1.1 Who should read this practice note?
All solicitors, practice managers or law firm IT staff using or planning to use cloud computing services.
1.2 What is the issue?
Legal practices are increasingly using cloud computing as an alternative to 'traditional' IT provision. Cloud computing has a number of advantages, but it also carries risks which your firm should navigate carefully.
2 What is cloud computing?
2.1 Characteristics of cloud computing
Cloud computing is computing as a service: someone else owns and runs the hardware, and often the software, which you access and operate via the internet.
Cloud computing services normally have the following characteristics:
- you only pay for the computing resources you use and you have immediate control over the amount you use, scaling up or down quickly (and sometimes automatically)
- costs and prices are kept down because you're making use of shared resources
- to maximise efficiency, your applications and your data are likely to be automatically moved around within and between data centres, so the location of your data at any one time can be uncertain
- cloud services are highly standardised at both a technical level and in the terms and conditions that they offer to users.
2.2 Types of cloud service
Cloud services can generally be classified into three types:
- software as a service (SaaS): ready-made applications like word processing, customer relationship management, data storage or email
- platform as a service (PaaS): a development platform which customers can use to develop and run their own applications
- infrastructure as a service (IaaS): basic infrastructure (eg servers in a data centre) on which users can load their own applications
IaaS and PaaS products tend to offer more control and flexibility to the user, but normally demand much more technical expertise. SaaS products usually require little knowledge on the part of the user, but offer less scope for customisation as a result.
2.3 Examples of cloud computing
- Amazon pioneered cloud computing when they made the spare capacity of their private data centres publicly available. They offer a range of services, which allow users to operate databases and virtual servers. These are examples of IaaS and PaaS.
- Google Drive is a suite of ready-made applications – word processing, spreadsheets, databases and file storage. Data is stored in Google's data centres, and the service is free within a certain storage limit. This is an example of SaaS.
- There are also numerous specialist cloud services. Salesforce.com, for example, pioneered a cloud-based customer relationship management suite for businesses which has been running since 1999 and now has over one million users.
2.4 Deployment models
Cloud services can be deployed in different ways:
- A public cloud is the most common deployment type. A public cloud provider offers cloud-based services to external customers. The characteristics listed in 2.1 generally apply to public clouds.
- A private cloud is owned and deployed by an organisation for its own exclusive use. Private clouds can potentially offer you greater security and knowledge of where your data is being held, but costs will be higher and there may be limited scalability. Many of the characteristics of cloud computing identified in 2.1 will not apply to private clouds, so some commentators argue that a private cloud is not really cloud computing.
- Hybrid clouds integrate private networks or data centres with a public cloud so that the latter can act as a backup to provide additional capacity to meet exceptional demand.
- Finally, community clouds are established by organisations who have a common requirement for certain standards of service, particular software or levels of security. For example, a group of law firms could establish a community cloud.
A variety of more detailed and informal definitions and descriptions of cloud computing, including an outline of the public, private and hybrid deployment models, can be found under Further Information below.
2.5 Defining cloud computing from a regulatory perspective
In most cloud computing setups, data, including personal data, is processed on a third-party server or application. This is significant from a professional conduct and regulatory compliance perspective.
Data controllers processing personal data on a third party's cloud computing system must comply with the Data Protection Act, including its security provisions (see Section 4). Practices are also subject to professional conduct obligations to maintain client confidentiality, properly manage their practices and facilitate SRA access to data (see Section 5).
3 What are the risks and benefits of cloud computing?
Cloud computing has the potential to offer a rich mix of benefits and risks which your firm should evaluate in the light of its own circumstances.
A 2011 survey of legal firms identified the following potential benefits and risks of cloud computing:
Potential benefits:
- improved backup/disaster recovery
- increased storage capacity
- increased data handling capacity
- reduced infrastructure costs
- avoiding frequent updates to software
- reduced internal IT staff costs
Potential risks:
- security, data confidentiality and location of data
- service reliability and stability
- lack of control over customisation and integration
- service response time, and enforcing SLAs
- speed and bandwidth
- danger of supplier lock-in
- difficulty of achieving executive buy-in
3.3 Analysing risks and benefits
Some issues, like information security, can potentially be a risk or a benefit to your firm, depending on a number of factors.
