Passing Clouds: The Cloud Club – Client Consent Not Required?

Associate editor Caroline Hill looks at the law firms that have joined the private cloud club and asks, should client consent be a prerequisite?

As top 200 law firms look for scalable solutions to the exponential growth of data they handle and its associated costs, slowly but surely they are turning towards privately hosted document management solutions, presenting a potentially serious client care challenge.

IT departments backed by their partnerships, by bringing in or looking at bringing in what they still often dare not call cloud, are – unusually for the legal sector – ahead of many of their clients, particularly those in regulated industries such as the finance and insurance sectors.

While some clients such as Royal Mail have already themselves taken the step of putting their DMS in the cloud – in Royal Mail’s case with NetDocuments’ software-as-a-service (SaaS) platform – others such as HSBC have something approaching a blanket ban. Not only that, but when asked what the bank’s take is on law firms putting client information into the cloud, one HSBC GC answered simply: “We don’t allow it.”

Other clients say they would be prepared to give informed consent subject to certain assurances – Vodafone’s group general counsel Rosemary Martin told the Legal IT Insider: “No-one has asked me yet but it would depend – anything very sensitive such as major litigation or major M&A we would be a bit twitchy about. More run of the mill stuff we would probably be fairly relaxed about. I’d want assurance the cloud and access to it were truly secure.”

A similar position is taken by Suzanne Wise, group GC and company secretary at Network Rail, who said: “I would want to be informed and would ideally like confirmation that the information was as secure as it had been.”

However, the logistics of consulting potentially thousands of clients across multiple jurisdictions with differing regulations and internal policies mean that most of the law firms that have already moved client data into the cloud, either platform-as-a-service (PaaS) or SaaS, have taken the decision not to conduct a blanket consultation exercise with their clients.

At Keystone Law, which operates a heavily IT-reliant dispersed model and signed with NetDocuments earlier this year, IT Director Maurice Tunney said: “Most of our clients are start-ups or small-to-medium enterprises who want to be assured that their data is secure and for our larger banks and insurance companies, we have not had any concerns raised about the fact that their data is stored in the cloud. If it was raised then we would re-assure them that it is highly secure and meets all the necessary security accreditations and requirements.” Tunney was previously at FieldFisher, which became one of the first firms to place its DMS in the cloud with Virtustream on a PaaS model.

At Farrer & Co, which went through a stringent DMS tender process involving numerous partners as part of an 11-strong project committee, IT director Neil Davison said: “Clients trust us to make sure their documents are secure. We are now answering the question ‘are you ISO27001 certified?’ with a ‘yes’. ‘Is your data encrypted?’ ‘Yes’. We couldn’t have done that before and most law firms can’t.”

Firms are, of course, not obliged to seek client consent by the Solicitors Regulation Authority (SRA), which acknowledges in its November 2013 Silver Linings: cloud computing, law firms and risk paper that from a client care perspective, solicitors have implied consent to confidential information being passed to external IT providers. They are also largely updating their terms and conditions to reflect the fact they have a hosted DMS.

But there are definite complexities. The SRA in its Silver Linings guidance advises: “Where the matter is an unusually sensitive or high profile one, firms are advised to discuss with the client and get informed consent to any sharing or passing of client information”, leaving firms to work out which, if any, of their numerous high profile and sensitive matters do not require consent.

The decision making process

Clearly law firms have been using third party back-up servers for many years but those that have moved to a hosted cloud platform say that their primary duty and concern in getting to a ‘yes’ was to make sure client documents are secure.

Nabarro’s PaaS is limited to two specific data centres and IT director Andrew Powell said: “Yes it’s shared infrastructure but the data is not available to other people – not even the people running the system. Someone else is providing the bucket and they don’t know what I put in the bucket.”

Farrer & Co went through a comprehensive market review and extensive tender process among six providers, presenting to a project board largely made up of partners and fee-earners armed with 17 different criteria. IT director Neil Davison said: “NetDocuments security far outweighs any firm I’ve ever worked with. It is light years ahead, encrypted to the highest level and data is [ISO27001] certified – few law firms have that.

“If someone wanted your data one of the easiest places to hack are law firms, which have notoriously weak security.” He added: “We were buying for the future. We didn’t want a document management system for four years but for 10 years’ time. If you work out how many documents you produce and how much that is growing by the day and work out how much that will grow over the next five to ten years, it doesn’t matter how big your firm is, law firms will become a small data centre. That offers no value.”

