Nearly half of the respondents to an SRA survey conducted last summer believed that regulatory uncertainty was the main limitation in adopting new legal tech solutions. The study, conducted in cooperation with Oxford University in summer 2021, revealed that over two-thirds of law firms are already using legal tech in some form despite the uncertainty.
Solicitors and barristers both face two key data security concerns. On the one hand, they must consider GDPR, handling and protecting personal information according to its stipulations. On the other, they must also safeguard privileged client information. For example, barristers found in breach of the GDPR can expect disciplinary action from the Information Commissioner's Office (ICO) and The Bar Standards Board, as we explained in our ebook on cybersecurity for legal professionals.
It's no surprise that this landscape has left lawyers feeling at risk. Juggling complex legal matters and understanding international cybersecurity is obviously no easy feat, especially when the regulatory framework isn't clear-cut.
As a result, 45% of respondents felt that uncertainty around regulations on the use of legal tech was the critical barrier to their implementation. The most cited concerns within that 45% were those noted above: client confidentiality and the GDPR.
Cloud storage & File sharing
Cloud storage and file-sharing were the most prevalent technologies in the SRA survey. The report shows 66% of respondents were already using such a solution, while 11.5% were actively considering one.
Even when companies choose trusted global service providers, client privilege can be at risk. For example, cloud service providers based in the US, such as Apple, Microsoft, and Google, are required by the CLOUD Act and Freedom Act to provide US law enforcement and security agencies with access to the files stored on their servers if presented with a warrant, even if the data is stored outside of the US.
Luckily, various EU and UK bodies have prepared documentation to illuminate best practices for handling private and confidential information in the cloud. For example, recommendation 01/2020 from the European Data Protection Board provides a general overview. Solicitors should also consult the Cloud Computing Guide published by The Law Society and other shorter articles. Finally, barristers can read guidance from The Information Technology Panel of The Bar Council to better understand the risks.
Security demands encryption
A common theme shared by most guidance on confidentiality in the cloud is ensuring that all personal data and privileged information is protected by encryption. But, of course, there are different types of encryption, the most common being encryption in transit and at rest.
The problem with such services is that the providers hold the keys to the data that is stored encrypted on their servers. This results in critical risks:
- providers have access to the information and can access it at any time;
- providers parse and analyze all files uploaded to their service to offer features, e.g., full-text search;
- hackers may be able to read files stored on their service should they gain access to the keys.
The inconsistent language around encryption puts legal professionals in a difficult position. How can they tell if an encrypted service is genuinely private and secure enough to protect legal professional privilege and has the features to be GDPR compliant? Luckily, there's a shortcut: zero-knowledge end-to-end encryption.
On the other end of the spectrum, you have zero-knowledge end-to-end encryption (e2ee), which guarantees client confidentiality and complete GDPR compliance. At Tresorit, this is what we call true e2ee. No data ever leaves your device in unencrypted form: from authentication information such as passwords to the files themselves and encryption keys. When using truly end-to-end encrypted services, like Tresorit:
- all data is encrypted on the user's device before being sent to the cloud;
- the keys to decrypt files also remain on your device;
- only you and those you grant access to can open your files;
- the service provider will never be able to decrypt the files you store on their server.
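The contrast drawn above between provider-held keys and keys that stay on the device, as an added sketch in Node.js. It is not code from this article or from Tresorit; the class and function names are hypothetical, and a real service adds key sharing and user authentication on top.

```javascript
// Added illustration with hypothetical names; not any vendor's actual protocol.
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Model 1: encryption at rest. The provider receives plaintext and owns the key.
class AtRestProvider {
  constructor() { this.key = crypto.randomBytes(32); this.store = new Map(); }
  upload(name, plaintext) { this.store.set(name, seal(this.key, plaintext)); }
  // The provider, or anyone who obtains this.key, can read every file.
  providerRead(name) { return unseal(this.key, this.store.get(name)); }
}

// Model 2: the provider stores opaque blobs and never holds a key.
class BlobOnlyProvider {
  constructor() { this.store = new Map(); }
  upload(name, blob) { this.store.set(name, blob); }
  download(name) { return this.store.get(name); }
}

// Client side: the key is derived on the device and is never uploaded.
const deviceKey = (pass, salt) => crypto.scryptSync(pass, salt, 32);

function demo() {
  const doc = Buffer.from('Privileged: advice to client (constructed sample)');
  const atRest = new AtRestProvider();
  atRest.upload('advice.txt', doc);
  const providerSees = atRest.providerRead('advice.txt').toString();
  const key = deviceKey('constructed passphrase', crypto.randomBytes(16));
  const blobOnly = new BlobOnlyProvider();
  blobOnly.upload('advice.txt', seal(key, doc)); // encrypted before upload
  const stored = blobOnly.download('advice.txt');
  let wrongKeyFails = false;
  try { unseal(crypto.randomBytes(32), stored); } catch { wrongKeyFails = true; }
  return { providerSees, leaksPlaintext: stored.includes(doc),
           wrongKeyFails, clientSees: unseal(key, stored).toString() };
}
```

In the first model the provider recovers the document on its own; in the second, everything it holds is ciphertext, and decryption without the device key fails the GCM authentication check.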
Data residency options offered by different service providers are also vital considerations. Not being able to store your data in a cloud within your chosen jurisdiction would prevent you from securing your data in compliance with the law.
Tresorit secure digital workspaces allow you to choose one of twelve locations where your data can be stored. As this setting can be changed for particular Tresors, you can have dedicated folders stored in different jurisdictions. This makes storing files that must remain within a specific jurisdiction easy.
The first step towards safeguarding client privilege is using zero-knowledge end-to-end encrypted services. The e2ee cloud storage and file-sharing services offered by Tresorit are the shortcuts that ensure lawyers can stay compliant and protect client information.
Zero IT knowledge required
Tresorit can be implemented and customized to your needs in less than an hour with zero IT knowledge. Learn more about how legal professionals can do more to protect their practice by reading our ebook about Safeguarding legal privilege in the cloud.