You should understand prospective cloud service offerings fully, to make sure that:
- they meet your business requirements
- they are procured under a robust business case
- they have been subjected to a full risk and compliance analysis
If you don't have relevant expertise in-house, you can obtain independent expert advice.
4 Data protection and information security
4.1 Your existing data protection policies
The starting point for evaluating cloud services should be your practice's existing data protection, information security and business continuity management frameworks and policies.
Your data protection and information security leads should be involved from the outset. Guidance is available in the Law Society practice notes on data protection, information security and business continuity.
4.2 Information Commissioner's guidance
You should read the Information Commissioner's Office (ICO) guidance on the use of cloud computing in order to ensure that your cloud deployment complies with the Data Protection Act 1998.
The ICO defines three roles involved in cloud computing:
- the cloud provider
- the cloud customer - the organisation that commissions a cloud service
- the cloud user - the end user of the service
In most cloud deployments, practices will be both the cloud customer and the cloud user. For example, you might commission a customer relationship management system from a public cloud provider in order to manage your relationships with clients.
However, the separation between provider, customer and user will not always hold. A cloud-based CRM could be deployed as a private cloud, managed and controlled by your practice. Alternatively, you could commission a cloud service that offers services directly to your clients (as with certain online legal services).
Most cloud deployments by practices will involve the processing of personal data which relates to clients, staff or third parties. These deployments must comply with the Data Protection Act 1998.
Deployments that simply process non-personal data - for example, some knowledge management tools - are not covered by the Data Protection Act, but the law uses a broad definition for 'personal data', so you should look carefully at the ICO's guidance on determining what constitutes personal data.
4.3 Distinguishing data controllers and data processors
Data controllers are responsible for ensuring that data processing complies with the requirements of the Data Protection Act.
As practices are usually cloud customers, they will normally also be data controllers, because they decide the purpose and the manner in which personal data are processed.
The cloud provider will usually be the data processor. However, the issue is not a straightforward one, and the Article 29 Working Party in the EU has said that in some cases cloud providers will be the data controller for the cloud customer's data.
Ultimately, a determination will depend on the precise service being offered. If a cloud provider processes personal data for its own purposes, then it will definitely be a data controller for that data.
Your practice must understand and distinguish the roles of data controller and data processor in relation to its cloud deployments. The ICO has issued guidance on identifying data controllers and data processors.
Your practice should understand the relationships between sub-contractors in the provision of cloud services when applying this guidance.
Cloud services are often made up of different layers, owned and managed by different cloud providers - for example, the owner of the software service will frequently be different from the owner of the servers that it is running on. In order to comply with the Data Protection Act, your practice must understand these relationships. This is also likely to make good business sense.
5 Other professional conduct matters
5.1 Confidentiality and outsourcing
Outcome 4.1 of the Code of Conduct states that you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.
Outcome 4.5 requires that you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.
Indicative Behaviour 4.3 is that you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected.
These outcomes and the indicative behaviour reinforce your obligations in respect of data protection and information security but they also go further in that they do not just apply to personal data.
5.2 Access to outsourced data by the SRA
Outcome 7.10 of the Code of Conduct states that where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure that the outsourcing:
(a) does not adversely affect your ability to comply with, or the SRA's ability to monitor your compliance with, your obligations in the Handbook;
(b) is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;
(c) does not alter your obligations towards your clients, and
(d) does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so.
Adopting a third-party cloud computing platform is likely to constitute outsourcing an operational function that is critical to the delivery of your legal activities.
It follows that you should seek contractual terms from your cloud supplier that would enable you to satisfy the outcome as set out in paragraph (b) above.
You should understand the different layers of ownership and management in the arrangements you sign up to (see section 4.3 above).
5.3 Lawful access to data
There may be circumstances in which police or intelligence agencies at home or abroad can lawfully obtain access to your data via your cloud service provider. The Information Commissioner's guidance on the use of cloud computing makes clear (paragraph 88) that where this occurs enforcement under the DPA against a data controller is unlikely.
