The Solicitors Regulation Authority’s (SRA) reluctance to give detailed guidance to law firms on cloud computing could be because it is “waiting for something to go wrong” before it acts, a report has suggested.
Written by DMH Stallard commercial partner Frank Jennings, who advises on cloud computing contracts and chairs the Cloud Industry Forum’s code governance board, the report, ‘The real challenges and benefits of cloud computing to law firms’, finds that solicitors continue to worry about data security in relation to the cloud.
Mr Jennings spoke to senior IT personnel at major law firms, including Berwin Leighton Paisner and Sidley Austin. Most believed the SRA’s concern was client confidentiality, and that it was relying on outcomes-focused regulation (OFR) to place the burden on firms to ensure data security.
The report drew attention to the Law Society of Scotland – the regulator of Scottish solicitors – which, by contrast, has produced detailed guidance on cloud computing, and to the Information Commissioner, who has published general guidance for organisations.
Mr Jennings also quoted one contributor, who characterised the SRA’s lack of views on cloud computing as being because it, like others “appear to be in waiting mode. They’re waiting for something to go wrong”.
An SRA spokesman confirmed that OFR was its guiding principle on cloud computing and added: “Issues over keeping client files safe are dealt with in the code of conduct [under] client confidentiality, while our risk team doesn’t have any data that suggests it’s a problem that needs tackling at this time.”
He went on: “We continue to research the issue, however, should it become a risk in the future, as technology is a rapidly-changing environment.”
Mr Jennings concluded that the IT chiefs he consulted had a more sophisticated understanding of data security than many of their equivalents outside legal practice. While it was commonly believed that the security of cloud computing compared unfavourably with that of internally stored data, they understood that cloud-based data is often stored with a level of security exceeding that of firm-hosted data.
But when choosing between private and public cloud providers – which respectively offer higher and lower levels of certainty over the location and security of stored data – most opted for private cloud products, although public cloud data storage is cheaper.
Mr Jennings recommended that firms focus their security efforts on controls over access to data, including staff training and procedures. Cloud providers should meet accreditation standards, such as ISO 27001 – the international information security management standard – and undertake external penetration testing, which assesses how well the service resists attackers from outside the provider’s network.
Due diligence should also cover contingency plans for data loss and for the insolvency of a provider. When considering moving data to the cloud, firms need to ask various questions, including what the nature of the data is, in which jurisdiction it will be stored, and how it will be transferred from the firm to the provider.
The Law Society last year held a seminar on cloud computing and in September 2013 it will publish a , authored by Tim Hill, Chancery Lane’s technology policy officer.