The past several years have seen tremendous expansion in cloud solutions and cloud platforms within the legal technology landscape. We’ve seen growing adoption and interest in these solutions among law firms as well. The 2014 ILTA / Inside Legal Technology Purchasing Survey reports that 35% of surveyed firms purchased a cloud storage solution (a new category for the survey), with 17% planning purchases in the following year. Similarly, the 2013 ABA Technology Survey showed a jump to 31% of lawyers using of cloud-based solutions, a 48% increase from the prior year’s 21%.
That doesn’t mean that cloud solutions are a given for legal environments. Unsurprisingly, cloud adoption within the legal sector lags behind larger corporate trends. A 2013 study by Northbridge Venture Partners study puts use of “some sort of cloud platform” in 75% of the broader business community. The industry has some good reason to be sensitive to data security and privacy stemming from ethical obligations and practical concerns that should emerge when organizations hold a great deal of sensitive information. To this end, LexisNexis’s Cloud Technology in the Legal Industry Report (which itself tracks an increase in interest in cloud solutions among small firms and about a 39% adoption, perhaps with some bias) reports that approximately 40% of surveyed firms ranked security as the #1 most significant fear related to cloud solutions (followed by ethical concerns). Despite their fears, firms often fail to engage in the necessary due diligence required to effectively take advantage of cloud solutions. Even with cloud adoption on the rise, these factors stand to impede the growth of the legal cloud and (paradoxically) put law firms at risk.
Advantages and Risks of the Legal Cloud
Let’s start with the advantages the cloud offers. I’ve touched on this before. Cloud platforms offer flexibility, remote access, lowered costs of ownership, data backup and redundancy, and enhanced collaboration options. While advantages for any firm’s IT environment, these characteristics have made cloud deployment (in combination with SaaS models) a particularly effective (and attractive) means to offer software solutions into small and solo firms.
Source: Blue Hill Research, September 2014
For my money, the greatest of these advantages fall in the form of remote access and sharing of firm documents (something LexisNexis’s survey indicates 46% of firms agree with me on this one). The advantages that follow that aren’t just about flexibility and efficiency, but help to reduce overhead as well.
Of course, these benefits come with some attendant tradeoffs. Any solution that increases capacity for sharing and accessing data also has the potential to increase the risk of that data getting into hands that it shouldn’t. Cloud solutions should raise questions about data security, encryption, and custody in storage and in transit. Understanding these dynamics and what a cloud provider responds to them is a mandatory aspect of cloud use (both by statute and simple prudence).
Cloud Complacence & Anxiety
Blue Hill research interviews have found that firms, those using cloud solutions and those not, fail to engage sufficiently with the dynamics of the cloud. The alternatives can take two forms, which (at their extremes) are best characterized as “cloud complacence” and “cloud anxiety.”
Cloud anxiety (or the refusal to engage with cloud solutions) is potentially the more pragmatic of the two responses. A number of events of the past year, such as the Heartbleed fiasco, the NSA spying controversy, and the iCloud celebrity photo incident, have renewed concerns about data security as well as in cloud environments. Law firms themselves are undergoing a growing recognition of the “soft underbelly” that they present to their clients’ data security initiatives (not to mention an application of Willie Sutton’s attributed reason for robbing banks), which contributes some hesitance to deploy cloud solutions.
Of course, some of the concerns raised have seemed somewhat incongruous in the light of legal’s poor track record in data security investment and awareness, but this is exactly what is problematic about the cloud anxiety responses: they are typically excuses for inaction that fail to address real and present threats, regardless of the firm’s use of the cloud. At the same time, these firms also forgo the real value that cloud platforms offer.
Firms demonstrating cloud complacence take advantage of cloud solutions, but fail to engage in the necessary due diligence and actions needed to mitigate the risk that these solutions can present. I repeatedly heard from these firms state that “everything is going to the cloud,” as if ubiquity resolved the underlying risks. These firms are getting the benefits or cloud solutions, but leave themselves very much exposed. Now, it is true that cloud solution providers have an incentive to maintain the highest standards of security and that legal cloud providers, in particular, tend to focus efforts on providing for the unique needs of the profession.
However, not all solutions are good enough to permit lawyers to overlook diligence. Firms that fail to do so can end up with solutions that do not meet their needs. Cloud complacence presents a further issue in that users opt to trust “the cloud” and fail to take needed steps to address security risks. It’s not for no reason that studies have shown that 30% of data breaches are the result of human error. While this attitude has yet to produce any high profile breaches within the legal world, it is inevitable…and when it does, we can expect that firms to react by abandoning cloud offering more quickly than by renewing due diligence.
Both of these responses stem from a lack of engagement with cloud solutions. Like big data, disruption, and other effective software marketing buzzwords, “cloud” makes something that is very complex sound simple – and even friendly. For most attorneys (like most people), cloud signifies a hosted server and (very likely) a SaaS (software as a service) subscription model.
Whatever professional obligations might apply, most attorneys are not prepared to dig into the core principles underlying cloud, of the distinctions between public, private, and hybrid cloud models, or the niceties of how (or where) their data is transmitted and stored. These makes performing the needed due diligence overwhelming, making it much easier to opt to forego the cloud or rely on a vendor’s expertise. While this may be understandable, it’s increasingly problematic.
Notably, we saw these same dynamics and questions when email was rolled out to law firms. I’d argue that as acceptance has grown, we’ve seen firms fall into the “complacence” camp as much as take actions needed to secure and encrypt email…or even fully respect the tool they are using. Small firms and sole practitioners (those for whom cloud is opening up opportunities) are most at risk as they lack the dedicated IT resources to investigate and manage these issues. Large firms are not immune of course. Whatever steps their IT teams take, complacent attorneys within the firm can easily (and often) use personal cloud platforms to hold client or firm documents.
What’s Next for the Legal Cloud?
Cloud complacent and cloud anxiety attitudes present substantial risks to law firms, whether by increasing their vulnerability or by foregoing the upsides of a cloud platform. The only way to mitigate these risks is by negotiation. As the legal cloud landscape evolves, education about and engagement with these issues is mandatory. By no means is this responsibility limited to firms moving to the cloud, attorneys need to consider it a basic requirement of practice in a data-rich, online world. Failure to take these actions threatens the growth of the legal cloud, whether by capping its growth or by the backlashes following the first prominent breaches.
Of course, there’s another constituency that has a stake in the development of the legal cloud: the providers of these solutions. In our next post, I’ll take a look at how the companies that offer cloud solutions to the legal sector are taking steps to address these same issues.