Government surveillance threatens law firms’ cloud data security, regulator warns

US freedoms: insufficient to meet European standards

Widespread data snooping by the US National Security Agency (NSA), as revealed by whistle-blower Edward Snowden, could threaten the security of cloud computing for law firms acting in confidential merger negotiations, the Solicitors Regulation Authority (SRA) has warned.

In a detailed paper on the risks associated with cloud computing, Silver Linings: cloud computing, law firms and risk, the authority concluded that due diligence over outsourcing data processing, such as cloud computing – the use of the internet to store data remotely – should take into account government surveillance as a risk factor.

The SRA went out of its way to demonstrate that it understood the positive benefits of cloud computing, in particular for firms wishing to reduce overheads, for example with a ‘virtual’ practice model, and access their data remotely. It noted that cloud providers generally pay close attention to data security. It stressed its code of conduct does not prevent its use.

But it summed up its dilemma: “We seek to encourage the development of an efficient legal services market, and regulate based on risk. The [SRA] recognises the benefits of advanced information technology architectures. It is, however, our role to consider the risks arising from such new technologies.”

It identified breach of confidentiality as the major threat from IT systems. While the cloud dispensed with the risks associated with carrying data on memory sticks and laptops, there were different risks created by “passing data to a remote provider”, such as from their staff “who are not under the firm’s control”.

Clearly spooked by revelations of the extent of governmental agencies’ involvement in data harvesting, the authority concluded: “Governmental data seizure and surveillance powers represent a significant challenge to law firm use of cloud systems, in particular those based in countries with weaker data protections than those in the EEA [European Economic Area].”

It included the US among those states in which law firms “should give serious consideration to the risks of storing data in countries with weak data privacy protections”. The reason for this was that due to its intrusion-permitting Patriot Act, the US is not on the list of countries deemed to have “adequate” data protections by the European Commission (EC).

The SRA continued: “If firms do intend to use US providers, then they must at a minimum ensure that the provider can meet the terms of safe harbour.” US businesses can boost their EC data rating – to that required by the UK Data Protection Act – if they sign up to a voluntary safe harbour agreement.

The authority highlighted confidential merger negotiations conducted by a law firm as potentially at risk from NSA spying activities, which it said were rumoured to have led to data “being passed to commercial organisations for business advantage”, although that had been officially denied. “With the heightened need for confidentiality of law firms, this represents a challenge to their ability to use cloud services,” it said.

The harvesting of metadata – data that shows, for example, when and where e-mails were sent but not the content – was dangerous because it revealed “networks of individuals”. But if the Snowden leaks were correct, then the NSA could also obtain the content of communications directly from providers, the SRA observed.

It concluded that the encryption of data was therefore something any law firm dealing with US cloud companies should be thinking about. “Given the possibility of data seizure from the provider, the recommendation to encrypt sensitive information at the user’s end is of particular importance in this case.”

Separately, the UK cloud provider body, the Cloud Industry Forum, which has a code of practice to ensure services are “transparent, credible and certifiable”, has predicted that by the end of this year, three-quarters of all businesses will use at least one cloud service.


    Readers Comments

  • John says:

    In November the SRA published its guidance with respect to cloud computing. Its primary take-away for me was that UK law firms will reduce their compliance burden and to my mind their attractiveness to clients, by having their cloud data hosted in the UK, as opposed to the US and I am glad to see that so many are now doing so and making the move to secure UK cloud providers.

Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Building a brand – lessons from Cazoo

Building a brand takes more than money – just ask Alex Chesterman, the founder of ill-fated online used car retailer Cazoo, which collapsed into administration last month.

The future of organic search for law firms

In a significant turn of events, thousands of internal Google search API documents have recently been leaked, shedding light on the intricate workings of the search giant’s ranking algorithms.

Commercial real estate: The impact of AI and climate change

There is no doubt climate change poses one of the most complex challenges for the legal industry; nonetheless, our research shows firms are adapting.

Loading animation