Moving into the cloud should be a key objective in the digital transformation strategy of any law firm. Providing a remote infrastructure can free up the time of in-house IT staff to focus on product innovation and makes it easier to roll out agile working for fee earners. Furthermore, hosted services can reduce overall IT costs and improve infrastructure resilience and data security and compliance.
What are the key compliance issues for law firms working in the cloud?
Data protection and cybersecurity
If using cloud services to process client data, law firms must abide by the Data Protection Act (DPA), which is based around eight principles of good information handling. Of particular relevance to cloud computing is the fifth principle, which states that data controllers take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Under the seventh principle, firms must have a written contract in place which requires that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.” Furthermore, it is incumbent upon the firm to ensure that their provider has sufficient cybersecurity measures in place to protect their client data, in accordance with outcome 7.3 of the SRA Code of Conduct, which requires firms to “identify, monitor and manage risks to compliance … and take steps to address issues identified”.
According to CenturyLink research from September 2017, 20% of law firms experienced an attempted cyberattack over the last month, rising to 44% over the last year. In theory, hosted servers should provide enhanced security compared to in-house infrastructure, but credentials should always be checked. Data protection will become even more critical once the GDPR comes into effect (see below).
Confidentiality and the SRA rules
All businesses must abide by data protection regulation but law firms have an additional obligation related to their client data: confidentiality. The obligation to keep client information confidential is enshrined in Rule 4 of the SRA handbook. Although the practical considerations surrounding client confidentiality are similar to data protection concerns, this provides a further reason for firms to check the integrity and credentials of their chosen cloud provider.
It is worth noting that the SRA has itself stated that the “use of cloud computing can improve general data security” in its report Silver Linings: cloud computing, law firms and risk. However, it goes on to warn: “Given the importance of legal privilege and client confidentiality, law firms should exclusively use established, known and well-regarded cloud providers.”
Data ownership, SLAs and jurisdiction
In order to minimise the risk of non-compliance with Principles 4 and 5 of the SRA Handbook, firms should ensure that they can retrieve client data (in a usable format) on demand and that their contract with the cloud provider allows them to retain full ownership of the data stored on the hosted servers. Furthermore, any server downtime can cause compliance issues, so an appropriate service level agreement (SLA) should be agreed with the provider.
Principle 8 of the DPA states that: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection”. But the geographical location of a cloud provider’s offices may be different from that of their servers, so it can be quite tricky to find a provider that meets this objective.
It is also worth noting that, under outcome 7.10 of the SRA Code of Conduct, solicitors must ensure that outsourcing of “any operational functions that are critical to the delivery of any legal activities” is “subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions”. In practice, this means that it’s vital to reach an agreement with the cloud provider that they will release any data requested to the SRA on demand.
How will GDPR affect law firms working in the cloud?
The General Data Protection Regulation (GDPR) comes into force across the EU from 25th May 2018. It increases maximum fines for data breaches to €20 million or 4% of annual global turnover and introduces a variety of new data protection rules. Aside from tightening up the data protection regime, one of the most interesting aspects of GDPR for the purposes of cloud computing is that data processors will also be covered by the rules. Because the onus will no longer be solely on data controllers to protect data, cloud providers will automatically need to tighten up their data protection processes; as such, it should be easier for law firms to find a provider who meets their requirements.
What can law firms do to stay compliant with their duties when using the cloud and what should be expected from IT service providers?
Law firms should ensure that their IT service and cloud computing providers are aware of any specific obligations under the DPA, GDPR and SRA Rules, and that they take measures to comply with all of the relevant requirements. Some of the key expectations law firms should have of service providers include:
- Compliance with DPA – and planning for GDPR
- Understanding of SRA Rules (e.g. confidentiality)
- Written agreement regarding data processing and ownership – including that data will be provided to SRA on demand
- SLA specifying uptime – which protects the interests of the firm’s clients
- Clarity regarding geographical location of data
- Flexibility in terms of contracting, to take account of specific client requirements
- Termination rights – including return of data and deletion of any records
- Transparency regarding any potential jurisdictional issues (e.g. if servers are located in a country with different data protection laws from those of the contracting parties)