I’m going to break with the one-topic-per-post pattern here because no responsible lawyer should leap gleefully into the cloud or be carting around client data in a laptop without taking a moment to sit down with a coffee and some biscuits and think hard about security and client confidentiality.
First up, I think that the security issues surrounding portable technology and remote data storage are actually easier to take care of than the security and confidentiality issues that competent lawyers have been grappling with for as long as there has been a system for committing private information to written form, and thus a need to secure that writing from rogues, bandits and ne’er-do-wells. But newer problems, like newer anything, are shiny and interesting to a lot of people, so you’ll hear a lot more fuss about them when they come up. I doubt that I’d be dragged before an ethics committee or made an example of in our erstwhile newspapers for any lever arch folder I lost, or had stolen from my car, or that my cleaners had a peek at in my office. But if it was a laptop, I could see a bigger fuss being made, because laptops are newer and snazzier than paper and bring to mind images of hackers in reflective glasses and leather coats doing mysterious and wicked things in a magical ethereal universe of bits and bytes. And if it was data in a cloud hosting service, well, that’s newer still and even more shiny and fascinating and frightening in the collective consciousness.
On top of that, there are a few genuinely new concerns that arise. Laptops are a valuable consumer item, so they attract a far greater range of ne’er-do-wells than a boring plastic folder. The same can be said for iPads. They can also fit a lot more in them – all of your data about all of your clients and even more. So when you carry around a laptop, you are carrying around the whole honeypot, and not only that, there are a lot more people who want to take it from you.
Then there’s cloud storage and sync. I can think of few more useful online services that have propagated themselves recently. For years I’ve occasionally reflected that in the event of a house fire, I would have to figure out a way of rescuing both my family members / housemates and my laptop, lest I be forced to choose between the two. Decades’ worth of personal documents sat on just one computer, or at best, backed up to a portable hard drive or CDs kept in the very same flammable house. While writing my honours thesis I would occasionally email it to myself, but mostly, I just crossed my fingers and thought, ‘I really should think about backup, but on the other hand, I really feel like a sandwich so maybe I’ll think about it some more once I’ve had my sandwich’. But there was always another sandwich. Large enterprises have always had backup solutions, but for individuals, most of us back up far too intermittently, if at all. And on top of that, cloud storage services generally allow synchronisation, so I can have an identical copy of everything at work and at home. All of this without even having to think about it. I shut down my computer in chambers, get on a train, fire up my computer at home and keep going where I left off. Seriously, there’s a reason cloud storage and sync has taken off. Because it’s awesome, and it performs not one but two very important and very useful tasks without you even having to think about it.
The thing is, lawyers deal with a lot of other people’s private stuff, and private stuff moreover that can put those people’s significant legal/financial interests at risk. We have a heavy obligation to ensure that it’s kept absolutely secret and secure. I’m not going to spell out the specifics of those legal and ethical obligations, because this is not a legal advice service for lawyers, and more importantly because I’m pretty sure that it’s all going to change not too far into the future in response to the uptake of cloud services, or in response to some high profile lost laptop or LulzSec shenanigans.
But I can say, speaking on a very general level, and as at this particular moment in time, that a significant part of the legal and ethical obligations of Australian lawyers in this area is an obligation to just use our good common sense. Some of our European counterparts have it very specifically spelled out for them, often in terms that put the kibosh on very useful technology and services by failing completely to apply the sensible and balanced principles that have been hammered out over many years for ye olde paper documents. The same may well happen here, and it may well happen soon. But for this brief moment in time, what Australian lawyers need to do is this: know the specific rules where they do exist (don’t forget the National Privacy Principles either – they may be less onerous in general than other rules that bind us, but they are also in some cases more specific – see, eg, NPP 9), and for everything else, get a good grip on the principles we are bound by and figure out how they apply to shiny new circumstances. Here are some of my thoughts.
First, the laptop. It’s a honeypot, and every scoundrel wants it, either for the data or, far more likely, to flog on eBay. Rather than staying locked up in an office, it’s carried around all day among swarming throngs of bandits, scoundrels and looters. Any lawyer carrying around a laptop should take measures to ensure at the very least that if it is stolen, you can’t just fire it up and read the data. Having a Windows login password isn’t good enough. Look, it’s not my place to say ‘every lawyer is in high dereliction of their professional duties if they don’t use military grade encryption’. A lot will depend on where you take the laptop, what sort of data you are keeping in it and how much, whether you take public transport and, if so, whether your train line is frequented by an especially high number of teenagers. All I will say is that unless you are ok with becoming a cautionary tale, encrypt your data. TrueCrypt is the most popular tool for doing so. If you don’t understand how to set it up, pay someone to show you.
Now, to the cloud. Despite what hyperventilations you’ll inevitably hear, or have heard, chances are that you should be more concerned about the data in your office, protected by one plate glass window and a crappy alarm system, than the copy of that data which is kept by Dropbox with AES-256 bit encryption, in hidden facilities with video surveillance, physical access by thrice-over two-factor authentication, and ‘military grade perimeter control beams’.
That said, there are two things about most popular cloud services that should give any lawyer pause. The first is that the boilerplate contract you get as a customer may not give you the guarantees you’d like, or possibly the guarantees you are obligated to obtain, when handing private/confidential/privileged data over to an external company – whether it be for photocopying, shredding, or storage and sync (see here, here and here). The other is that the data is going to servers overseas, and it’s hard to know what rights and assurances you can have about the local laws where those servers are. Or whether you can even easily find out just where those servers actually are. So after a lot of thought, I decided that I would only store client data with a cloud provider in either of the following two circumstances:
- My contract with the provider provided for proper commercial-standard control and security over the data, and the data was to remain in a country or countries where I could be confident that the contract would be respected. The reality is that the most popular and affordable services (like Dropbox) do not provide this; it would have to be a specialist business service. Jon Bloor at iPadLawyer is scouting out solutions in this vein.
- The data is encrypted at my end, so even the provider itself has no realistic way of reading it. There are only two major well-established services I know of that work this way out of the box: SpiderOak and Wuala. There are also a couple of services out there (BoxCryptor and SecretSync) that seamlessly encrypt your stuff before it goes off to Dropbox or wherever.
If, like me, you need also concern yourself with laptop security, you can kill two birds with one stone by putting a TrueCrypt container (or containers) in your Dropbox folder. That way, you can ensure that both the data in the laptop and the data going to Dropbox are protected not only from scoundrels, but even, incidentally, from the best and brightest at the FBI. Dropbox itself suggests this method, but there are two annoyances:
- You have to keep track of how much data is in the containers, and make new ones when they fill up.
- If you sync to more than one computer (eg between a desktop and a laptop, or between work and home), you must make sure that only one of your synced computers has the encrypted volume open at a time, and that when you have finished with it, you dismount the volume and give it time to sync back to Dropbox.
So it kills the joy of ‘not having to think about it at all’, because you do have to think about it every day, but all things considered it may still be the simplest solution to both concerns – especially if, like me, you have just one work computer and one home computer.
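One way to take some of the daily thinking out of the one-computer-at-a-time rule, as an added example that is not part of the original post and not a Dropbox or TrueCrypt feature: run `claim` before mounting a container and `release` after dismounting it. The `.in-use` marker file and the function names are conventions assumed here; the "conflicted copy" file name is what Dropbox itself produces when two machines change the same file.

```python
import re
import socket
from pathlib import Path

# Dropbox renames the losing side of a clash to
# "<stem> (<machine>'s conflicted copy <date>)<ext>".
CONFLICT_RE = re.compile(r"^(?P<stem>.+) \(.*conflicted copy.*\)(?P<ext>\.[^.]+)?$")


def marker_path(container: Path) -> Path:
    # Assumed convention (not a Dropbox or TrueCrypt feature): a tiny text
    # file beside the container naming the machine that has it mounted.
    return container.with_name(container.name + ".in-use")


def conflicted_copies(container: Path) -> list:
    """Siblings Dropbox created because two machines changed the container."""
    hits = []
    for sibling in container.parent.iterdir():
        m = CONFLICT_RE.match(sibling.name)
        if m and m["stem"] == container.stem and (m["ext"] or "") == container.suffix:
            hits.append(sibling)
    return sorted(hits)


def claim(container: Path, machine: str = socket.gethostname()) -> list:
    """Run before mounting. Returns reasons to stop; an empty list means the
    marker now names this machine and mounting can go ahead."""
    if not container.is_file():
        return ["container not found (has it finished syncing?)"]
    problems = [f"conflicted copy present: {p.name}" for p in conflicted_copies(container)]
    marker = marker_path(container)
    if marker.exists() and marker.read_text(encoding="utf-8").strip() != machine:
        problems.append("marked in use by " + marker.read_text(encoding="utf-8").strip())
    if not problems:
        # Advisory only: the marker needs a few seconds to sync, so it narrows
        # the window for a double mount rather than closing it.
        marker.write_text(machine + "\n", encoding="utf-8")
    return problems


def release(container: Path, machine: str = socket.gethostname()) -> bool:
    """Run after dismounting. False if the marker was not ours to remove."""
    marker = marker_path(container)
    if marker.exists() and marker.read_text(encoding="utf-8").strip() == machine:
        marker.unlink()
        return True
    return False
```

A conflicted copy means the rule has already been broken once and the two containers have diverged, so both need to be mounted in turn and reconciled by hand before either is deleted.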
While you’re at it, you should also move your email files into an encrypted container (here are instructions for Outlook and Thunderbird). If you use IMAP then there’s no need to put them in Dropbox, unless you have some particular reason for wanting to (like, say, a stingy email storage limit).
Another alternative, which is even more secure, would be to use full disk encryption on the laptop and sync with SpiderOak or Wuala. Bear in mind that if you use Dropbox with full disk encryption, the data will go to Dropbox in unencrypted form.
Another security measure worth looking at is a ‘remote wipe’, or what I like to call the doomsday button. The idea of this one is that as soon as the scoundrel who stole your precious tablet or laptop plugs in to the Internet, all the data gets wiped, and the tablet/laptop sprays acid in their face. It’s best known on the iPad, but there are a number of other manufacturers who include it as a matter of course or by subscription, or you can install a third party option like LoJack. You can also mock one up yourself with Dropbox folders (and although it’s not mentioned, you could probably include your email files if you wished). This should not be your only security measure though, because a scoundrel could always just grab the data before they plug in to the Internet.
Well, it’s been a long post. I did suggest at the beginning that you get biscuits. But it is a pretty big topic, and I’ve really only scratched the surface. Remember too, these are just options, and it’s still up to you to figure out which of all the options are consistent with the legal and ethical obligations that apply to your particular practice and jurisdiction, and what you are comfortable with. I know that there are plenty of lawyers who, for example, have thoughtfully concluded that my concerns about Dropbox are exaggerated. If you are still confused, need to know more, or just can’t get enough of talking about encryption and clouds and all that shiny, scary stuff, jump in to the comments or send me an email.
Update 24/11/11 – This post now also has a postscript.