Online Storage For Lawyers?

alharaka writes "I have a relative that has been a lawyer for over two decades. In passing conversation, he revealed to me that he has a great deal of his data stored on floppies. Naturally, as an IT guy, I lost it on him, telling him that a one-dimensional storage strategy of floppies was unacceptable. If he lost those files, his clients would be enraged. Since I do not know much about online data storage for lawyers, I read a few articles I found on Google. A lot of people appear to recommend CoreVault, since a few bar associations, including Oklahoma, officially endorsed them. That is not enough for me. Do any Slashdotters have info on this topic? Do you have any companies you would recommend for online data storage specifically for lawyers? My relative is a lawyer with recognition in NJ, NY, CA, and DC; are there any rules and regulations you know of regarding such online storage he must comply with? I know IT and not law. I am aware this is not a forum for legal advice, but do any IT professionals who work for law firms know about such rules and regulations?"

A Few Helpful Lists

[eldavojohn]

Well, there's a list of online backup services on Wikipedia that's probably only half of what's available so if you feel you are lacking options and would like to help your friend out, you can do a thorough comparison matrix containing his priorities and rate each of them. You might be able to find viable options in the list of file hosting services as they use encryption.

As a lawyer with recognition in NJ, NY, CA, and DC, are there any rules and regulations you know of regarding such online storage he must comply with?

Ahahahahaha, you are asking Slashdot for advice on legal rules and standards to assist a lawyer?

Look, you're probably going above and beyond what a normal lawyer did back in the day: throw a piece of paper in a filing cabinet in his office. Subject to fire and theft, sure, but I doubt the law has changed enough to make that illegal. CoreVault looks good, you can also visit each of the state bar association pages you listed and find things like NY State Bar Association offering a discount at VENYU for offsite data storage which is probably as close as you'll get to an endorsement. Have you thought about calling each state bar association office and asking them what they use/recommend?

Re:A Few Helpful Lists

IAAL and using any of these services is suicide.
Store your documents IN A FIREPROOF SAFE or VAULT ON PAPER.
Use a document scanner for retrieving them if you lose the electronic originals.
Disclosure to a 3rd party is suicide as your atty-client confidentiality could be lost (what happens if the 3rd party gets subpoenas?). Losing data is suicide because it shows a lack of due diligence.
Use paper. It works. or burn to 2X archival CDR and THEN use paper. whatever floats your boat.
   

Re:A Few Helpful Lists

[Captain+Splendid]

Speaking as someone who runs a small law firm, parent has it mostly right, especially in regards to the document scanner. We live and die on paper, so we make a lot of effort to keep the physical and digital versions safe. As for online storage, HDs are cheap, and even several million pages of text documents won't break anyone's bank.

I've never understood the online storage appeal for just about any commercial entity, but for a law firm, that just ain't gonna happen.

Re:A Few Helpful Lists

[anagama]

IAAL too, and I wouldn't feel comfortable with any particular service in which the service owner could have access to my files or the keys/passwords for decryption. I simply won't entrust my data to a third party, not even my calendar to Google Calendar. I do however perform nightly automated backups to a remote server.

My system works like this:
- in my office, tar the data into a single file, encoding the date into the filename.
- mcrypt that tar file.
- transfer the encrypted tar to a virtual private server via ssh. (*)
- on the VPS, I have a script that keeps a set of my backup files: the last 7 days are kept, and then mondays for the previous 7 weeks.

The risk is that my VPS or another VPS on the remote machine might be hacked and my data files exposed. However, because the data files are encrypted as well as can be by present standards, it is highly unlikely that the actual data will be exposed even if my account was hacked. The person would simply get a set of encrypted files. I suppose it would be possible for a person to grab my files, and 20 years later decrypt them. I think that worry starts to get a bit foil-hatish in that I don't work with terribly sensitive information -- at least not the kind that someone will wait decades to be able to decrypt.

