
Cloud Storage for Law Firms: Security and Ethics Considerations

Dropbox, Google Drive, OneDrive, Box. Cloud storage services are ubiquitous in 2017, and they offer obvious benefits: access to files from anywhere, easy collaboration, automatic backup, and lower costs than on-premises file servers.

For law firms, though, cloud storage isn't just an IT decision. It's an ethics question. You're dealing with client confidential information, attorney-client privilege, and state bar rules about data protection. Let's talk about what law firms need to consider.

The Ethics Framework

Most states have adopted some version of ABA Model Rule 1.6, which requires lawyers to make reasonable efforts to prevent unauthorized disclosure of client information. When you put client data in the cloud, you're trusting a third party to protect that data.

ABA Formal Opinion 477R (revised 2017) provides guidance: lawyers may use cloud storage as long as they take reasonable steps to ensure the service protects confidentiality. What counts as "reasonable" depends on several factors.

Evaluating Cloud Storage Providers

Encryption

Data should be encrypted both in transit (while uploading/downloading) and at rest (while stored on the provider's servers).

Most major providers do this now, but verify:

Some firms want "zero-knowledge" encryption where only the firm has the keys, not the provider. This adds security but makes password recovery harder.

Data Location

Where are your files physically stored? Some foreign jurisdictions have laws that could require data disclosure under circumstances that wouldn't apply in the US.

If this matters for your practice, look for providers that allow you to specify data center locations or guarantee US-only storage.

Access Controls

Can you control who accesses what? Do you get logging of file access and changes? Can you require multi-factor authentication for your users?

Enterprise plans from major providers usually include these features. Consumer plans often don't.

Data Retention and Deletion

What happens to your data if you cancel service? How long does the provider retain deleted files? Can you permanently purge data when needed?

For law firms with data retention requirements or conflict-of-interest concerns, this matters.

Business Associate Agreements and Vendor Contracts

Get a written agreement from your cloud storage provider that addresses:

Major business-focused providers (Box, Dropbox Business, OneDrive for Business, etc.) will provide these agreements. Consumer services often won't.

Common Cloud Storage Options

Dropbox Business

Popular, user-friendly, good collaboration features. Offers business plans with admin controls, audit logs, and compliance documentation.

Downsides: Has had security issues in the past, though they've improved. Some firms are uncomfortable with Dropbox's history.

Box

Enterprise-focused from the start. Strong security features, good compliance documentation, designed for regulated industries.

Downsides: More expensive than some alternatives. Interface less intuitive than Dropbox for some users.

Microsoft OneDrive for Business

Integrates well with Office 365 (which many firms already use). Good security, admin controls included with business plans.

Downsides: Sharing with external users (clients, co-counsel) can be clunky compared to other options.

Google Drive for Work (G Suite)

Part of G Suite package. Works well if you're already using Gmail, Google Calendar, etc.

Downsides: Some firms are uncomfortable with Google's business model around data. File format conversion issues if you're heavily invested in Microsoft Office.

NetDocuments

Built specifically for law firms. Designed around legal workflows and document management.

Downsides: More expensive. Steeper learning curve. Probably overkill for very small firms.

Features Law Firms Actually Need

Version History

Track changes to documents over time. See who made what changes when. Restore previous versions if needed.

This is essential for legal work where document evolution matters and mistakes need to be recoverable.

Granular Permissions

Control access at the folder and file level. Different people need access to different matters. Your system should make this manageable.

External Sharing Controls

You need to share files with clients, opposing counsel, experts, etc. But you need to control and track these shares.

Look for the ability to set expiration dates on shares, require passwords, get notifications when files are accessed, and revoke access later.

Compliance and Audit Features

eDiscovery support, legal holds, audit trails. Not every firm needs these, but larger firms or those handling complex litigation often do.

Security Best Practices

Multi-Factor Authentication

Require it. No exceptions. Your cloud storage password might get compromised through a phishing attack or a data breach somewhere else. With MFA, a stolen password alone is not enough to take over the account.

Strong Password Policy

Require long, complex passwords. Consider using a password manager firm-wide to make this manageable.

Device Management

If lawyers access cloud files from personal devices (laptops, phones, tablets), you need policies about device security, lost device procedures, and data wiping capabilities.

User Training

The most secure cloud storage system won't help if users click phishing links, share passwords, or accidentally set files to public access.

Train your staff on secure file sharing practices, recognizing phishing attempts, and proper use of cloud storage features.

What Could Go Wrong

Accidental Public Sharing

User accidentally sets a folder containing privileged client documents to "anyone with the link can view." Document links get indexed by search engines. Client data is now publicly accessible.

Prevent this with: admin controls that disable public sharing, user training, periodic audits of sharing permissions.
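
A periodic sharing audit of the kind listed above, as an added example that is not part of the original post or any provider's tooling. It checks a constructed link-sharing export against the controls named under External Sharing Controls (public links, passwords, expiration dates); the column names, the `firm.example` domain and the sample rows are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are hypothetical, not any provider's real report format.
SAMPLE_EXPORT = """path,owner,link_scope,password_required,expires,shared_with
/Matters/Smith v. Jones/Privileged/memo.docx,alice@firm.example,anyone_with_link,no,,
/Matters/Smith v. Jones/Production/set1.zip,bob@firm.example,specific_people,yes,2017-09-30,expert@consultant.example
/Matters/Acme Merger/term-sheet.pdf,carol@firm.example,specific_people,no,,cfo@acme.example
/Admin/holiday-schedule.pdf,dave@firm.example,firm_only,no,,
/Matters/Doe Estate/will-draft.docx,alice@firm.example,specific_people,yes,2017-03-01,client@mail.example
"""

FIRM_DOMAIN = "firm.example"  # assumption: the firm's own e-mail domain


def audit_shares(export_text, today, firm_domain=FIRM_DOMAIN):
    """Return {path: [findings]} for shares that break the sharing controls."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        # Multiple recipients are assumed to be separated by ';' in the export.
        recipients = [r for r in row["shared_with"].split(";") if r]
        external = [r for r in recipients if not r.lower().endswith("@" + firm_domain)]
        public = row["link_scope"] == "anyone_with_link"
        if public:
            issues.append("public link: anyone with the URL can view")
        if public or external:
            if row["password_required"] != "yes":
                issues.append("external share without a password")
            if not row["expires"]:
                issues.append("external share with no expiration date")
            elif date.fromisoformat(row["expires"]) < today:
                issues.append("expiration date passed: confirm access was revoked")
        if issues:
            findings[row["path"]] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit_shares(SAMPLE_EXPORT, date(2017, 8, 1)).items():
        print(path)
        for issue in issues:
            print("  -", issue)
```
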

Account Compromise

Attacker gets a user's password and accesses or downloads client files. Might not be detected for days or weeks.

Prevent this with: MFA, unusual activity monitoring, access logging, regular review of who's accessing what.

Insider Threats

Departing employee downloads client files before leaving. Or current employee inappropriately accesses files for matters they're not working on.

Prevent this with: access controls, audit logging, exit procedures that include access revocation, periodic review of who has access to sensitive matters.

Hybrid Approaches

Some firms use cloud storage for some things but not others:

This can work but adds complexity. Make sure the boundaries are clear and consistently followed.

State Bar Guidance

Some state bars have issued specific guidance on cloud storage. Check with your state bar for any Arizona-specific requirements or recommendations.

Generally, state bars have acknowledged that cloud storage is acceptable if proper precautions are taken, but the specifics of what's "proper" can vary.

Our Take

Cloud storage makes sense for most law firms in 2017. The technology has matured, major providers take security seriously, and the practical benefits are significant.

But you can't just sign up for Dropbox and start uploading client files. You need to:

If you need help evaluating cloud storage options for your firm or want to make sure your current setup meets ethical obligations, we can help. We've worked with Arizona law firms since 1991 and understand both the technical requirements and the professional responsibility aspects.

Cloud storage is a tool. Like any tool, it works well when used properly and causes problems when used carelessly. Let's make sure your firm is using it properly.