Although a recent survey puts cloud adoption at 90% industry-wide, law firms are understandably cautious when it comes to the cloud. With ethical and conduct responsibilities to protect client confidentiality in addition to the usual financial and data protection concerns faced by all businesses, the cloud poses a relatively unknown area of risk.
In 2013 a Legal Week Benchmarker survey indicated that 80% of partners and IT directors in legal firms believe that they are likely to be the subject of a cyber-attack. Some cautious law firms therefore shy away from the perceived risks posed by cloud. However, many are acutely aware that technological innovation offers a competitive advantage in a landscape that now consists of one-stop shops, contract lawyers and online legal services.
Cloud can offer technological innovation that can improve client satisfaction, keep employees engaged and costs low, yet the question remains: is cloud secure enough for law firms?
In brief: yes. However, the cloud will only meet the Data Protection Act and professional ethic regulations if suitable risk assessments and precautions are taken.
The SRA Code of Conduct Outcomes and data protection
Law firms need to consider the relevant Solicitors Regulation Authority (SRA) Code of Conduct Outcomes, including:
- protecting client confidentiality (4.1);
- ensuring systems and controls are in place to identify and mitigate risks to client confidentiality (4.5) and your firm’s financial stability and money assets (7.4); and
- ensuring that any outsourced activities do not affect your firm’s ability to comply with the Handbook obligations to clients and the SRA’s monitoring abilities.
Firms also need to consider that, under the Data Protection Act 1998, personal data must not be sent out of the European Economic Area unless the country offers a sufficient level of protection.
Cloud computing passes on the task of data processing and storage to an outsourced provider, and it was identified as a potential risk by the Solicitors Regulation Authority (SRA) in their 2013 Risk Outlook.
Law firms should therefore conduct a suitable risk assessment and ensure that their systems and outsourcing partners can adequately meet their data protection and Handbook responsibilities.
How to ensure your cloud solutions are secure
In considering and mitigating the risks of cloud computing, the SRA’s risk resource Silver linings: Cloud computing, law firms and risk recommends taking the following steps:
- taking references from other companies using the proposed provider,
- checking service level agreements carefully to ensure that the proposed service can offer at least full Safe Harbour compliance if data is stored outside the EEA,
- checking that the provider can offer audited information security that at a minimum is compliant with ISO27001 2005,
- checking that the provider can offer a level of guaranteed uptime and continuity protection that is acceptable to the firm,
- ensuring, where staff will be working on the move, that they have properly secured communication channels to protect security, and
- ensuring that their contract with the provider includes the requirements of Outcome 7.10 of the SRA Code of Conduct.
Security can also be improved by:
- using a private cloud, or private area of a hybrid cloud, for client confidential material,
- using software to automatically encrypt documents at the law firm's end, using security keys that are not known to the provider, and
- using only providers that are based in EEA countries or countries offering equivalent or greater data protection laws, and that can guarantee that data will not be held in jurisdictions that do not offer such protections.
Not all cloud solutions are created equal
The SRA’s initial precautionary steps are those that they recommend as a minimum. However, they rightly highlight further steps that law firms should look for when considering a cloud provider.
These underpin a common issue that a move to the cloud can present with security risks. Leading cloud providers like Microsoft, and their Office 365 service, adhere to word-class industry standards - such as ISO 27001, EU Model clauses, HIPAA BAA, and FISMA – and includes essential features such as regular software updates, permissions, versioning control, eDiscovery, and records management. However, an IT support company can help you add extra layers of security to the cloud, such as email document encryption and a remote mobile device wipe if phones or laptops are lost.
Find out more about how law firms can adopt the cloud in a secure and effective way by downloading our free whitepaper: A guide to cloud for legal professionals.