Even if my data was somehow decrypted, I feel that I have performed sufficient due diligence under the rules in my state (**). In fact, there is no data existing anywhere that cannot through some highly contrived set of circumstances, cannot be revealed. I do feel I'm doing a better job than if I merely stored the files in a locked storage closet. Taking a bolt cutter to a masterlock and then trundling off CDs, papers, or thumb drives is way easier than decrypting my files. Any safe I can afford can probably be picked in 30 seconds by some 13 year old kid looking for cred on YouTube. Lastly, I have no doubt my encrypted files on the VPS are more secure than files located on a computer through which the internet is accessed by a web browser.

Anyway, I do feel I'm going beyond what most lawyers do with backup security. Of course there are certain unlikely possible breaches -- but I'm not required to protect against all of them. For example, I don't need to personally hand deliver all paper documents because I'm allowed to use the mail. What could be less secure than documents protected by a paper envelope?

As an added bonus, because my backups are nearly 3000 miles away (I'm on the Pacific, my VPS is on the Atlantic), even a devastating regional disaster will not cause me to lose data. If a disaster is so bad as to stretch from sea to shining sea -- my files will be the least of anyone's concern.

(*) I only get 15gb of space, but it only costs $10/month. It's running CentOS 5, no webserver or anything else, just ssh.

(**) Comment to WA State RPC 1.6 (confidentiality and information):
[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the
reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

Mozy.com, you can provide your own encryption key

I have used Mozy for several law offices, primarily because you can specify your own 256-bit AES encryption key. Not even Mozy has access to your data.
In California the bar association regulations require that a law firm takes "reasonable care" of client data. That's it. Kinda Scary.

Online backup - Mozy

[Bill+Dimm]

Mozy (owned by EMC) has some sort of deal with the ABA to give members a discount, so I would take that to be somewhat of an endorsement for use by lawyers. I'm not affiliated with them in any way -- I just know about them because their booth was across from ours at the ABA TechShow.

Re:Why online?

[TheRaven64]

I've worked with a couple of companies that had the same kind of requirements:

• They can't afford to lose the data.
• They can't take if off-site without some additional constraints (e.g. stored in a safe, encrypted).
• The users don't want to have to understand the technology.

A lot of these companies currently use a third-party warehouse with locked cages and transfer photocopies of court documents there for off-site storage, and want something a bit more high-tech.

The best solution I've come across is an on-site RAID-5 NAS with hourly snapshots. If they can store their data on floppies now, it is almost certainly less than 1GB. Put this on a three or four 250GB disks in a RAID-1 array (no point in RAID-5 when you've got that little data - go for the extra redundancy) which takes (volume-level) snapshots every hour (something like GEOM or ZFS snapshots). Every work night, burn the latest snapshot to a DVD and give it to the boss to take home and put in his safe. He should store the most recent 5 backups there and, n week-end backups. If you're not using ZFS on the server then make sure you're using something else to check for single-sector corruption.

Note: This is not legal advice. I know some law firms one accountancy firm who use this system, but I am probably not in your jurisdiction and you may have additional regulatory / legal requirements. Fortunately, if you are a law firm, you can probably consult a lawyer and get some legal advice cheaply...

Average attorney salary ~$60k/yr

[ahbi]

The average attorney salary is ~$60k per year. And that is with $300k+/yr equity partners pulling the average up.
I was in my 1st year of law school when I found out that I was making more as an engineer (BSEE) than most lawyers were making. (Fortunately, my company was paying for school & guaranteeing me a job upon graduation that involved a pay-grade jump every year for 4 years.)

The truth is, there are just too many lawyers.
Most of them can't find a job in a "real" law firm. So, instead they have to hang-up their own shingle and become sole practitioners.
Sole practitioners usually take DUI cases or other minor disputes, often for clients that decide they're unhappy with the outcome and refuse to pay.
Sole practitioners also get to be taxed on both halves of self-employment taxes, pay their own benefits and business insurance.
Good times.

Add on top of that law school is ~$100k, which most people take out loans for.
So, if you go to law school chances are high you'll graduate with the equivalent of a mortgage and no job.

