Comment: Are UK Law Firms Imprisoned by Data Security?
The Case for and Against Embracing Modern IT Technology as a Solution
by Tim Maxwell
The legal sector has probably been among the slowest in the UK to adopt recent technological advances such as cloud computing, virtualisation and mobile working, or has implemented them only partially. This is especially true of the country’s smaller and high street firms, which could perhaps most benefit from the unique advantages each approach offers as they aim to compete with larger, global organisations. A large part of the reluctance among SMBs in the legal sector to fully embrace each of the three technologies stems from a common concern: security. Tim Maxwell, business development director at JMC IT, considers the well-founded reservations about the storage and use of sensitive information in a more open IT environment and outlines the strides being made specifically to address such concerns.
Ahead in the Cloud?
Cloud computing, where IT resources are delivered remotely via the web, is now also used to process and store data rather than merely to deliver it from on-premises IT solutions. So rapid has been the uptake that in its annual Global Cloud Index (2012–2017), Cisco predicted that 2014 would be the first year in which the majority of workloads shift to the cloud, 51% versus 49% in the traditional IT space. According to research company Gartner, the figure will be even greater, standing at 60%. Practically speaking, however, these statistics are more indicative of the global market; the reality in the UK, especially among legal SMBs, is that those electing to use the cloud in this way are still in a small minority.
The advantages of cloud hosting are well-documented and include its flexibility to meet changing IT demands, perceived unlimited storage, theoretically streamlined backup and recovery, freeing the workforce to operate remotely more easily and reducing infrastructure overheads.
However, somewhat understandably, the legal sector has largely avoided early (and now, late) adoption of the technology. The single most common concern about cloud servers across all markets is the security of data: however it is approached, relying on a third-party cloud service provider means that you are no longer in control of your information.
Almost all law firms, SMBs included, will have data held on-premises or in a remote server location on their own dedicated piece of hardware in a secure, non-multi-tenant environment, and access it via the cloud. But when it comes to hosting data in the cloud itself, in a sector handling highly sensitive client and company information, worries over security are hugely magnified, as web-hosted information is perceived by many to be more vulnerable to malicious attacks. There are also substantial compliance requirements imposed on UK firms by third-party organisations such as the Solicitors Regulation Authority (SRA). The most obvious of these concern data protection and confidentiality, and it is still very unclear whether, or to what extent, a dependence on cloud hosting allows a business to meet those obligations. A prominent issue to consider is the degree to which a vendor is subject to outside access: using a US company’s cloud service, even where the data centre is based in the EU, causes significant issues, as the data may be covered by invasive US laws like the Patriot Act.
There are myriad cloud solutions available that are designed to address such concerns, including hybrid systems combining physical EU servers with partially web-based functions. Using a private cloud with a non-multi-tenant, non-shared storage environment would certainly help mitigate the risk of non-compliance, but such a solution may negate the very commercial benefits it is deployed to achieve.
Before committing, law firms need to question very carefully whether potential solutions meet their compliance requirements. While some claim specific solutions are viable, cloud-based hosting for the legal sector has yet to be fully tested in the courts, so it is impossible to confidently assert one way or the other.
Do Not Leave Security to Its Own Devices
A culture of work from home, coupled with the commercial impetus behind mobile working, has led to an almost universal adoption of a ‘bring your own device’ (BYOD) environment, where staff either work on personal devices or use a company-provided device for personal use. While the use of BYOD has been hailed in some quarters as a revolutionary move towards full remote working on the go, it has to be acknowledged that in many areas, particularly among legal SMBs, BYOD is limited to email and calendar access via a smartphone.
Whatever the device, BYOD carries inherent security risks. In the case of a laptop joined to the practice’s domain, law firms can manage the device relatively easily: the firm can prevent people installing software, regulate access to data and remotely wipe the machine if it is stolen. In the case of a mobile device, however, the facilities to exert such a level of control simply do not exist out of the box, owing to its consumer-oriented nature.
For personal smartphone and tablet BYODs, an employer cannot fully control or manage the device as they would like to, because the majority of data on it is personal. If that person leaves the organisation or their device is stolen, there is no pre-installed solution that would enable a law firm to wipe only corporate data and leave the personal information intact. The risk can be mitigated by introducing mobile device management from third parties, some of which allow for the compartmentalisation of data in a ‘sandbox’. This means select, specific tranches of data can be erased if necessary, and also that firm data is kept distinct from the user’s personal profile and is therefore prevented from being shared automatically by applications such as Dropbox or iCloud.
Even if the device in question is firm-owned and a greater degree of control is afforded to the organisation, it is still likely to be relied on for personal use, and therefore there is a risk to data. Law firms should be especially aware of contractual agreements that can be put in place to confirm that devices cannot be used for private purposes, or to limit their personal use. However, the majority do not exercise this option, leaving sensitive client information at risk.
Increasingly common is virtualisation, where one or many applications normally confined to multiple pieces of server hardware are run concurrently on fewer physical servers. This can be extremely effective in reducing overheads, but there should be caution in taking it to extremes. It may be entirely possible to virtualise to the extent that all applications are running on a single server, but this disproportionately increases the likelihood of bringing the entire firm to a halt in the event of hardware failure. The best advice is to consider resilience and have multiple servers, so that any failure only brings down some applications or, better, to be in a position where the applications on damaged hardware can be migrated to other servers to maintain a fully functioning system.
In order to ensure minimal server downtime and secure data, firms need to explore solutions delivered by a competent, stable provider that are resilient, properly scalable and have contingency options. Increasingly, law firms are realising that their systems need to be properly supported at a proactive level on a 24/7 basis. There has been a shift away from the commonly held belief among organisations that, because they are not a 24/7 business, the same applies to their IT support needs. Considering that in a typical working week an office is only open roughly 42 out of a possible 168 hours, a system is almost four times as likely to fail when no-one is working on it; therefore, having a service monitoring server integrity at all times is essential. After all, the time to find out that a system failed at 3am or over the weekend is not on arriving at the office for work at 9am when an injunction needs urgently filing. Dedicated support means that such faults are identified and fixed as they happen, meaning less downtime impacting working hours.
The sheer pace of technological capability, advances in cloud computing and the commercial impetus behind BYOD have far exceeded the rate at which the UK’s firms, and indeed legislation itself, have been able to exert control. The sector has unique challenges and concerns when approaching these technological advancements, and there are still far too many uncertainties with regard to legal compliance surrounding certain IT solutions. For those embracing the leading edge in cloud-hosted data, a lack of clarity and no established case law mean a degree of exposure.
Such exposure to security risks is less inherent in BYOD and virtualisation, though law firms seem to welcome it by having no policy or data management structure in place. Safeguarding can be straightforward, and law firms should be more acutely aware of their responsibility for data security and integrity than other sectors, but the truth is that organisations taking steps to secure themselves are rare. This has led to a situation whereby firms are either not committing at all to technology that might add real benefit to their organisation, thus allowing concerns over data security to imprison them in legacy solutions, or have only partially implemented infrastructure around the cloud, servers and mobile working. With technology evolving so rapidly and staff embracing a new era of work, perhaps it is time for the law, and the firms practising it, to do the same.