Cloud solutions security: An ethical dilemma for barristers’ chambers?
Cuts to legal aid, unbundling of legal work and the increased demand for fixed fee work are driving down profits for many barristers’ chambers.
Those wishing to attract retain work will often have to modernise their ways of working to fit in with increasing innovation in law firms and the increased client expectations set by new entrants to the marketplace.
Cloud solutions can help barristers on both fronts, increasing profits whilst improving service. Remote/mobile working, hosted video conferencing and the ability to store, annotate and collaborate on documents electronically can help reduce administration costs and office requirements, whilst making chambers sets a much more appealing option.
Lagging behind the rest of the legal sector
Law firms and alternative business structures are fast adopting the cloud and Gartner predicts that 90% of legal services will be cloud based by 2018. Yet in the legal services market, barristers’ chambers generally lag behind in legal technology innovation. A common objection surrounds security issues and whether the cloud conflicts with ethical conduct duties in the profession.
The Bar Council’s advice may be quite scant in this area, but there are practical steps that barristers can take to meet their ethical duties – and the cost of not moving into the cloud can sometimes be higher.
The Bar Council’s Code of Conduct – relevant considerations
In the Bar Council’s Code of Conduct CD5, CD6, CD10 and Rc86 are of particular importance in the area of cyber security, which include: maintaining public trust and confidence in the individual barrister and the profession, keeping client affairs confidential, taking reasonable steps to manage or carry out your role competently and in compliance with legal and regulatory obligations, and ensuring that any outsourced activities do not affect the chamber’s ability to comply with obligations under the Handbook.
The Bar Council’s advice in the area of reducing risks in the cloud is contained in Cloud Computing: security issues to consider.
- Complying with The Data Protection Act 1998. In order to comply with the Data Protection Act’s Eight Data Protection Principle, the Bar Council advise that personal data must not be sent out of the European Economic Area unless the country offers a sufficient level of protection. It warns that a European Court of Justice ruling has concluded that businesses cannot rely on the Safe Harbour provisions between the US and UK to comply with European data protection laws, and so all businesses must carry out their own risk assessment.
- Data security encryption. As cloud providers will still be able to access data, extra precautions will be required. Applications exist that allow encryption folders on the cloud computing space, which are also suitable for mobile and tablet devices. They recommend ‘zero knowledge’ encryption services, where the provider does not store the password for you.
- Back-ups. Caution is recommended against reliance on cloud computing in replacement of a good back up system. Instead, automated back-ups are best as “any system that requires the user to remember to do something is probably doomed to fail eventually”.
Other cloud solutions security considerations
Unlike the Solicitors Regulation Authority (SRA), The Bar Council makes no reference to ensuring cloud suppliers adopt ISO27001 2005 as a minimum standard, which is “designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties”. However, chambers sets would be wise to look for these as a minimum and ensure that essential features such as regular software updates, permissions, versioning control, eDiscovery, and records management are in place.
Added security features are also a must, including email document encryption abilities and a remote mobile device wipe for work-related data in the event that phones or laptops are lost. However, these will require additional input from a dedicated IT cloud solutions provider.
Human error is also a major cause of security breaches and you should consider whether your provider can provide training to your barristers over-and-above the basic security measures that can readily be found online.
Why the status quo is not an option
Cloud solutions are often feared by barristers as a potentially risky move but, in fact, experience at law firms demonstrates that paper documents are just as risky. ICO data in 2015 showed that cybercrime was not the top risk; human error in sending the wrong documents electronically or by fax/post was the biggest cause of security breaches, with the second most common cause being loss of confidential documents in hard copy format.
Barristers chambers would not dream of limiting fax or email usage, so cloud should be no different. It simply requires a thorough risk assessment and ensuring that your cloud service provider can provide the right features to meet your ethical duties in this area.
Find out more about the cloud computing issues that barristers chambers’ need to consider with our free whitepaper: A guide to the cloud for legal professionals.