It really doesn't make financial sense to get a law degree unless you have a lucrative specialty (e.g., patent or admiralty law), go to a cheap state school (e.g., ASU), or feel a moral duty akin to the priesthood.

Re:Mozy.com, you can provide your own encryption k

[xcut]

I have also used Mozy, specifically MozyPro, for my company, for more than a year.
I had a terrible experience with it, the client initially worked well, but is so badly written that as you get to multi-gigabyte volumes, the incremental scanning kills completely stalls the OS.
So: whatever you choose, test it for a while. And, most online storage services have encryption, including DriveHQ, which I switched to. Works fine so far (6 months).

Wikileaks

[Tokolosh]

Please give some good advice, which is to use the latest and best system, endorsed by important entities everywhere.

It is called "Wikileaks", and can be found using any search engine.

Have you looked at....

[s0litaire]

...Spideroak.com

I currently use it for backups. Some of it's coding is OSS. you get 2Gb free storage (which should be enough for you to test out the system.

Online != Insecure. Options exist.

[alanfairless]

There's no reason online can't be secure. Online means it's automatically offsite and that a 3rd party has the time and incentive to be sure it's actually working.

2 years ago I founded https://spideroak.com/ for this exact situation -- wanting a zero-knowledge approach to encryption. We explicitly don't know anything about your data. We just see boring sequentially numbered data blocks on the server. Instead of a EULA, we have a "remember your password" agreement.

You can combine data from unlimited devices and it de-duplicates, and can automatically sync folders for you. Storage is perpetual (unless you explicitly remove things.) FWIW, it's written in Python and we have always supported Linux.

Re:TrueCrypt?

[kasperd]

Before anybody starts using TrueCrypt for encrypting data to be stored online, let me warn you, that TrueCrypt was not designed for that. Several years ago TrueCrypt switched to LRW because the encryption mode used before that was vulnerable to some watermarking attacks. However the LRW encryption was even more vulnerable in case an adversary is able to get a copy of the encrypted data from two different points in time. What that means is, that if you just have the encrypted container stored online using some networking file system, then whoever operates the server will have access to the encrypted data from any point in time. By comparing the data from different points in time, you can perform watermarking attacks. The same applies if you store your encrypted container locally but periodically put a backup of it on a server not directly controlled by you.

I mentioned above vulnerability to the TrueCrypt authors, but they didn't consider it a problem. However I think they did switch to a different mode later for other (less severe) reasons. I don't know if the new mode is better, but I doubt it. I have not yet seen any storage encryption specifically designed to handle this use case. Anything I have seen operating at the block layer TrueCrypt, cryptoloop, GBDE, etc. have been designed without considering the possibility that an adversary would have access to the encrypted data from two different points in time, in other words they are not suitable for storing online.

If you do intend to use an encrypted container and store backup copies of it online, then encrypt it again before storing it online. One approach would be to encrypt the container using a gpg key. Keep only the public key on your computer. Print out the private key along with the passphrase and store it in a safe.

Amazon S3 + duplicity + gpg + cron

[Alives]

I setup a backup system for a lawyer last year. Its basically a cron job that runs a script every night. It uses duplicity + gpg and stores everything on amazon s3. Its incredibly cheap. I store 6 months of revisions, with a full backup on the first weekend of every month, then incrementals after that. I perform regular restores and run a big md5sum job to ensure that the restores are working. I havent automated that stage of it yet, but so far so good. I'd be happy to send you the scripts if you want. PM me if youre interested.

Re:Encryption

[MrKaos]

And it would be smart to store the key/passphrase on paper in a safe, in case you get hit by a bus and your partner/assistant urgently needs a client's file. IANAL.

The banks (I worked in) did it by storing half of a key in two safes, two different managers have access to their particular safe. Each is asked to enter their half of the key when it's required (get's them involved in the data's ownership too). No one actually knows the entire key.

It's a function of the role to have appropriate access. YMMV