You should have regard to the possibility of lawful access by a foreign law enforcement or intelligence agency when selecting a cloud service, and select a provider who will offer appropriate contractual commitments and operational practices in relation to managing the risks of your data being subject to such lawful access.
You should also consider a range of other factors about a provider that may have a bearing on whether or not you should entrust them with client data:
- their reputation
- their ownership and control (including foreign ownership and control)
- their financial stability, and
- their independent certifications.
Section 6 below discusses procurement and contract issues further. You should also have regard to the Information Commissioner's checklist in his guidance on the use of cloud computing.
6 Procurement and contract
Cloud computing contracts vary. Whether you are choosing a standardised 'click-wrap' offer (clicking an 'I agree' button to terms and conditions), or negotiating a sophisticated and multi-layered agreement, you should consider the following issues.
6.1 Pre-contract: internal approval
In addition to a review of business requirements, a robust business case and proper risk and compliance analysis (see section 3), you should ensure that you have an internal approvals process which you follow.
There is a risk that staff at any level will circumvent your official procurement and approvals processes, particularly with 'click-wrap' and 'free' services.
'Free' services may involve payment for extras, or generate income from processing data about you. They can pose serious data protection, client confidentiality and information security risks. Everyone in your practice should be alerted to these risks, and be made aware of the need to follow your formal approvals process.
6.2 Pre-contract: scope for negotiation
It may not be possible to negotiate standard terms and conditions: many cloud service providers offer take-it-or-leave-it contracts. In other negotiations, your relative bargaining power will be insufficient.
This may not be a problem, particularly if your intended deployment of cloud services is non-strategic.
However, if you do need to negotiate, then you should be aware that many 'integrators' – sub-contractors re-selling primary cloud services – should have greater bargaining power with cloud service providers. As discussed in section 4.3 it is important to understand the basic relationships in your cloud services supply chain.
6.3 Key commercial and legal issues
You should critically question and fully understand any cloud contract you enter into. Some of the matters you may wish to consider include the following:
6.3.1. Liability for service failure
Cloud providers frequently exclude contractual liability for their customers' direct losses and even more frequently, indirect losses, as a result of service failure.
It may not be possible to re-negotiate these terms. In practice the solution may be to choose a cloud provider with:
- a good track record
- commitment to remain in the cloud computing market
- a strong reputation to protect
6.3.2. Service levels and service credits
Service levels should be objective, quantifiable, repeatable measures of matters within your cloud provider's responsibility. You should agree the service levels that are important to your firm.
Service availability is likely to be a key measure for most firms. You should consider various aspects of service availability including:
- point of measurement: availability of service provision or availability at the point of user consumption
- service measurement period: even if a service boasts high availability 24/7, this could translate into relatively high downtime during normal working hours
- application availability: availability of particular applications may be just as important to you as general availability of a service
Cloud providers commonly offer service credits if they fail to meet their service level agreement. You should weigh up the relative merits of this regime against damages at common law.
In general, service credit regimes are advantageous to cloud customers and cloud providers as they offer certainty and keep risk to identifiable and manageable levels.
You should be careful before accepting that service credits are your sole and exclusive remedy. This will limit your right to sue for damages at large or terminate the contract.
6.3.3. Regulation and professional conduct
You should satisfy yourself that the following obligations are, where appropriate, addressed in the terms and conditions you agree with your cloud computing service provider:
- data protection
- client confidentiality
- business continuity
- your other regulatory and professional conduct obligations
You should read and follow other relevant Law Society practice notes, including:
- data protection
- information security
- business continuity
6.3.4. Disengagement and transition
Before entering a cloud computing contract, you should think about what will happen if you need to terminate it.
You should ensure that if you need to migrate services to another cloud provider, or back to you, it can take place with minimal disruption.
You should therefore define your requirements for exit at an early stage in negotiations, and ensure that the contract provides a clear exit strategy.
You should consider removing contractual provisions permitting the cloud provider the right to exercise lien over your data and client data.
6.4 Other contractual issues
You should critically question and fully understand any cloud contract you enter into. Some of the matters you may wish to consider include the following:
6.4.1. Jurisdiction and governing law
Cloud providers and their customers are commonly located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable governing law and jurisdiction.
