Here is my recent Daily Record column. My past Daily Record articles can be accessed here.
****
The Real Risk Isn’t the Cloud—It’s Premises-Based Software
When my book Cloud Computing for Lawyers was published by the American Bar Association in 2012, the idea that cloud computing was secure—let alone more secure than on-premises software—was controversial.
At the time, most lawyers associated physical proximity with control and, by extension, safety. They thought that even if data lived on a server down the hall in a closet next to the copier, it was somehow inherently better protected than if it were stored “somewhere else” in the cloud.
That belief was grounded in emotion rather than technical reality. Even so, it was reinforced by legal technology consultants and in-house IT departments, both of which had a vested interest in maintaining the status quo.
For consultants, the most lucrative part of their business has always been managing physical servers, installing annual software updates, and resolving the inevitable conflicts and errors those updates introduced. In-house IT teams have faced a similar dynamic: moving to the cloud would have significantly reduced the need for large numbers of internal support staff and required a complete reimagining of their roles and responsibilities.
Despite significant resistance over the last decade, the cloud has increasingly become the default in most businesses. However, even today, not all organizations are on board. Many professional firms in both the accounting and legal spaces have stubbornly clung to server-based tools like Microsoft SharePoint for document-sharing with clients rather than moving to cloud-based tools.
It turns out that for many of those businesses, this reticence is their undoing. Case in point: earlier this year, a regional New York accounting firm with offices in Rochester suffered a significant security breach. Their clients’ entire tax organizers, along with all supporting documentation, were compromised. Client notification only just occurred in July, even though the breach occurred in February.
The cause? A server-based version of Microsoft SharePoint. Not SharePoint Online. Not Microsoft 365. The attack exploited a server-side vulnerability specific to the on-premises version of the software.
This wasn’t an isolated incident. It was part of a broader wave of breaches affecting server-based SharePoint software installed in businesses and government offices.
On July 21st, Microsoft confirmed multiple worldwide breaches impacting over 400 businesses and government agencies, including U.S. nuclear facilities, the Department for Education, the Department of Homeland Security, and governments across Europe and the Middle East. Hackers exploited a vulnerability in the software and obtained access to confidential SharePoint files stored on premises-based servers.
These breaches have one thing in common: they are reliant on aging, server-based infrastructure that lacks the built-in protections of modern cloud platforms.
In the cloud, software is updated automatically. Patches are deployed system-wide in real time. Monitoring is continuous and proactive. Cloud providers operate massive, distributed systems that are built from the ground up with security and redundancy in mind.
Server-based systems, on the other hand, rely on local IT staff to monitor security patches, manage threats, and recover from disruptions.
That’s why, for more than a decade, I’ve argued that cloud computing is more secure than traditional server-based data storage options.
Today, the security advantages of cloud-based platforms are well-documented. Experts in cybersecurity, data privacy, and compliance routinely recommend cloud solutions over on-premises software.
The standard of care has evolved accordingly in many industries, including ours. Bar entities in the majority of jurisdictions have issued ethics opinions greenlighting the cloud and have offered guidance to ensure ethical compliance.
In light of these new breaches, the legal profession is once again at a crossroads. It’s no longer a question of whether the cloud is safe, but whether your reliance on outdated systems is putting data at risk.
Cloud computing is no longer a convenience. It’s no longer a future consideration. It’s the most secure and ethically responsible choice available for legal professionals handling sensitive client information. If you haven’t made the switch yet, the real question is: what are you waiting for?
Nicole Black is a Rochester, New York attorney, author, journalist, and Principal Legal Insight Strategist at MyCase, CASEpeer, Docketwise, and LawPay, practice management and payment processing tools for lawyers (AffiniPay companies). She is the nationally-recognized author of “Cloud Computing for Lawyers” (2012) and co-authors “Social Media for Lawyers: The Next Frontier” (2010), both published by the American Bar Association. She also co-authors “Criminal Law in New York,” a Thomson Reuters treatise. She writes regular columns for Above the Law, ABA Journal, and The Daily Record, has authored hundreds of articles for other publications, and regularly speaks at conferences regarding the intersection of law and emerging technologies. She is an ABA Legal Rebel, and is listed on the Fastcase 50 and ABA LTRC Women in Legal Tech. She can be contacted at niki.black@mycase.com.