Law Firms And The Cloud: Is Your Data As Safe As You Think? – Above the Law

The legal industry has been in full embrace mode when it comes to cloud computing. Data from the American Bar Association and reported in 2023, for example, showed cloud usage among lawyers jumped from 60% to 70% overall, with solo practitioners leading the charge, going from 52% to 84% adoption in just one year. The legal tech press has been enthusiastically covering this “digital transformation,” with publications like Legal Futures touting how “cloud-first strategy” is proving particularly popular among law firms.

The narrative has been almost universally positive. Cloud computing offers flexibility, cost savings, remote access. What’s not to love? The ABA’s 2023 Cloud Computing TechReport reads like a love letter, noting that cloud computing eliminates the need for substantial upfront capital investment in “hardware, software and support services” and provides “robust data backup” if there is a disaster. It’s become almost axiomatic in legal tech circles that the cloud is better than on-premises solutions.

The assumption seems to be that by moving to the cloud, firms are automatically more secure, more efficient, and more disaster-proof. But while the move to the cloud from on-prem for law firms is considered a no-brainer, law firms may mistakenly believe that it’s foolproof, that someone else is taking on the total responsibility to watch after and secure your data. And you need do nothing more. They miss the fact that according to cloud vendors, security is a shared responsibility.


But, Wait

I read an interesting and perhaps scary Report from Vanson Bourne and HYCU. Vanson Bourne is an IT research firm. HYCU is a SaaS data protection platform.

The Report was entitled Rethinking SaaS Resilience In the Legal Sector and it came out on August 11th. The Report confirms that like the US, firms in the UK are increasingly using the cloud. Usage jumped from 60% in 2021 to 75% in 2024. Most firms believe their core business systems will run entirely in the cloud by 2027. It goes on to note that law firms have moved to the cloud for convenience and remote access. But, the gist of the Report is that law firms are mistakenly relying on cloud providers for recoverability and data protection. The Report implies that firms that rely on cloud providers are unknowingly vulnerable to cyberattacks, insider threats, accidental deletion, and supply chain disruptions. Indeed, according to the Report, 85% of business and professional services IT personnel surveyed are not aware that they, not the cloud providers, are responsible for their own data.

The Report further notes firms are unaware that if there is a deletion, corruption, or attack, “the responsibility for protecting or restoring data rests squarely with the firm themselves.”

The Report cites other statistics suggesting that it will take until 2028 for most enterprises to make SaaS a requirement and most firms believe moving to the cloud improved security. The Report quotes Microsoft Policy as follows: “for all cloud deployment types, you own your data and identities. You’re responsible for protecting the security of your data and identities, on premises resources and the cloud components you control.” The Report states that some 72% of the firms surveyed use Microsoft and 54% use Dropbox.

Vanson Bourne puts it this way: The Shared Responsibility Model compounds this risk by dividing responsibility between provider and customer, creating a dangerous data protection gap if customers do not take data protection into their own hands.

Similarly, Google protects the infrastructure, but customers are responsible for recovery of deleted or corrupted files and for implementing retention policies. Security is a shared responsibility, says Google.

And the risks do seem to be growing according to Vanson Bourne. Cyberattacks against UK law firms grew by 77% in just one year. Sixty-three percent of the business leaders surveyed experienced a SaaS data security breach last year. In the US, according to the Report, ransomware attacks surged some 30% in the first quarter of 2024, with the average demand exceeding $500k. In 2024, 36% of the reported data breaches were linked to third party vendors.


So?

What does all this mean? If your firm gets hit with ransomware and your Microsoft 365 data is corrupted, Microsoft will restore the service but, according to its own statement, restoring your files is on you. And if you have no backup? You may be screwed.


Don’t Forget Ethics

Clearly, when firms lose client data, it’s not just an IT problem. It’s also an ethical and even malpractice nightmare.


ABA Formal Opinion 477 makes clear that lawyers have an ethical duty to conduct due diligence on technology vendors, which necessarily includes understanding who’s responsible for what when things go wrong. And when they do go wrong, ABA Formal Opinion 483 requires lawyers to promptly notify clients of any data breach involving material confidential information.


One More Thing

And consider this: if there is a breach and you can’t access data, you can’t do work. You can’t bill. Profitability takes a hit even if you somehow manage to keep your clients.


But Is it Right?

So, if the Report is correct, there could be some significant problems ahead. But when I first read it, I wondered whether this was just another vendor trying to drum up business for services it offers.

But as it turns out, the responsibility for backup and recovery lying with the firms is well documented. For example, Gartner, a major technology consulting and research firm, states in an overview, “Customers are still responsible for backup policies and performing recovery tasks.” And perhaps even more importantly, the ABA’s Cybersecurity Handbook provides that law firms using SaaS must implement independent backup strategies since SaaS vendors “provide availability but not resistance.”

I talked to one large firm CIO about the issue. He told me that among larger law firms, there’s an awareness that they remain responsible for securing their own data, and there are ongoing discussions about backup solutions. His firm has implemented backup procedures. But he suspects many smaller firms may not understand the scope of their responsibilities.

So, while the methodology may be a little suspect (a 40 law firm survey is hardly a comprehensive legal industry study), and of course HYCU is in the business of SaaS protection, the conclusions seem sound.


Conclusion

The bottom line? If your firm moved to the cloud without implementing independent backup and recovery procedures, you’re not just vulnerable, you may be gambling with client data, professional liability, and the ability to practice law if and when things go sideways. The cloud isn’t magic. It’s just someone else’s computer, and the providers have been pretty clear about who’s responsible when it breaks.




Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.