Cloud computing is seen as the way forward for many law firms but, like anything, it can carry risks which need to be identified and then managed.
In its November 2013 report on cloud computing (Silver linings: cloud computing, law firms and risks), the SRA provided some excellent guidance for those looking to move over to ‘the cloud’; however, some readers of the report have been put off moving to the cloud by the potential risks identified by the SRA. But are the fears well founded?
The short answer is it depends. Any business activity involves some form of risk, especially when it is relatively new, and eradicating risk is pretty near impossible; the trick is to employ good risk management principles where you identify the risks and mitigate them with systems, controls and procedures, which are reviewed on an on-going basis to ensure they keep up with changing operational requirements and technological advances.
So let’s look at some of the identified risks:
1. Failing to provide the SRA with access to data – firms that outsource various parts of their operation must ensure that the contracts they have with the outsourcing companies allow for the SRA to have access to data and premises, as required, to ensure clients and their confidential information are protected. This is nothing new for most firms so it should just be a matter of ensuring contracts are drafted in such a way to ensure compliance with Outcome 7.10 of the SRA Code of Conduct.
2. Confidentiality – firms have a duty to protect clients’ confidential information no matter where it is located. This is another area that should be covered in the due diligence process when reviewing outsourcing arrangements and should be covered in the outsourcing contract. Compliance with the Data Protection Act must also form part of the due diligence process to ensure that data stored, processed or accessed inside and outside of the EEA is appropriately considered.
3. Loss of data control – firms must retain control of data that is outsourced and therefore this also needs to be included in the outsourcing contract where appropriate. Due diligence should include the backing up of data and what would happen to data in the event of an outsourcing business collapsing.
4. Availability of the system – firms can only provide a proper service to clients if they can get the data they need at the time it is needed, so it is essential that outsourcing contracts cover service levels where system downtime is kept to a minimum. It is essential that service levels are considered when carrying out due diligence and are part of the contract.
Clearly, the risks identified by the SRA are real, but they can be mitigated by taking the appropriate steps and ensuring safeguards are put in place. However, the key challenge is that most cloud service providers have very one-sided contracts and are unwilling to negotiate. Contract evaluation therefore should be part of the process of selecting a vendor.
In order to remain competitive and provide clients with services in a format that is appropriate to them, firms must embrace technology, but it must be in the context of a formal technology and outsourcing strategy that has risk management at its heart. A key part of this strategy is to ensure that appropriate cloud computing contracts are put in place.
Dr Sam De Silva, a Partner and head of the IT and Outsourcing practice from Top 100 law firm Penningtons Manches LLP, is the Chair of the Law Society’s Technology and Reference Group and a member of the EU Expert Group on Cloud Computing, and has been looking at identifying safe and fair contract terms for SMEs and consumers.
Dr De Silva commented: “The formation of the Expert Group was as a response to stakeholder concerns relating to cloud computing contracts. The view from SMEs and consumers was that although existing European legislation may protect them using cloud computing services, they are often unaware of their rights and are not informed by the provider in a sufficiently clear and unambiguous manner about the contract conditions. In addition, it was indicated that vague and unbalanced cloud computing contracts make them reluctant to take up cloud computing services.
“The following key areas should be considered when reviewing cloud contracts:
- Pre-contractual information
- Availability of the service
- Modifications of the contract
- Switching – data portability upon switching
- Liability for non-performance including remedies and penalties
- Cloud specific unfair terms
- Data location and data security
- Auditing, reporting and monitoring
- Jurisdiction/applicable law
- Compliance with the provisions of data transfers
- Regulator’s access to data
- Consequences and conditions of termination of contract such as preservation, transfer or erasure of data.”
It should be noted that the Law Society has also recently issued a Practice Note on cloud computing for law firms which provides useful guidance and outlines further issues to consider.
Riliance’s view is that firms need not be frightened of using cloud systems as long as they take the appropriate risk approach to their operation, and as Dr De Silva says: “The nature of cloud computing can create new or different risks and consumers and SMEs will need to consider those issues afresh in the cloud computing context.”
Author: Brian Rogers, Director of Regulation & Compliance Services, Riliance.