How Secure Is Your Cloud Storage? A Practical Guide for Lawyers (2025 Update)
29Apr 2025

How Secure Is Your Cloud Storage? A Practical Guide for Lawyers (2025 Update)

[Note: This is an updated version of an inPractice blog post originally published in 2017.]

As lawyers continue to rely on the cloud to store, share, and sync client files, questions around data security are more important than ever. Services like OneDrive, Box, Dropbox, and Google Drive may be convenient—but are they secure enough for confidential client information?

The short answer: not always.

Before you upload a single client file, it’s essential to understand how your data is protected, the risks, and what steps you can take to keep files secure. This guide breaks it down in plain English.

Why Encryption Matters (and When It Happens)

Encryption is what scrambles your data into unreadable code—unless you have the key to unlock it. But not all encryption is equal. The best protection happens at three key stages:
 
  1. Before your data leaves your computer (client-side encryption);
  2. While your data is moving to the cloud (in-transit encryption);
  3. Once your data is stored in the cloud (server-side encryption).

Let’s look at why each of these stages matters, and what can happen if one is missing.

1. Client-Side Encryption: Lock It Before It Leaves
This is the most important stage—and the one most cloud providers skip.

With client-side encryption, your files are encrypted on your device before they’re uploaded to the cloud. You hold the only key, and the cloud provider never sees your data or your password. When the provider has no access to your encryption key, this approach is often called “zero-knowledge encryption”—because they quite literally have zero knowledge of your data.

Why it matters: Without client-side (zero-knowledge) encryption, your provider can access your data even if it is encrypted later.

2. In-Transit Encryption: Keep It Safe on the Road
Once your file is encrypted (or not), it travels to the provider’s servers. During that journey, it’s vulnerable to interception—like a letter in the mail. Good providers use secure connections (like TLS) to protect data in transit. This ensures that even if someone intercepts your data, they can’t read it.

Why it matters: This is your second line of defense against hackers or man-in-the-middle attacks.

3. Server-Side Encryption: Guard It at Rest
Finally, your data reaches the cloud server. Here, many providers encrypt the files again while storing them. But there’s a catch: they control the keys—which means they could unlock your data.

Why it matters: Server-side encryption protects against external threats, but without client-side encryption, the provider still has access to your sensitive or confidential data.

The illustration below shows these three stages and what they look like when there is no client-side encryption at stage 1.



What This Means for Lawyers

Most common cloud services only encrypt your files in transit and at rest. That means they have the technical ability to access your data.

If you’re storing sensitive or confidential client information via cloud services, that’s a risk you need to weigh carefully. Even a small data breach could lead to major consequences, including malpractice exposure.


Your Options for Safer Cloud Storage

There are two smart ways to keep your client data secure:

Option 1: Use a Zero-Knowledge Provider
These services encrypt your files before they ever leave your device and never store your password. You, and only you, can access the data.

Pros:
  • Maximum security and privacy;
  • Provider has zero access to your data.
Cons:
  • Lose your password, lose your data—there is no way to recover it;
  • Some features like sharing or previewing from the cloud may be limited;
  • Upload speeds may be slower due to encryption.

Top Zero-Knowledge Providers:
  • Tresorit (Switzerland) – Fully encrypted with zero-knowledge access;
  • Sync.com (Canada) – Zero-knowledge by default;
  • pCloud (Switzerland) – Offers optional client-side encryption;
  • Icedrive (UK) – Sleek, secure, with zero-knowledge for paid users;
  • MEGA (New Zealand) – Generous free plan with full encryption;
  • Internxt (Spain) – Open-source and privacy-focused.

Option 2: Encrypt Files Before You Upload
If you want to stick with Dropbox, Google Drive, or another mainstream provider, you can still protect your data by encrypting it yourself first. With third-party encryption tools, you lock your files on your device. Then you upload the encrypted versions—meaning the cloud provider can’t read them, even if they try.

Popular Tools for Pre-Upload Encryption:
  • Cryptomator (Germany) – Free for individuals, open-source, easy to use;
  • AxCrypt (Sweden) – Zero-knowledge encryption with password manager and other services;
  • Boxcryptor (Germany) – Very popular but acquired by Dropbox in 2022. No longer available to new customers, but existing users are still supported. Dropbox Business users now have Boxcryptor’s zero-knowledge encryption built in.


Always Vet Your Providers

No matter which provider you choose, do your homework:
  • Check how long they’ve been in business;
  • Read up on their data security policies;
  • Make sure they follow industry standards (like General Data Protection Regulation (GDPR) or HIPAA, if applicable);
  • Look for providers that work with lawyers or legal professionals;
  • Read real-world reviews from trusted tech and legal sources.


Final Thoughts

Cloud storage isn’t going away—and neither are the risks. But with the right approach, you can protect your clients and your practice:
  • Know when and how your data is encrypted;
  • Use tools that give you control over encryption keys;
  • Choose providers who take privacy seriously.

Security doesn’t have to be complicated—but it must be intentional.

Post Author: Hong Dao

Hong Dao

Read more about Hong Dao

Featured Posts

We’ve Got CLEs, Yes We Do!
20Mar 2025

We’ve Got CLEs, Yes We Do!

If this is your MCLE reporting year, the deadline to complete all credits is April 30. As we approach the deadline, remember that the PLF maintains a comprehensive library of free OSB-accredited CLEs covering a wide range of topics!

Revised PLF Books for Starting and Managing Your Law Practice!
04Jan 2025

Revised PLF Books for Starting and Managing Your Law Practice!

To support aspiring and current firm owners, we've refreshed our practice management book series, complete with our latest malpractice avoidance tips, general guidelines, and practical forms. The new design format enhances readability, while the trio of covers embraces the essence of the Pacific Northwest. Whether you're planning to start a firm or already managing one, this set from the PLF reveals valuable insights to guide your journey.