Ignorance of data protection rules is no excuse
By Peter Wright
Cloud computing has become a highly attractive option, but not all firms outsourcing their data storage have factored in the risks involved when procuring their IT services, says Peter Wright
With businesses turning increasingly to the cloud for data storage, it is not surprising that law firms in England and Wales should also consider its potential.
Given the financial pressures that law firms have faced in the last five years, the option of taking an upfront saving of up to 50 per cent on IT costs by moving to the cloud, rather than maintaining their own servers, which can become obsolete or run out of capacity within months of installation, has become compelling for many firms.
Furthermore, the mobile working that the cloud makes possible, and the greater productivity it can draw from fee earners, can make a cloud-based IT system irresistible to many small and medium-sized firms that are struggling to reduce their overheads.
While the benefits of cloud computing are manifest, the risk to law firms from using the cloud was illustrated to devastating effect in May 2011 when sole practitioner Andrew Crossley, trading as ACS Law, received a monetary penalty notice from the Information Commissioner's Office (ICO).
Security guarantees
ACS used a public 'shared server' web hosting package, described as suitable for 'home' use, to support the firm at a monthly cost of £5.99, with no guarantees as to the security of the personal data that was to be stored on it.
The server was attacked, leading to the personal details of 6,000 individuals written to by ACS being published online. ACS spent £20,000 on remedial work following the breach, and the resulting loss of business led to 14 job losses. The ICO held ACS to a higher standard of care: as a law firm whose business involved handling large quantities of personal data, ACS had failed to take the necessary professional IT advice. The ICO issued a monetary penalty notice that would have been £200,000, although this was reduced to £1,000 in view of Mr Crossley's limited means.
The SRA, while recognising the benefits that using the cloud can provide, sought to highlight the risks that all law firms should be aware of when handing control of their data to a third party in its updated Risk Outlook of November 2013.
Under the Data Protection Act (DPA), any law firm using a cloud provider must have a written agreement in place with the provider. The SRA insists, under outcome 7.10, that the contract with the provider incorporate an express term allowing the SRA full access to any data the firm stores with the cloud provider and the right to visit the provider's premises.
Compliance with this term inevitably limits the number of cloud providers a firm can use, and a firm without such a term in place can be held to account by the SRA. According to research by legal risk and compliance software specialists Riliance, due diligence is in many instances inadequate and many firms 'don't even read the supplier Terms and Conditions'.
Consequently, if inspection provisions are not requested, they are unlikely to be present, and a firm can be in breach of an outcome without knowing it.
Backed up data
It is also necessary for a firm to have sufficient business continuity measures in place so that data can continue to be accessed 24 hours a day, regardless of downtime, of any dispute that could arise with the provider, and particularly in the event that the cloud provider should cease trading or be taken over. In such an eventuality, what will happen to the data? Under the DPA, a firm is required to ensure that data is adequately backed up; in practice that means a backup the firm can restore without the provider's cooperation.
SRA outcome 4.1 requires evidence of compliance in ensuring client confidentiality. Firms are therefore obliged to ascertain what security measures the provider is taking, while outcome 7.3 requires a firm to monitor compliance, specifying exactly what checks are carried out and how frequently they take place.
Firms also need to ensure that clients are fully aware of how their personal data is stored and used by their solicitor. Outcome 1.2 states that firms must provide services to their clients in a manner that protects their clients' interests. Outcome 1.12 requires that clients be in a position to make informed decisions about the services they need, and outcome 4.2 requires disclosure to the client of all information material to the retainer.
While there is implied consent to confidential material being passed to a cloud service provider by a firm, it may be prudent to advise clients, within the firm's own terms and conditions at the outset of a matter, of the terms that the firm has with its cloud service provider.
States' protection regime
The location of cloud providers is also critical. Under principle eight of the DPA, personal data should only leave the European Economic Area (EEA) if the destination state's data protection regime is adequate. The EU has published a list of states outside the EEA with 'adequate' levels of protection; just 11 countries make the list, with the United States a notable absentee.
One theme of the Global Wireless Summit in summer 2013, which followed the PRISM revelations, was how US security services focus on data stored in the US by foreigners; data held with US cloud providers would therefore be particularly at risk.
The SRA is of the view that a provider compliant with the US Safe Harbor framework should be sufficient. However, firms need to be mindful that many US businesses that claim to follow Safe Harbor have not completed the annual re-certification process and hence are not compliant after all. The Safe Harbor list maintained by the US Department of Commerce records whether a company's certification is current, and it should be checked rather than taking a provider's word for it.
Furthermore, the EU has made it clear that it is reviewing Safe Harbor, and Germany has even called for its suspension in the wake of the PRISM revelations. Given the high concentration of the world's cloud providers in the US, this is a very real concern for any UK firm considering a US cloud provider.
Firms should also consider the risks presented by staff accessing the cloud from anywhere, including insecure networks in cafes or airports, particularly in the US. This should be covered comprehensively in the firm's information security policy, which should at least require that remote access runs over an encrypted connection rather than relying on the security of whatever network the staff member happens to be using.
Cloud computing is ultimately the future for IT provision. However, firms need to exercise care in how they procure their IT services, as they must with every aspect of their business. What's more, under outcomes-focused regulation, ignorance of the outcomes that govern its use is no defence, so the onus remains on firms to use the technology wisely and responsibly and to take appropriate professional advice on its use, just as they would for banking, financial, accounting or regulatory matters.
IT is no less important, and the ramifications of getting it wrong can be significant. SJ