Don't sleepwalk into the cloud - the challenges for law firms and their clients

marketing-cloud

The benefits and risks of using cloud services to store corporate data have been debated for years, and many organisations have taken a firm stance against their use.

GCs have mixed feelings about cloud services – particularly if third-parties, including law firms, are using them on their organisation’s behalf. However, while GCs may be keeping a strict eye on how well their own companies store and handle data, their awareness of the systems used by the organisations they outsource to and trust with their own corporate information may not be so high. However, this looks likely to change, in part due to guidance published in 2013 by the Solicitor’s Regulation Authority (SRA), which aimed to address the “lack of due diligence over outsourcing arrangements” and reminded firms of their duty when using the cloud to “keep client information confidential”, with particular reference to Outcome 7.10 of the SRA Code of Conduct.

Some GCs have a very strict and thorough policy on how their company data should be stored and categorised, with some stipulating they do not want cloud use. Law firms increasingly need to take note of this sensitivity, not only from a perspective of winning and maintaining business, but also based on complying with the SRA Code of Conduct. As the SRA report states:

“Solicitors have implied consent to confidential information being passed to external IT service providers. Given the potential risks of cloud computing, it would, however, be prudent to inform clients in your terms of business that your firm uses cloud computing. However, there may be circumstances where this would not be sufficient and informed consent would be advisable. Firms should consider their clients individual needs and whether, in certain matters, the risk to confidentiality is too great.”

Philip Bramwell, group general counsel at BAE Systems, says that he is “uncomfortable” with the idea of law firms keeping company documents in the cloud as “security varies widely according to provider, technology and location” -a serious concern given the nature of BAE’s work, and the national security, regulatory and legislative requirements imposed upon it. Instead, the company prefers its law firms to store company data on secure servers, with Bramwell adding that “we have clear requirements setting out what data can be held on which servers”.

Bramwell says that BAE only permits information that is already in the public domain to be stored in the cloud by its law firms, and that this condition is set out in a formal policy. He also says that there are documents that the company considers too sensitive to store in the cloud, and that the policy prohibits cloud storage for these types of documents or data.

Bramwell says the policy is enforced and respected “by audit or by virtue of the fact that our own cyber security division provides services to the law firm concerned”. He adds that BAE reviews or audits how securely and effectively its law firms store its information in the cloud “upon instruction in a new matter or as required”.

Although many organisations prohibit the use of cloud services by their own employees over fears of a lack of security (particularly ‘public’ cloud services such as Dropbox, which allows users to upload and send large electronic files), many GCs interviewed by Legal Week have been slow to ask their law firms what kind of cloud protocols they have in place, particularly as they hold vast quantities of sensitive data on their clients’ behalf.

Instead, while many organisations have specific and detailed data security protocols in place with their technology partners, they tend to only have ‘blanket’ policies that apply to all contractors and reinforce the importance of data protection, integrity, security and confidentiality (with appropriate sanctions), but which are not prescriptive about how this should or could be done.

One GC who spoke to Legal Week said: “As clients, we have an expectation that our corporate information will be held securely, safely and responsibly, and that it will be deleted when we cease our contract with them,” says one GC. “If there is any breach of this, we will take action and our law firms know this.”

Some expect clients to demand more detailed and customised cloud security standards in the near future. Crawford Hawley-Groat, director of IT at Maclay Murray & Spens says: “We need to properly understand each client’s attitude towards cloud security and how they want their data to be managed and then ensure that we are able to offer suitable mechanisms and services to be able to manage their data accordingly.”

Unilever chief privacy officer Steve Wright offers an example of the differing security needs of a single client. He says: “We have around 30 law firms that support us around the world and we have service agreements with each of them that include specific requirements for the safe handling of data.” He adds: “Our contracts clearly state that should there be any breach of our corporate data in our law firms’ possession, then we would expect remediation and compensation.”

While GCs may not be prescriptive about the use of the cloud to store their information, it is implicit that if corporate data is leaked due to a law firm using unsecure cloud services, immediate action will be taken and – more than likely – legal services moved to another firm. As a result, law firms need to recognise that not all GCs will be happy if all – or even a significant portion – of their corporate data is stored in the cloud. In fact, some organisations may even move their legal work to another firm due to data security risks, particularly in highly regulated industries such as defence and financial services.

Law firms – like any other sector – are not immune to mishandling client data. The UK’s data regulator, the Information Commissioner’s Office (ICO), investigated 173 UK firms for 187 incidents that may have breached the Data Protection Act last year, according to a freedom of information request made public this April by Egress Software Technologies. Furthermore, last August the Information Commissioner warned barristers and solicitors to keep personal information secure, especially paper files, after a string of at least 15 incidents involving data breaches.

Besides the reputational damage a data leak can cause, regulators can also impose stiff sanctions. In the UK, the maximum financial penalty imposed by the ICO for an organisation breaching the terms of the Data Protection Act 1998 is £500,000. However, the Financial Conduct Authority (FCA), the UK financial services regulator, has the power to issue even stiffer penalties. For example, in 2010 the UK branch of Zurich Insurance was fined £2.2m for mishandling customer data. HSBC was fined £3.2m in 2009 by the Financial Services Authority for customer data breaches, while Nationwide Building Society was forced to pay a £980,000 fine in 2007 for similar failings.

Ensuring data security is set to stay on organisations’ risk agendas for some time. The European Commission is preparing to significantly tighten data regulations in an update to its 1995 Data Protection Directive, while in the US, Congress is considering 112 pieces of legislation addressing privacy and data breaches.

