Law is big business. The legal service market is valued at $901 billion worldwide, with over a third of that in the United States alone, and that market is expected to grow by 5% annually for the next decade. Knowing this, it’s easy to see why the legal tech industry is itself in a boom, valued at $28 billion and expected to grow by 8.9% annually through 2032. In a market this poised for disruption, the competition is only going to grow fiercer. Whether you’re developing a new startup or you’re working for one of the biggest players in legal technology, the pressure is on to build functionality that delights customers and maximizes retention.
Commercially available Files APIs give developers a powerful shortcut for bringing one of the most essential parts of legal operations, file management, into their platform. But as a product manager or developer working in legal tech, the question you have to ask is: does your Files API provider offer the level of security that legal customers need and require?
Files API features enable users to collaborate on important work documents within an application via the use of an API. With a good implementation of a Files API, users should be able not only to upload documents, but also to sync, share, and even preview them securely without ever having to navigate away from the app. With a great implementation, things like sharing and permissions should be automated, so that no one ever has to ask a colleague for permission to view a document or send an email with an attachment ever again.
Files APIs function by connecting your application to the API provider’s infrastructure, which has been configured specifically for executing the required file handling functionality. Though there’s a possibility that some Files API providers use their own servers to host this infrastructure, it’s much more likely that Files API providers run their infrastructure via a cloud services provider like AWS. Weavy, for example, hosts all environments on Microsoft Azure, the same cloud services provider that is utilized by PwC’s legal cloud data lakes.
The first job I ever had was as a “junior file clerk” for a small law firm. The work was as simple as it was tedious. Every day it was my job to gather all the no-longer-in-use file copies and return them to their proper file cabinet. If there were unnecessary duplicates, it was my job to shred them. If any of the attorneys needed to see a file, it was my responsibility to make a copy. As I said: tedious.
The most exciting part of my job was when I had to work with the original version of the documents. When this happened, I had to check out two keys: one for the fireproof file locker, and one for the room that contained it, a small shredder, and a copier that had no internet connection. When an attorney is hired by a client, they’re not just hired to give advice, conduct negotiations, or draft documents; they’re hired to be good stewards of the client’s records.
Since cloud storage has overtaken conventional onsite storage as the primary way businesses store files and data, there has been an ongoing discussion within the legal community about the safety and security of using cloud providers for legal documents. Unlike banking or medicine, there is little by way of regulation for how legal documents are stored. In lieu of that, lawyers must look to their own licensing bodies for guidance.
In the United States, the American Bar Association and the local Bar associations of 30 states have now issued opinions on the subject of using cloud computing and cloud storage for legal purposes. Having read all of them, I can say the main throughline is that major commercial cloud services like AWS, Google Cloud, Oracle Cloud Services, and Microsoft Azure should be adequately safe and secure for storing private legal documents. However, they do note that in the instance of a data breach, it is the lawyer who is liable for the breach, not the cloud provider.
With that in mind, most Bar associations offer advice and best practices for firms to try and adhere to. These are the same best practices that legal tech developers and project managers should ask of their Files API provider. Some, like the Connecticut Bar Association, recommend that legal teams use private or bare-metal cloud storage in order to keep the legal data separate and inaccessible by unauthorized parties. This also helps provide a bulwark against hyperjacking, a method by which hackers gain access to a cloud server’s hypervisor, thereby gaining access to all virtual environments governed by the hypervisor.
Others, like the State Bar Association of North Dakota, believe it incumbent to ensure the safe and secure transmission of the data. In this case, that means a legal tech developer must be sure that any API they utilize offers some means of encrypted transmission. As HTTPS has become a prerequisite of any service operating on the modern web, end-to-end data encryption is all but assured.
But perhaps more important than the data being breached via a man-in-the-middle attack is the breach of authentication credentials. With access to an unencrypted credential token, it may be possible for a bad actor to gain access to the server utilizing the credentials. Most authentication is passed from app to API provider by means of a token, but not all tokens are created equal. When examining Files API providers, I recommend using one that utilizes an opaque token such as a bearer token. This means credentials are just as encrypted as the data they accompany.
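A client-side guard for the credential risk described above, as an added example that is not part of the original article or any provider's code: it refuses to attach a bearer token to anything but an allowlisted HTTPS endpoint, and drops the token when a redirect leaves that origin. The host `files.example.test` and all function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical Files API host; replace with your provider's real endpoint.
ALLOWED_HOSTS = {"files.example.test"}


class UnsafeEndpoint(ValueError):
    """Raised when a bearer token would be sent somewhere it should not go."""


def check_endpoint(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the parsed URL if it is safe to attach credentials to it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeEndpoint(f"refusing non-HTTPS endpoint: {url}")
    if parts.username or parts.password:
        raise UnsafeEndpoint("credentials embedded in the URL itself")
    if parts.hostname not in allowed_hosts:
        raise UnsafeEndpoint(f"host not on allowlist: {parts.hostname}")
    return parts


def auth_headers(url, token):
    """Build the Authorization header only after the endpoint passes the check."""
    check_endpoint(url)
    return {"Authorization": f"Bearer {token}"}


def follow_redirect(original_url, location, headers):
    """Resolve a redirect; keep Authorization only for the same HTTPS origin."""
    target = urljoin(original_url, location)
    src, dst = urlsplit(original_url), urlsplit(target)
    same_origin = (
        src.scheme == "https" and dst.scheme == "https"
        and dst.hostname == src.hostname
        and (dst.port or 443) == (src.port or 443)
    )
    if same_origin:
        return target, dict(headers)
    # Downgrade to HTTP or a different host: the token must not travel along.
    kept = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return target, kept
```

Wire `follow_redirect` into your HTTP client's redirect hook, or disable automatic redirects for authenticated calls and resolve them through it.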
If you’re developing a legal tech app, then you’re already more than familiar with operational security best practices. You’ve likely already taken all the necessary steps and precautions your customers require to keep their clients’ data safe. If you’re concerned about what happens to your customers’ data once it leaves your servers for that of your service provider, then why not make it unnecessary for that to happen in the first place? Some Files API providers, like Weavy, allow legal tech developers to deploy Weavy environments on the same servers where the legal tech platform is hosted. This means legal data need not ever leave the safe confines of your tried and true cloud solution.
If you’re interested in using Weavy’s Files API to improve your legal tech platform, reach out to our developer success team here: