What is cloud computing? The National Institute for Science and Technology defines cloud computing in richly technical NIST-speak. For reference: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” That’s all pretty inaccessible. What it reduces to, essentially, are the principles of “scaled economics” – that is, law firms outsourcing their data storage needs to avoid expensive hardware upgrades and skim a little from their IT budgets.  One such public warehouse is DropBox; more on Dropbox later.

There it is, then. Law firms have adopted this as a fit cost-cutting strategy and they have done so en masse. The purposes range from e-mail archiving and document management (NetDocuments) to, among other things, payroll processing (ADP). The snowball has been tossed and has already gained formidable velocity. So much for tradition and so much for excess preoccupation with ABA/federal rules; now it’s okay for all to play ball. In a certain respect, law firms are just doing as businesses do. They only think about security in the context of security breach – when a golden laptop goes conspicuously missing, when a staff attorney discovers a keystroke logger, when server data gets compromised and there’s glaring signs of data leakage.  Then, we talk security.

DropBox was highly, highly touted as recently as last year; folks with technical know-how said DropBox was safe for use by law firms handling sensitive legal data. A year ago, this lawyer gave thunderous support for integrating DropBox into legal work. As did this guy: Why DropBox Rocks for Legal Offices. And then, on June 19^th 2011, there was a security breach. For four hours on that fateful Sunday, anyone with a modem could access DropBox-hosted documents; the systems would accept any password. Let that digest for a moment.

A well-credentialed acquaintance of mine once approached me for idea leads on a talk he scheduled to do at a conference entitled “Security in the Cloud.” I was speechless. After having done a bit of diligence, here’s what I’ve got. There is no security—none. The 1s and 0s are tossed off haplessly along in cyberspace. And beyond security, there is additional concern:

• there is, first and foremost, the worst case scenario of the loss of client data, which in turn would damage a firm’s professional reputation and expose it to malpractice liability;
• the bare inability to see or touch documents on a piece of hardware you own;
• the mere fact of having to interface with a third party at all, which represents a barrier between attorneys and their IT department;
• the indirect (and often) limited control of available bandwidth;
• the risk of becoming inadvertently subject to the laws of a foreign jurisdiction, where document storage might be ultimately maintained;
• and finally, waiving the privilege.

What do YOU think? In the humble view of this post’s author: the same principles of “scaled economics” that compel firms to outsource administrative responsibilities are what compel further outsourcing (and cost-cutting) on behalf of these third parties, with little additional accountability. Institutional inertia is a two-way process, and I feel firms ought to be vigilant of ongoing trends in the realm of cloud security – and withhold. At a minimum, whatever auditing standards a firm applies to its policy in-house ought to be extended and applied out-of-house as
well.

In terms of understanding the cloud’s topology, cumulonimbus may just as well be cumulo-“nebulous.” And if DropBox repeats itself soon – you’ll pardon the forced pun – the size of the fallout will just as well be a computational disaster.

• As it launches its cloud computing platform, Azure, Microsoft calls for federal regulation to clarify many of the open legal questions surrounding cloud computing, says the MTTLR Blog.

• Ten years after it applies, TiVo is granted patent for season pass subscriptions, writes Gizmodo (see our recent post on TiVo’s patent battle with Microsoft here).

• INFO/LAW recommends a Paul Ohm paper arguing that statistical techniques are eroding the effectiveness of anonymization of data, with great implications for privacy law.

• The Third Circuit revives the hopes of Mr. and Mrs. Boring, who sued Google in trespass after a Google Street View car drove down their private driveway, writes Eric Goldman.

• Ephemerallaw reports on the looming compliance deadline for the Massachusetts Data Security Law.

• Rob Tiller of Red Hat argues for calling a troll a troll at Opensource.com’s law channel.

• Mashable reports that the U.S. Department of Justice and the European Commission have given the go-ahead to the Microsoft-Yahoo deal that will see Yahoo’s search engine powered by Bing technology.

• The controversy surrounding Google’s Buzz is not confined to the U.S. (see our post): the Canadian Office of the Privacy Commissioner is also taking a look, says CBC News.

• Further afield, Indian IP blog Spicy IP considers whether the Indian Reprographic Rights Organisation (IRRO) might challenge the Google Books settlement, on the basis on India’s stricter “fair use” standard.

• It’s not just China: European security and rights watchdog, the Organization for Security and Co-Operation in Europe, calls on Turkey to reform or abolish its restrictive internet law.

• And also in Europe, Out-Law gives a round-up of just-decided and upcoming litigation involving trademarks and keywords.