Cloud computing, virtually nonexistent 15 years ago, is now verging on being the rule rather than the exception in the business world. According to the Gartner technology research firm, by 2019, more than 30 percent of the 100 largest vendors’ new software investments will have shifted from cloud-first to cloud-only, and by the year 2020, a corporate “no-cloud” policy will be as rare as a “no-internet” policy is today. It is more critical than ever that lawyers and their clients become familiar with the data security and compliance pitfalls potentially associated with cloud computing and acquire the knowledge and tools to avoid them.
Cloud Is Different
The National Institute for Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In laypersons’ terms, the cloud is a model of computing that utilizes shared computer processing and storage resources, usually provided by a third party, which are accessible via the internet on demand from anywhere; examples familiar to many consumers include Dropbox, Gmail and Apple’s iCloud. Convenience, ubiquity, and on-demand availability and scalability are built into the very concept. While this is, generally speaking, a feature rather than a bug—and no doubt has contributed to the rise of the cloud as a standard approach to business computing—it carries with it certain risks that are new or heightened in the cloud age.
The most concerning of these dangers from a compliance and risk-mitigation perspective stem from two facts: unsophisticated individuals, including employees and staff of a law firm or its client, can put data in the cloud completely unbeknownst to those in the organization with responsibility for managing information-related risk; and using a cloud services provider can create the temptation to let down one’s guard, believing that the third-party provider is handling the “hard stuff,” including data security and compliance.
This article was originally published by The Legal Intelligencer.