Passing Clouds: The Cloud Club – Client Consent Not Required?

Associate editor Caroline Hill looks at the law firms that have joined the private cloud club and asks, should client consent be a prerequisite?
As top 200 law firms look for scalable solutions to the exponential growth of data they handle and its associated costs, slowly but surely they are turning towards privately hosted document management solutions, presenting a potentially serious client care challenge.
IT departments backed by their partnerships, by bringing in or looking at bringing in what they still often dare not call cloud, are – unusually for the legal sector – ahead of many of their clients, particularly those in regulated industries such as the finance and insurance sectors.
While some clients such as Royal Mail have already themselves taken the step of putting their DMS in the cloud – in Royal Mail’s case with NetDocuments’ software-as-a-service (SaaS) platform – others such as HSBC have something approaching a blanket ban. Not only that, but when asked what the bank’s take is on law firms putting client information into the cloud, one HSBC GC answered simply: “We don’t allow it.”
Other clients say they would be prepared to give informed consent subject to certain assurances – Vodafone’s group general counsel Rosemary Martin told the Legal IT Insider: “No-one has asked me yet but it would depend – anything very sensitive such as major litigation or major M&A we would be a bit twitchy about. More run of the mill stuff we would probably be fairly relaxed about. I’d want assurance the cloud and access to it were truly secure.”
A similar position is taken by Suzanne Wise, group GC and company secretary at Network Rail, who said: “I would want to be informed and would ideally like confirmation that the information was as secure as it had been.”
However, the logistics of consulting potentially thousands of clients across multiple jurisdictions with differing regulations and internal policies mean that most of the law firms that have already moved client data into the cloud, either platform-as-a-service (PaaS) or SaaS, have taken the decision not to conduct a blanket consultation exercise with their clients.
At Keystone Law, which operates a heavily IT-reliant dispersed model and signed with NetDocuments earlier this year, IT Director Maurice Tunney said: “Most of our clients are start-ups or small-to-medium enterprises who want to be assured that their data is secure and for our larger banks and insurance companies, we have not had any concerns raised about the fact that their data is stored in the cloud. If it was raised then we would re-assure them that it is highly secure and meets all the necessary security accreditations and requirements.” Tunney was previously at FieldFisher, which became one of the first firms to place its DMS in the cloud with Virtustream on a PaaS model.
At Farrer & Co, which went through a stringent DMS tender process involving numerous partners as part of an 11-strong project committee, Davison said: “Clients trust us to make sure their documents are secure. We are now answering the question ‘are you ISO27001 certified?’ with a ‘yes’. ‘Is your data encrypted?’ ‘Yes’. We couldn’t have done that before and most law firms can’t.”
Firms are, of course, not obliged to seek client consent by the Solicitors Regulation Authority (SRA), which acknowledges in its November 2013 Silver Linings: cloud computing, law firms and risk paper that from a client care perspective, solicitors have implied consent to confidential information being passed to external IT providers. They are also largely updating their terms and conditions to reflect the fact they have a hosted DMS.
But there are definite complexities – the SRA in its Silver Linings guidance advises: “Where the matter is an unusually sensitive or high profile one, firms are advised to discuss with the client and get informed consent to any sharing or passing of client information” – leaving firms to work out which, if any, of their numerous high profile and sensitive matters do not require consent.
The decision making process
Clearly law firms have been using third party back-up servers for many years but those that have moved to a hosted cloud platform say that their primary duty and concern in getting to a ‘yes’ was to make sure client documents are secure.
Nabarro’s PaaS is limited to two specific data centres and IT director Andrew Powell said: “Yes it’s shared infrastructure but the data is not available to other people – not even the people running the system. Someone else is providing the bucket and they don’t know what I put in the bucket.”
Farrer & Co went through a comprehensive market review and extensive tender process among six providers, presenting to a project board largely made up of partners and fee-earners armed with 17 different criteria. IT director Neil Davison said: “NetDocuments security far outweighs any firm I’ve ever worked with. It is light years ahead, encrypted to the highest level and data is [ISO27001] certified – few law firms have that.
“If someone wanted your data one of the easiest places to hack are law firms, which have notoriously weak security.” He added: “We were buying for the future. We didn’t want a document management system for four years but for 10 years’ time. If you work out how many documents you produce and how much that is growing by the day and work out how much that will grow over the next five to ten years, it doesn’t matter how big your firm is, law firms will become a small data centre. That offers no value.”
Tunney, who at the time of going to press had moved a third of his dispersed model lawyers across to NetDocuments’ shared but segregated servers, said: “NetDocuments have pretty much the most secure set up I’ve ever come across. They have had external banks run penetration testing that couldn’t get close. The resources to make sure their data is secure and backed up are far more impressive than any budget I’ll ever have.”
Client attitudes and retaining business
The difficulty is that for some clients, fears over the cloud, including third party and government access, still outweigh the benefits. There are contradictions in their attitudes: third party run deal rooms have long been used by clients and, as David Aird, the IT Director of DAC Beachcroft points out: “If a client has a blanket ban up front it’s nice for them to have that ethos but if they use services like Mimecast or Salesforce then they’ve already put their data in the cloud.”
At DAC Beachcroft, Aird is currently going through his own decision making process and seriously looking at a hybrid cloud model, such as that provided by HP, which enables firms to keep their documents in the cloud or on the premises. “We might say to a client we’re happy to keep your data within our offices but there will be a premium cost for that,” Aird said.
This is something Nabarro has had to do, retaining on its premises a government e-discovery system, where the certification process for moving it was too onerous, although the firm is hoping to move it during the next recertification process.
Without the ability to offer an alternative to cloud, being part of the cloud club presents the unusual possibility that a firm’s IT arrangements may become a bar to retaining or winning business.
Davison candidly says: “In some cases it may mean we can’t take the work. Every firm experiences times when they can’t accept and can’t take on the work – but it’s changing.”
Client attitudes are certainly evolving, with Royal Mail a good example of that. The UK legal team at global engineering and technology group Siemens is currently in the process of considering its position on data storage and the cloud.
But with the Magic Circle known to be actively looking at cloud options, given their heavy financial institution and corporate client base, not to mention the tendency of the rest of the market to follow their lead, it is certainly worth revisiting first principles.