Governing law relates to the law that governs the contract. Jurisdiction relates to courts of the country which is to resolve any dispute.
In each case, the cloud computing contract may stipulate the choice of law and jurisdiction. However, there may also be separate rules on applicable law and jurisdiction which apply irrespective of provisions in the contract. For example data protection has its own free-standing rules on applicable law and jurisdiction.
6.4.2. Minimum terms, renewals and notice periods
Cloud computing contracts frequently have a fixed term, which sometimes renews automatically unless terminated. As these contracts require notice of non-renewal within a set period before expiry, you should be careful not to miss the window.
6.4.3. Acceptable use policies
In cloud computing contracts, the customer has an obligation to comply with the cloud provider's acceptable use policy. This policy protects the cloud provider from liability arising out of the conduct of their customers.
The vast majority of policies prohibit a consistent set of activities that cloud providers consider to be improper or illegal uses of their service.
In most cases, the prohibition of the activities referred to above may be acceptable. However, in a law firm context, these prohibitions need to be considered carefully. For example, if a law firm is acting for a client who is defending a defamation claim, materials which are hosted by the cloud provider could be defamatory.
Consequently, you should review the acceptable use policy carefully and seek to revise any restrictions which you may inadvertently breach.
6.4.4. Introduction of harmful code
In the cloud computing environment, the introduction of harmful code like viruses and other malicious code is a potential threat to your systems and data.
You will need to rely on the cloud provider applying sufficient protection against the introduction of harmful code in hosted data and systems as well as via any communication with the customer's local systems.
To manage this risk, you should consider the potential risks posed by harmful code and the relevant obligations that should be imposed on the cloud provider to ensure that your systems and data are protected.
6.4.5. Change of control and assignment / novation
You should consider the risks associated with another entity obtaining control of your chosen cloud provider.
Contractual approaches to managing this risk include:
- requiring the cloud provider to inform you in advance (subject to any listing rules of a relevant stock exchange) of any proposed change in control of the cloud provider
- having the right to terminate the contract if a change of control has occurred
- ensuring that any transfer of the cloud provider's rights and obligations under the contract to another entity (commonly referred to as 'assignment' in the case of rights and 'novation' in relation to rights and obligations) is subject to the prior written approval of the customer
Understanding the supply chain has already been covered in sections 4.2 and 4.3, but it has consequences beyond data protection compliance. When determining your contractual approach to supply chain risk management, you should also consider:
- Should subcontracting be permitted at all?
- If subcontracting is permitted, should it be permitted in respect of the whole or part of the subject matter of the contract?
- If subcontracting is permitted, on what basis can you withhold your consent?
- Do you have the right to review the terms of the subcontract?
You should also consider the various mechanisms you can use to allocate, manage or transfer the risks associated with subcontracting - for example, by ensuring that the cloud provider is fully liable for the performance of sub-contractors.
6.4.7. Suspension of services
Cloud computing contracts frequently contain a right for the cloud provider to suspend services at its discretion. You should resist this. Consider, for example, Outcome 7.10 of the Code of Conduct (shown in section 5.2).
Alternative approaches include:
- not permitting suspension except with prior notice and agreement
- not allowing suspension for any reason other than non-payment, unless prior notice was given, including reasons for suspension
- not allowing suspension without prior written notice of non-payment, with an obligation on the provider to give a final notice, and a commitment to restore services within a certain number of days after payment
- allowing suspension for material breach, but only after reasonable prior notice and good-faith consultation with you.
You should always have effective business continuity arrangements in place.
6.4.8. Change of terms at discretion of the cloud provider
Some cloud computing contracts include clauses allowing the cloud provider to change the terms of the contract at any time without agreement by the customer. You should consider:
- deleting the right or making the right subject to your agreement to any change
- placing an obligation on your cloud provider to notify you in advance of any changes and give you the right to terminate the contract if you do not agree to the changes.
7 Further information
7.1 Law Society
7.2 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance and finance and accounting. Please contact us on 020 7316 5655, or email firstname.lastname@example.org.