Cloud concerns and data safety in the legal profession

Please note that this post is from 2011. Evaluate with care and in light of later events.

Note: this post is from 2011. While much of the information remains true today, when it comes to these matters, remember that law and technology are both always changing. I recommend Surveillance Self-Defense from the Electronic Frontier Foundation as a beginning.

More than many other professions, lawyers deal with confidential data. This data is often entrusted to them by others under the guise of attorney-client privilege, and clients rely and expect it to remain secure.

In the old days, safes and locks kept client data secure. More recently, attorneys stored their data on local PCs and backed up to disk or tape, which is then stored under lock and key (preferably offsite).

Stealing data required physical access, Accessing data, though, could conceivably occur via legal means, including via subpoena and search warrant. The real protection from this was the existence of evidentiary privilege, which excluded legally protected materials regardless of how they were acquired.

Now on to Dropbox, Google, and so on. According to PC Magazine,

The updated terms specify that Dropbox will turn over data: to comply with the law; protect someone’s safety; prevent fraud or abuse on Dropbox; or protect Dropbox’s property rights. If Dropbox agrees to hand over data, the company will decrypt it before doing so. If you have encrypted it before storing it on Dropbox, though, it will remain encrypted.

…

Dropbox said it receives about one government request per month for its 25 million users. It also stressed that it doesn’t just hand over information when asked.

“Our legal team vets all of these requests before we take any action. The small number of requests we have received have all been targeted to specific individuals under criminal investigation,” Dropbox said in a blog post. “If we were to receive a government request that was too broad or didn’t comply with the law, we would stand up for our users and fight for their privacy rights.”

via Dropbox Defends Privacy, Law Enforcement Policies | News & Opinion | PCMag.com.

So what does this mean for lawyers storing client data? Well, if it’s protected under attorney-client privilege, it means that–as long as you trust Dropbox not to make a mistake–then such legal access is no more of a problem than with traditional files (and plenty of screw-ups occurred with traditional paper!). Trusting Dropbox is likely not much different from trusting any third party to store your data, paper or otherwise–and that’s pretty standard.

If, on the other hand, you are more concerned with non-privileged materials (trade secrets, perhaps, or other material that might be excluded at trial but still cause harm), then you likely should not trust your data to Dropbox or any other cloud-based or third-party solution of any kind. If you don’t want to go quite that far, try a system that fully encrypts your data first, before it goes across the wire and before it hits the remote server.

TrueCrypt then Dropbox meets these criteria, or a Dropbox-like service such as SpiderOak. Note: As of 2016, I recommend you consider other options than TrueCrype, like VeraCrypt, as TrueCrypt has been discontinued.

So the fact that Dropbox allows legal access to your data is not the end of the world for use of the cloud, even for lawyers. But for truly secure offsite storage, likely more secure than even old-fashioned paper storage, consider solutions that provide end-to-end encryption.

Related articles

• TrueCrypt is discontinued, try these free alternatives (comparitech.com)
• Dropbox Lied to Users about Data Security, Complaint to FTC Alleges (wired.com)
• Why Dropbox’s Privacy Policy Is OK (Just Proceed Carefully) (pcworld.com)