BigLaw “may not be able to access O365 for years”

Big law firms could be years away from a full move to Microsoft Office 365 – despite the fact that much of Microsoft’s investment is focussed on its cloud-hosted suite of services and that most BigLaw firms have the move on their roadmap – because Microsoft is continuing to refuse to hand over the encryption keys.

For the past two years, Microsoft has been engaged in conversations with many, if not most, of the Global 100 firms, including Linklaters, where global chief operating officer Matt Peers said: “The issue for us and other large law firms is that, as things currently stand, Microsoft can access our clients’ data without our prior authorisation. While we see the huge benefits for both us and our clients of moving to O365, Microsoft’s refusal to hand over the encryption keys or to introduce technical controls that stop Microsoft’s administrative support staff accessing the keys means that big firms with highly confidential client work may not be able to access O365 for years.”

While much of BigLaw is using parts of the Office 365 suite, email is a particular problem for law firms. Rick Howell, chief information officer at Perkins Coie, said: “Several small firms are using Exchange online and Office 365. The issue that BigLaw has is that we are bound by client outside counsel guidelines, which means we can put some material in Office 365, in OneDrive, Box, and use Excel and PowerPoint. An acceptable use policy controls what we can and can’t put in. With email, you can’t untangle it.”

Microsoft told us: “For security reasons, we do not share the encryption keys to data on our service, however we do provide Customer Keys. These enable a customer to provision and manage the keys used to encrypt data at rest in Office 365 whilst meeting compliance requirements. Microsoft engineers do not have default access to cloud customer data, instead, they are granted access, under management oversight, only when necessary. Microsoft personnel will use customer data only for purposes compatible with providing contracted services, such as troubleshooting and improving features, such as protection from malware.”

However, this doesn’t get over the fact that if a government were to demand access to client data, Microsoft could hand it over unencrypted and without the law firm’s prior authorisation or even knowledge. While law firms may ultimately have to hand over the information themselves, they want to be in control of the disclosure process and have the opportunity to mount a legal challenge, rather than leaving it in the hands of Microsoft’s back office.

Howell said: “It can be solved because Amazon has solved it and Cisco has solved it. The key management system that Amazon uses means we get to own the encryption keys, which solves the problem. Yes, it’s very difficult to prevent the admin side of Microsoft touching the data and they do have Lockbox that requires us to give them permission to access it. But the fact is that if there was a subpoena they can get to our clients’ data and turn it over and when they turn it over it won’t be encrypted.”

In the UK, Microsoft has been building up a team dedicated to serving law firm clients, but across the G100 and beyond there is a huge concern that the legal sector, which is governed by regulations and practices that don’t apply to other sectors, still barely features on the software giant’s radar. That is despite the fact that, in 2017, the worldwide legal services market was valued at $849bn. See https://www. services-market/

One option law firms are now looking at is third-party digital rights management tools such as Vaultive, which encrypt all email data before it goes to Office 365, meaning that Microsoft has zero visibility of a firm’s data.

However, as law firms and legal market vendors increasingly back the Microsoft stack, it is incumbent on Microsoft to demonstrate that its product team is aware of and prepared to meet the needs of the legal vertical.