How Law Firms Can Fix the 'Dropbox Problem'

By Sue Keno
January 31, 2014

Maintaining client confidentiality has always been a core responsibility of the legal profession, yet keeping sensitive, confidential information secure has never been more complicated, thanks to the emerging “Dropbox problem.” Ranging from Dropbox to e-mail to instant messaging and beyond, attorneys have a variety of easy ways to communicate with colleagues and clients. Unfortunately, many of these methods also leave data susceptible to deliberate and accidental breaches during transfer.

Several trends are driving attorneys and staff to use less-than-secure channels to receive and send files and e-mails. Law firms need to take assertive action to understand the root causes of this behavior and steer lawyers to methods that won't put their reputations at risk and their clients' data in jeopardy. While this will probably require changes in human behavior, hardware and software, firms owe it to their clients to take the necessary steps.

Data Transfer Challenges

Most law firms have worked diligently to institute encryption, firewalls and other security measures for files sent to and from the firm's e-mail accounts and intranets. Problems tend to arise when attorneys and staff decide to work outside of these official channels.

There are a variety of reasons why attorneys and staff decide to ignore security guidelines. In order to manage data and the proliferation of e-mail, some firms have limited mailbox storage and place restrictions on the size of files that can be sent from firm e-mail addresses. Law firms must also remain in compliance with laws, regulations and clients' preferences, which can hamper the ease of sending e-mails and large files. Tight IT budgets and limited resources at many law firms have also restricted hardware and software upgrades.

Frustrated by these restrictions, some attorneys and staff are creating their own workarounds by using personal e-mail and large-file transfer systems like Dropbox. Some attorneys and staff may also have easier access and greater connectivity to their personal e-mail accounts. A tendency toward bring-your-own-device (BYOD) exacerbates the situation when attorneys increasingly use their own smartphones and tablets to combine work and personal communications. Non-secure collaboration tools are also often easier to use than those that reside behind firewalls.

Even when law firm employees carefully abide by all the rules and always follow security protocols, some others may not. Data breaches can occur when clients and colleagues at other law firms use Dropbox and their personal e-mail accounts to send sensitive information.

Problems and Perceptions

As easy as Dropbox and other personal communication methods may be to use, they can present multiple problems when used to transfer client files. These include:

  • Ownership: Many accounts are personal to the user, and the firm has no knowledge of them or the data that flows through them.
  • Control: This type of technology may not be procured, provisioned or managed by IT. When problems arise, the firm has no way to provide assistance or back up the information.
  • Visibility: Dropbox offers no audit trail that shows the file history, which can complicate litigation and regulatory investigations.
  • Security: The Dropbox consumer model, which many attorneys turn to, is not suitable for sensitive data since there are no thorough security protocols in place to protect files and information. Many users are also not aware that Dropbox sells its subscribers' lists, further compromising security.
  • Compliance: Using these types of services, which rely on a public cloud, means that it is unclear where data is stored. Firms cannot be sure they are following all the relevant laws and regulations, as well as their own records retention programs.
  • Client perception: In-house counsel and their clients are increasingly becoming concerned about the security of their data when it resides at law firms. When outside counsel use a program like Dropbox, this further heightens the perception among clients that law firms may not be as careful as they should be.

Attorneys also need to consider the Model Rules of Professional Conduct. The ABA House of Delegates has approved amendments to the rules that include language to address lawyers' use of technology and confidentiality requirements. With the addition of a new subsection (c), MRPC 1.6 now explicitly provides that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See, http://bit.ly/KWicqJ.

The revisions also supplemented the comments to Rule 1.1 around competence to expressly address the need for lawyers to keep abreast of the benefits and risks of technology relevant to the practice of law. While these changes do not establish new obligations for lawyers, they better communicate existing ethical obligations and emphasize the importance of ethical considerations in the use of technology.

The ABA specifically lists Dropbox among the more popular cloud services for lawyers, while declining to recommend Dropbox because of security concerns.

Finding Better Solutions

When attorneys and staff send important documents, they can typically take one of three approaches: use a public cloud like Dropbox (which is not as secure and should be avoided); allow access through a service provider that uses a private cloud; or host the solution on premise. Some firms choose to adopt a blend of the second and third options.

Several solutions have emerged for law firms seeking to avoid the Dropbox problem. Along with secure file transfers, some firms are also looking to integrate electronic communications with approaches that address other communication and storage issues, such as: file synchronization; file sharing, comparison and collaboration; store and search functionalities; and document management system (DMS) integration.

Some of the more well-known providers among law firms, and some of the features they offer, include:

  • Accellion, Inc., which provides full support for secure file transfer and partial support for file synchronization and file sharing, comparison and collaboration.
  • Autonomy LinkSite, an HP company, which offers full support for file synchronization, store and search functionalities and DMS integration. Autonomy also provides support for secure file transfer and file sharing, comparison and collaboration.
  • Biscom Delivery Server provides full support for secure file transfer, store and search and DMS integration, and partial support for file sharing, comparison and collaboration.
  • Citrix ShareFile offers full support for secure file transfer and partial support for file synchronization and file sharing, comparison and collaboration.
  • MimeCast offers full support for secure file transfer and partial support for file sharing, comparison and collaboration.
  • Workshare offers full support for secure file transfer, file synchronization, file sharing, comparison and collaboration, store and search and DMS integration.
  • Other common options for law firms that represent alternatives to Dropbox include YouSendIt Hightail and Huddle.

When considering different providers, firms must carefully balance the need for simplicity, speed, cost-effectiveness and accessibility with their requirements to maintain a professional approach, a full audit trail and client security. Firms also need to consider how to integrate their different communications approaches so that documents do not reside in multiple places.

Luring attorneys and staff away from Dropbox and similar systems will take education and effort. Everyone at the firm needs to understand the dangers of non-secure file transfer services. Law firms also need to provide attractive alternatives that attorneys will actually use. If lawyers find themselves hampered by the firm's e-mail policies, procedures and interfaces, they will continue to ignore them and use other, non-secure alternatives.


Sue Keno is the vice president of Keno Kozie Associates, a national IT integration and support consultancy that has provided integration and help desk services to law firms for over 20 years. She specializes in client management, document management and application services within the law firm environment.
