Cloud computing is proliferating the legal sector as firms see the benefits of having effective business continuity procedures in place and being able to offer staff more flexibility around how and where they work.
But while most firms strive to put the protection of client information and data at the top of their priority list, how many firms actually have full knowledge about their provider? And how many are compliant with the Solicitors Regulatory Authority’s code of conduct?
The SRA recently consulted on regulatory reform, of which cloud computing and technology formed part. It was asking law firms specifically if its current ruling of being able to enter firms’ (and providers’) premises to inspect records is stopping firms from taking advantage of new technology, such as cloud computing. Specifically, the SRA wanted to know if it should: provide clearer guidance, explaining that this is not always necessary to enter premises; or make changes to the outcome to make it clear that contractual arrangements (with third parties) need to allow for the SRA to monitor compliance, which may still include entry.
Currently, firms must ensure that their outsourced cloud computing solution is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions.
On this particular issue, the SRA clearly sets out its minimum standard for firms wanting to work on the cloud. Of key importance, is the onus on firms to conduct the necessary due diligence on potential providers, asking the right questions to ensure compliance. It is not down to the provider to do this – and not all providers are SRA compliant.
Some international suppliers may not necessarily provide the best solution, as they may be accountable to international regulation on data disclosure that conflicts with the SRA requirements.
Firms need to know specifically about:
• What is the infrastructure of the proposed data centre?
• Who is the owner of that data centre?
• What is their capacity?
• What is their disaster recovery failsafe?
• What security is being offered in the event of failure or destruction of the physical premises?
Sadly, failure to know this information could result in costly fines if the SRA asks questions that firms cannot prove they have answers to. Most importantly, not knowing can cause reputational issues, which will ultimately impact firms’ profitability and their clients too. From a risk management perspective, it’s better to be safe than sorry.