Secure cloud for legal professionals
What do the SRA Guidance and Bar Council recommendations say about cloud computing?
Moving data to the cloud gives law firms an opportunity to remain competitive and to satisfy rising client expectations. It can help them grow their revenue and improve their service. Flexible and mobile working, access to documents on any device at any time from anywhere, and electronic collaboration on documents can cut administrative costs while streamlining cooperation with colleagues, clients and external partners.
Yet cloud solutions can also present risks to preserving client confidentiality and to complying with data protection regulations. As a consequence, legal businesses lag behind in cloud adoption and have security and compliance concerns about cloud-based solutions.
Security concerns should not hold legal professionals back from moving data to the cloud though. What's key is to proceed with due diligence when choosing a cloud storage provider and to know what criteria to consider when doing so.
Let’s have a look at key recommendations that solicitors and barristers should consider when choosing a cloud solution.
The SRA explains that due to the heightened requirements of client confidentiality faced by law firms, they should conduct due diligence on any proposed provider to ensure that it can meet the requirements of a legal business before they make a final commitment.
Best practice for due diligence and to improve security includes:
- checking that the provider can offer audited information security that is, at a minimum, compliant with ISO 27001:2005
- ensuring, where staff will be working on the move, that they have properly secured communication channels to protect security
- using software to automatically encrypt documents at the law firm’s end, using security keys that are not known to the provider
- using only providers that are based in EEA countries or countries offering equivalent or greater data protection laws, and that can guarantee that data will not be held in jurisdictions that do not offer such protections
The Bar Council's paper on cloud computing highlights that data protection is a legal and regulatory requirement. The relevant regulatory basis since May 2018 is the General Data Protection Regulation (“GDPR”) as modified by the Data Protection Bill. To comply with its requirements, barristers should consider the following when choosing a cloud provider:
- ensuring that the remote servers they use in cloud computing are within the EU or otherwise comply with EU data protection laws. Use of these will require a risk-based assessment as to whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer and storage of their personal data on such servers.
- encrypting personal data held in the cloud. Most cloud computing providers state that they can encrypt the files but this is not likely to be adequate, as the cloud computing provider will most likely be able to access the data (US providers, for example, will have to be able to access it in order to comply with US court orders or government requests).
- choosing a service which says it has ‘zero knowledge’ encryption. This means that the encryption provider does not store users' passwords for the data: any request for the data has to go through the user.
- refraining from using cloud storage services which do not encrypt data before it is uploaded (for example Dropbox, Box and SugarSync) on personally-owned computers, smartphones and tablet computers for purposes related to chambers business, and opting instead for cloud storage services, for example Tresorit, which encrypt data before it is uploaded to the cloud.
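The difference between "the provider encrypts your files" and "files are encrypted before upload with keys the provider never holds" is the whole point of the recommendations above. The following Go program is an added illustration written for this page; it is not Tresorit's code or anything from the SRA or Bar Council. It assumes an in-memory stand-in for a cloud provider, AES-256-GCM from the Go standard library, and a random 32-byte key that the firm generates and keeps locally (in practice wrapped by a passphrase or hardware token, which is left out here). Both storage models are run on the same constructed sample document, and the question asked of each is the one a court order or a malicious insider at the provider would ask: with everything the provider holds, can it recover the plaintext?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadFor builds an AES-256-GCM AEAD from a 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomKey returns a fresh 32-byte key from the OS CSPRNG.
func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// seal returns nonce || ciphertext || tag for plaintext under key.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the blob was altered.
func open(key, blob []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Provider is a hypothetical cloud service. serverKey is the key a provider
// uses when it "encrypts files for you": the provider controls it.
type Provider struct {
	serverKey []byte
	objects   map[string][]byte
}

func NewProvider() (*Provider, error) {
	k, err := randomKey()
	return &Provider{serverKey: k, objects: map[string][]byte{}}, err
}

// StoreWithProviderEncryption is the model the Bar Council paper calls
// inadequate: plaintext reaches the provider, which encrypts it with its own key.
func (p *Provider) StoreWithProviderEncryption(name string, plaintext []byte) error {
	blob, err := seal(p.serverKey, plaintext)
	if err != nil {
		return err
	}
	p.objects[name] = blob
	return nil
}

// Store keeps whatever bytes a client uploads, without interpreting them.
func (p *Provider) Store(name string, blob []byte) { p.objects[name] = blob }

// Fetch returns the stored bytes for name.
func (p *Provider) Fetch(name string) ([]byte, bool) { b, ok := p.objects[name]; return b, ok }

// ProviderCanRead reports whether the provider, using only what it holds,
// can recover the plaintext of the named object.
func (p *Provider) ProviderCanRead(name string) ([]byte, bool) {
	blob, ok := p.objects[name]
	if !ok {
		return nil, false
	}
	pt, err := open(p.serverKey, blob)
	return pt, err == nil
}

// Client encrypts before upload with a key that never leaves the firm.
type Client struct{ key []byte }

func NewClient() (*Client, error) {
	k, err := randomKey()
	return &Client{key: k}, err
}

func (c *Client) Upload(p *Provider, name string, plaintext []byte) error {
	blob, err := seal(c.key, plaintext)
	if err != nil {
		return err
	}
	p.Store(name, blob)
	return nil
}

func (c *Client) Download(p *Provider, name string) ([]byte, error) {
	blob, ok := p.Fetch(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	return open(c.key, blob)
}

func main() {
	// Constructed sample document; not a real client file.
	doc := []byte("Privileged and confidential: draft witness statement (sample)")
	p, _ := NewProvider()
	c, _ := NewClient()
	_ = p.StoreWithProviderEncryption("provider-encrypted.docx", doc)
	_ = c.Upload(p, "client-encrypted.docx", doc)
	_, canRead := p.ProviderCanRead("provider-encrypted.docx")
	fmt.Println("provider-side encryption, provider can read:", canRead)
	_, canRead = p.ProviderCanRead("client-encrypted.docx")
	fmt.Println("client-side encryption, provider can read:", canRead)
	stored, _ := p.Fetch("client-encrypted.docx")
	fmt.Println("plaintext visible in stored bytes:", bytes.Contains(stored, doc))
}
```

The test a firm can apply to any vendor claim follows directly: if the provider can answer a lawful request for your plaintext without involving you, the encryption is provider-side, however many certifications sit in front of it. GCM also rejects blobs that were altered at rest, so the client notices tampering on download rather than silently reading a corrupted file.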
Not all cloud providers are created equal
Most mainstream cloud services do not satisfy the criteria mentioned above. Using these services can put a law firm or barristers' chambers at risk. A leak of confidential data can not only cost clients but lead to severe reputational damage from which it may be difficult to recover. That's why legal professionals should make sure they opt for a provider such as Tresorit, which can guarantee sufficient protection for confidential legal documents.
Data protection measures recommended by the Bar Council
- Data stored on EU servers
- End-to-end encryption for file sharing
- Encryption keys controlled by the user
- Provider never has access to the plain text content of user files
Learn more about how Tresorit can help legal professionals store and share data securely in the cloud.