SRA Guidance on the Cloud

November 13, 2013

A new publication from the SRA, Silver Linings: cloud computing, law firms and risk, offers guidance to law firms who are using, or contemplating using, cloud computing. The guidance can be downloaded from the panel opposite (as a pdf) or accessed here.

The guidance arises from the SRA’s concern over ‘outsourcing risks’ in law firms. Since cloud computing involves outsourcing data processing and storage to an external provider, the SRA is concerned about firms failing to exercise due diligence in controlling those risks. Concern is expressed too about data protection and, in the light of recent revelations, the use of US-based cloud providers. 

The guide includes a useful checklist. Best practice for due diligence includes:

• taking references from other companies using the proposed provider

• checking service level agreements carefully to ensure that the proposed service can offer at least full Safe Harbour compliance if data is stored outside the EEA

• checking that the provider can offer audited information security that at a minimum is compliant with ISO 27001:2005

• checking that the provider can offer a level of guaranteed uptime and continuity protection that is acceptable to the firm

• ensuring, where staff will be working on the move, that they have properly secured communication channels to protect security

• ensuring that their contract with the provider includes the requirements of Outcome 7.10 of the SRA Code of Conduct.

The SRA also states that security can be improved by:

• using a private cloud, or private area of a hybrid cloud, for client confidential material

• using software to automatically encrypt documents at the law firm’s end, using security keys that are not known to the provider

• using only providers that are based in EEA countries or countries offering equivalent or greater data protection laws, and that can guarantee that data will not be held in jurisdictions that do not offer such protections.

The SRA guide is by no means against the use of cloud computing, recognising that one of its major advantages is that it enables mobile working without the need to carry data around on laptops or datasticks, which are the main risks for data loss:

‘The SRA recognises that provided an effective provider is used, cloud computing can provide benefits for the firm and for clients, both in terms of costs and providing better levels of encryption and security, and the SRA Code of Conduct (‘the Code’) does not prevent you from entering into such an arrangement. However, there are obvious risks, one of which is giving up control of your data to a third party which has the potential to compromise the SRA’s ability to properly regulate the affairs of a firm and ensure that the interests of clients remain fully protected (for example, if a firm becomes insolvent, or subject to an investigation or intervention).’