5 questions you must ask cloud tech providers
If your firm is thinking of moving to the cloud, or changing its technology provider, it's vital you ask potential vendors the right questions to make sure you're confident they are up to standard, as Colin Bohanna explains.
In today’s legal landscape, law firm success requires more than just exceptional legal work. You must also find ways to enhance productivity, minimise expenses, and serve clients from anywhere.
While adopting cloud-based legal technology can help with these goals, not all tech providers are created equal – it’s your job to satisfy yourself that vendors are up to standard.
If you’re thinking of introducing (or changing) cloud technology at your firm, it’s a good idea to first assess potential tech vendors.
While it may be obvious to evaluate business factors – like a provider’s history, funding, and stability – it’s equally important to query things like the level of security and reliability they can offer. But what risks should you be mindful of, and what do you need to know from potential cloud technology vendors to make an informed decision?
Here are five questions to help guide your assessment process.
1. What are their terms of service and confidentiality policies?
As a solicitor, it’s essential – and it’s your legal and ethical responsibility – to protect and ensure client confidentiality when it comes to cybersecurity. As such, ask if they have clear and accessible:
- terms of service and privacy policies
- lawyer and client confidentiality policies (specifically, do they recognise and agree to abide by the duties of lawyer/client confidentiality?)
- contractual obligations to notify you of any demands for client information – with time for you to intervene
Also ask:
- What uptime (system reliability) does the vendor guarantee as part of their service level agreement?
- Is there an initial setup fee? Are there additional usage or bandwidth fees?
- Is there a cap or limitation on their service, such as bandwidth caps or storage limits?
- Do they explicitly recognise your ownership of any intellectual property?
2. What is the plan for a backup of data and business continuity?
Disasters (both natural and manmade) do, unfortunately, happen.
While using cloud-based technology can help mitigate the risk of losing data if a physical disaster (such as a fire or flood) should happen at your office, cloud-tech providers must have a plan to protect your data and ensure business continuity should issues arise.
- What are their documented procedures for business continuity and disaster recovery? Have those procedures been tested?
- Are there regular backups that are tested for validity? Are those backups encrypted?
- How, and how easily, could you retrieve your data from the provider, if needed?
- Can you maintain a local backup of your data?
- If you retrieve data, is it in a usable, non-proprietary format?
3. What security measures do they maintain?
Security is critical for your firm – on all fronts. Take time to investigate and understand exactly what reasonable security measures the provider offers.
- What controls to prevent unauthorised access or disclosure of information (including penetration testing) are in place?
- What features and measures (such as two-factor authentication, IP monitoring, strong password requirements, role-based access control, etc) does the provider offer for user authentication and to prevent unauthorised access?
- What are their data protection policies? Do they employ encryption at rest and in transit to protect your data?
- How often, and with what regularity (ad hoc, annually, or on some other schedule), is the provider’s security audited? Will they allow you to obtain copies of any security audits performed?
- What support and/or remedies will they provide in the event of data breaches and service availability failures?
4. What is the provider’s geolocation?
One of the key advantages of using fully cloud-based software is that cloud services let you go mobile, freeing you from on-premises servers at your office. But you still must think about where the provider is physically located.
A true cloud-based provider should be capable of maintaining multiple geographical locations to ensure data safety and meet residency requirements.
- Where are their servers located?
- Do they have multiple storage locations? If so, how often are they synced?
- Can they provide you with a means to satisfy any applicable data residency requirements?
5. What are the policies for termination of services?
If, in the future, you decide to terminate your use of a cloud-computing technology service, you need to know what happens next.
Are there, for example, any additional costs or penalties that your firm would incur for terminating the service? What would happen to your data and information?
Introducing cloud technology can be a great benefit to your firm, but not all providers offer the same standard of service.
By thoroughly investigating a potential provider’s policies and asking smart questions, you’ll be in a better position to evaluate their value to your firm.
For more information, read Clio’s Cloud Computing Due Diligence Checklist.