Secure cloud for legal professionals

What do the SRA Guidance and Bar Council recommendations say about cloud computing?

Moving data to the cloud brings an opportunity for law firms to remain competitive and to satisfy increasing client expectations. It can help them grow their revenue and improve their service. Flexible and mobile working, access to documents on all devices at any time from anywhere, and electronic collaboration on documents can help cut administrative costs while streamlining cooperation with colleagues, clients and external partners.

Yet cloud solutions can also present risks to client confidentiality and to compliance with data protection regulations. As a consequence, legal businesses lag behind in cloud adoption and have security and compliance concerns about cloud-based solutions.

Security concerns should not hold legal professionals back from moving data to the cloud though. What's key is to proceed with due diligence when choosing a cloud storage provider and to know what criteria to consider when doing so.

Let’s have a look at key recommendations that solicitors and barristers should consider when choosing a cloud solution.

Cloud Compliance and Data Breach Guide for Legal Professionals

Interested in learning about how Tresorit can help legal professionals safeguard their clients’ data in the cloud and avoid the most common data breaches? This free guide helps you explore real-world data breach scenarios, the consequences they could entail under the General Data Protection Regulation (GDPR), and the way they could be avoided using Tresorit's end-to-end encrypted cloud service. It also provides a comprehensive overview of the requirements a cloud provider has to satisfy to keep confidential documents safe and help you comply with data protection requirements.

In this free cloud compliance and data breach guide, you'll learn:

  • What are common human mistakes that could lead to accidental data breaches?
  • What are the consequences of data breaches under the GDPR?
  • What measures your firm can take to prevent data breaches?
  • What are the Bar Council's and the Solicitors Regulatory Authority's criteria for a secure cloud solution?

The SRA Code of Conduct – relevant provisions

The SRA explains that, because of the heightened client confidentiality requirements faced by law firms, they should conduct due diligence on any proposed provider to ensure it can meet the requirements of a legal business before making a final commitment.

Best practice for due diligence and to improve security includes:

  • checking that the provider can offer audited information security that is, at a minimum, compliant with ISO 27001:2005
  • ensuring, where staff will be working on the move, that they have properly secured communication channels to protect security
  • using software to automatically encrypt documents at the law firm’s end, using security keys that are not known to the provider
  • using only providers that are based in EEA countries or countries offering equivalent or greater data protection laws, and that can guarantee that data will not be held in jurisdictions that do not offer such protections

The Bar Council’s Recommendations – relevant provisions

The Bar Council's paper on cloud computing highlights that data protection is a legal and regulatory requirement. The relevant regulatory basis since May 2018 is the General Data Protection Regulation (“GDPR”) as modified by the Data Protection Bill. To comply with its requirements, barristers should consider the following when choosing a cloud provider:

  • ensuring that the remote servers they use in cloud computing are within the EU or otherwise comply with EU data protection laws. Use of these will require a risk-based assessment as to whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer and storage of their personal data on such servers.
  • encrypting personal data held in the cloud. Most cloud computing providers state that they can encrypt the files but this is not likely to be adequate, as the cloud computing provider will most likely be able to access the data (US providers, for example, will have to be able to access it in order to comply with US court orders or government requests).
  • choosing a service which says it has ‘zero knowledge’ encryption. This means that the provider does not store users' passwords for the data, so any request for the data has to come to the user.
  • refraining from using cloud storage services that do not encrypt data before it is uploaded (for example Dropbox, Box and SugarSync) on personally-owned computers, smartphones and tablets for purposes related to chambers business, and opting instead for services such as Tresorit that encrypt data before it is uploaded to the cloud.

Not all cloud providers are created equal

Most of the mainstream cloud services do not satisfy the criteria mentioned above. Using these services can put a law firm or barristers' chambers at risk. A leak of confidential data can not only result in losing clients but also lead to serious reputational damage from which it might be difficult to recover. That's why legal professionals should make sure they opt for a provider such as Tresorit, which can guarantee sufficient protection for confidential legal documents.

Data protection measures recommended by the Bar Council:

  • Encryption at rest
  • Encryption in transit
  • Data stored on EU servers
  • End-to-end encryption for file sharing
  • Encryption keys controlled by the user
  • Provider never has access to the plain text content of user files
  • Zero-knowledge authentication

Where mainstream services offer these measures at all, they do so only partly, only on request for business or enterprise plans, or only when an external encryption module is used.

Learn more about how Tresorit can help legal professionals store and share data securely in the cloud.