will remain the sole property of the firm. When the relationship is terminated, will the firm be able to retrieve its information in a useful format? Will the cloud provider agree to destroy any copies of firm documents, by a satisfactory method, after the active copy is deleted and after termination of the service?

• Composite Services: It is common for multiple providers to be involved in delivering the end cloud product. For example, a document storage service might use Amazon Web Services for its servers and storage. Therefore, the firm should verify that the company agreeing to the terms can actually honor them. If your cloud provider agrees to notify you of a suspected breach within 48 hours but uses a third party to host its security infrastructure, that third party must agree to the same terms or provide another way for your provider to respond within the agreed-upon time frame.

If your firm currently supports mobile devices and cloud services, take a fresh look and see whether there are new questions to ask. If you are not already supporting these devices and services, you probably will be soon. Armed with more knowledge about regulations, points of possible risk and how to manage it all, you will be better positioned to approve any flashy new device that lands on your desk.
