In the Cloud

26/11/2013


Earlier this month the SRA published a paper about the risks involved in using cloud systems. You can find it here, but I’ve summarised and commented on the main points below.

What is cloud computing?

In a nutshell, it’s using the internet to provide software, infrastructure and storage, rather than a user’s own server. So for instance instead of saving this article to my hard drive or a USB stick, I could save it to a folder on the internet using my preferred cloud provider. This would mean that I could then access it from any computer or handheld device, and that if my PC crashes or is stolen, all would not be lost.

Can law firms use cloud systems?

Yes, but you should keep your wits about you and choose a system that will provide the protection you need to keep client information confidential. Some systems are better than others, and you should always conduct due diligence on your systems of choice, not least because using the cloud will be seen as outsourcing – the practice note for which can be found here.

Your use of the cloud must also comply with the Data Protection Act 1998, including its restrictions on transferring personal data outside the EEA. Storing client data on servers outside the EEA counts as such a transfer, so you need a lawful basis for it: Safe Harbour covers transfers to US providers that have signed up to the scheme, and for other destinations you will need another basis (such as the EU model clauses). Ask the provider where its servers are and which basis it relies on. If the provider is US-based or uses US servers you’ll also need to take US surveillance laws into account, since the provider may be compelled to hand data over under them.

At the very least, the cloud provider should be able to show independently audited information security, for example certification to ISO 27001. Ask to see the certificate and check that its scope actually covers the service and data centres you will be using; a certificate for one part of a provider’s business says nothing about the rest. And there must always be a service level agreement, because you’ll want to avoid being caught up in situations such as this one, where a cloud company went bust and had to try to find a new home for all of its customers’ data in a hurry.

 

It sounds expensive

It needn't be. A reputable provider can usually offer stronger physical security, patching and encryption than a smaller firm could run on its own servers. There are also flexible pricing arrangements, so that you’re not tied in to lengthy and expensive contracts, and you save money by not having to invest in the processing power and storage that you’d otherwise need.

The audit trail

To comply with the SRA Code of Conduct, make sure that the agreement with the cloud provider would allow them to provide usable data to the SRA on demand, should the SRA request it. The security measures should also be specified in the agreement, and at least an annual audit of these measures undertaken by the provider. You’ll also want to ensure that you retain full ownership of the information, that you’re satisfied with how often the data is backed up, that it will be safe should the provider’s business fail, and that you could get it back in a usable format if the provider fails or you decide to leave. These requirements will mean that a free public cloud service will probably not be suitable for the needs of a UK law firm. So if you’re using one now to store confidential information, you may want to think again.

No internet access

Make sure that you’re satisfied with the provider’s definition of ‘uptime’: how it is measured, and whether planned maintenance counts against it. Get references from other users, and ask to see evidence of previous downtime events and what the provider did to avoid future problems. If you’re unable to access your data for any length of time this could cause serious problems for your firm and clients, so discuss redress with the provider before you sign on the dotted line, and put it in the agreement.

Consent

If you do start using the cloud, amend your terms and conditions to say this, and consider asking for informed and explicit consent from the client to use the cloud where a client’s matter is unusually sensitive or high profile.

Password protection

As you are still very much responsible for preventing data leaks, ensure that users choose strong passwords that they don’t reuse elsewhere, change them regularly (at least every 3 months), and don’t write them down on sticky notes. Users should also never use unsecured wi-fi to access the cloud, for instance in hotels and cafés, so you’ll need to provide a secure connection (a ‘security bubble’ such as a VPN) for iPads and other devices, and to train your staff in the importance of using it when they travel or use public transport. It goes without saying that if they log in from home, the home wi-fi should be encrypted (WPA2 with a strong passphrase) so that nobody can park up outside the house and join the network. Make sure that everyone is using secure wi-fi wherever they are.

Encryption

You could also consider encrypting sensitive files yourself before storing them, so that if the provider’s copy is leaked or accessed without authority, it is unreadable without your key. Bear in mind what this does and doesn’t protect: encryption stops a leaked file being read, but it won’t bring back a file that has been corrupted or lost, so you still need backups. Keep the encryption keys within the firm rather than with the provider (otherwise the provider, or anyone who compromises it, can read the files anyway), and back the keys up safely, because a lost key means the files are gone for good. This isn’t nearly as difficult as it sounds and your IT team should be able to find an automated system to do the job for you.
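As an added illustration (this is not code from the SRA paper or from the author), here is what ‘encrypt before you upload’ looks like in practice, in Go using only the standard library. It assumes AES-256-GCM, a key generated and kept by the firm rather than the provider, and a storage format of its own choosing (a random nonce followed by the ciphertext and authentication tag, with the file name bound in as associated data); the sample document and file name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Storage format assumed by this example: 12-byte random nonce || AES-256-GCM
// ciphertext || 16-byte authentication tag. The file name is used as associated
// data, so a blob copied under a different name fails to decrypt.

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateKey returns a fresh 256-bit key. The firm keeps it (password manager,
// HSM, offline backup); it is never uploaded alongside the files.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealFile encrypts a document before upload. name is authenticated, not hidden.
func SealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenFile decrypts a downloaded blob, refusing anything altered or renamed.
func OpenFile(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a client file.
	doc := []byte("Client: Example Ltd\nMatter: 0001\nPrivileged and confidential.\n")
	blob, err := SealFile(key, "matter-0001.txt", doc)
	if err != nil {
		panic(err)
	}
	// What the provider holds: no readable plaintext.
	fmt.Printf("provider can read plaintext: %v\n", bytes.Contains(blob, []byte("Privileged")))

	back, err := OpenFile(key, "matter-0001.txt", blob)
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(back, doc))

	// A single flipped bit (corruption or tampering at the provider) is rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenFile(key, "matter-0001.txt", tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)

	// The same blob presented under another file name is rejected too.
	_, err = OpenFile(key, "other.txt", blob)
	fmt.Printf("renamed blob rejected: %v\n", err != nil)
}
```

Two points the code makes that the paragraph only hints at: the provider only ever sees the sealed blob, so a leak on its side exposes nothing readable; and the authentication tag means a corrupted or altered file is detected rather than silently decrypted to rubbish. Detection is not recovery, though, which is why the backups and the safely stored key still matter.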

Conclusion

Whilst the range of providers you can choose from may be limited by your professional and statutory obligations, cloud systems can actually reduce the risk of data loss, provided that downtime is minimal. Ensure that the provider has comprehensive continuity plans in place, that security is high, and that your clients’ interests are protected.

About the author

Hayley Crawshaw is an independent Risk and Compliance Consultant for Law Firms. Her contact details can be found at www.celticcompliance.com

 

The SRA’s paper on cloud security risk can be downloaded below.
