The risks for lawyers of exchanging documents via email or the cloud

It has become commonplace to exchange documents with clients via email, but times are changing.

With the size and volume of documents exchanged increasing, it is often the case that email alone cannot manage the magnitude of documents being shared, so clients are increasingly turning to new, free and easy-to-use internet file-sharing tools. Examples include Dropbox, iCloud, Google Drive, Microsoft SkyDrive, Box.net and Google Docs.

These services use the internet to send and synchronise files and deposit digital copies of documents in 'the cloud' for access by third parties. Although convenient, these services are not without their risks.

So, what are the risks?

• The UK's Data Protection Act 1998 (DPA) requires all personal data to be stored within the EEA. However, most cloud services are based in the US. Putting a potential breach of the DPA to one side, the US Patriot Act allows all documents uploaded onto cloud systems based in the US (or falling under Washington DC's jurisdiction) to be accessed and analysed by American security agencies without a warrant.

• It is unlikely that any of these services will be an approved supplier to your organisation. There will be no confidentiality undertaking or contract in place and the majority specifically exclude any liability for any loss of confidential information in their terms of service.

• Few firms will have carried out due diligence on these third-party systems or their processes. However, clients expect their lawyers to conduct significant due diligence on any services or suppliers used for the storage of their documents or data.

• You have no control over these systems, their services or availability (or downtime).

• The files stored by these services may not be encrypted (they are encrypted as they are transferred, but unencrypted on the servers).

• As cloud storage utilities, any files stored on their servers may be vulnerable to attack.

• Filenames and other metadata may not be encrypted as you send and synchronise them (thereby revealing a client name or matter).

Increasing data security

A number of these services have experienced security breaches (for example, type "Dropbox security breaches" into Google), which have resulted in information being exposed freely on the internet.

If publicly sharing photographs of your family summer holiday along with your personal documents on the internet concerns you, then you can be certain that your clients will not want their legal affairs exposed to the world.

You may be requested or invited to use these tools by a client, a situation you may have little or no control over, but you should always consider the risks carefully, advising clients of the risks and encouraging all parties to use a more secure file transfer or storage method.

Law firms are increasingly implementing their own secure corporate file-exchange systems which have passed vigorous technical security tests and have been approved from a contractual perspective. If your firm has such a system, then it should be your first choice.

Although they are easy to use and convenient on the face of it, free file-sharing systems are not secure and you risk compromising client confidentiality and, in turn, the Solicitors Regulation Authority's Code of Conduct. Beware!

As a member of the Legal IT Innovators Group (www.litig.org), we recently completed a project looking at the risks and issues around file-sharing tools; this article is pulled together from its findings and guidance.