The Oklahoma Bar Journal December 2024

obligations have been reiterated by numerous American Bar Association (ABA) ethics opinions, including Formal Opinion 477R¹ and Formal Opinion 483.² The reasonableness of the precautions a lawyer takes will generally be determined in connection with the sensitivity of the information involved, the likelihood of the disclosure in the absence of the safeguards, the cost of the safeguards, the difficulty of their implementation and the degree to which the use of the safeguards negatively impacts the lawyer’s ability to represent their clients. With respect to communications and other intentional disclosures of client data, lawyers should also consider whether the communication is subject to statutory or regulatory privacy standards or another confidentiality agreement. Although the sufficiency of a lawyer’s safeguards should be assessed on a case-by-case basis, there are several broadly applicable effective approaches all lawyers can employ.

PRACTICAL CONSIDERATIONS FOR STORING AND MANAGING CLIENT DATA

Regardless of the nature of their practice, all lawyers receive confidential client data. As such, careful consideration should be given to how, where and for how long this data will be stored. In practice, this means lawyers should carefully weigh the risks and benefits of on-premises and off-premises (cloud-based) data storage. In general, storing data on premises means storing data on a server hosted within the law firm’s infrastructure and controlled, administered and maintained by the firm or its IT partner. This often means storing the data onsite at the firm itself. On-premises storage can offer greater control over client data and the infrastructure that stores it, potentially higher security for sensitive legal information and, in some circumstances, the ability to access data and operate without internet connectivity. However, on-premises storage can be pricey and requires continuous maintenance, monitoring and security management, which can be resource intensive. For this reason, some lawyers choose to use cloud-based storage, wherein an outside service provider hosts their data. In this scenario, the cloud provider identifies, installs and maintains the infrastructure necessary to store the data, which may provide for cost savings and take some of the burden off the lawyer to monitor potential risks to the data and to identify and implement some of the updates necessary to secure the data. Nevertheless, there are numerous considerations associated with the use of third-party vendors, like cloud storage providers. Lawyers considering transitioning their data from on-premises to off-premises storage should conduct appropriate due diligence with respect to each third-party vendor under consideration. While the level of diligence required varies depending upon the sensitivity of the data being processed by these vendors, the vetting process may include requesting third-party cybersecurity and/or compliance certifications or audit reports; reviewing the vendor’s policies, procedures, internal controls and training materials; and reviewing their privacy and data security history, including regulatory actions, litigation and data breaches. Ultimately, any vendor selected should have a clear technical and procedural ability to protect the data in its possession and a demonstrated history of doing so.

Once a vendor has been identified, lawyers will want to carefully review and, if necessary, incorporate risk-mitigating terms into their agreements with the vendor. This may include provisions requiring the vendor to provide annual proof of appropriate cybersecurity insurance coverage as well as terms requiring the vendor to indemnify and/or reimburse the lawyer for cybersecurity and other related violations. To the extent the lawyer is subject to one of the comprehensive state privacy laws discussed earlier, they may also wish to ensure the contract contains the requisite “processor” or “service provider” contractual restrictions on data processing and data use, as well as specific and enumerated data safeguards as may be required by applicable data privacy laws. After retaining a cloud-storage vendor, lawyers should also be careful not to become complacent and should consider performing annual reviews of their vendor’s practices, such as by requesting the results of any annual third-party audits or compliance certifications obtained by the vendor.

Regardless of where the data is stored, there are additional steps all lawyers should take to protect the client data in their possession. For example, lawyers should consider restricting access to client data on the system. This entails ensuring all system users have unique accounts and are authenticated (including through the use of multi-factor authentication) before they access client information on any device or application on which it is stored. They also should conduct regular security audits and risk assessments, including penetration testing and security control audits, to identify new risks and vulnerabilities to their systems and the data stored therein.

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.
