Cloud computing is increasingly ubiquitous, even in law firms, despite the view that the legal profession has a reputation for being slow to adapt. It is particularly popular among small firms and sole practitioners.
Nonetheless, confusion remains as to what cloud computing is – more lawyers will answer 'yes' when asked if they use online storage or mobile working solutions than when asked if they use software as a service (aka SaaS) or cloud computing (ABA TechReport 2016), even though all of these are in the cloud.
So if you're interested in moving to the cloud – or you're already there – how can you make sure you pick the right provider and fulfil data security and privacy requirements?
What is cloud computing?
Keep in mind that the cloud is just connected computers that aren't in your workplace and are run by someone else. Cloud computing is the provision of services such as Google Docs, Microsoft OneDrive and Dropbox. These are remote services operated by a separate provider. They may be public, private or hybrid, and it is important to understand the differences between these when considering cloud services – for instance, in terms of data security.
How can it help my business?
It can facilitate mobile working. Cloud computing allows lawyers to work anytime, anywhere, so it supports flexible working.
It can also save you money. Cloud computing expenses can be lower and more predictable than traditional IT provision, with up-front savings of up to 40 to 50 per cent (Silver Linings: cloud computing, law firms and risk). This is because IT delivered through the cloud offers economies of scale, includes maintenance and upgrades, and offers the option for bring-your-own-device policies.
Cloud computing costs are also captured as operating expenditure, rather than new capital expenditure. This flexibility, inexpensiveness, and reduced IT support burden all mean cloud computing may be particularly beneficial for smaller firms.
What are the risks?
A key risk is security. A public cloud may be cheaper but less secure. ACS Law was fined by the Information Commissioner's Office for using a public cloud service for consumers for business purposes. As it was a law firm, which should have understood its obligations as a data controller, it was held to a higher standard and the fine was commensurately higher (BBC, Law Society). In contrast, a private cloud may be more secure but also more expensive.
To minimise the risk, you need to conduct appropriate due diligence on any providers you're considering using, in order to both understand the type of cloud services available, and ensure you select reputable, well-established cloud providers. Ask potential providers if the data they store is encrypted both while in storage and in use. This is particularly important for mobile working.
It is also prudent to ensure that there are secondary security measures, like two-factor authentication, for employees to access data off-site. While off-site access is a concern, cloud computing can reduce the risk of lost or stolen USB drives or laptops.
Several major cloud providers now offer packages tailored to regulated professions, which are likely to be a safer choice and are more likely to provide adequate security measures.
You must also ensure that any outsourcing to a cloud provider does not adversely affect your obligations to the Solicitors Regulation Authority, including the SRA's ability to monitor compliance.
Should you tell your clients their data is in the cloud?
Another obvious risk is to client care standards and confidentiality. Law firms should consider if they need to disclose to clients that their data may be stored in the cloud. Firms must ensure that any cloud provider has adequate controls in place to meet any data protection requirements, and should check whether data will only be stored on servers within the EEA (or countries whose data protection regimes have been deemed adequate). Cloud providers should be able to offer audited information security that is compliant with ISO27001 or other relevant security standards.
Is the cloud always available?
Cloud computing does carry the risk of server downtime; it is advisable to check a cloud provider's outage record, and to check that any service level agreement with a cloud provider includes minimum uptime and adequate protections for outages. Data availability will also be vital in the event of any physical damage, such as flooding or fire, or if the cloud provider becomes insolvent or is bought or sold by another company.
One potential risk factor is a cloud service provider closing down, leaving the firm unable to access its data at all, or unable to do so without further payment. Firms should ensure data is backed up frequently to a second location, and is easily accessible in a useful format. It is also important that any subcontractors are required to adhere to the same standards as the primary cloud provider.
Cloud computing can provide flexibility, enhanced security, better quality services at a lower cost, and improved mobile and collaborative working, but is not without risks. Law firms should feel confident using cloud services, so long as they do so with 'eyes open' to these risks. From a contractual perspective, the "devil is in the detail", so cloud computing contracts need to be reviewed carefully.
For further guidance, please refer to the Law Society's practice note on cloud computing.
Stay up to date with all those buzzwords and what they mean for law firms: join Sam and other speakers to explore and understand the cloud, big data, GDPR, client data security and regulation and risks in our digital world on Wednesday 27 September 9-17:00.