Posted by Daniel Dosen, general manager cloud services at Legal Futures Associate iManage
There is little clarity at present on ‘how’ Brexit will take place, and law firms, many of which are involved in cross-border activities, need to be prepared.
The UK will no longer be part of the EU – it will become what EU treaties refer to as a third country. This complicates compliance with GDPR, which governs how data in the EU needs to be handled.
Since many law firms rely on the cloud to run their business-critical applications, including document and email management systems which contain confidential client data, firms need to assess whether their cloud provider is ready for Brexit.
The below provides some key questions any law firm should ask their cloud provider.
Do you have datacentres in the EU?
First things first: if your cloud provider only has a datacentre in the UK, that’s a risky position to be in.
While there is every likelihood that the UK will adopt GDPR in its entirety, if it does not, cloud providers will need datacentres that are actually located in the EU.
The bottom line: look for vendors that have an adequate number of datacentres across geographies.
Can you offer geo-isolation?
If your cloud provider has datacentres in the EU, that’s a step in the right direction; however, there’s more to consider. More and more countries within the EU are requiring that customer data stays within that specific country.
This isn’t as easy or as straightforward to achieve as it might seem. A law firm that chooses Germany as the ‘home’ datacentre for its cloud document management system might reasonably assume that all of its confidential files and data will stay within Germany at all times.
However, there are many services that are run against these files – such as preview, OCR (optical character recognition), encryption, and so on – which might be carried out somewhere other than Germany.
Geo-isolation is a way to ensure that all these services are performed in one location. As a result, a file that’s supposed to stay in Germany, stays in Germany rather than being sent to the US or the UK to be previewed, processed for OCR, or encrypted.
Customers should ensure their cloud provider is able to perform these services itself wherever possible, rather than subcontracting them out to other vendors.
For example, a cloud document management system might be missing OCR functionality of its own – so, without your knowing it, it passes a document on to a third-party entity on a completely different platform for OCR.
Every time the vendor has to send a file to a third party to perform a function – a third party who may not be ISO or SOC 2 certified or have the same security in place as the cloud vendor – it’s opening itself up to risk. A cloud provider, after all, is only as strong as its weakest link.
The bottom line: look for vendors that can offer a full range of services – including preview, OCR, encryption, and more – from one datacentre.
Can you protect against man-in-the-middle attacks?
Your cloud provider has a datacentre in the EU, and they offer geo-isolation. But can they protect against man-in-the-middle attacks?
Imagine a safe deposit box inside a bank, containing valuable documents. Imagine that the box needed repairs of some sort, and you called in a repairman. That repairman now has access to that sensitive material.
The same type of scenario can occur if OCR, indexing, or another service being run on confidential documents suddenly stops working and needs to be fixed. Many of these services require documents to be decrypted in order to run, which leaves the documents vulnerable while they are being worked on.
Someone who goes in to troubleshoot the service that stopped working could potentially access those vulnerable documents and make a copy of the data for themselves.
The bottom line: look for a vendor who ensures data is encrypted at all times – both at rest, and in transit. Also, look for a vendor who, by design, has made it impossible for anyone to get into the production area where documents are decrypted for services to be performed.
Brexit is no small matter, and how it all plays out remains to be seen. However, by asking the right questions of their cloud providers, law firms can better ensure the preparedness of both parties.