
Embracing the cloud: Balancing the risk vs. reward

  • Writer: Marc May
  • Jan 9, 2019

As of 2017, 88% of UK organisations had adopted cloud technology, and this has continued to rise throughout 2018. This trend has also been seen within the legal industry, both within individual firms and legal governing bodies. The Law Society of England and Wales recently moved their data to the Microsoft Azure platform, and adopted Office 365, Microsoft’s cloud document management solution, signalling to the entire legal industry that cloud is here to stay.

This article shows what law firms will need to consider if they want to embrace cloud technology.

The Rewards

One of the key advantages of cloud software is mobility in terms of both location and devices. Having access to the entire company dataset on a train, in a client office and on a tablet or mobile allows lawyers to work flexibly, and to respond quickly and accurately to clients whilst on the move. In an industry where client service is paramount this is hugely beneficial to law firms.

Specifically for lawyers, the ability to add time and billing information in real time offers advantages over having to make a note and then update a system once back in the office. It also allows lawyers to have an entire case’s documents at their fingertips, wherever they are – no more carrying paper copies, or phoning into the office to check a detail on a case. Finally, it also allows for greater collaboration and efficiency. Lawyers in different locations have access to the latest information in real time and can work together on documents and cases in real time as well.

Another key advantage of cloud computing is the security of data itself. If a Tier 1 cloud provider such as Microsoft Azure or Amazon Web Services is used, data can often be safer than if it was stored in-house – and if a catastrophic event such as a fire or flood were to hit the office, client data would not be affected.

The Risks

Both the Law Society and the Solicitors Regulation Authority, whilst embracing cloud themselves, have expressed concerns about cloud technology. The SRA has identified cloud computing as a risk factor for lawyers because it involves users “surrendering true control of their data and software to a remote provider”. This is of particular concern for the legal industry, because even sole traders process significant amounts of confidential information and personal data.

Under the GDPR, it is a lawyer’s responsibility to ensure data has an appropriate level of security – this includes when data is being held within a processor such as a cloud platform. Everybody knows that significant fines occur under the GDPR if personal data is compromised. What is less well known is that the fine is based not just on the breach itself, but on how well the organisation tried to protect its data. Lawyers who choose a cloud provider without carefully considering security not only make data breaches more likely, they also open themselves up to higher fines under the GDPR. These fines can be up to €40 million, or 4% of turnover.

As a Lawyer, What Should You Do?

How can law firms balance the risks and rewards, and ensure that they are keeping data safe whilst reflecting modern working practices? The key is in due diligence, and in thoroughly questioning potential providers during the buying process.

Case management software providers will naturally focus on features and benefits, as that is what will encourage prospects to buy. Several of the top case management software companies do not contain information on where law firm data will be stored anywhere on their website. This means that if firms do not ask, they sign up to a contract with no knowledge of how safe their data really is.

It is up to law firms to determine themselves what information they require from a provider. However, here are a few of the questions we suggest you ask your potential software provider:

The Cloud Provider

  • Who is the cloud provider? Is this a third party, or does the software provider itself hold the data?

As discussed previously, many case management providers use a third party as the cloud host.

  • What physical and online protections does the cloud storage provider deploy? How do they protect from insiders inappropriately accessing data?

The software provider should be able to provide you with comprehensive information on how their chosen cloud provider will keep your data safe.

  • Does the cloud provider have any independent certifications, such as ISO qualifications or UK Cyber Essentials certification?

This proves that the cloud provider has independent verification of any claims they make.

  • Is the data encrypted both in transit and at rest?

Encryption of data protects it in the case of access by malicious parties. Most providers will encrypt data in transit (when moving between user and cloud system) – but you should ensure that they also encrypt it at rest (sitting on the cloud system). This provides data with an additional layer of protection if a breach does occur.

  • Where is the data stored?

Under GDPR, all EU data must be stored in the EU. Companies who transfer data outside of the EU without an EU-approved data processing contract are liable for the highest level of fines under GDPR.

  • Does the cloud provider ever schedule downtime to update its systems? When would this typically occur?

One risk factor with pure cloud software is that if the cloud is unavailable, then no company data can be accessed. You need to know in advance how disruptive scheduled downtime could be to your operations.

  • What is the Service Level Agreement for uptime, and what was the uptime level achieved last year?

Uptime is the amount of time that the system is live and working. Reputable cloud providers should be providing at least 99% uptime. As with the previous question, unscheduled downtime can be even more disruptive to a business, so if a cloud provider has had previous issues with uptime this needs to be a consideration.

The Software Provider

  • Can the software provider see my data? What physical and online protections does the software provider deploy? How do they protect from insiders inappropriately accessing data?

This will vary between software providers. If they can access your data, you need to make sure they have appropriate measures in place to prevent inappropriate access from insiders or outside parties.

  • Does the software provider ever schedule downtime to update its systems? Could an issue with the software provider’s application ever cause unscheduled downtime? What was the total downtime for the previous year?

As with the cloud provider, if the software application has scheduled or unscheduled downtime then all data will be unavailable to users. You need to be aware of any potential disruption to your business operations in advance.

  • Do I retain control of my data, and how would I migrate to another provider if I decided to terminate my service?

Many companies do not consider this until they decide to terminate and realise that they are unable to move their data from one system to another. They may equally find that data can be migrated – but only for a significant fee.

You should ensure that you have a clear understanding of the exit plan if you do decide to end your contract and that your data can be transferred easily and for a reasonable fee.

Conclusion

Lawyers are generally not IT experts, so it can be easy to trust a provider when they say that they have everything covered. However, in order to ensure the safety of one of their most significant assets, lawyers need to make sure that they are asking the hard questions of their providers and continue to question until they are satisfied that both software and cloud provider can keep data safe.

Lawyers have a responsibility under the GDPR to keep personal data safe – or face significant, potentially business-ending fines. Equally importantly, lawyers have an ethical responsibility to their clients. Clients trust lawyers to act in their interests, and to keep their personal and confidential information safe and secure.

When lawyers are confident that their data is securely protected within the cloud, they can then focus on the benefits that cloud software can provide. You can work more flexibly, collaborate more efficiently and provide an excellent service to clients no matter where you are.

by Sabina Horgan

VP Marketing and Development