QBE North America, a division of QBE Insurance Group, has also taken various steps to address its concerns regarding cloud computing, including the creation of a cybersecurity committee and a thorough review of its policies and procedures (including those governing outside counsel). Jose Ramon Gonzalez, the company’s chief legal officer, says: “The use of cloud computing by the law firms we engage presents significant issues, not only with respect to the security of sensitive or personally identifiable information, but of legal privilege as well. As the technology becomes better understood, we have increased our comfort level with firms storing certain information in the cloud – but only when done so securely and in accordance with the applicable rules of professional conduct.”

Gonzalez adds: “We require written representations and other assurances with regard to cybersecurity measures taken by our counterparties and services providers – both contractually and in the context of our diligence and auditing.”

Of those GCs contacted by Legal Week, the majority do not currently have formal cloud policies with law firms or other third parties, but instead have strict agreements in place regarding data security, which are flexible enough – if necessary – to include cloud storage issues. Charlotte Heiss, head of group legal at insurer RSA, says: “Clearly, we expect the firms we use to keep our data safe. The information we share with them is confidential, could involve litigation and is sometimes price-sensitive. When we instruct firms on claims issues, the subject matter will often include sensitive personal data, so we are particularly mindful of data security.”

She adds: “It is important that firms respect client confidentiality and have the processes in place to ensure that this expectation is met. Our engagement terms for corporate transactions will specify the need to ensure that confidentiality is maintained.”

Heiss says that the legal department looks at all third-party (including law firms) engagements regarding data on their merits using a risk-based approach. RSA’s assessment would include what the data comprises, how much of it there is, and how it is being processed. Heiss adds: “We control risk in this area through our information security policy which includes third-party management of data”, and which is also underpinned by detailed standards.

Other GCs are of the same view. As one says: “The point you have to make to your law firms is that data must be held securely and that they can provide assurance that this is the case. If there is any lapse, then you will take immediate action against them, so it is absolutely their responsibility to ensure security.”

Some GCs have concerns about which type of cloud services are being used by their law firms, and whether these services are ‘public’, and can be used generally over the internet by anyone, or ‘private’ – administered by a dedicated service provider. Concerns about the risks around both types of cloud service have been well documented.

Cloud data specialist CipherCloud’s Cloud Adoption and Risk Report For North America And Europe report, released this February, found that 86% of cloud applications used by enterprises are unsanctioned ‘shadow IT’ applications that are not readily visible to the organisation’s IT department or known about, and so could put key company (as well as client) data at risk. Furthermore, 70% of US cloud applications used by European organisations are not “safe harbor” approved, and so do not comply with EU legislation on data protection.

Many clients may simply be unaware that most firms use the public cloud for some core office functions, such as email and contact management. David Aird, IT director at DAC Beachcroft says: “Many firms use solutions such as Salesforce and Mimecast, which puts their data in the cloud without even realising it.

Grant Crockart, head of legal commercial outsourcing at insurer Aviva Group, says that the debate about the pros and cons of public and private cloud usage is “a big issue for us”.

“Generally speaking, I would not put personal data on the public cloud because of the regulatory requirements that financial services firms need to comply with in the UK regarding customer information. However, we might consider the merits of using public cloud services on a project by project basis, but there would be strict criteria about the kind of information that we would be storing there.”

Crockart says that one major advantage of using the private cloud is that “you have more chance of effectively auditing a private cloud services provider than a public cloud services provider”.

Law firms are becoming more acclimatised to providing cloud security that answers the sensitivities of individual clients, including dividing data between the public and private cloud. Aird says, “We will work with clients to provide adequate security for their individual needs, though this may result in a different pricing structure.”

Some GCs also have concerns surrounding the issue of legal privilege, believing that if a third party has access to private information, that could eliminate confidentiality, pose a liability risk or even potentially violate the law. “If a regulator or enforcement agency wants your data, it is not going to be put off by the fact that it is held in a cloud. To think otherwise is complete nonsense,” says one GC.

It appears that the level of comfort that GCs have regarding their law firms’ use of cloud services varies from one organisation to another. This finding may not be a surprise, but it is revealing, and law firms will need to take into account that not all GCs and industries share the same view of the cloud’s benefits. As a result, law firms will need to offer bespoke cloud storage options for clients in the future, varying from non-cloud use to a more likely hybrid cloud option, defined by the law firm offering a combination of cloud DMS storage plus on premise for those matters and/or clients who do not wish to be in the cloud.

Such an approach, however, is dependent on law firms being open with clients about how they currently use cloud services on their clients’ behalf, and GCs asking for more specific information or imposing stricter conditions on their contractors. Currently, neither scenario is very common, but this is likely to change as data storage risks become more prevalent.

Several GCs privately admit that scrutiny surrounding cloud storage usage by law firms on their clients’ behalf may “not even be on the radar”. As one GC says: “I suspect that generally, companies are not asking law firms about whether they are using cloud services to store their data, in the same way that our clients do not ask us about it. The question only arises when it all goes wrong and there’s a data leak, but until that happens, you have to trust that your contractors and law firms are doing what they should be and honouring your data protection terms and conditions.”

The same GC adds: “Law firms are obviously interested in using cloud services for ease of use and to generate cost savings. However, outsourcing data storage and handling to a third-party does not shield anyone for taking ultimate responsibility for mishandling client or personal data, and every organisation needs to be aware of that”.

The bottom line is that when GCs talk to firms about the sensitivity of storing their client data, firms need to be straightforward about how the cloud is being used and even suggest when it should be prohibited. While the cloud is fit for many purposes, it is not ‘one size fits all’ for client data needs. This client expectation of flexibility with cloud security is not only increasingly normal, but may soon become a legal obligation.