
Cloud computing puts client confidentiality at risk, warns Law Society

'The more control you have, the more secure your data is' 

8 April 2014


By Manju Manglani, Editor (@ManjuManglani)

Law firms are risking breaches of client confidentiality by storing highly sensitive information in the cloud, the Law Society of England & Wales has warned.

"There may be confidential or highly sensitive information that you shouldn't put in the cloud," said Dr Sam De Silva, chair of the Society's technology and law reference group and a member of the EU Commission's expert group on cloud computing.

"By putting it in the cloud, you don't have control of where the data goes and you have less visibility and control of the data."

De Silva noted that firms should undertake a risk assessment of each cloud provider in line with the Society's new practice note on cloud computing before handing over client data.

"Not all cloud providers are the same and not all solutions are the same," said De Silva, who is also technology partner at Penningtons Manches.

"It depends on what kind of cloud it is. You could have a private cloud or one where you are the only customer of the service provider.

"Or you could go to a community cloud which only services law firms and so has tougher security protocols in place and manages that risk."

Firms should also consider obtaining accreditation in information security management from an established provider, he said. Recognised industry standards include ISO/IEC 27001.

But he warned that information security accreditation should be considered the bare minimum in protecting client data.

"Security standards are not the be-all and end-all, they're a useful first step," he said. "Just because you comply with them, it doesn't mean that you manage the risks completely."

"You need to do a risk assessment exercise and do the due diligence on the service provider and you need to read and understand the contract."

Failure to have cloud contracts read and signed off by lawyers is a common oversight in law firms, De Silva said.

"One of the problems of cloud computing contracts is that often they are presented as non-legalese contracts and people just click the 'I accept' button.

"This means that some IT directors or people who don't necessarily get the sign-off may actually enter into a cloud contract without actually doing the due diligence and the review.

"In a traditional outsourcing or IT procurement you would typically sign a contract, so that would focus people's minds as to what they were actually signing up to."

Asked if all third-party software should be signed off by the legal team rather than the IT team, De Silva said: "No, I think it needs to be a joint effort between the legal team and the IT team."

The challenge, he said, is getting the firm's technology lawyers actively involved in internal IT procurement.

"I think there needs to be a bit of a mind shift - the IT department needs to be able to use that resource."