Tunney, who at the time of going to press had moved a third of his dispersed model lawyers across to NetDocuments’ shared but segregated servers, said: “NetDocuments have pretty much the most secure set up I’ve ever come across. They have had external banks run penetration testing that couldn’t get close. The resources to make sure their data is secure and backed up are far more impressive than any budget I’ll ever have.”

Client attitudes and retaining business

The difficulty is that for some clients, fears over the cloud, including third party and government access, still outweigh the benefits. There are contradictions in their attitudes: third party run deal rooms have long been used by clients and, as David Aird, the IT Director of DAC Beachcroft, points out: “If a client has a blanket ban up front it’s nice for them to have that ethos but if they use services like Mimecast or Salesforce then they’ve already put their data in the cloud.”

At DAC Beachcroft, Aird is currently going through his own decision making process and seriously looking at a hybrid cloud model, such as that provided by HP, which enables firms to keep their documents in the cloud or on the premises. “We might say to a client we’re happy to keep your data within our offices but there will be a premium cost for that,” Aird said.

This is something Nabarro has had to do, retaining on its premises a government e-discovery system, where the certification process for moving it was too onerous, although the firm is hoping to move it during the next recertification process.

Without the ability to offer an alternative to cloud, being part of the cloud club presents the unusual possibility that a firm’s IT arrangements may become a bar to retaining or winning business.

Davison candidly says: “In some cases it may mean we can’t take the work. Every firm experiences times when they can’t accept and can’t take on the work – but it’s changing.”

Client attitudes are certainly evolving, with Royal Mail a good example of that. The UK legal team at global engineering and technology group Siemens is currently in the process of considering its position on data storage and the cloud.

But with the Magic Circle known to be actively looking at cloud options, given their heavy financial institution and corporate client base, not to mention the tendency of the rest of the market to follow their lead, it is certainly worth revisiting first principles.

8 replies on “Passing Clouds: The Cloud Club – Client Consent Not Required?”

The SRA are OK with cloud storage but Data Protection Act is not as most held in USA etc! < which is why many vendors are setting up (or have already set up) datacenters in the EU ..Ed

We have UK based cloud nodes but we connect customers in with a private network connection so they avoid the worries of hacking over the internet. This ensures data is protected in transit as well. < Well done David, you win an Initiative Gold Star as the first vendor to take advantage of this story to promote your own services

Cloud is not a security strategy. The shocking lack of security that most law firms have comes from how their end-users (i.e. lawyers) treat security. It doesn’t matter if they’re using a hosted DMS or an on prem DMS or a hybrid DMS – the same security holes (i.e. people) are still in the mix.

Similar situation with e-billing. Some firms still reluctant to trust their billing data to the cloud (or more importantly to servers in the US). Cannot rely on Safe Harbor either. That is why many firms prefer an e-billing solution where data resides behind the client’s own firewall. Also we advise that law firms get their clients to indemnify them if requesting a US based e-billing solution.

I think we need to differentiate between the original concept of cloud computing, which is where any server in any location is pressed into service as and when necessary, usually without anyone really caring very much (perfect for, say, social media or an individual’s images or music). By definition this requires data to straddle legal jurisdictions and very rightly worries any sensible business person.

However, the decades-old concept of a privately hosted and secure service is an entirely different, and safe, beast. Unfortunately, people started terming this service as “the cloud” as well. It’s not, and never will be, but someone clearly thought it would be a good idea to jazz up a tried and trusted business model with a barely understood modern computing term. In this way things got somewhat blurred: PaaS or SaaS are NOT “the cloud” and should NOT be referred to as such.

Good and well recognised definitions of cloud computing in this document by NIST (National Institute of Standards and Technology) –

http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

I note that they define SaaS and PaaS as follows:

Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming

Thank you Tim. Looks like I now need to lock horns with NIST!

I maintain even more that traditional hosted solutions and cloud computing should not be bundled up into the same conversation, other than under different headings.

I’m with you. NetDocs co-opted the term to describe their hosted offering and then rely on their slick marketing to refer to every other vendor as “legacy,” which is disingenuous at best given that they wrote SoftSolutions and then just created a new-and-improved version of it to sell in a hosted capacity termed NetDocuments. The platform doesn’t matter – it’s all about cost and benefit.
