Secure cloud solutions for law firms: A look at SRA guidance

Although a recent survey puts cloud adoption at 90% industry-wide, law firms are understandably cautious when it comes to the cloud. With ethical and conduct responsibilities to protect client confidentiality in addition to the usual financial and data protection concerns faced by all businesses, the cloud poses a relatively unknown area of risk.

In 2013 a Legal Week Benchmarker survey indicated that 80% of partners and IT directors in legal firms believe that they are likely to be the subject of a cyber-attack. Some cautious law firms therefore shy away from the perceived risks posed by cloud. However, many are acutely aware that technological innovation offers a competitive advantage in a landscape that now consists of one-stop shops, contract lawyers and online legal services.

Cloud can offer technological innovation that can improve client satisfaction, keep employees engaged and costs low, yet the question remains: is cloud secure enough for law firms?

In brief: yes. However, the cloud will only meet the Data Protection Act and professional ethics regulations if suitable risk assessments and precautions are taken.


The SRA Code of Conduct Outcomes and data protection

Law firms need to consider the relevant Solicitors Regulation Authority (SRA) Code of Conduct Outcomes, including:

  • protecting client confidentiality (4.1);
  • ensuring systems and controls are in place to identify and mitigate risks to client confidentiality (4.5) and your firm’s financial stability and money assets (7.4); and
  • ensuring that any outsourced activities do not affect your firm’s ability to comply with the Handbook obligations to clients and the SRA’s monitoring abilities.

Firms also need to consider that, under the Data Protection Act 1998, personal data must not be sent out of the European Economic Area unless the country offers a sufficient level of protection.

Cloud computing passes on the task of data processing and storage to an outsourced provider, and it was identified as a potential risk by the Solicitors Regulation Authority (SRA) in their 2013 Risk Outlook.

Law firms should therefore conduct a suitable risk assessment and ensure that their systems and outsourcing partners can adequately meet their data protection and Handbook responsibilities.

How to ensure your cloud solutions are secure

In considering and mitigating the risks of cloud computing, the SRA’s risk resource Silver linings: Cloud computing, law firms and risk recommends taking the following steps:

  • taking references from other companies using the proposed provider,
  • checking service level agreements carefully to ensure that the proposed service can offer at least full Safe Harbour compliance if data is stored outside the EEA,
  • checking that the provider can offer audited information security that at a minimum is compliant with ISO 27001:2005,
  • checking that the provider can offer a level of guaranteed uptime and continuity protection that is acceptable to the firm,
  • ensuring, where staff will be working on the move, that they have properly secured communication channels to protect security, and
  • ensuring that their contract with the provider includes the requirements of Outcome 7.10 of the SRA Code of Conduct.

Security can also be improved by:

  • using a private cloud, or private area of a hybrid cloud, for client confidential material,
  • using software to automatically encrypt documents at the law firm's end, using security keys that are not known to the provider, and
  • using only providers that are based in EEA countries or countries offering equivalent or greater data protection laws, and that can guarantee that data will not be held in jurisdictions that do not offer such protections.

Not all cloud solutions are created equal

The SRA’s initial precautionary steps are those that they recommend as a minimum. However, they rightly highlight further steps that law firms should look for when considering a cloud provider.

These steps underline a common issue: a move to the cloud can present security risks. Leading cloud providers like Microsoft, with their Office 365 service, adhere to world-class industry standards, such as ISO 27001, EU Model Clauses, HIPAA BAA, and FISMA, and include essential features such as regular software updates, permissions, versioning control, eDiscovery, and records management. However, an IT support company can help you add extra layers of security to the cloud, such as email document encryption and a remote mobile device wipe if phones or laptops are lost.

Find out more about how law firms can adopt the cloud in a secure and effective way by downloading our free whitepaper: A guide to cloud for legal professionals.


Written By: Jacob
