What security must my cloud storage have?
Bar associations recommend that attorneys evaluate the security of cloud storage in the same way they evaluate the security of their paper files by taking reasonable steps needed to safeguard confidential information stored on the cloud. The following are some of the factors attorneys should consider when determining whether a cloud storage service is secure enough to store confidential client information[1][2]:
- Where are the company’s servers located? If the server is located in a country with looser privacy laws, your confidential data may not be as secure.[3]
- What physical security does the company have where its servers are located? The company should keep its servers in a building that has strong physical locks and restricts physical access to the servers to technicians only.[4] This ensures that a thief cannot get into the server room and download your data onto a portable hard drive.
- Does the company do penetration testing?[2] The company should consistently test for and identify vulnerabilities that hackers can exploit to access the server and then fix those problems.
- Does the company have backup servers in a different physical location than the main servers? If the company stores your data on one server only, then if anything happens to that server your service will be interrupted. If the company has backup servers in a different physical location than the main server, they will be able to ensure continuous access to your files even if a disaster or equipment failure makes the main server inaccessible.[4]
- Is the data encrypted on the server? If someone does gain access to the server, you want to make sure that they are not able to read the data you have stored on it.[5] If the data is encrypted with a strong key, then your data would be unintelligible unless the thief managed to get a hold of your encryption key.[4] Only 9.4% of cloud providers encrypt data at rest on the server so you will need to verify that your cloud provider does so.[6]
- Is the data encrypted in transit? When you upload files to the company’s server, the information is visible to third parties unless it is encrypted during the upload process. You should double check with the specific cloud storage company.[7]
- Does the company have a policy about destruction of data once you have removed it and closed your account? If you change cloud storage providers it is important to make sure that your data is completely removed and erased from the old company’s server.[8]
- Does the company’s agreement/terms and conditions address the ownership of the data?[3] Your client’s data belongs to them. If the cloud storage company says that the stored data becomes the cloud storage company’s, then your client loses their rights to it, which is a violation of confidentiality among other things.
- Does the company’s agreement/terms and conditions address the cloud storage provider’s ability to access your data stored on their servers? You want your client’s confidential data to remain confidential, so the storage provider should not have the ability to access or decrypt your stored files. Consider using a zero-knowledge cloud storage.[9]
- Does the company’s agreement/terms and conditions require them to notify you before the company goes out of business so that you can get your data off of the server before they shut down? If the company goes out of business without notifying you, you could lose access to all of your files and your client’s confidential data would remain on the company’s server after the company shuts down.[10]
- Is the company a reputable one with sufficient resources to stay in business? If the company doesn’t have sufficient resources to stay in business, it increases the risk that the company could go out of business without notifying you.[11]
- Does the service have sufficient log in security measures?[12] You don’t want a hacker to brute force their way into your cloud storage, that is, use a computer program to guess at your username and password until it finds the correct combination. You also don’t want a hacker to use the password reset to gain access to your cloud storage account. So you want to find a company that uses two-factor authentication and has a robust password reset process.
- Does the company have procedures to comply with a litigation hold? Electronic records need to be preserved during discovery in the same manner that you would preserve paper records. This means that you have to identify records which cannot be modified and make sure they are sufficiently protected. Your cloud storage company should have a method for you to deal with this.[13]
- Does the cloud storage have audit logging features? It is important for you to see who has accessed your cloud storage system and if they made any changes to your files.
If a law firm takes the proper care selecting a reputable cloud storage company with sufficient security and uses appropriate log on security (including two-factor authentication), then the firm may store confidential client data in the cloud.
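To show what the log-in security and audit logging items above look like in practice, the following added example (not part of the original article or any provider's tooling) reviews an exported audit log for bursts of failed log-ins and for file changes. The CSV column layout, the user names and the sample rows are constructed assumptions; real providers export different formats.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_LOG = """timestamp,user,source_ip,action,target,result
2024-03-04T09:05:03,asmith,203.0.113.7,file_modify,/clients/doe/retainer.pdf,success
2024-03-04T23:10:01,bjones,198.51.100.23,login,-,failure
2024-03-04T23:10:09,bjones,198.51.100.23,login,-,failure
2024-03-04T23:10:15,bjones,198.51.100.23,login,-,failure
2024-03-04T23:10:22,bjones,198.51.100.23,login,-,failure
2024-03-04T23:10:30,bjones,198.51.100.23,login,-,failure
2024-03-04T23:11:02,bjones,198.51.100.23,login,-,success
2024-03-04T23:13:10,bjones,198.51.100.23,file_delete,/clients/roe/notes.txt,success
"""

def parse_log(text):
    """Parse the CSV export into dicts, with 'timestamp' as a datetime, oldest first."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["timestamp"] = datetime.fromisoformat(e["timestamp"])
    return sorted(events, key=lambda e: e["timestamp"])

def guessing_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with >= threshold failed log-ins inside one window, and note a later success."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append(e)
    flagged = {}
    for user, attempts in logins.items():
        fails = [a["timestamp"] for a in attempts if a["result"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            last = fails[i + threshold - 1]
            if last - fails[i] <= window:
                followed = any(a["result"] == "success" and
                               last < a["timestamp"] <= last + window for a in attempts)
                flagged[user] = {"failures": len(fails), "then_success": followed}
                break
    return flagged

def file_changes(events):
    """List who modified or deleted which file, in time order."""
    return [(e["timestamp"].isoformat(), e["user"], e["action"], e["target"])
            for e in events
            if e["action"] in ("file_modify", "file_delete") and e["result"] == "success"]

if __name__ == "__main__":
    print(guessing_bursts(parse_log(SAMPLE_LOG)), file_changes(parse_log(SAMPLE_LOG)))
```

An account that appears in the first result with `then_success` set to true, and then in the second result, is the pattern to raise with the provider.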
References
1. Cloud Computing Ethics
2. Attorney Confidentiality, Cyber Security and the Cloud
3. Major Risks with Cloud Storage
4. Selecting Online Storage Provider
5. Office 365 Encryption
6. Cloud Providers Data Encryption
7. End to End Data Encryption
8. Cloud Data Destruction
9. Zero Knowledge in Cloud
10. Cloud Provider Goes Out of Business
11. Choosing a Cloud Provider
12. Password Security Guide
13. MS Exchange Policy and Compliance