Do you know what you’re signing up to?
Posted by Nigel Wallis, partner at Legal Futures Associate O’Connors
“Just because something doesn’t do what you planned it to do doesn’t mean it’s useless” – Thomas Edison
I wonder if Edison’s IT department told him to switch off and switch on again before he got things working properly. It’s amazing to think that if it hadn’t been for him we’d still be reading our smartphones by candlelight.
Like most business sectors, law firms are now almost entirely dependent on technology, and in particular on the software that keeps their systems running and their client services delivered. That is to say nothing of artificial intelligence, which will one day replace large tranches of what we do without moaning about the mess by the coffee machine or turning up late because of a dental appointment.
In truth, few managing partners care how technology works but all of them care if it works.
Given this dependency, IT procurement now sits alongside staff recruitment as a mission-critical success factor for law firms, and yet far less rigour tends to be applied to the commercial, regulatory and contractual issues involved in this key area of business risk.
So, if you are about to replace, upgrade or outsource your firm’s IT systems, here are our top five tips:
Tip one – Due diligence
It is important to conduct thorough due diligence on the proposed product or service provider. Take up references from existing customers and check their financial stability.
Tip two – Specification
Ensure a detailed and properly understood specification is agreed. For example, check how scalable the system is and whether the description of the services in the agreement actually reflects the reality of what you are expecting to have provided.
If bespoke software is being purchased, check that acceptance tests are included in the agreement with the option to reject or terminate if the tests are not passed to your satisfaction.
Tip three – Confidentiality
SRA obligations require a ‘security of data’ risk assessment. This should include an assessment of the risks associated with where your data will be stored. For example, there is a world of difference between data hosted locally on UK-based servers and data stored in a public cloud in a country with weaker encryption and confidentiality protections.
IT agreements should impose security obligations on the IT provider, including an obligation to comply with ISO information security standards (such as ISO/IEC 27001).
Tip four – Data protection
If your data will be stored offsite at a service provider’s data centre or in a public cloud, you should check that your clients have consented to their data being handled in this way, and the agreement should restrict what the IT provider can do with the data.
If your data is to be stored on servers outside the EEA, attention needs to be paid to the Data Protection Act restrictions. And remember, all IT agreements involving remote storage must reserve rights for the SRA to inspect data in relevant circumstances.
Tip five – Service levels
It may sound obvious, but check what hours the helpdesk will be available and make sure this fits with your firm’s working hours. Also check guaranteed ‘uptime’ of the system and that there are meaningful penalties for ‘downtime’.
IT systems should drive efficiency, reduce costs and streamline processes, and the service levels in IT agreements should be geared towards this and aligned with the firm’s overall business strategy.
All these issues can be addressed, but there is significant scope for entering into IT agreements which do not fully reflect the compliance or commercial needs of a law firm. Time (and, dare we say, even money) spent in reviewing and negotiating the terms of IT agreements is likely to prove a good investment, both in the short and long term.