Cloud computing

7 April 2014

Legal status

This practice note is the Law Society's view of good practice in this area. It is not legal advice.

Practice notes are issued by the Law Society for the use and benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them, but doing so will make it easier to account to oversight bodies for your actions.

Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they are accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.

For queries or comments on this practice note contact the Law Society's Practice Advice Service.

Professional conduct

The following sections of the SRA Code are relevant to this issue:

  • Principle 5: You must provide a proper standard of service to your clients.
  • Principle 7: You must comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner.
  • Principle 8: You must run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles.
  • Principle 10: You must protect client money and assets.
  • Chapter 7 of the SRA Code on management of your business.

SRA Principles

There are ten mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.

The principles apply to solicitors or managers of authorised bodies who are practising from an office outside the UK. They also apply if you are a lawyer-controlled body practising from an office outside the UK.

Terminology

Must - A specific requirement in legislation or of a principle, rule, outcome or other mandatory provision in the SRA Handbook. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA Handbook.

Should -

  • Outside of a regulatory context, good practice for most situations in the Law Society's view.
  • In the case of the SRA Handbook, an indicative behaviour or other non-mandatory provision (such as may be set out in notes or guidance).

These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.

May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.

SRA Code - SRA Code of Conduct 2011

SRA - Solicitors Regulation Authority

LSB - Legal Services Board

The Law Society also provides a full glossary of other terms used throughout this practice note.

1 Introduction

1.1 Who should read this practice note?

All solicitors, practice managers or law firm IT staff using or planning to use cloud computing services.

1.2 What is the issue?

Legal practices are increasingly using cloud computing as an alternative to 'traditional' IT provision. Cloud computing has a number of advantages, but it also carries risks which your firm should navigate carefully.

2 What is cloud computing?

2.1 Characteristics of cloud computing

Cloud computing is computing as a service: someone else owns and runs the hardware, and often the software, which you access and operate via the internet.

Cloud computing services normally have the following characteristics:

  • you only pay for the computing resources you use and you have immediate control over the amount you use, scaling up or down quickly (and sometimes automatically)
  • costs and prices are kept down because you're making use of shared resources
  • to maximise efficiency, your applications and your data are likely to be automatically moved around within and between data centres, so the location of your data at any one time can be uncertain
  • cloud services are highly standardised at both a technical level and in the terms and conditions that they offer to users.

2.2 Types of cloud service

Cloud services can generally be classified into three types:

  • software as a service (SaaS): ready-made applications like word processing, customer relationship management, data storage or email
  • platform as a service (PaaS): a development platform which customers can use to develop and run their own applications
  • infrastructure as a service (IaaS): basic infrastructure (eg servers in a data centre) on which users can load their own applications

IaaS and PaaS products tend to offer more control and flexibility to the user, but normally demand much more technical expertise. SaaS products usually require little knowledge on the part of the user, but offer less scope for customisation as a result.

2.3 Examples of cloud computing

  • Amazon Web Services was an early pioneer of public cloud computing. It offers a range of services which allow users to operate databases and virtual servers. These are examples of IaaS and PaaS.
  • Google Drive is a suite of ready-made applications – word processing, spreadsheets, presentations and file storage. Data is stored in Google's data centres, and the service is free within a certain storage limit. This is an example of SaaS.
  • There are also numerous specialist cloud services. Salesforce.com, for example, pioneered a cloud-based customer relationship management suite for businesses which has been running since 1999 and now has over one million users.

2.4 Deployment models

Cloud services can be deployed in different ways:

  • A public cloud is the most common deployment type. A public cloud provider offers cloud based services to external customers. The characteristics listed in 2.1 generally apply to public clouds.
  • A private cloud is owned and deployed by an organisation for its own exclusive use. Private clouds can potentially offer you greater security and knowledge of where your data is being held, but costs will be higher and there may be limited scalability. Many of the characteristics of cloud computing identified in 2.1 will not apply to private clouds, so some commentators argue that a private cloud is not really cloud computing.
  • Hybrid clouds integrate private networks or data centres with a public cloud, so that the public cloud can act as a backup or provide additional capacity to meet exceptional demand.
  • Finally, community clouds are established by organisations who have a common requirement for certain standards of service, particular software or levels of security. For example, a group of law firms could establish a community cloud.

A variety of more detailed and informal definitions and descriptions of cloud computing – including an outline of the public, private and hybrid deployment models - can be found under Further Information below.

2.5 Defining cloud computing from a regulatory perspective

In most cloud computing setups, data, including personal data, is processed on a third-party server or application. This is significant from a professional conduct and regulatory compliance perspective.

Data controllers processing personal data on a third-party's cloud computing system must comply with the Data Protection Act, including its security provisions (see Section 4). Practices are also subject to professional conduct obligations to maintain client confidentiality, properly manage their practices and facilitate SRA access to data (see Section 5).

3 What are the risks and benefits of cloud computing?

Cloud computing has the potential to offer a rich mix of benefits and risks which your firm should evaluate in the light of its own circumstances.

A 2011 survey of legal firms identified the following potential benefits and risks of cloud computing:

3.1 Benefits

  • improved backup/disaster recovery
  • flexibility
  • increased storage capacity
  • increased data handling capacity
  • reduced infrastructure costs
  • avoiding frequent updates to software
  • reduced internal IT staff costs

3.2 Risks

  • security, data confidentiality and location of data
  • service reliability and stability
  • lack of control over customisation and integration
  • service response time, and enforcing SLAs
  • speed and bandwidth
  • danger of supplier lock-in
  • difficulty of achieving executive buy-in

3.3 Analysing risks and benefits

Some issues, like information security, can potentially be a risk or a benefit to your firm, depending on a number of factors.

You should understand prospective cloud service offerings fully, to make sure that:

  • they meet your business requirements
  • they are procured under a robust business case
  • they have been subjected to a full risk and compliance analysis

If you don't have relevant expertise in-house, you can obtain independent expert advice.

4 Data protection and information security

4.1 Your existing data protection policies

The starting point for evaluating cloud services should be your practice's existing data protection, information security and business continuity management frameworks and policies.

Your data protection and information security leads should be involved from the outset. Guidance is available in the Law Society practice notes on data protection, information security and business continuity.

4.2 Information Commissioner's guidance

You should read the Information Commissioner's Office (ICO) guidance on the use of cloud computing in order to ensure that your cloud deployment complies with the Data Protection Act 1998.

The ICO defines three roles involved in cloud computing:

  • the cloud provider
  • the cloud customer - the organisation that commissions a cloud service
  • the cloud user - the end user of the service

In most cloud deployments, practices will be both the cloud customer and the cloud user. For example, you might commission a customer relationship management system from a public cloud provider in order to manage your relationships with clients.

However, the separation between provider, customer and user will not always hold. A cloud-based CRM could be deployed as a private cloud, managed and controlled by your practice. Alternatively, you could commission a cloud service that offers services directly to your clients (as with certain online legal services).

Most cloud deployments by practices will involve the processing of personal data which relates to clients, staff or third parties. These deployments must comply with the Data Protection Act 1998.

Deployments that simply process non-personal data - for example, some knowledge management tools - are not covered by the Data Protection Act, but the law uses a broad definition for 'personal data', so you should look carefully at the ICO's guidance on determining what constitutes personal data.

4.3 Distinguishing data controllers and data processors

Data controllers are responsible for ensuring that data processing complies with the requirements of the Data Protection Act.

As practices are usually cloud customers, they will normally also be data controllers, because they decide the purpose and the manner in which personal data are processed.

The cloud provider will usually be the data processor. However, the issue is not a straightforward one, and the Article 29 Working Party in the EU has said that in some cases cloud providers will be the data controller for the cloud customer's data.

Ultimately, a determination will depend on the precise service being offered. If a cloud provider processes personal data for its own purposes, then it will definitely be a data controller for that data.

Your practice must understand and distinguish the roles of data controller and data processor in relation to its cloud deployments. The ICO has issued guidance on identifying data controllers and data processors.

Your practice should understand the relationships between sub-contractors in the provision of cloud services when applying this guidance.

Cloud services are often made up of different layers, owned and managed by different cloud providers - for example, the owner of the software service will frequently be different from the owner of the servers that it is running on. In order to comply with the Data Protection Act, your practice must understand these relationships. This is also likely to make good business sense.

5 Other professional conduct matters

5.1 Confidentiality and outsourcing

Outcome 4.1 of the Code of Conduct states that you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.

Outcome 4.5 requires you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.

Indicative Behaviour 4.3 is that you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected.

These outcomes and the indicative behaviour reinforce your obligations in respect of data protection and information security but they also go further in that they do not just apply to personal data.

5.2 Access to outsourced data by the SRA

Outcome 7.10 of the Code of Conduct states that where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure that the outsourcing:

(a) does not adversely affect your ability to comply with, or the SRA's ability to monitor your compliance with, your obligations in the Handbook;
(b) is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;
(c) does not alter your obligations towards your clients, and
(d) does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so.

Adopting a third-party cloud computing platform is likely to constitute outsourcing an operational function that is critical to the delivery of your legal activities.

It follows that you should seek contractual terms from your cloud supplier that would enable you to satisfy the outcome as set out in paragraph (b) above.

You should understand the different layers of ownership and management in the arrangements you sign up to (see section 4.3 above).

5.3 Lawful access to data

There may be circumstances in which police or intelligence agencies at home or abroad can lawfully obtain access to your data via your cloud service provider. The Information Commissioner's guidance on the use of cloud computing makes clear (paragraph 88) that where this occurs, enforcement under the DPA against a data controller is unlikely.

You should have regard to the possibility of lawful access by a foreign law enforcement or intelligence agency when selecting a cloud service, and select a provider who will offer appropriate contractual commitments and operational practices in relation to managing the risks of your data being subject to such lawful access.

You should also consider a range of other factors that may have a bearing on whether or not you should entrust a provider with client data.

These include:

  • their reputation
  • their ownership and control (including foreign ownership and control)
  • their financial stability, and
  • their independent certifications.

Section 6 below discusses procurement and contract issues further. You should also have regard to the Information Commissioner's checklist in his guidance on the use of cloud computing.

6 Procurement and contract

Cloud computing contracts vary. Whether you are choosing a standardised 'click-wrap' offer (clicking an 'I agree' button to terms and conditions), or negotiating a sophisticated and multi-layered agreement, you should consider the following issues.

6.1 Pre-contract: internal approval

In addition to a review of business requirements, a robust business case and proper risk and compliance analysis (see section 3), you should ensure that you have an internal approvals process which you follow.

There is a risk that staff at any level will circumvent your official procurement and approvals processes, particularly with 'click-wrap' and 'free' services.

'Free' services may involve payment for extras, or generate income from processing data about you. They can pose serious data protection, client confidentiality and information security risks. Everyone in your practice should be alerted to these risks, and be made aware of the need to follow your formal approvals process.

6.2 Pre-contract: scope for negotiation

It may not be possible to negotiate standard terms and conditions: many cloud service providers offer take-it-or-leave-it contracts. In other cases, your relative bargaining power may be insufficient.

This may not be a problem, particularly if your intended deployment of cloud services is non-strategic.

However, if you do need to negotiate, then you should be aware that many 'integrators' (sub-contractors re-selling primary cloud services) may have greater bargaining power with cloud service providers than you do. As discussed in section 4.3, it is important to understand the basic relationships in your cloud services supply chain.

6.3 Key commercial and legal issues

You should critically question and fully understand any cloud contract you enter into. Some of the matters you may wish to consider include the following:

6.3.1. Liability for service failure

Cloud providers frequently exclude contractual liability for their customers' indirect losses, and often for direct losses too, arising from service failure.

It may not be possible to re-negotiate these terms. In practice the solution may be to choose a cloud provider with

  • a good track record
  • commitment to remain in the cloud computing market
  • a strong reputation to protect

6.3.2. Service levels and service credits

Service levels should be objective, quantifiable, repeatable measures of matters within your cloud provider's responsibility. You should agree the service levels that are important to your firm.

Service availability is likely to be a key measure for most firms. You should consider various aspects of service availability including:

  • point of measurement: availability of the service as measured at the provider's side, or availability as experienced at the point of user consumption (the latter also depends on the network path between you and the provider)
  • service measurement period: even if a service boasts high availability measured 24/7, this can translate into relatively high downtime during normal working hours, because an outage of a given length weighs far more against a 40-hour working week than against a 168-hour calendar week
  • application availability: availability of particular applications may be just as important to you as general availability of a service
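To see why the measurement period matters, here is a small Python calculation, added as an illustration and not part of the practice note. It takes a constructed set of outage records for March 2014 and measures availability twice: once over the whole month and once over an assumed 09:00 to 17:00, Monday to Friday working week. The outage times, the month and the working-day definition are assumptions made for the example.

```python
"""Availability measured 24/7 versus over working hours only.

Added illustration, not part of the practice note. The outage records,
the reporting month and the working-day definition are all assumptions
constructed for the example.
"""
from datetime import datetime, time, timedelta

# Constructed outage records for March 2014 (start, end), as a provider's
# status history might report them. March 3 is a Monday, March 8 a Saturday.
OUTAGES = [
    (datetime(2014, 3, 3, 10, 0), datetime(2014, 3, 3, 11, 30)),   # Mon, 1.5h, in working hours
    (datetime(2014, 3, 8, 2, 0), datetime(2014, 3, 8, 3, 0)),      # Sat, 1h, outside working hours
    (datetime(2014, 3, 19, 14, 15), datetime(2014, 3, 19, 15, 0)),  # Wed, 0.75h, in working hours
]

# Reporting period: the whole of March 2014 (31 days = 744 hours).
PERIOD_START = datetime(2014, 3, 1)
PERIOD_END = datetime(2014, 4, 1)

# Assumed working week: 09:00-17:00, Monday to Friday.
WORK_START = time(9, 0)
WORK_END = time(17, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # date.weekday(): Monday == 0


def permitted_downtime_hours(availability_pct, period_hours):
    """Downtime an availability target allows over a period of the given length."""
    return period_hours * (1 - availability_pct / 100)


def overlap_hours(a_start, a_end, b_start, b_end):
    """Length in hours of the intersection of two [start, end) intervals."""
    lo = max(a_start, b_start)
    hi = min(a_end, b_end)
    return max((hi - lo).total_seconds(), 0.0) / 3600


def working_windows(period_start, period_end):
    """One (start, end) window per working day that falls inside the period."""
    day = period_start.date()
    while day < period_end.date():
        if day.weekday() in WORKDAYS:
            yield (datetime.combine(day, WORK_START), datetime.combine(day, WORK_END))
        day += timedelta(days=1)


def availability(outages, period_start, period_end, working_hours_only=False):
    """Return (availability %, downtime hours, measured hours).

    With working_hours_only=False the whole period counts. With True only
    the assumed working windows count, so outages outside them are ignored
    and those inside them weigh far more.
    """
    if working_hours_only:
        windows = list(working_windows(period_start, period_end))
    else:
        windows = [(period_start, period_end)]
    measured = sum(overlap_hours(ws, we, period_start, period_end) for ws, we in windows)
    down = sum(overlap_hours(os_, oe, ws, we)
               for os_, oe in outages for ws, we in windows)
    return 100 * (1 - down / measured), down, measured


def meets_target(target_pct, outages, period_start, period_end, working_hours_only=False):
    """True if the measured availability reaches the target percentage."""
    pct, _, _ = availability(outages, period_start, period_end, working_hours_only)
    return pct >= target_pct


if __name__ == "__main__":
    for label, wh in (("24/7", False), ("working hours", True)):
        pct, down, measured = availability(OUTAGES, PERIOD_START, PERIOD_END, wh)
        print(f"{label:14s}: {down:.2f}h down of {measured:.0f}h -> {pct:.3f}%")
    # The same month meets a 99.5% target on the 24/7 measure but misses it
    # when only working hours are counted.
    print("99.5% target, 24/7:", meets_target(99.5, OUTAGES, PERIOD_START, PERIOD_END))
    print("99.5% target, working hours:", meets_target(99.5, OUTAGES, PERIOD_START, PERIOD_END, True))
    print("99.9% over a 744h month permits",
          round(permitted_downtime_hours(99.9, 744) * 60, 1), "minutes of downtime")
```

With these figures the provider reports about 99.56% for the month, which meets a 99.5% service level, while the firm's staff experienced about 98.66% during the hours they actually work. The same approach can be applied to the point of measurement: if availability is measured at the provider's side, outages caused by the network path to your office never appear in the provider's figures at all.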

Cloud providers commonly offer service credit if they fail to meet their service level agreement. You should weigh up the relative merits of this regime against damages at common law.

In general, service credit regimes are advantageous to cloud customers and cloud providers as they offer certainty and keep risk to identifiable and manageable levels.

You should be careful before accepting that service credits are your sole and exclusive remedy. This will limit your right to sue for damages at large or to terminate the contract.

6.3.3. Regulation and professional conduct

You should satisfy yourself that the following obligations are, where appropriate, addressed in the terms and conditions you agree with your cloud computing service provider:

  • data protection
  • client confidentiality
  • business continuity
  • your other regulatory and professional conduct obligations

You should read and follow other relevant Law Society practice notes, including:

  • data protection
  • information security
  • business continuity

6.3.4. Disengagement and transition

Before entering a cloud computing contract, you should think about what will happen if you need to terminate it.

You should ensure that if you need to migrate services to another cloud provider, or back to you, it can take place with minimal disruption.

You should therefore define your requirements for exit at an early stage in negotiations, and ensure that the contract provides a clear exit strategy.

You should consider removing contractual provisions granting the cloud provider a lien over your data and client data (for example, a right to withhold or retain data until outstanding fees are paid), since such a right could leave you unable to access client files at the point of a dispute.

6.4 Other contractual issues

Further matters you may wish to consider include the following:

6.4.1. Jurisdiction and governing law

Cloud providers and their customers are commonly located in different jurisdictions. Where this is the case, two separate issues need to be considered: applicable governing law and jurisdiction.

Governing law is the law that governs the contract. Jurisdiction determines which country's courts will resolve any dispute.

In each case, the cloud computing contract may stipulate the choice of law and jurisdiction. However, there may also be separate rules on applicable law and jurisdiction which apply irrespective of provisions in the contract. For example data protection has its own free-standing rules on applicable law and jurisdiction.

6.4.2. Minimum terms, renewals and notice periods

Cloud computing contracts frequently have a fixed term, which sometimes renews automatically unless terminated. As these contracts require notice of non-renewal within a set period before expiry, you should be careful not to miss the window.

6.4.3. Acceptable use policies

In cloud computing contracts, the customer has an obligation to comply with the cloud provider's acceptable use policy. This policy protects the cloud provider from liability arising out of the conduct of their customers.

The vast majority of policies prohibit a consistent set of activities that cloud providers consider to be improper or illegal uses of their service.

In most cases, the prohibition of the activities referred to above may be acceptable. However, in a law firm context, they need to be considered carefully. For example, if a law firm is acting for a client who is defending a defamation claim, materials which are hosted by the cloud provider could themselves be defamatory.

Consequently, you should review the acceptable use policy carefully and seek to revise any restrictions which you may inadvertently breach.

6.4.4. Introduction of harmful code

In the cloud computing environment, the introduction of harmful code like viruses and other malicious code is a potential threat to your systems and data.

You will need to rely on the cloud provider applying sufficient protection against the introduction of harmful code into hosted data and systems, as well as via any communication with your local systems. Note that the division of responsibility varies with the service model (see section 2.2): with IaaS, the provider typically protects the underlying infrastructure only, and protection of the operating systems and applications you load onto it remains your responsibility.

To manage this risk, you should consider the potential risks posed by harmful code and the relevant obligations that should be imposed on the cloud provider to ensure that your systems and data are protected.

6.4.5. Change of control and assignment / novation

You should consider the risks associated with another entity obtaining control of your chosen cloud provider.

Contractual approaches to managing this risk include:

  • requiring the cloud provider to inform you in advance (subject to any listing rules of a relevant stock exchange) of any proposed change in control of the cloud provider
  • having the right to terminate the contract if a change of control has occurred
  • ensuring that any transfer of the cloud provider's rights and obligations under the contract to another entity (commonly referred to as 'assignment' in the case of rights and 'novation' in relation to rights and obligations) is subject to the prior written approval of the customer

6.4.6. Subcontracting

Understanding the supply chain has already been covered in sections 4.3 and 6.2, but it has consequences beyond data protection compliance. When determining your contractual approach to supply chain risk management, you should also consider:

  • Should subcontracting be permitted at all?
  • If subcontracting is permitted, should it be permitted in respect of the whole or part of the subject matter of the contract?
  • If subcontracting is permitted, on what basis can you withhold your consent?
  • Do you have the right to review the terms of the subcontract?

You should also consider the various mechanisms you can use to allocate, manage or transfer the risks associated with subcontracting - for example, by ensuring that the cloud provider is fully liable for the performance of sub-contractors.

6.4.7. Suspension of services

Cloud computing contracts frequently contain a right for the cloud provider to suspend services at its discretion. You should resist this. Consider, for example, Outcome 7.10 of the Code of Conduct (shown in section 5.2).

Alternative approaches include:

  • not permitting suspension except with prior notice and agreement
  • not allowing suspension for any reason other than non-payment, unless prior notice was given, including reasons for suspension
  • not allowing suspension without prior written notice of non-payment, with an obligation on the provider to give a final notice, and a commitment to restore services within a certain number of days after payment
  • allowing suspension for material breach, but only after reasonable prior notice and good-faith consultation with you.

You should always have effective business continuity arrangements in place.

6.4.8. Change of terms at discretion of the cloud provider

Some cloud computing contracts include clauses allowing the cloud provider to change the terms of the contract at any time without agreement by the customer. You should consider:

  • deleting the right or making the right subject to your agreement to any change
  • placing an obligation on your cloud provider to notify you in advance of any changes and give you the right to terminate the contract if you do not agree to the changes.

7 Further information

7.2 Law Society Consulting

If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance and finance and accounting. Please contact us on 020 7316 5655, or email consulting@lawsociety.org.uk.

Find out more about our consultancy services
