Jonathan Armstrong

Partner, Cordery Compliance Limited

Scoping the risk of cloud computing

A report last November by the Solicitors Regulation Authority specifically addressing compliance issues in relation to cloud computing is evidence of how significant this technology has become, says Jonathan Armstrong.

Data protection

The Information Commissioner’s Office (ICO) gave some advice on putting data into the cloud in its 2010 Personal Information Online Code of Practice. The code reminds those responsible for personal data that the primary responsibility when data is passed into the cloud remains with them and not any cloud provider. It also includes a useful checklist.

As a general rule, from a regulatory point of view it is best for personal data to stay in the European Economic Area (EEA). Moving data from one country to another could result in data protection and data security concerns. It could also amount to a submission to the laws of that country if the data is not simply in transit. In the UK, for example, under s.5 of the Data Protection Act 1998 (DPA), if a data controller is not established in the EEA but uses equipment in the United Kingdom for processing the data other than “for the purposes of transit through the United Kingdom”, they will be subject to UK data protection legislation. Similar provisions exist in other countries, which could be a problem for a law firm, especially in a country where the laws on legal professional privilege are different.

Any cloud arrangement will also need to take into account the provisions of the proposed new EU regulation, which could be law in a little over three months and bring in heightened penalties for breach of data protection rules.

Silver linings

The SRA’s report in November, ‘Silver Linings: cloud computing, law firms and risk’, outlines some of the compliance and legal issues law firms will face when seeking to adopt a cloud computing solution. The report reminds solicitors that they are obliged to keep client information confidential but says that this duty of confidentiality is not an absolute prohibition on using cloud computing services.

One area which could cause practical difficulties, however, is the SRA’s reminder to lawyers that any cloud provider must agree to the SRA having an independent right to inspect client data in order to comply with the SRA Code of Conduct. In practice many cloud providers will resist any alteration to their standard terms and (needless to say) the right for the SRA to inspect servers and data is not standard for all businesses.

The report also touches on some of the matters in the ICO’s code, including the need for appropriate written guarantees from a provider and the need to conduct due diligence to ensure that the provider “can meet the requirements of legal business before they make a final commitment”.

Additionally, the report touches on the recent PRISM scandal, saying that solicitors should have particular regard to the dangers of using US cloud providers given recent surveillance issues which may compromise client confidentiality. The report also raises the question of client consent.

When things go wrong

A graphic example of what can happen to a law firm that fails to take the appropriate precautions when adopting new technology is provided by ACS:Law and its principal Andrew Crossley.

ACS were involved in threats to alleged copyright infringers which attracted the ire of some online protestors. Crossley seemed to have underestimated the threat from this group and after some perhaps injudicious press comments, the law firm’s systems were hacked.

Complaints were made to the SRA and Crossley was suspended from practice. After the hack a backup of Crossley’s website was available which included copies of emails sent by the firm. Some of those emails contained unencrypted spreadsheets of people who had allegedly broken the law. As a result, ACS was also investigated by the ICO, who ordered Crossley to pay a monetary penalty which was reduced to take into account the fact that he had ceased trading. The ICO criticised ACS for having computer security measures that were “barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details”. Crossley was declared bankrupt shortly afterwards.

More challenges

It is likely that in the years ahead we are going to see more data go into the cloud. While the SRA has attempted to map out some of the challenges involved, more will be encountered. It is often particularly difficult to negotiate even the most basic contractual amendments with cloud providers and this in itself may reduce cloud adoption among lawyers.

Jonathan P. Armstrong is a partner at Duane Morris

www.duanemorris.com