An interesting debate recently arose on LTI about the use of cloud computing services in the legal sector. You can read the online discussion here. While the LTI forum thread was specifically about Microsoft Office 365, the principles apply to any cloud service.
The main concerns were around whether legal sector professionals could guarantee compliance with the Solicitors Regulation Authority (SRA) and UK data regulations, when storage was outsourced to third parties. Many cloud computing suppliers store data internationally, and thus this data is subject to a different regulatory framework.
This blog post looks at some of the issues. I’d be interested to hear what others in the industry think about this topic and what others are doing to ensure compliance.
What is cloud computing and why is it becoming a popular data storage platform?
People and businesses are generating huge amounts of data. This Data Never Sleeps 2.0 infographic by DOMO shows just how much online data is being created every single minute in 2014.
Businesses, too, are required to keep and maintain large amounts of data. Many are now turning to “the cloud” to store this data. Cloud computing involves outsourcing data processing and storage to an external provider.
Cloud Industry Forum estimated up to 75% of UK-based organisation to be using at least one type of cloud service in 2013. By 2016, Gartner estimates that over 50% of emails will be accessed with a mobile device instead of on a desktop computer.
But there has recently been significant debate around where data should be hosted, and whether it should be hosted in the cloud. This is of particular concern to the legal profession, as data hosted abroad is often subject to different legislation, potentially leading to non-compliance with UK rules.
What are the benefits of cloud computing?
There are many benefits to cloud computing services. The most significant is the cost saving to be made from hosting data online. Cloud computing reduces the cost of provision, for example of specific software, and thus negates the associated maintenance costs. It allows for mobile access on the move, and gives greater access to technology through online platforms. It also gives organisations flexibility to change services, which is often not possible when investment in expensive servers and other hardware has been made.
Should law firms use cloud computing? What are the risks?
SRA identified the risk of “firms failing to exercise due diligence in controlling the risks of such outsourcing systems” in its 2013 Risk Outlook. The SRA Code of Conduct identifies a number of risk factors. These are:
- Confidentiality
- Loss of data control
- Availability of the system
- Client care
- Data Protection Act
For example, with regard to the Data Protection Act: the data centres for many cloud computing service providers are based in the United States. If your data is hosted in America, US data rules allow the US government access to the data at any time. However, the British legal system stipulates that your data should be secure, and that nobody can read it without your permission.
The SRA stipulates that “use of cloud systems must comply with the terms of the Data Protection Act 1998. These terms require a written contract between user and provider and restrict the sending of data out of the European Economic Area (“EEA”).
Potential users must familiarise themselves with the requirements of the Eighth Principle to the Act before committing to a provider.”
Conversely, there are also concerns around access to data by the data owner, as part of UK requirements in respect of the Freedom of Information Act. It is your responsibility to ensure that FOI requests can be responded to in a timely manner.
How can cloud computing risks be mitigated?
General guidance on sending personal data outside the European Economic Area (EEA) is available on the Information Commissioners Office website. This document: Data Protection Good Practice Note – Outsourcing – a guide for small and medium sized businesses may be useful.
The SRA has published a guidance document Silver Linings: cloud computing, law firms and risk, which details the main risks for law firms around cloud computing, along with best practice guidelines for mitigating these risks.
Putting the risks into perspective
The SRA also notes that no system is perfect. It states that the cloud “permits true mobile working with no need for data sticks or email transmission of files, both of which are key risks for data loss” and goes on to point out that “email is not inherently secure, while data sticks are easily lost and provide ready systems access for virus programs”
Firms are obliged to keep client information confidential. This does not bar them from using cloud systems, but they do have to ensure that the system that they choose provides sufficient protection.
What do you think?
I’m interested to hear whether other legal industry professionals use cloud computing services. Do you think the benefits outweigh the risks? How do you ensure your cloud storage data is secure and compliant? What supplier do you use?
Those on Twitter can tweet their thoughts to @KatchrData
Or contact us direct by email or call 03333 010 766
Find out more about our Katchr management information software.