It seems clear that there is a growing trend in the legal sector towards Cloud computing: many firms have already made the transition, and most others are considering making the move in the future. But for those firms who haven’t yet adopted Cloud, the Law Society of Scotland has compiled some useful tips to help alleviate concerns over data storage, treatment and control.
As law firms deal with sensitive client data on a daily basis, and Cloud computing involves moving this data from the firm to the possession of the Cloud provider’s data centre, it is clear that safety and security are the highest priority. It is therefore essential that firms receive assurance from their chosen provider that all of their information will be treated as confidential, and will never be used or disclosed to third parties. Furthermore, in terms of intellectual property law, the firm should retain full ownership of the property regardless of the fact it will now be stored at the provider’s data centre. The Law Society has also recommended that firms make sure they have an explicit right to have all data returned on demand, or the ability to move it to another Cloud provider in a timely manner and in a useable format.
Before choosing a Cloud provider, firms should investigate their data centre, to find out the physical location of where their data will be stored. What’s more, the Law Society has provided a check-list of necessities required by the data centre, including: a safe facility with 24/7 security monitoring; strictly controlled access only to personnel who have been security vetted; an effective fire detection and fire suppression system; air conditioning to prevent overheating; backup generators to sustain long power outages; and a backup of everything must be provided so there is no single point of failure.
Also, independent security certification authorities should conduct an audit of data centres at least once per year. The Law Society has warned that, as of yet, there is no “gold standard” for industry self-certification schemes, so a level of care is necessary when assessing a cloud provider’s credentials. It is, however, recommended that a cloud provider should comply with:
- ISO 9001 (quality management) standard;
- ISO 27001:2005 (security management) standard;
- ISAE3402 (assurance reporting) standard;
- BS 27999 (business continuity management) standard; and
- the requirements of the Tier 3 data centre set out in the Telecommunications Industry Association’s TIA 942 standard.
Another important point to note before selecting a Cloud provider is how they would deal with a system failure, and where and how often they back up your data. It is essential that a Cloud provider have a disaster recovery plan in place for system failure, to allow your firm to continue business in the worst-case scenario. The plan should be tested regularly to ensure it works in practice and with the least possible disruption to the firm. Alternatively, the Law Society has said having a local backup is possible, but advises this option has technical and cost implications.
Overall, the main message of the Law Society’s recommendations is to think carefully before choosing a provider. If the proper care and attention is paid to the Service Level Agreement (SLA) and the service provider’s security history is looked into, law firms can adopt Cloud with confidence that their data will be safe and secure.
Contact us – Helping Lawyers Understand Law Society’s Cloud Computing Rules
Denovo’s Cloud solutions, aimed at lawyers and legal professionals in Scotland and across the United Kingdom, comply with Law Society requirements. To discuss the requirements, for an explanation of them or, simply, to start your move to a Cloud-based system, please call 0141 331 5290. You can also complete our online enquiry form.