The legal industry has been in full embrace mode when it comes to cloud computing. Data from the American Bar Association reported in 2023, for example, showed cloud usage among lawyers jumped from 60% to 70% overall, with solo practitioners leading the charge, going from 52% to 84% adoption in just one year. The legal tech press has been enthusiastically covering this “digital transformation,” with publications like Legal Futures touting how “cloud-first strategy” is proving particularly popular among law firms.
The narrative has been almost universally positive. Cloud computing offers flexibility, cost savings, remote access — what’s not to love? The ABA’s 2023 Cloud Computing TechReport reads like a love letter, noting that cloud computing eliminates the need for substantial upfront capital investment in “hardware, software and support services” and provides “robust data backup” if there is a disaster. It’s become almost axiomatic in legal tech circles that the cloud is better than on-premises solutions.
The assumption seems to be that by moving to the cloud, firms are automatically more secure, more efficient, and more disaster-proof. But while the move to the cloud from on-prem is considered a no-brainer for law firms, they may mistakenly believe that it’s foolproof, that someone else is taking on total responsibility for watching over and securing your data, and that you need do nothing more. They miss the fact that, according to cloud vendors, security is a shared responsibility.
But, Wait
I read an interesting and perhaps scary Report from Vanson Bourne and HYCU. Vanson Bourne is an IT research firm. HYCU is a SaaS data protection platform.
The Report was entitled “Rethinking SaaS Resilience In the Legal Sector” and it came out on August 11th. The Report confirms that, as in the US, firms in the UK are increasingly using the cloud. Usage jumped from 60% in 2021 to 75% in 2024. Most firms believe their core business systems will run entirely in the cloud by 2027. It goes on to note that law firms have moved to the cloud for convenience and remote access.
But the gist of the Report is that law firms are mistakenly relying on cloud providers for recoverability and data protection. The Report implies that firms that rely on cloud providers are unknowingly vulnerable to cyberattacks, insider threats, accidental deletion, and supply chain disruptions. Indeed, according to the Report, 85% of business and professional services IT personnel surveyed are not aware that they, not the cloud providers, are responsible for their own data.
The Report further notes firms are unaware that if there is a deletion, corruption, or attack, “the responsibility for protecting or restoring data rests squarely with the firm themselves.”
The Report cites other statistics suggesting that it will take until 2028 for most enterprises to make SaaS a requirement and most firms believe moving to the cloud improved security. The Report quotes Microsoft Policy as follows: “for all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities, on premises resources and the cloud components you control.” The Report states that some 72% of the firms surveyed use Microsoft and 54% use Dropbox.
Vanson Bourne puts it this way: “The Shared Responsibility Model compounds this risk by dividing responsibility between provider and customer, creating a dangerous data protection gap if customers do not take data protection into their own hands.”
Similarly, Google protects the infrastructure, but customers are responsible for recovery of deleted or corrupted files and for implementing retention policies. Security is a shared responsibility, says Google.
And the risks do seem to be growing according to Vanson Bourne. Cyberattacks against UK law firms grew by 77% in just one year. Sixty-three percent of the business leaders surveyed experienced a SaaS data security breach last year. In the US, according to the Report, ransomware attacks surged some 30% in the first quarter of 2024, with the average demand exceeding $500k. In 2024, 36% of the reported data breaches were linked to third party vendors.
So?
What does all this mean? If your firm gets hit with ransomware and your Microsoft 365 data is corrupted, Microsoft will restore the service but, according to its own statement, restoring your files is on you. And if you have no backup? You may be screwed.
Don’t Forget Ethics
Clearly, when firms lose client data, it’s not just an IT problem. It’s also an ethical and even malpractice nightmare.
ABA Formal Opinion 477 makes clear that lawyers have an ethical duty to conduct due diligence on technology vendors — which necessarily includes understanding who’s responsible for what when things go wrong. And when they do go wrong, ABA Formal Opinion 483 requires lawyers to promptly notify clients of any data breach involving material confidential information.
One More Thing
And consider this: if there is a breach and you can’t access data, you can’t do work. You can’t bill. Profitability takes a hit even if you somehow manage to keep your clients.
But Is it Right?
So, if the Report is correct, there could be some significant problems ahead. But when I first read it, I wondered whether this was just another vendor trying to drum up business for services it offers.
But as it turns out, the fact that responsibility for backup and recovery lies with the firms is well documented. For example, Gartner, a major technology consulting and research firm, states in an overview, “Customers are still responsible for backup policies and performing recovery tasks.” And perhaps even more importantly, the ABA’s Cybersecurity Handbook provides that law firms using SaaS must implement independent backup strategies since SaaS vendors “provide availability but not resistance.”
I talked to one large firm CIO about the issue. He told me that among larger law firms, there’s an awareness that they remain responsible for securing their own data, and there are ongoing discussions about backup solutions. His firm has implemented backup procedures. But he suspects many smaller firms may not understand the scope of their responsibilities.
So, while the methodology may be a little suspect (a 40-law-firm survey is hardly a comprehensive legal industry study), and of course HYCU is in the business of SaaS protection, the conclusions seem sound.
Conclusion
The bottom line? If your firm moved to the cloud without implementing independent backup and recovery procedures, you’re not just vulnerable, you may be gambling with client data, professional liability, and the ability to practice law if and when things go sideways. The cloud isn’t magic. It’s just someone else’s computer, and the providers have been pretty clear about who’s responsible when it breaks.
Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.
The post Law Firms And The Cloud: Is Your Data As Safe As You Think? appeared first on Above the Law.