Blog - Commentary

Cloud and data protection are inextricably linked

The business rationale for law firms to switch to the cloud is clear, writes Janet Day of LexisNexis Enterprise Solutions, but there are two key issues they must address when it comes to cloud and data protection.


In the last few years, the pace of cloud adoption has gathered momentum. There is also widespread recognition that a cloud-based IT infrastructure will gradually dominate in the enterprise. In fact, it is already happening. Any organisation that has Office 365 is in the cloud.

The business rationale for law firms to switch to the cloud is clear. Utilising third party IT infrastructure in place of on-premises systems means that organisations can reduce, if not eliminate, their capital expenditure costs of purchasing and maintaining expensive hardware. Additionally, they don’t have to worry about infrastructure maintenance, software licensing, security and patching, and electricity and cooling costs. There is greater availability and reliability of IT infrastructure; security, disaster recovery and business continuity is assured. This approach requires the firm to maintain minimal on-premises IT services, allowing it to concentrate on and invest in its core area of business – i.e. delivering legal services and advice to clients.

Additionally, lawyers too make efficiency and productivity gains – the ability to work from anywhere and from any device ensures them access to ‘just in time’ information. Given today’s globalising and dynamic legal sector, to deliver the best possible client service, lawyers need to work at the same productivity levels while on the move as they would in the office. Traditional on-premises systems require complex support to facilitate this.   

All the queries and reservations around cloud adoption today are around data – data separation, data location and data integrity. Against this scenario, cloud and data protection are inextricably linked and yet they are at odds with each other. Data protection is all about knowing where the data is stored, who has access to it and who is responsible for its safe keeping. On the other hand, one of the biggest issues for enterprises with cloud adoption can be that they are unsure of where their data will be housed.

For law firms and indeed professional services advisors, there are two key issues they must address when it comes to cloud and data protection:

1.       Have clients provided a reason for their data to not be in a third party environment?

2.       Does the regulator in the jurisdiction they are based in or in another jurisdiction they practice in, proscribe where the clients’ data may or may not be housed?

There are several approaches that law firms can take to adequately meet the above requirements and manage client data in the public cloud – i.e. a shared space like Microsoft Azure where they can guarantee the security and integrity of data within that space, based on their business and client needs. Here are some considerations for law firms to take when adopting cloud infrastructure:

Accredited suppliers – Foremost, it is important to use properly accredited suppliers of the cloud-based environment, keenly interrogating the security measures they adopt and the industry standards they comply with. It’s worthwhile for firms to benchmark the cloud service provider’s standards against their own to ensure that they meet, but better still exceed expectations. For instance, if a firm is ISO 27001 certified, the cloud provider must at the very least have the same certification. Additionally, it’s critical that firms within the European Union ensure that the cloud service provider adherers to the European Unions’ privacy requirements set out in Article 29. Compliance with Article 29 effectively states that personal data stored in the service provider’s enterprise cloud is subject to Europe’s rigorous privacy standards – no matter where that data is located.  

Physical location of data including restrictions imposed by local regulators – Clearly understand where data will be located, based on the jurisdictions the firm operates in and the rules of business imposed by the local regulators. For instance, in Switzerland, an organisation’s data has to reside in that country. Professional services firms can only locate their client data in a third party environment, which is physically located in another jurisdiction if they have the ‘explicit’ consent of customers. In the UK, on the other hand, the regulations allow for the data to be housed anywhere in Europe. Of course this might change in due course with Brexit.

Similarly, firms should consider if data will be housed with a cloud provider that is headquartered in the US or has an American arm. This is with regard to the US Patriot Act, giving the American government the right to demand data that is located within the US. This could potentially have commercial confidentiality-related implications for law firms and clients.

Due diligence – Similar to employing any services provider, law firms must undertake the necessary due diligence to check a cloud service provider’s track record – everything from securing client references, evidence of quality of service (e.g. uptime and brownout records), any legal issues against them and so forth. Additionally, with the new EU data protection regulations, cloud service providers and organisations will be equally responsible for the security of the data. Law firms will do well to review the cloud service provider’s incident response programme.  

Contract negotiations – Firms must clearly negotiate the level of service they expect from the cloud service provider. Things like service availability or uptime, service provision in the event of an outage, quality of integration with third party software, and so on must be clearly defined. This will ensure that the cloud service provider conforms to the CIA norm – i.e. Confidentiality, Integrity and Availability. All these factors impact the performance of law firms and the service they deliver to clients.

These measures will help law firms institute the necessary safeguards to protect critical data in the cloud, comply with regulations and partake of all the business benefits that this technology offers.  Rather than purchase technology that sits idle for 98 per cent of the time, buying services on a pay per use basis is a much more cost effective approach. More critically, dynamic, cloud-based business operations benefit from flexibility and scalability in today’s ever increasing digital environment.

Janet Day is a consultant at LexisNexis Enterprise Solutions

Posted by:


19 October 2016

Editor's picks


Also read...

LawAdvisor in start-up acquisition

Firm invests in legal automation with acquisition of early-stage consultation startup from Mills Oakley.