Embracing the cloud: Balancing the risk vs. reward
As of 2017, 88% of UK organisations had adopted cloud technology, and this has continued to rise throughout 2018. This trend has also been seen within the legal industry, both within individual firms and legal governing bodies. The Law Society of England and Wales recently moved its data to the Microsoft Azure platform and adopted Office 365, Microsoft’s cloud document management solution, signalling to the entire legal industry that cloud is here to stay.
This article shows what law firms will need to consider if they want to embrace cloud technology.
One of the key advantages of cloud software is mobility in terms of both location and devices. Having access to the entire company dataset on a train, in a client office and on a tablet or mobile allows lawyers to work flexibly, and to respond quickly and accurately to clients whilst on the move. In an industry where client service is paramount this is hugely beneficial to law firms.
Specifically for lawyers, the ability to add time and billing information in real time offers advantages over having to make a note and then update a system once back in the office. It also allows lawyers to have an entire case’s documents at their fingertips, wherever they are – no more carrying paper copies, or phoning into the office to check a detail on a case. Finally, it allows for greater collaboration and efficiency. Lawyers in different locations have access to the latest information and can work together on documents and cases in real time.
Another key advantage of cloud computing is the security of data itself. If a Tier 1 cloud provider such as Microsoft Azure or Amazon Web Services is used, data can often be safer than if it was stored in-house – and if a catastrophic event such as a fire or flood were to hit the office, client data would not be affected.
Both the Law Society and the Solicitors Regulation Authority, whilst embracing cloud themselves, have expressed concerns about cloud technology. The SRA has identified cloud computing as a risk factor for lawyers because it involves users “surrendering true control of their data and software to a remote provider”. This is of particular concern for the legal industry, because even sole traders process significant amounts of confidential information and personal data.
Under the GDPR, it is a lawyer’s responsibility to ensure data has an appropriate level of security – this includes when data is being held by a processor such as a cloud platform. Everybody knows that significant fines can follow under the GDPR if personal data is compromised. What is less well known is that the fine is based not just on the breach itself, but on how well the organisation tried to protect its data. Lawyers who choose a cloud provider without carefully considering security not only make data breaches more likely, they also open themselves up to higher fines under the GDPR. These fines can be up to €40 million, or 4% of turnover.
As a Lawyer, What Should You Do?
How can law firms balance the risks and rewards, and ensure that they are keeping data safe whilst reflecting modern working practices? The key is in due diligence, and in thoroughly questioning potential providers during the buying process.
Case management software providers will naturally focus on features and benefits, as that is what will encourage prospects to buy. Several of the top case management software companies do not state anywhere on their website where law firm data will be stored. This means that if firms do not ask, they sign up to a contract with no knowledge of how safe their data really is.
It is up to law firms to determine for themselves what information they require from a provider. However, here are a few of the questions we suggest you ask your potential software provider:
The Cloud Provider
- Who is the cloud provider? Is this a third party, or does the software provider itself hold the data?
As discussed previously, many case management providers use a third party as the cloud host.
- What physical and online protections does the cloud storage provider deploy? How do they protect from insiders inappropriately accessing data?
The software provider should be able to provide you with comprehensive information on how their chosen cloud provider will keep your data safe.
- Does the cloud provider have any independent certifications, such as ISO qualifications or UK Cyber Essentials certification?
This proves that the cloud provider has independent verification of any claims they make.
- Is the data encrypted both in transit and at rest?
Encryption of data protects it in the case of access by malicious parties. Most providers will encrypt data in transit (when moving between user and cloud system) – but you should ensure that they also encrypt it at rest (sitting on the cloud system). This provides data with an additional layer of protection if a breach does occur.
- Where is the data stored?
Under GDPR, all EU data must be stored in the EU. Companies who transfer data outside of the EU without an EU-approved data processing contract are liable for the highest level of fines under GDPR.
- Does the cloud provider ever schedule downtime to update its systems? When would this typically occur?
One risk factor with pure cloud software is that if the cloud is unavailable, then no company data can be accessed. You need to know in advance how disruptive scheduled downtime could be to your operations.
- What is the Service Level Agreement for uptime, and what was the uptime level achieved last year?
Uptime is the amount of time that the system is live and working. Reputable cloud providers should be providing at least 99% uptime. As with the previous question, unscheduled downtime can be even more disruptive to a business, so if a cloud provider has had previous issues with uptime this needs to be a consideration.
The Software Provider
- Can the software provider see my data? What physical and online protections does the software provider deploy? How do they protect from insiders inappropriately accessing data?
This will vary between software providers. If they can access your data, you need to make sure they have appropriate measures in place to prevent inappropriate access from insiders or outside parties.
- Does the software provider ever schedule downtime to update its systems? Could an issue with the software provider’s application ever cause unscheduled downtime? What was the total downtime for the previous year?
As with the cloud provider, if the software application has scheduled or unscheduled downtime then all data will be unavailable to users. You need to be aware of any potential disruption to your business operations in advance.
- Do I retain control of my data, and how would I migrate to another provider if I decided to terminate my service?
Many companies do not consider this until they decide to terminate and realise that they are unable to move their data from one system to another. They may equally find that data can be migrated – but only for a significant fee.
You should ensure that you have a clear understanding of the exit plan if you do decide to end your contract and that your data can be transferred easily and for a reasonable fee.
Lawyers are generally not IT experts, so it can be easy to trust a provider when they say that they have everything covered. However, in order to ensure the safety of one of their most significant assets, lawyers need to make sure that they ask the hard questions of their providers and continue to question until they are satisfied that both software and cloud provider can keep data safe.
Lawyers have a responsibility under the GDPR to keep personal data safe – or face significant, potentially business-ending fines. Equally importantly, lawyers have an ethical responsibility to their clients. Clients trust lawyers to act in their interests, and to keep their personal and confidential information safe and secure.
When lawyers are confident that their data is securely protected within the cloud, they can then focus on the benefits that cloud software can provide. You can work more flexibly, collaborate more efficiently and provide an excellent service to clients no matter where you are.
by Sabina Horgan
VP Marketing and Development