SRA "waiting for something to go wrong" before taking action on cloud computing


18 July 2013

Cloud computing: security can be higher than firm-stored data

The Solicitors Regulation Authority’s (SRA) reluctance to give detailed guidance to law firms on cloud computing could be because it is “waiting for something to go wrong” before it acts, a report has suggested.

Written by DMH Stallard commercial partner Frank Jennings, who advises on cloud computing contracts and chairs the Cloud Industry Forum’s code governance board, “The real challenges and benefits of cloud computing to law firms” finds that solicitors continue to worry about data security in relation to the cloud.

Mr Jennings spoke to senior IT personnel at major law firms, including Berwin Leighton Paisner and Sidley Austin. Most believed the SRA’s concern was client confidentiality, and that it was relying on outcomes-focused regulation (OFR) to place the burden on firms to ensure data security.

The report drew attention to the Law Society of Scotland – the regulator of Scottish solicitors – which, by contrast, has produced detailed guidance on cloud computing, and the Information Commissioner, who has published general guidance for organisations.


Mr Jennings also quoted one contributor, who characterised the SRA’s lack of views on cloud computing as being because it, like others, “appear to be in waiting mode. They’re waiting for something to go wrong”.

An SRA spokesman confirmed that OFR was its guiding principle on cloud computing and added: “Issues over keeping client files safe are dealt with in the code of conduct [under] client confidentiality, while our risk team doesn’t have any data that suggests it’s a problem that needs tackling at this time.”

He went on: “We continue to research the issue, however, should it become a risk in the future, as technology is a rapidly-changing environment.”

Mr Jennings concluded that the IT chiefs he consulted had a more sophisticated understanding of data security than many equivalents outside legal practice. While it was commonly believed the security of cloud computing compared unfavourably with internally-stored data, they understood that cloud-based data is often stored with a level of security exceeding firm-hosted data.

But when choosing between private and public cloud providers – which respectively offer higher and lower levels of certainty over the location and security of stored data – most opted for private cloud products, although public cloud data storage is cheaper.

Mr Jennings recommended that firms focus security efforts on controls over access to data, including staff training and procedures. Cloud providers should meet accreditation standards, such as ISO 27001 – the international information security standard – and undertake ‘external penetration’ testing, which tests resistance to hackers.

Due diligence should also cover such things as having a back-up plan for data crashes and for the insolvency of a provider. When considering moving data to the cloud, firms need to ask various questions, including the nature of the data, in which jurisdiction it will be stored, and how it will be transferred from firm to provider.

The Law Society last year held a seminar on cloud computing and in September 2013 it will publish a , authored by Tim Hill, Chancery Lane’s technology policy officer.


2 Responses to “SRA "waiting for something to go wrong" before taking action on cloud computing”

  1. Well, are they giving guidance to ordinary firms on having burglar alarms on their buildings, locking filing cabinets when they go home (as if!!) and making sure their landlord doesn’t go insolvent and board up their building?

    Something will go wrong in a Cloud Computing environment and probably something unforeseen which is why nobody has done anything about it! But it is much safer than ordinary firms’ arrangements and certainly much safer than those with their own servers in the office.

    (Heard the true story about the law firm who were very proud of their new in-house servers and their back-up procedures which included running a back-up to tape every night? Their computers and servers were stolen—along with their back up tape…..)

    Andrew Woolley on July 22nd, 2013 at 5:31 pm

  2. SRA is in no position to comment on Cloud Computing in Law Firms in the post-PRISM era, so I understand why they have yet to weigh in.

    But at least now Law Firms are realising that security in the age of information is vital and that not all Cloud partners / providers are equal in this respect and that a public cloud option is sheer madness.

    I think the SRA should make it clear to Law Firms that while hosted services / moving to the cloud offers Law firms great cost-saving and productivity gains, these need to be off-set against the quality of security that a partner can offer, so in effect saying: don’t go for the cheapest provider who of course cannot then afford to invest in the level of security that a business requires in this age of cyber-crime.

    I hope it is clear that private is the only option NOT public cloud, although public cloud data storage is cheaper, and that Law firms should only partner with cloud providers that are on a good financial footing and have at least 10 years as a specialist cloud provider and existing and happy Law Firm clients.

    Alex on August 1st, 2013 at 10:51 am
