Cloud computing for law firms

Cloud-based systems contain some traps for the unwary, but these can be avoided with good judgement and good management, explains Damian Blackburn.
For law firms, cloud computing offers a vast array of advantages that systems simply could not provide only a few years ago. The two most popular cloud-based options for firms are practice management and document storage (some practice management systems include document storage as part of their offering). The majority of current cloud-based practice management systems are provided from bases within the EU, which in one fell swoop removes one particular issue with cloud-based systems: data jurisdiction legislation.
The same is not true of document storage solutions, and this is a question I often deal with for firms, especially start-ups that have gone from the shelter of computing provision by a large, well-organised firm to the vast open landscape of technology that exists today.
There are many advantages to using cloud-based document storage, and numerous providers with endless variations of features to tempt users in. As with all technology purchases, a considered approach pays dividends. As firms are regulated, it also pays to understand how the regulatory landscape affects your decision making.
Compliance standards
If you are considering cloud storage, the first thing you need to understand is that the Solicitors Regulation Authority (SRA) does not issue rules, regulations, or compliance standards on the subject. From conversations I have had recently, there appears to be some degree of urban myth about this. What the SRA does publish is a guideline on cloud computing and risk, which outlines the general advantages and issues, and gives advice on what to consider.
The advice is in line with that given in any decent overview of cloud computing, but with a particular emphasis on the fact that firms are likely to be storing sensitive client information, which requires a degree of additional care.
The notion of additional care might lead firms to think that some solutions offer more protection than others, and while this may be true to a certain extent, the onus is largely on the firm and its staff to apply good judgement and good management to its stored documents.
Good management can be linked to existing generic standards, such as those found in ISO 27001 (the information security standard), and it is worth familiarising yourself with these. Good management does not stop there, though. In other words, buying from an ISO 27001-accredited supplier does not inoculate a firm against all the issues that cloud computing can bring.
Theoretically, any firm can become ISO 27001 accredited, but the expense and imposition mean this is impractical for all but the largest firms. However, that should not stop even the smallest firms understanding what the ISO standards are about. From this, mimicking the standard with its own internal controls is both practical and achievable for a firm. It also means that the message published by the SRA is more likely to be adhered to.
Good practices
For the unwary, management of cloud-computing facilities can be distilled down to a handful of good practices. These start with data jurisdiction, which means either keeping your data within the confines of the EU or having safe harbour provisions that you and your clients are content with.
Another consideration is that of access control. This has two facets: access within your organisation and access by the cloud storage supplier. Access control within the organisation is often overlooked, but it is of critical importance, and not just in terms of who is allowed to see what information. Cloud storage is immensely easy to supply to users, but the ease of delivery must be matched with comprehensive controls when access is no longer required. A good data access policy should ideally be produced and applied across the firm.
Encryption of data should be applied to cloud-stored documents. This comes in two broad forms: encryption in transit and encryption at rest. Most providers supply encryption in transit – that is, encrypting the data as it moves between the firm and the cloud storage facility. Encryption at rest is an additional layer of security that is designed to keep third parties from seeing your data, including the cloud storage suppliers themselves.
Lastly, even though cloud storage is usually backed up in various locations, it pays to run your own backup periodically. This is not so much to assuage the fear of the cloud provider collapsing, but to ensure you have a fall-back position if your data is hit by a problem such as the Cryptolocker virus.
Damian Blackburn is director of SLFtech (@Damian_SLFtech, www.slftech.com)