Introducing the Society's new guidelines for firms thinking of procuring cloud computing services

Tesco law and ABS are upon us. As if the economic downturn wasn’t already sufficient reason to have us pruning IT budgets, the new business models looming on the horizon surely dictate that our profession must look at every aspect of the way it currently does business. Outside investors in law firms of the future may be reluctant to incur the cost of in-house IT staff and servers, when client and business information can be both stored and processed remotely.

In other words, solicitors will have no choice but to consider so-called “cloud” data storage and processing, with their data (and their clients’ data) being kept and processed by another organisation, in a different building, in a different country or on a different continent. If this should sound far-fetched, consider how easily the legal profession and its regulators adapted to remotely typed digital dictation.

Recognising the pressures to adopt “cloud” services, the Law Society of Scotland, through its Technology Subcommittee, has issued guidance after extensive consultation with cloud providers, law firms and in-house counsel. This article is based on the guidance.

What is cloud computing?

Cloud computing is an alternative to storing and processing data and software on a firm’s internal computers or servers. Instead, data is stored and processed remotely by a third party and accessed over the internet. Outsourcing in this way can offer attractive benefits such as cost reduction, increased flexibility for the user, the availability of support and maintenance, the ability to respond more quickly to changing IT demands, and simplification of IT systems.

There are potential regulatory and commercial risks, however, that are specific to the legal profession and which must be managed. These risks can mean that a move to a cloud system can be daunting to the not-so-IT-savvy solicitor.

That said, many solicitors have unwittingly already adopted a form of “cloud computing”, by using web-based email accounts (such as Hotmail or Gmail) or social networking sites. Many reputable cloud providers are household names, but their offerings do not necessarily meet the specific needs of Scottish law firms.

Given the widespread use of cloud computing, and the variety of cloud options available, the approach of the advice note is to flag up the right questions to ask a potential cloud supplier, in an easy-to-understand manner.

Where to start?

Not all cloud solutions are the same. The starting point should be to consider the intended uses of the cloud system. If it is to provide a service or to store confidential client information, consider how business-critical that service is, and the importance of access to, and security of, client information.

These considerations should determine how stringent pre-contract diligence and the service level agreement (SLA) with the cloud provider should be. A low-risk service with no confidential data needs less diligence than a service that hosts documents and your practice management system.

Service level agreement

This should be thought of as akin to your cloud insurance policy, and is a vital document. The most pressing practical issue is getting a good service level agreement (SLA) – one which meets the specific needs of a law firm – and also ensuring that equipment and internet connectivity are reliable.

There are a number of areas to look out for in your SLA. Clearly, it is essential that data is accessible. “Uptime” (the time the cloud system is operating) will generally be advertised as 99.5% or higher. Care should be taken in understanding just how this percentage is calculated, because it will allow for service outages during which data is unavailable. Downtime of 0.5% per year equates to more than 43 hours! Check whether these outages will be announced in advance, and whether they will occur outside normal working hours, and in your time zone, not that of California, for example.

Other factors which could cause service disruption include internet connection failure or a power cut. As part of disaster recovery planning, key resources should be regularly tested. Cloud providers may offer advice on, and support with checking, the necessary technical equipment, internet connection and contingency planning.

Plan ahead

When placing an initial order for a cloud service, be mindful of business planning: think further than short term. Any professional cloud supplier should ask about plans for expansion to enable them to design the best fit for your business.

At the outset, establish which services are included in the subscription and what will incur further cost. Supplementary charges vary considerably among providers for system availability guarantees, premium support and maintenance, and extra users and storage. When specifying your requirements, always ask for the prices in the event that you require to add more applications, services, users and storage, to ensure that these will not be disproportionate to what you will be initially paying, or obstructive to expansion. Equally, check for charges or notice periods for decreasing service requirements.

Ensure there is a clear explanation of the remedies available in the event of unscheduled downtime. The provider may seek to limit remedies to service level credits. These credits are unlikely to compensate for cloud system failure so, where possible, try to reformulate remedies so they are commensurate with damage that might be sustained to business.

Data storage and security

Cloud computing involves moving data into the cloud provider’s possession. Control will be ceded to the provider on a number of issues which could potentially affect data security. The provisions in the SLA dealing with these issues will depend on whether data is stored in a private cloud (where servers are designated to one organisation) or a public cloud (where servers are shared by multiple organisations).

The SLA will generally state that the provider is not solely responsible for data security. The SLA should contain a clear explanation of both the provider’s and the user’s obligations in relation to security.

With regard to the provider’s responsibilities, the contract should contain appropriate assurances as to the technical specifications and security of the data centre. The cloud provider should undertake to audit the facilities of its data centre at least annually and provide evidence of compliance with independent certification standards. A number of industry self-certification schemes exist, but it is not yet clear which represent a true “gold standard”, so they should be treated with appropriate care when selecting cloud providers who use them to credential their services. The user must also understand where their security responsibilities lie. In this regard, the cloud provider may issue guidance on the use of appropriate passwords, and ideally offer regular staff training on security, passwords and other cloud issues.

Data ownership and control

The cloud provider should provide assurances that the information they hold on the user’s behalf will be treated as confidential and not used or disclosed to third parties. The user should retain full ownership, in terms of intellectual property, in relation to the data that is stored on the provider’s servers. Furthermore, the user should have an explicit right to have data returned on demand, and be familiar with the provider’s policies and procedures on data deletion on contract termination.

Business continuity

An oft-voiced concern about a move to a cloud system is the fear of data loss due to the failure of, or dispute with, the cloud provider. These concerns can be mitigated by ensuring there is a practical method of returning data on demand in a usable format, even in the event of system failure or dispute. This process should be tested with a dummy set of data on a regular basis as part of ongoing disaster recovery planning.

Alternatively, data can be regularly backed up and stored locally. This will have technical and cost implications, but would reduce the risk of data loss. The SLA should require the provider to carry out regular data backups. Most providers will do this automatically, but you should still ask.

Regulatory issues

A number of regulatory issues arise with third-party data storage because, with many cloud providers, your data could be anywhere in the world at any given time. This sounds alarming, but remember that your email system already splits your unencrypted emails into packets that may be routed across the world before the message is reassembled at the other end.

Given that the Data Protection Act 1998 prohibits the transfer of personal data to countries outside the EEA that do not offer adequate data protection, it is recommended that you require your cloud computing provider to store your data within the EEA. This is because data centres which are located in “high-risk” countries could be subject to local rules enforcing disclosure to national authorities without your knowledge. Check the provider’s terms and conditions for notification rights, and be aware of the local access rights of the jurisdiction in which your provider’s data centre(s) are located. There is currently a particular debate ongoing about using cloud services based in the USA, where the US Patriot Act gives the US authorities extensive rights of data access.

Bear in mind also that a solicitor has a responsibility to provide certain data to the Society and the Scottish Legal Complaints Commission on request, and failure to do so could itself be a conduct issue. You may also be required to provide data under other legal requests, for example under subject access requests, repossession requests, or requests by HMRC, lenders under panel appointment arrangements, or law enforcers. Plan for this by ensuring that data is accessible on demand, even if the worst happens and you are unable to make payments to the cloud provider, placing you in breach of contract, or if a dispute occurs between you and the provider, or in the event of the failure of a provider.

Is a cloud system right for you?

The risks and challenges associated with cloud computing can be addressed by making sure you are well informed before purchasing a cloud computing solution. Indeed, many of the risks are not new to cloud computing and a comparative analysis should be made with storing data electronically on premises.

Make sure any move to a cloud system is well researched. The guidance is a good place to start. It can be found in the Rules and Guidance section of the Society’s website.


The Author
Paul Motion, a partner at BTO, and Meryl Skene, a trainee solicitor at Anderson Strathern, are respectively the convener and a committee member of the Society’s Technology Subcommittee.